mcp: allow configuring mcp encryption iterations in standalone mode (#1604)

nacx · web-flow · commit fadcd69095e2 · 2025-12-02T16:54:27.000Z
**Description** Allows configuring the MCP session encryption iterations in standalone mode. We probably don't need to expose the entire seed and fallback mechanisms now when running the CLI, but allowing to configure the iterations will be helpful to make it easier to benchmark EAIGW with different configurations. **Related Issues/PRs (if applicable)** Follow-up of: #1598 **Special notes for reviewers (if applicable)** N/A Signed-off-by: Ignasi Barrera <nacx@apache.org>
diff --git a/cmd/aigw/main.go b/cmd/aigw/main.go
@@ -41,12 +41,15 @@ type (
 	}
 	// cmdRun corresponds to `aigw run` command.
 	cmdRun struct {
-		Debug     bool                   `help:"Enable debug logging emitted to stderr."`
-		Path      string                 `arg:"" name:"path" optional:"" help:"Path to the AI Gateway configuration yaml file. Defaults to $AIGW_CONFIG_HOME/config.yaml if exists, otherwise optional when at least OPENAI_API_KEY, AZURE_OPENAI_API_KEY or ANTHROPIC_API_KEY is set." type:"path"`
-		AdminPort int                    `help:"HTTP port for the admin server (serves /metrics and /health endpoints)." default:"1064"`
-		McpConfig string                 `name:"mcp-config" help:"Path to MCP servers configuration file." type:"path"`
-		McpJSON   string                 `name:"mcp-json" help:"JSON string of MCP servers configuration."`
-		RunID     string                 `name:"run-id" env:"AIGW_RUN_ID" help:"Run identifier for this invocation. Defaults to timestamp-based ID or $AIGW_RUN_ID. Use '0' for Docker/Kubernetes."`
+		Debug     bool   `help:"Enable debug logging emitted to stderr."`
+		Path      string `arg:"" name:"path" optional:"" help:"Path to the AI Gateway configuration yaml file. Defaults to $AIGW_CONFIG_HOME/config.yaml if exists, otherwise optional when at least OPENAI_API_KEY, AZURE_OPENAI_API_KEY or ANTHROPIC_API_KEY is set." type:"path"`
+		AdminPort int    `help:"HTTP port for the admin server (serves /metrics and /health endpoints)." default:"1064"`
+		McpConfig string `name:"mcp-config" help:"Path to MCP servers configuration file." type:"path"`
+		McpJSON   string `name:"mcp-json" help:"JSON string of MCP servers configuration."`
+		RunID     string `name:"run-id" env:"AIGW_RUN_ID" help:"Run identifier for this invocation. Defaults to timestamp-based ID or $AIGW_RUN_ID. Use '0' for Docker/Kubernetes."`
+
+		MCPSessionEncryptionIterations int `name:"mcp-session-encryption-iterations" help:"Number of iterations for MCP session encryption key derivation." default:"100000"`
+
 		mcpConfig *autoconfig.MCPServers `kong:"-"` // Internal field: normalized MCP JSON data
 		dirs      *xdg.Directories       `kong:"-"` // Internal field: XDG directories, set by BeforeApply
 		runOpts   *runOpts               `kong:"-"` // Internal field: run options, set by Validate
diff --git a/cmd/aigw/main_test.go b/cmd/aigw/main_test.go
@@ -136,6 +136,9 @@ Flags:
       --run-id=STRING         Run identifier for this invocation. Defaults to
                               timestamp-based ID or $AIGW_RUN_ID. Use '0' for
                               Docker/Kubernetes ($AIGW_RUN_ID).
+      --mcp-session-encryption-iterations=100000
+                              Number of iterations for MCP session encryption
+                              key derivation.
 `,
 			expPanicCode: ptr.To(0),
 		},
diff --git a/cmd/aigw/run.go b/cmd/aigw/run.go
@@ -78,6 +78,8 @@ type runCmdContext struct {
 	// fakeClientSet is the fake client set for the k8s resources. The objects are written to this client set and updated
 	// during the translation.
 	fakeClientSet *fake.Clientset
+	// mcpSessionEncryptionIterations is the number of iterations for MCP session encryption key derivation.
+	mcpSessionEncryptionIterations int
 }
 
 // run starts the AI Gateway locally for a given configuration.
@@ -361,6 +363,7 @@ func (runCtx *runCmdContext) mustStartExtProc(
 		"--extProcAddr", fmt.Sprintf("unix://%s", runCtx.udsPath),
 		"--adminPort", fmt.Sprintf("%d", runCtx.adminPort),
 		"--mcpAddr", ":" + strconv.Itoa(internalapi.MCPProxyPort),
+		"--mcpSessionEncryptionIterations", strconv.Itoa(runCtx.mcpSessionEncryptionIterations),
 	}
 	if runCtx.isDebug {
 		args = append(args, "--logLevel", "debug")
