docs: document mTLS & HMAC request signing env vars across developer-facing references

[Copilot]

The v0.3.1 mTLS & HMAC request signing feature (internal/server/hmac.go, gateway_tls.go, flags_tls.go) shipped with no documentation for its four new environment variables or CLI flags.

Changes

• docs/ENVIRONMENT_VARIABLES.md — Added MCP_GATEWAY_TLS_CERT, MCP_GATEWAY_TLS_KEY, MCP_GATEWAY_CA_CERT, and MCP_GATEWAY_HMAC_SECRET to the Optional Variables table with descriptions of semantics (one-way TLS vs. mTLS, replay-protection headers)
• AGENTS.md — Same four env vars added to the Environment Variables list; Security Notes expanded to cover mTLS and HMAC signing behavior
• config.example.toml — New Security: mTLS & HMAC Request Signing block under Advanced Options documenting all four CLI flags (--tls-cert, --tls-key, --tls-ca, --hmac-secret), their env var counterparts, and an example invocation:

# Run command example:
# ./awmg --config config.toml \
#   --tls-cert /path/to/server.crt \
#   --tls-key  /path/to/server.key \
#   --tls-ca   /path/to/ca.crt \
#   --hmac-secret "$(openssl rand -hex 32)"

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• example.com
  • Triggering command: /tmp/go-build1611418701/b513/launcher.test /tmp/go-build1611418701/b513/launcher.test -test.testlogfile=/tmp/go-build1611418701/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s rtcf�� .cfg 64/src/text/temp-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet .cfg�� 419592/b367/_pkg_.a -I x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet (dns block)
• invalid-host-that-does-not-exist-12345.com
  • Triggering command: /tmp/go-build1611418701/b495/config.test /tmp/go-build1611418701/b495/config.test -test.testlogfile=/tmp/go-build1611418701/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build1611418701/b396/vet.cfg /idna/go118.go /idna/idna10.0.0.go x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -I _.a -I x_amd64/vet --gdwarf-5 dns -o x_amd64/vet (dns block)
• nonexistent.local
  • Triggering command: /tmp/go-build1611418701/b513/launcher.test /tmp/go-build1611418701/b513/launcher.test -test.testlogfile=/tmp/go-build1611418701/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s rtcf�� .cfg 64/src/text/temp-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet .cfg�� 419592/b367/_pkg_.a -I x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet (dns block)
• slow.example.com
  • Triggering command: /tmp/go-build1611418701/b513/launcher.test /tmp/go-build1611418701/b513/launcher.test -test.testlogfile=/tmp/go-build1611418701/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s rtcf�� .cfg 64/src/text/temp-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet .cfg�� 419592/b367/_pkg_.a -I x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet (dns block)
• this-host-does-not-exist-12345.com
  • Triggering command: /tmp/go-build1611418701/b522/mcp.test /tmp/go-build1611418701/b522/mcp.test -test.testlogfile=/tmp/go-build1611418701/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s -I .cfg 419592/b314// x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet .cfg�� 419592/b445/_pkg_.a -trimpath x_amd64/vet -p g/grpc/balancer/--version -lang=go1.25 x_amd64/vet (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Adds developer-facing documentation for the gateway’s v0.3.1 TLS (incl. mTLS) and HMAC request-signing configuration via CLI flags and environment variables.

Changes:

• Documented four new env vars: MCP_GATEWAY_TLS_CERT, MCP_GATEWAY_TLS_KEY, MCP_GATEWAY_CA_CERT, MCP_GATEWAY_HMAC_SECRET
• Expanded AGENTS.md security notes to mention mTLS and HMAC signing requirements
• Added a reference block in config.example.toml describing the TLS/HMAC flags and env var mappings, plus an example invocation

Show a summary per file

File	Description
docs/ENVIRONMENT_VARIABLES.md	Adds the four new TLS/HMAC environment variables to the optional variables table.
AGENTS.md	Adds the same env vars to the agent-facing reference list and expands Security Notes for mTLS/HMAC.
config.example.toml	Documents TLS/HMAC flags + env var mappings and provides a sample run command snippet.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (2)

AGENTS.md:479

• This note reads as if --hmac-secret makes all gateway requests require signing. The code explicitly exempts common endpoints (e.g. /health, /close) from HMAC while enforcing it for MCP handler routes. Consider clarifying which endpoints are covered so operators don’t accidentally break health checks by expecting them to be signed.

- **HMAC request signing**: Set `--hmac-secret` (or `MCP_GATEWAY_HMAC_SECRET`) to require HMAC-SHA256 signed requests; protects against replay attacks using `X-MCP-Timestamp`, `X-MCP-Nonce`, and `X-MCP-Signature` headers

config.example.toml:207

• The example uses --hmac-secret "$(...)", which will typically leak the secret via shell history and process listings. Since this value is explicitly a shared secret, it’d be safer to show (or at least recommend) providing it via MCP_GATEWAY_HMAC_SECRET instead of a command-line flag, especially for production usage.

#   ./awmg --config config.toml \
#     --tls-cert /path/to/server.crt \
#     --tls-key  /path/to/server.key \
#     --tls-ca   /path/to/ca.crt \
#     --hmac-secret "$(openssl rand -hex 32)"

• Files reviewed: 3/3 changed files
• Comments generated: 3