[SECURITY FEATURE]: Simple Endpoint Feature Flags (selectively enable or disable tools, resources, prompts, servers, gateways, roots)Β #537
Description
ποΈ FEATURE: Enhanced Endpoint Feature Flags
Summary: Add configuration-based feature flags to enable/disable MCP capabilities (tools, resources, prompts, servers, gateways, roots) and additional system endpoints (REST API tools, metrics, version, docs, connection tester). Features are toggled via environment variables, and the UI/version endpoint shows which features are enabled.
All Feature Flags to Implement
Existing Flags (already implemented):
MCPGATEWAY_UI_ENABLED=false # Admin UI interface
MCPGATEWAY_ADMIN_API_ENABLED=false # Admin API endpoints
MCPGATEWAY_BULK_IMPORT_ENABLED=true # Bulk import endpoint
MCP_CLIENT_AUTH_ENABLED=true # JWT auth for MCP clients
CORS_ENABLED=true # CORS middleware
SECURITY_HEADERS_ENABLED=true # Security headers middleware
FEDERATION_ENABLED=true # Gateway federation
SSE_KEEPALIVE_ENABLED=true # SSE keepalive events
JSON_RESPONSE_ENABLED=true # JSON vs SSE responses
PLUGINS_ENABLED=false # Plugin frameworkMCP Capability Flags (all missing):
FEATURES_TOOLS_ENABLED=true # /tools router
FEATURES_RESOURCES_ENABLED=false # /resources router
FEATURES_PROMPTS_ENABLED=false # /prompts router
FEATURES_SERVERS_ENABLED=true # /servers router
FEATURES_GATEWAYS_ENABLED=true # /gateways router
FEATURES_ROOTS_ENABLED=false # /roots routerSystem Feature Flags (all missing):
FEATURES_VERSION_ENABLED=true # /version router
FEATURES_METRICS_ENABLED=true # /metrics router
FEATURES_DOCS_ENABLED=true # /docs, /redoc endpoints
FEATURES_REDOC_ENABLED=true # /redoc specifically
FEATURES_REST_API_TOOLS_ENABLED=true # REST API conversion
FEATURES_CONNECTION_TESTER_ENABLED=true # Admin UI testingAdditional Flags Needed:
FEATURES_TAGS_ENABLED=true # /tags router
FEATURES_REVERSE_PROXY_ENABLED=false # reverse proxy functionality (conditional import exists)Implementation
1. Update config.py
Add feature flag settings to the Settings class:
# In mcpgateway/config.py
class Settings(BaseSettings):
# ... existing settings ...
# Feature Flags - MCP Capabilities
# These control which endpoints/features are enabled
features_tools_enabled: bool = True
features_resources_enabled: bool = False
features_prompts_enabled: bool = False
features_servers_enabled: bool = True
features_gateways_enabled: bool = True
features_roots_enabled: bool = False
# Feature Flags - Additional Features
features_tags_enabled: bool = True # /tags endpoint
features_reverse_proxy_enabled: bool = False # reverse proxy functionality
features_rest_api_tools_enabled: bool = True # REST API to MCP Tools conversion (future/not implemented)
features_metrics_enabled: bool = True # /metrics endpoint
features_version_enabled: bool = True # /version endpoint
features_docs_enabled: bool = True # /docs endpoint
features_redoc_enabled: bool = True # /redoc endpoint
features_connection_tester_enabled: bool = True # Connection testing in UI (future/not implemented)
# Helper property to get enabled features as a list
@property
def enabled_features(self) -> List[str]:
"""Get list of enabled MCP features."""
features = []
if self.features_tools_enabled:
features.append("tools")
if self.features_resources_enabled:
features.append("resources")
if self.features_prompts_enabled:
features.append("prompts")
if self.features_servers_enabled:
features.append("servers")
if self.features_gateways_enabled:
features.append("gateways")
if self.features_roots_enabled:
features.append("roots")
if self.features_tags_enabled:
features.append("tags")
return features
@property
def enabled_system_features(self) -> List[str]:
"""Get list of enabled system features."""
features = []
if self.features_reverse_proxy_enabled:
features.append("reverse_proxy")
if self.features_rest_api_tools_enabled:
features.append("rest_api_tools")
if self.features_metrics_enabled:
features.append("metrics")
if self.features_version_enabled:
features.append("version")
if self.features_docs_enabled:
features.append("docs")
if self.features_redoc_enabled:
features.append("redoc")
if self.features_connection_tester_enabled:
features.append("connection_tester")
return features
# Helper to check if a feature is enabled
def is_feature_enabled(self, feature: str) -> bool:
"""Check if a specific feature is enabled."""
return feature in self.enabled_features or feature in self.enabled_system_features2. Update .env.example
Add the new feature flag sections:
#####################################
# Feature Flags - MCP Capabilities
#####################################
# Control which MCP features are enabled
# Default: tools, servers, gateways enabled; resources, prompts, roots disabled
# Tools - Enable tool discovery and execution
FEATURES_TOOLS_ENABLED=true
# Resources - Enable resource serving
FEATURES_RESOURCES_ENABLED=false
# Prompts - Enable prompt template management
FEATURES_PROMPTS_ENABLED=false
# Servers - Enable server management
FEATURES_SERVERS_ENABLED=true
# Gateways - Enable federation with other gateways or upstream MCP Servers
FEATURES_GATEWAYS_ENABLED=true
# Roots - Enable root capability exposure
FEATURES_ROOTS_ENABLED=false
# Tags - Enable /tags endpoint for entity tagging
FEATURES_TAGS_ENABLED=true
#####################################
# Feature Flags - System Features
#####################################
# Control additional system features and endpoints
# Reverse Proxy - Enable reverse proxy functionality
FEATURES_REVERSE_PROXY_ENABLED=false
# REST API Tools - Enable automatic REST API to MCP Tool conversion (future/not implemented)
FEATURES_REST_API_TOOLS_ENABLED=true
# Metrics - Enable /metrics endpoint for Prometheus monitoring
FEATURES_METRICS_ENABLED=true
# Version - Enable /version endpoint (both UI and API)
FEATURES_VERSION_ENABLED=true
# Docs - Enable /docs endpoint (Swagger UI)
FEATURES_DOCS_ENABLED=true
# ReDoc - Enable /redoc endpoint (ReDoc UI)
FEATURES_REDOC_ENABLED=true
# Connection Tester - Enable connection testing functionality in UI (future/not implemented)
FEATURES_CONNECTION_TESTER_ENABLED=true3. Update main.py to conditionally include routers and middleware
# In mcpgateway/main.py
# Always create the base app
app = FastAPI(
title=settings.app_name,
version=__version__,
docs_url="/docs" if settings.features_docs_enabled else None,
redoc_url="/redoc" if settings.features_redoc_enabled else None,
openapi_url="/openapi.json" if (settings.features_docs_enabled or settings.features_redoc_enabled) else None,
)
# Include routers based on feature flags
app.include_router(protocol_router) # Always include protocol
# Version endpoint - conditional
if settings.features_version_enabled:
app.include_router(version_router)
else:
logger.info("Version feature disabled - not mounting version routes")
# Conditionally include feature routers
if settings.features_tools_enabled:
app.include_router(tool_router)
else:
logger.info("Tools feature disabled - not mounting tool routes")
if settings.features_resources_enabled:
app.include_router(resource_router)
else:
logger.info("Resources feature disabled - not mounting resource routes")
if settings.features_prompts_enabled:
app.include_router(prompt_router)
else:
logger.info("Prompts feature disabled - not mounting prompt routes")
if settings.features_servers_enabled:
app.include_router(server_router)
else:
logger.info("Servers feature disabled - not mounting server routes")
if settings.features_gateways_enabled:
app.include_router(gateway_router)
else:
logger.info("Gateways feature disabled - not mounting gateway routes")
if settings.features_roots_enabled:
app.include_router(root_router)
else:
logger.info("Roots feature disabled - not mounting root routes")
# Tags endpoint - conditional
if settings.features_tags_enabled:
app.include_router(tag_router)
else:
logger.info("Tags feature disabled - not mounting tag routes")
# Always include utility router
app.include_router(utility_router)
# Metrics endpoint - conditional
if settings.features_metrics_enabled:
app.include_router(metrics_router)
else:
logger.info("Metrics feature disabled - not mounting metrics routes")
# Reverse proxy router - conditional (handles existing conditional import)
if settings.features_reverse_proxy_enabled:
try:
from mcpgateway.routers.reverse_proxy import router as reverse_proxy_router
app.include_router(reverse_proxy_router)
logger.info("Reverse proxy router included")
except ImportError:
logger.warning("Reverse proxy router not available - feature disabled")
else:
logger.info("Reverse proxy feature disabled - not mounting reverse proxy routes")
# Admin UI - if enabled
if settings.mcpgateway_ui_enabled:
app.include_router(admin_router)4. Update version.py to show all enabled features
# In mcpgateway/version.py
from mcpgateway.config import settings
@router.get("/version", summary="Diagnostics (auth required)")
async def version_endpoint(
request: Request,
fmt: Optional[str] = None,
partial: Optional[bool] = False,
_user=Depends(require_auth),
) -> Response:
"""Update existing version endpoint to include feature information."""
# ... existing Redis health check and payload building logic ...
# Extend the existing payload with feature information
payload = _build_payload(redis_version, redis_ok)
# Add feature information to existing payload
payload.update({
"features_enabled": settings.enabled_features,
"system_features_enabled": settings.enabled_system_features,
"features": {
# MCP Features
"tools": settings.features_tools_enabled,
"resources": settings.features_resources_enabled,
"prompts": settings.features_prompts_enabled,
"servers": settings.features_servers_enabled,
"gateways": settings.features_gateways_enabled,
"roots": settings.features_roots_enabled,
"tags": settings.features_tags_enabled,
# System Features
"reverse_proxy": settings.features_reverse_proxy_enabled,
"rest_api_tools": settings.features_rest_api_tools_enabled,
"metrics": settings.features_metrics_enabled,
"version": settings.features_version_enabled,
"docs": settings.features_docs_enabled,
"redoc": settings.features_redoc_enabled,
"connection_tester": settings.features_connection_tester_enabled,
}
})
# Return response using existing format logic
if partial:
templates = Jinja2Templates(directory=str(settings.templates_dir))
return templates.TemplateResponse(request, "version_info_partial.html", {"request": request, "payload": payload})
wants_html = fmt == "html" or "text/html" in request.headers.get("accept", "")
if wants_html:
return HTMLResponse(_render_html(payload))
return JSONResponse(payload)5. Update Protocol Capabilities (Fix File Path)
CORRECTION: Update capabilities in mcpgateway/cache/session_registry.py (method: handle_initialize_logic):
# In mcpgateway/cache/session_registry.py
async def handle_initialize_logic(self, body: Dict[str, Any]) -> InitializeResult:
"""Handle initialize request, only advertising enabled capabilities."""
# ... existing validation logic ...
capabilities = {}
if settings.features_tools_enabled:
capabilities["tools"] = {"listChanged": True}
if settings.features_resources_enabled:
capabilities["resources"] = {"subscribe": True, "listChanged": True}
if settings.features_prompts_enabled:
capabilities["prompts"] = {"listChanged": True}
if settings.features_roots_enabled:
capabilities["roots"] = {"listChanged": True}
# Always include logging capability
capabilities["logging"] = {}
return InitializeResult(
protocolVersion=settings.protocol_version,
capabilities=ServerCapabilities(**capabilities),
serverInfo=Implementation(
name=settings.app_name,
version=__version__,
features_enabled=settings.enabled_features,
system_features_enabled=settings.enabled_system_features,
),
instructions=("MCP Gateway providing federated tools, resources and prompts. Use /admin interface for configuration."),
)6. Update REST API Tools Integration (Future/Not Implemented)
NOTE: REST API to MCP tools auto-conversion doesn't exist yet. This flag is for future use or can gate bulk import functionality:
# Future implementation or in bulk import logic
async def discover_rest_api_tools():
"""Discover and convert REST APIs to MCP tools."""
if not settings.features_rest_api_tools_enabled:
logger.info("REST API tools feature disabled - skipping REST API discovery")
return []
# ... future REST API discovery logic ...7. Update Admin UI Navigation and Features (Fix Template Path)
CORRECTION: Update mcpgateway/templates/admin.html (not admin_base.html). Note: No config object is currently passed to templates - this would need to be added:
# In mcpgateway/admin.py - pass settings to template context
@admin_router.get("/")
async def admin_dashboard(request: Request, user: str = Depends(require_auth)):
"""Admin dashboard."""
return templates.TemplateResponse(
"admin.html",
{"request": request, "config": settings} # Add settings to context
)Then conditionally show navigation items in template:
<!-- In mcpgateway/templates/admin.html - Update the tabs navigation -->
<nav class="-mb-px flex space-x-8">
{% if config.features_servers_enabled %}
<a href="#catalog" id="tab-catalog" data-testid="servers-tab"
class="tab-link border-indigo-500 text-indigo-600 dark:text-indigo-500 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Virtual Servers Catalog
</a>
{% endif %}
{% if config.features_tools_enabled %}
<a href="#tools" id="tab-tools" data-testid="tools-tab"
class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Global Tools
</a>
{% endif %}
{% if config.features_resources_enabled %}
<a href="#resources" id="tab-resources"
class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Global Resources
</a>
{% endif %}
{% if config.features_prompts_enabled %}
<a href="#prompts" id="tab-prompts"
class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Global Prompts
</a>
{% endif %}
{% if config.features_gateways_enabled %}
<a href="#gateways" id="tab-gateways" data-testid="gateways-tab"
class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Gateways/MCP Servers
</a>
{% endif %}
{% if config.features_roots_enabled %}
<a href="#roots" id="tab-roots"
class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Roots
</a>
{% endif %}
{% if config.features_metrics_enabled %}
<a href="#metrics" id="tab-metrics"
class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Metrics
</a>
{% endif %}
<a href="#logs" id="tab-logs"
class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Logs
</a>
{% if config.features_version_enabled %}
<a href="#version-info" id="tab-version-info"
class="tab-link border-transparent text-gray-500 dark:text-gray-300 hover:text-gray-700 hover:border-gray-300 whitespace-nowrap py-4 px-1 border-b-2 font-medium text-sm">
Version and Environment Info
</a>
{% endif %}
<button @click="darkMode = !darkMode" class="p-2">
<span x-text="darkMode ? 'βοΈ' : 'π'"></span>
</button>
</nav>8. Connection Tester (DEFERRED - Future Implementation)
NOTE: Connection Tester UI and API endpoints don't exist yet. The FEATURES_CONNECTION_TESTER_ENABLED flag is reserved for future implementation.
# Future implementation in mcpgateway/admin.py when connection tester is built
# @admin_router.get("/test-connection") # Future endpoint
# async def test_connection_page(request: Request):
# """Connection test page (future implementation)."""
# if not settings.features_connection_tester_enabled:
# raise HTTPException(status_code=404, detail="Connection tester is disabled")
#
# # Future: return test connection UI templateTesting
-
Default configuration (all features enabled):
curl http://localhost:4444/version # Should show all features enabled -
Disable documentation endpoints:
FEATURES_DOCS_ENABLED=false FEATURES_REDOC_ENABLED=false mcpgateway --host 0.0.0.0 --port 4444 # /docs and /redoc should return 404 -
Disable metrics:
FEATURES_METRICS_ENABLED=false mcpgateway --host 0.0.0.0 --port 4444 # /metrics should return 404 -
Disable REST API tools:
FEATURES_REST_API_TOOLS_ENABLED=false mcpgateway --host 0.0.0.0 --port 4444 # REST APIs won't be converted to MCP tools -
Disable version endpoint:
FEATURES_VERSION_ENABLED=false mcpgateway --host 0.0.0.0 --port 4444 # /version should return 404 -
Minimal mode (only core MCP protocol):
FEATURES_RESOURCES_ENABLED=false \ FEATURES_PROMPTS_ENABLED=false \ FEATURES_ROOTS_ENABLED=false \ FEATURES_REST_API_TOOLS_ENABLED=false \ FEATURES_METRICS_ENABLED=false \ FEATURES_VERSION_ENABLED=false \ FEATURES_DOCS_ENABLED=false \ FEATURES_REDOC_ENABLED=false \ FEATURES_CONNECTION_TESTER_ENABLED=false \ mcpgateway --host 0.0.0.0 --port 4444
Alternative using uvicorn:
FEATURES_DOCS_ENABLED=false uvicorn mcpgateway.main:app --host 0.0.0.0 --port 4444Benefits
- Granular Control: Fine-grained control over individual features
- Security: Can disable unnecessary endpoints in production
- Performance: Reduced overhead by not loading unused features
- Compliance: Disable documentation/metrics in sensitive environments
- Simple: Just environment variables, no complex runtime management
- Clear: Version endpoint (when enabled) shows what's active
- Safe: Disabled features don't expose endpoints or functionality
- Visual: UI adapts to show only enabled features
Documentation and Deployment Updates
9. Update README.md
Add feature flags section to environment variables table:
## Feature Flags
Control which MCP capabilities and system endpoints are enabled:
| Variable | Description | Default |
|----------|-------------|---------|
| `FEATURES_TOOLS_ENABLED` | Enable /tools router and tool functionality | `true` |
| `FEATURES_RESOURCES_ENABLED` | Enable /resources router and resource serving | `false` |
| `FEATURES_PROMPTS_ENABLED` | Enable /prompts router and prompt templates | `false` |
| `FEATURES_SERVERS_ENABLED` | Enable /servers router and virtual server management | `true` |
| `FEATURES_GATEWAYS_ENABLED` | Enable /gateways router and federation | `true` |
| `FEATURES_ROOTS_ENABLED` | Enable /roots router and root capabilities | `false` |
| `FEATURES_TAGS_ENABLED` | Enable /tags router and entity tagging | `true` |
| `FEATURES_REVERSE_PROXY_ENABLED` | Enable reverse proxy functionality | `false` |
| `FEATURES_METRICS_ENABLED` | Enable /metrics endpoint for Prometheus | `true` |
| `FEATURES_VERSION_ENABLED` | Enable /version endpoint | `true` |
| `FEATURES_DOCS_ENABLED` | Enable /docs Swagger UI endpoint | `true` |
| `FEATURES_REDOC_ENABLED` | Enable /redoc documentation endpoint | `true` |
| `FEATURES_REST_API_TOOLS_ENABLED` | Enable REST API to MCP tool conversion (future) | `true` |
| `FEATURES_CONNECTION_TESTER_ENABLED` | Enable connection testing in UI (future) | `true` |
### Security Use Cases
- **Production hardening**: Disable documentation endpoints (`FEATURES_DOCS_ENABLED=false`)
- **Minimal deployment**: Enable only required capabilities
- **Compliance**: Disable metrics/monitoring in sensitive environments
- **Development**: Enable all features for testing10. Update Helm Charts
Update charts/mcp-stack/values.yaml to include feature flags:
# Feature Flags Configuration
mcpgateway:
features:
# MCP Capabilities
tools_enabled: true
resources_enabled: false
prompts_enabled: false
servers_enabled: true
gateways_enabled: true
roots_enabled: false
tags_enabled: true
# System Features
reverse_proxy_enabled: false
rest_api_tools_enabled: true
metrics_enabled: true
version_enabled: true
docs_enabled: true
redoc_enabled: true
connection_tester_enabled: trueUpdate charts/mcp-stack/templates/configmap-gateway.yaml:
data:
# ... existing config ...
# Feature Flags
FEATURES_TOOLS_ENABLED: "{{ .Values.mcpgateway.features.tools_enabled }}"
FEATURES_RESOURCES_ENABLED: "{{ .Values.mcpgateway.features.resources_enabled }}"
FEATURES_PROMPTS_ENABLED: "{{ .Values.mcpgateway.features.prompts_enabled }}"
FEATURES_SERVERS_ENABLED: "{{ .Values.mcpgateway.features.servers_enabled }}"
FEATURES_GATEWAYS_ENABLED: "{{ .Values.mcpgateway.features.gateways_enabled }}"
FEATURES_ROOTS_ENABLED: "{{ .Values.mcpgateway.features.roots_enabled }}"
FEATURES_TAGS_ENABLED: "{{ .Values.mcpgateway.features.tags_enabled }}"
FEATURES_REVERSE_PROXY_ENABLED: "{{ .Values.mcpgateway.features.reverse_proxy_enabled }}"
FEATURES_REST_API_TOOLS_ENABLED: "{{ .Values.mcpgateway.features.rest_api_tools_enabled }}"
FEATURES_METRICS_ENABLED: "{{ .Values.mcpgateway.features.metrics_enabled }}"
FEATURES_VERSION_ENABLED: "{{ .Values.mcpgateway.features.version_enabled }}"
FEATURES_DOCS_ENABLED: "{{ .Values.mcpgateway.features.docs_enabled }}"
FEATURES_REDOC_ENABLED: "{{ .Values.mcpgateway.features.redoc_enabled }}"
FEATURES_CONNECTION_TESTER_ENABLED: "{{ .Values.mcpgateway.features.connection_tester_enabled }}"11. Update Docker Compose
Add feature flags to docker-compose.yml:
services:
mcpgateway:
# ... existing config ...
environment:
# ... existing environment ...
# Feature Flags - MCP Capabilities
FEATURES_TOOLS_ENABLED: "true"
FEATURES_RESOURCES_ENABLED: "false"
FEATURES_PROMPTS_ENABLED: "false"
FEATURES_SERVERS_ENABLED: "true"
FEATURES_GATEWAYS_ENABLED: "true"
FEATURES_ROOTS_ENABLED: "false"
FEATURES_TAGS_ENABLED: "true"
# Feature Flags - System Features
FEATURES_REVERSE_PROXY_ENABLED: "false"
FEATURES_REST_API_TOOLS_ENABLED: "true"
FEATURES_METRICS_ENABLED: "true"
FEATURES_VERSION_ENABLED: "true"
FEATURES_DOCS_ENABLED: "true"
FEATURES_REDOC_ENABLED: "true"
FEATURES_CONNECTION_TESTER_ENABLED: "true"12. Update Kubernetes Deployments
Update deployment/k8s/mcp-context-forge-deployment.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: mcp-context-forge
spec:
template:
spec:
containers:
- name: mcpgateway
env:
# ... existing env vars ...
# Feature Flags
- name: FEATURES_TOOLS_ENABLED
value: "true"
- name: FEATURES_RESOURCES_ENABLED
value: "false"
- name: FEATURES_PROMPTS_ENABLED
value: "false"
- name: FEATURES_SERVERS_ENABLED
value: "true"
- name: FEATURES_GATEWAYS_ENABLED
value: "true"
- name: FEATURES_ROOTS_ENABLED
value: "false"
- name: FEATURES_TAGS_ENABLED
value: "true"
- name: FEATURES_REVERSE_PROXY_ENABLED
value: "false"
- name: FEATURES_REST_API_TOOLS_ENABLED
value: "true"
- name: FEATURES_METRICS_ENABLED
value: "true"
- name: FEATURES_VERSION_ENABLED
value: "true"
- name: FEATURES_DOCS_ENABLED
value: "true"
- name: FEATURES_REDOC_ENABLED
value: "true"
- name: FEATURES_CONNECTION_TESTER_ENABLED
value: "true"13. Update Management Documentation
Add new section to docs/docs/manage/index.md:
## ποΈ Feature Flags
Control which endpoints and capabilities are enabled through environment variables.
### MCP Capability Flags
| Flag | Default | Description |
|------|---------|-------------|
| `FEATURES_TOOLS_ENABLED` | `true` | Enable tool discovery and execution |
| `FEATURES_RESOURCES_ENABLED` | `false` | Enable resource serving |
| `FEATURES_PROMPTS_ENABLED` | `false` | Enable prompt template management |
| `FEATURES_SERVERS_ENABLED` | `true` | Enable virtual server management |
| `FEATURES_GATEWAYS_ENABLED` | `true` | Enable federation with other gateways |
| `FEATURES_ROOTS_ENABLED` | `false` | Enable root capability exposure |
| `FEATURES_TAGS_ENABLED` | `true` | Enable entity tagging |
### System Feature Flags
| Flag | Default | Description |
|------|---------|-------------|
| `FEATURES_REVERSE_PROXY_ENABLED` | `false` | Enable reverse proxy functionality |
| `FEATURES_METRICS_ENABLED` | `true` | Enable /metrics endpoint |
| `FEATURES_VERSION_ENABLED` | `true` | Enable /version endpoint |
| `FEATURES_DOCS_ENABLED` | `true` | Enable /docs Swagger UI |
| `FEATURES_REDOC_ENABLED` | `true` | Enable /redoc documentation |
### Security Hardening Examples
Disable documentation in production:
```bash
FEATURES_DOCS_ENABLED=false
FEATURES_REDOC_ENABLED=falseMinimal mode (only core protocol):
FEATURES_RESOURCES_ENABLED=false
FEATURES_PROMPTS_ENABLED=false
FEATURES_ROOTS_ENABLED=false
FEATURES_METRICS_ENABLED=false
FEATURES_DOCS_ENABLED=false
FEATURES_REDOC_ENABLED=falseCheck enabled features:
curl http://localhost:4444/version | jq .features
### 14. Update Deployment Guides
Add feature flag sections to:
- `docs/docs/deployment/kubernetes.md`
- `docs/docs/deployment/helm.md`
- `docs/docs/deployment/compose.md`
- `docs/docs/deployment/container.md`
### 15. Update Security Documentation
Add to `docs/docs/manage/securing.md`:
```markdown
## Endpoint Security via Feature Flags
Disable unnecessary endpoints in production environments:
### Production Hardening Checklist
- [ ] `FEATURES_DOCS_ENABLED=false` - Disable Swagger UI
- [ ] `FEATURES_REDOC_ENABLED=false` - Disable ReDoc
- [ ] Disable unused MCP capabilities (resources, prompts, roots)
- [ ] `FEATURES_METRICS_ENABLED=false` - If not using monitoring
- [ ] Verify `/version` endpoint doesn't expose sensitive info
### Compliance Scenarios
**HIPAA/SOX Compliance:**
```bash
FEATURES_DOCS_ENABLED=false
FEATURES_REDOC_ENABLED=false
FEATURES_METRICS_ENABLED=false
FEATURES_VERSION_ENABLED=false
Zero-Trust Environment:
# Only enable absolutely required features
FEATURES_RESOURCES_ENABLED=false
FEATURES_PROMPTS_ENABLED=false
FEATURES_ROOTS_ENABLED=false
## Out-of-Scope/Deferred Features
- **Connection Tester UI/API**: No existing endpoints or templates (future implementation)
- **REST API β MCP Tools auto-discovery**: No dedicated conversion module exists yet
- **Transport-level gating**: MCP mount points can be handled separately
This enhanced approach provides comprehensive control over all gateway features while maintaining simplicity through configuration flags.