MCP gateway should enforce tool allowlist at the gateway layer, not only at the Claude client layer #22908

@szabta89

Description

This follows up on a reviewed security finding from githubnext/gh-aw-security. The finding indicates a likely gh-aw defect in the MCP gateway tool enforcement boundary, where the --allowed-tools constraint passed to Claude Code is enforced only at the Claude client layer and is not mirrored as a filter in the MCP gateway.

Code executing inside the runner (e.g. via prompt injection, a malicious step, or a supply-chain compromise) can read the plaintext bearer token from /tmp/gh-aw/mcp-config/mcp-servers.json (mode 644) and send raw JSON-RPC requests directly to the gateway, invoking any tool the MCP server advertises—including tools absent from the workflow's declared --allowed-tools list. The gateway executes these calls and returns results rather than rejecting them.

Mitigations include: populating the tools field in mcp-servers.json to mirror the workflow's declared tool scope, restricting mcp-servers.json permissions to 0600, and considering per-session tokens scoped to the declared tool set.
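The gateway-side filter the finding asks for, as an added example that is not gh-aw's own code: a small Go check that sits in front of the MCP server, rejects any tools/call naming a tool outside the workflow's declared set with a JSON-RPC error, and trims tools/list responses so undeclared tools are never advertised to the client. The ToolAllowlist type, the function names and the sample tool names (list_issues, get_issue, create_issue) are assumptions for illustration; a real gateway would load the allowlist from the per-server tools field the issue proposes populating in mcp-servers.json.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// jsonRPCRequest is the minimal shape of an MCP JSON-RPC 2.0 request the gateway
// needs to inspect before deciding whether to forward it to the MCP server.
type jsonRPCRequest struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Method  string          `json:"method"`
	Params  json.RawMessage `json:"params,omitempty"`
}

// jsonRPCErrorResponse is the reply the gateway sends itself when it rejects a call.
type jsonRPCErrorResponse struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Error   struct {
		Code    int    `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// ToolAllowlist is the set of tool names the workflow declared. Hypothetical type:
// in a real gateway it would be populated from the "tools" field of mcp-servers.json.
type ToolAllowlist map[string]struct{}

// NewToolAllowlist builds the set from the declared tool names.
func NewToolAllowlist(names []string) ToolAllowlist {
	al := make(ToolAllowlist, len(names))
	for _, n := range names {
		al[n] = struct{}{}
	}
	return al
}

// Decide inspects one client request. It returns forward=true when the request may be
// passed to the MCP server, or forward=false plus a JSON-RPC error response the gateway
// must return to the client. Anything the gateway cannot parse is not forwarded (fail closed).
func (a ToolAllowlist) Decide(raw []byte) (bool, []byte, error) {
	var req jsonRPCRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return false, nil, fmt.Errorf("malformed JSON-RPC request: %w", err)
	}
	// Only tools/call names a tool; initialize, ping, tools/list and so on pass through
	// (tools/list responses are trimmed separately by FilterToolsList).
	if req.Method != "tools/call" {
		return true, nil, nil
	}
	var params struct {
		Name string `json:"name"`
	}
	if err := json.Unmarshal(req.Params, &params); err != nil || params.Name == "" {
		return false, nil, fmt.Errorf("tools/call without a parseable tool name")
	}
	if _, ok := a[params.Name]; ok {
		return true, nil, nil
	}
	// Tool exists on the server but was never declared by the workflow: answer here and
	// never let the request reach the MCP server, whatever token the caller presented.
	resp := jsonRPCErrorResponse{JSONRPC: "2.0", ID: req.ID}
	resp.Error.Code = -32602 // JSON-RPC "invalid params"
	resp.Error.Message = fmt.Sprintf("tool %q is not in the workflow allowlist", params.Name)
	reject, err := json.Marshal(resp)
	return false, reject, err
}

// FilterToolsList removes undeclared tools from a tools/list response so the client only
// sees what the workflow declared. Responses without a "tools" result (errors, other
// methods) are returned unchanged.
func (a ToolAllowlist) FilterToolsList(raw []byte) ([]byte, error) {
	var resp struct {
		JSONRPC string                     `json:"jsonrpc"`
		ID      json.RawMessage            `json:"id,omitempty"`
		Result  map[string]json.RawMessage `json:"result,omitempty"`
	}
	if err := json.Unmarshal(raw, &resp); err != nil {
		return nil, fmt.Errorf("malformed JSON-RPC response: %w", err)
	}
	toolsRaw, ok := resp.Result["tools"]
	if !ok {
		return raw, nil
	}
	var tools []json.RawMessage
	if err := json.Unmarshal(toolsRaw, &tools); err != nil {
		return nil, fmt.Errorf("malformed tools array: %w", err)
	}
	kept := make([]json.RawMessage, 0, len(tools))
	for _, entry := range tools {
		var tool struct {
			Name string `json:"name"`
		}
		if err := json.Unmarshal(entry, &tool); err != nil {
			return nil, fmt.Errorf("malformed tool entry: %w", err)
		}
		if _, declared := a[tool.Name]; declared {
			kept = append(kept, entry)
		}
	}
	filtered, err := json.Marshal(kept)
	if err != nil {
		return nil, err
	}
	resp.Result["tools"] = filtered
	return json.Marshal(resp)
}

func main() {
	al := NewToolAllowlist([]string{"list_issues", "get_issue"})
	// Constructed sample request naming a tool the workflow never declared.
	req := []byte(`{"jsonrpc":"2.0","id":7,"method":"tools/call","params":{"name":"create_issue","arguments":{}}}`)
	forward, reject, err := al.Decide(req)
	fmt.Println(forward, string(reject), err)
}
```

Enforcing the set here, rather than in the Claude client, makes the allowlist hold for every caller that reaches the gateway, so possession of the bearer token alone no longer widens the tool scope. Tightening mcp-servers.json to 0600 remains worthwhile as defence in depth, but the gateway check is what closes the boundary the finding describes.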

Affected area: MCP gateway / tool allowlist enforcement boundary (mcp-servers.json token exposure, gateway-side filtering)
Original finding: https://github.com/githubnext/gh-aw-security/issues/1519
gh-aw version: v0.63.1

Generated by File gh-aw Issue
