mcpg-config-* (config tooling)
The seven standalone tools that scaffold, validate, document, and inspect the MCPG gateway AppConfig.
Seven standalone binaries (not mcpg subcommands) for authoring, checking,
and understanding the gateway AppConfig. Invoke each directly. They share the
same config loader as the gateway, so what they validate is exactly what the
gateway will boot.
| Binary | Purpose | Usage |
|---|---|---|
mcpg-config-init | Scaffold a config.yaml from a deployment template (or interactive wizard) | mcpg-config-init [--list] [--template <name>] [--output config.yaml] [--force] |
mcpg-config-check | Pre-flight validate config (CI / pre-commit) — exit 0/1/2 | mcpg-config-check <config.yaml> [<override.yaml> …] |
mcpg-config-schema | Emit the full JSON Schema of AppConfig (IDE autocomplete) | mcpg-config-schema > config.schema.json |
mcpg-config-doc | Emit a Markdown config reference (deterministic; for docs) | mcpg-config-doc > configuration.md |
mcpg-config-explain | Describe one config field by dotted path (type / default / enum / doc) | mcpg-config-explain [governance.audit.on_failure] |
mcpg-config-secrets | List every secret reference (${$env.VAR}, scheme://…) the gateway will resolve | mcpg-config-secrets [--json] <config.yaml> … |
mcpg-config-wiring | Print the wiring report — which kind: each consumer slot resolves to + loaded plugins | mcpg-config-wiring <config.yaml> … |
Templates
mcpg-config-init --list prints the available templates:
| Template | Shape |
|---|---|
dev-single-node | Laptop dev, mock binding, stderr logs |
production-single-redis | Single-instance prod, Redis, OIDC |
production-redis-cluster | Multi-replica via Redis, S3 audit |
production-nats-cluster | NATS JetStream variant |
air-gapped | Zero-outbound, static JWKS, file storage |
multi-tenant | Per-tenant quota + rate limit + group-gated tools |
mcpg-config-init exit codes: 0 (config written), 1 (refused to overwrite
without --force, or unknown --template), 2 (usage / I/O error). With no
flags it runs an interactive wizard.
Examples
mcpg-config-init --template multi-tenant --output ./tenant-prod.yaml # scaffold
mcpg-config-check base.yaml production.yaml # ✓ valid (8 bindings, audit on)
mcpg-config-explain governance.audit.on_failure # Type: enum, default fail_closed
mcpg-config-secrets --json prod.yaml # machine-readable secret inventory
mcpg-config-wiring config.yaml # consumer slots → resolved kinds
mcpg-config-schema > config.schema.json # then add a yaml-language-server $schema
mcpg-config-explain with no argument lists the top-level AppConfig blocks
(mcp, governance, gateway, observability, feature_flags, debug,
schema_registry, storage, cluster, plugins); pass any dotted path to
drill in.
Notes
check/secretsread the on-disk files only (noMCPG_*env overrides), so they review the source of truth you commit.wiringuses the full runtime loader (so it folds inMCPG_*overrides and runs validation).- Multiple files merge in argument order with later-wins semantics — the same
as
MCPG_CONFIG=a.yaml:b.yamlat runtime. Object fields deep-merge; arrays and scalars replace wholesale. schema/docare deterministic emitters — CI candiffa committed copy to catch drift. They take no arguments and write to stdout.- Add the schema reference to your YAML for IDE autocomplete:
# yaml-language-server: $schema=./config.schema.json.
For the field-by-field surface these tools describe, see the configuration reference.