Releases: openabdev/ghpool
Releases · openabdev/ghpool
Release list
v0.4.0
ghpool v0.4.0 — MCP gateway for AI coding agents
The headline: agents get GitHub's official MCP tools without holding any GitHub credential. ghpool is now a credential-swapping MCP reverse proxy with a per-agent default-deny policy engine, GitHub App credentials, and hard-gated audited writes — the complete RFC #15 Phase 1 + Phase 2 scope.
MCP reverse proxy (/mcp, opt-in)
- Proxies GitHub's hosted MCP server — official tool schemas, zero schema maintenance ghpool-side (#20)
- Session pinning with MCP-spec semantics: unknown/expired session → 404 → transparent client re-init; identity never rotates mid-session
- Streaming passthrough (JSON + SSE), client
Authorizationalways stripped
Per-agent authentication & policy (#26, #28, #30)
X-Ghpool-Keyper-agent API keys (digest comparison, dual-key zero-downtime rotation)- Default-deny tool allowlists — new upstream tools are denied until granted; enforced at the proxy, mirrored upstream via
X-MCP-Tools - Repository allowlists with deny-if-unresolvable; sessions bound to the agent that opened them
- Rule-based write classification (unknown tools = writes, conservative)
GitHub App credential backend (#31)
- ghpool mints and auto-refreshes installation tokens from the App private key (secret-refs:
env:/aws:secretsmanager:/k8s:) - Sessions cannot outlive their credential
- Repo-scoped tokens: agents with exact repo allowlists get tokens minted with the
repositoriesparameter — GitHub itself enforces the boundary
Writes, behind a hard gate (#32, #33)
enable_writesrequires agents + App backend + audit — validated at startup, in code- Fail-closed audit: fsync'd JSONL pre-flight record or the write is rejected; result records capture the MCP tool outcome (
isErrorinside HTTP 200 is recorded as failure). Argument values never logged - Per-agent write concurrency cap; no auto-retry, ever
Also
- Config: XDG fallback path (
~/.config/ghpool/config.toml) + loaded-path logging (#27) - Docs: Getting Started · Design
- CI: live e2e (18 checks incl. real App-token minting) on every push + daily upstream contract canary
Agent config, in full
{ "mcpServers": { "github": {
"url": "http://ghpool:8080/mcp",
"headers": { "X-Ghpool-Key": "${GHPOOL_KEY}" } } } }Full changelog: v0.3.4...v0.4.0
v0.3.4
What's Changed
- feat: cache raw/diff responses with 30s TTL by @chaodu-agent in #13
- release: v0.3.4 by @openab-app[bot] in #14
Full Changelog: v0.3.3...v0.3.4
v0.3.3
What's Changed
- fix: add curl + HEALTHCHECK to Dockerfile by @chaodu-agent in #10
- release: v0.3.3 by @openab-app[bot] in #11
Full Changelog: v0.3.2...v0.3.3
v0.3.2
What's Changed
- fix: ghp version prints own version by @chaodu-agent in #9
Full Changelog: v0.3.1...v0.3.2
v0.3.1
What's Changed
- fix: use musl for Linux builds (no glibc dep) by @chaodu-agent in #8
Full Changelog: v0.3.0...v0.3.1
v0.3.0
What's Changed
- feat: add pr diff support via /raw proxy route by @chaodu-agent in #6
- release: v0.3.0 by @chaodu-agent in #7
New Contributors
- @chaodu-agent made their first contribution in #6
Full Changelog: v0.2.1...v0.3.0