Skip to content

Releases: openabdev/ghpool

v0.4.0

Choose a tag to compare

@github-actions github-actions released this 13 Jul 17:01
a935545

ghpool v0.4.0 — MCP gateway for AI coding agents

The headline: agents get GitHub's official MCP tools without holding any GitHub credential. ghpool is now a credential-swapping MCP reverse proxy with a per-agent default-deny policy engine, GitHub App credentials, and hard-gated audited writes — the complete RFC #15 Phase 1 + Phase 2 scope.

MCP reverse proxy (/mcp, opt-in)

  • Proxies GitHub's hosted MCP server — official tool schemas, zero schema maintenance ghpool-side (#20)
  • Session pinning with MCP-spec semantics: unknown/expired session → 404 → transparent client re-init; identity never rotates mid-session
  • Streaming passthrough (JSON + SSE), client Authorization always stripped

Per-agent authentication & policy (#26, #28, #30)

  • X-Ghpool-Key per-agent API keys (digest comparison, dual-key zero-downtime rotation)
  • Default-deny tool allowlists — new upstream tools are denied until granted; enforced at the proxy, mirrored upstream via X-MCP-Tools
  • Repository allowlists with deny-if-unresolvable; sessions bound to the agent that opened them
  • Rule-based write classification (unknown tools = writes, conservative)

GitHub App credential backend (#31)

  • ghpool mints and auto-refreshes installation tokens from the App private key (secret-refs: env: / aws:secretsmanager: / k8s:)
  • Sessions cannot outlive their credential
  • Repo-scoped tokens: agents with exact repo allowlists get tokens minted with the repositories parameter — GitHub itself enforces the boundary

Writes, behind a hard gate (#32, #33)

  • enable_writes requires agents + App backend + audit — validated at startup, in code
  • Fail-closed audit: fsync'd JSONL pre-flight record or the write is rejected; result records capture the MCP tool outcome (isError inside HTTP 200 is recorded as failure). Argument values never logged
  • Per-agent write concurrency cap; no auto-retry, ever

Also

  • Config: XDG fallback path (~/.config/ghpool/config.toml) + loaded-path logging (#27)
  • Docs: Getting Started · Design
  • CI: live e2e (18 checks incl. real App-token minting) on every push + daily upstream contract canary

Agent config, in full

{ "mcpServers": { "github": {
    "url": "http://ghpool:8080/mcp",
    "headers": { "X-Ghpool-Key": "${GHPOOL_KEY}" } } } }

Full changelog: v0.3.4...v0.4.0

v0.3.4

Choose a tag to compare

@github-actions github-actions released this 08 Jul 22:10
30b3e5d

What's Changed

  • feat: cache raw/diff responses with 30s TTL by @chaodu-agent in #13
  • release: v0.3.4 by @openab-app[bot] in #14

Full Changelog: v0.3.3...v0.3.4

v0.3.3

Choose a tag to compare

@github-actions github-actions released this 08 Jul 15:34
78d692c

What's Changed

  • fix: add curl + HEALTHCHECK to Dockerfile by @chaodu-agent in #10
  • release: v0.3.3 by @openab-app[bot] in #11

Full Changelog: v0.3.2...v0.3.3

v0.3.2

Choose a tag to compare

@github-actions github-actions released this 28 Jun 13:19
d360ecc

What's Changed

Full Changelog: v0.3.1...v0.3.2

v0.3.1

Choose a tag to compare

@github-actions github-actions released this 28 Jun 12:53

What's Changed

Full Changelog: v0.3.0...v0.3.1

v0.3.0

Choose a tag to compare

@github-actions github-actions released this 28 Jun 12:47
edff723

What's Changed

New Contributors

Full Changelog: v0.2.1...v0.3.0

v0.2.1

Choose a tag to compare

@github-actions github-actions released this 28 Jun 12:53
643bc3e

What's Changed

  • release: v0.2.1 by @openab-app[bot] in #5

Full Changelog: v0.2.0...v0.2.1

v0.2.0

Choose a tag to compare

@github-actions github-actions released this 28 Jun 12:54

What's Changed

  • release: v0.2.0 by @openab-app[bot] in #4

Full Changelog: v0.1.0...v0.2.0