ADR-024: Unified Gateway Architecture with Mode-Based Configuration
Metadataβ
| Field | Value |
|---|---|
| Status | β Accepted |
| Date | 2026-01-26 |
| Updated | 2026-01-26 |
| Linear | CAB-958 |
Contextβ
STOA Platform has naming confusion between two gateway components:
mcp-gateway/(Python/FastAPI) β production, MCP protocol supportstoa-gateway/(Rust/Axum) β emerging, research
This creates cognitive load for contributors and users. Even the project creator forgot the distinction. This is day-0 technical debt before having a single customer.
The Problemβ
"Is it mcp-gateway or stoa-gateway? What's the difference?" β Every new contributor
Decisionβ
Adopt a unified gateway architecture with 4 deployment modes, configured via --mode flag.
Naming Conventionβ
| Artifact | Name |
|---|---|
| Component name | stoa-gateway |
| Binary | stoa-gateway |
| Helm Chart | stoa-gateway |
| Docker Image | ghcr.io/hlfh/stoa-gateway |
| Config file | stoa-gateway.yaml |
| K8s resources | stoa-gateway |
KILL: mcp-gateway as component name. It's just --mode=edge-mcp.
Four Deployment Modesβ
Unified Gateway Architecture
Single stoa-gateway binary with 4 deployment modes via --mode flag. From passive observation to full AI-native gateway.
Mode Overviewβ
| Mode | Position | Function | Use Case |
|---|---|---|---|
| edge-mcp | AI agents front | MCP protocol, tools/call, SSE | Claude, GPT, custom LLM agents |
| sidecar | Behind 3rd-party GW | Observability, enrichment | Kong, webMethods, Apigee existing |
| proxy | Inline active | Policy enforcement, rate limit, transform | Classic API Management |
| shadow | Passive MITM | Observe, log, auto-generate UAC | Legacy APIs, undocumented progiciels |
Mode Detailsβ
Edge-MCP Modeβ
Status: β Production (Python) β Rust Q2 2026
AI-native API gateway implementing Model Context Protocol:
- SSE transport for real-time streaming
- JSON-RPC 2.0 message handling
- Dynamic tool registry from K8s CRDs
- OAuth2/OIDC authentication via Keycloak
stoa-gateway --mode=edge-mcp --port=3001
Configurationβ
gateway:
mode: edge-mcp
mcp:
protocol_version: "2024-11-05"
transports:
- http
- websocket
- sse
tool_discovery:
enabled: true
cache_ttl: 300s
rate_limiting:
requests_per_minute: 1000
authentication:
type: jwt
issuer: https://auth.<YOUR_DOMAIN>
Proxy Modeβ
Status: π Planned Q3 2026
Classic API gateway with policy enforcement:
- OPA policy evaluation
- Rate limiting per tenant/consumer
- Request/response transformation
- Circuit breaker patterns
stoa-gateway --mode=proxy --upstream=http://backend:8080
Configurationβ
gateway:
mode: proxy
proxy:
routing:
strip_path: true
preserve_host: false
rate_limiting:
enabled: true
requests_per_second: 100
authentication:
type: jwt
issuer: https://auth.<YOUR_DOMAIN>
transforms:
request:
add_headers:
X-Tenant-ID: "{{ .tenant }}"
response:
remove_headers:
- X-Internal-Secret
Sidecar Modeβ
Status: π Planned Q2 2026
Deploy behind existing API gateways to add STOA capabilities:
- Observability injection (OpenTelemetry)
- Metering events to Kafka
- UAC compliance validation
- Error snapshot capture
stoa-gateway --mode=sidecar --primary-gateway=kong
Configurationβ
gateway:
mode: sidecar
sidecar:
upstream_gateway: kong # or: webmethods, apigee, custom
features:
error_snapshot: true # Time-travel debugging
observability: true # Prometheus, traces
uac_validation: true # Contract compliance
pii_masking: true # RGPD compliance
passthrough:
preserve_headers: true
preserve_body: true
Shadow Mode (π Killer Feature)β
Status: π¬ Experimental β Python shadow middleware exists in mcp-gateway/src/middleware/shadow.py (passive capture only, no modification). Rust implementation deferred to Q4 2026.
Passive traffic observation for legacy API discovery:
- Zero modification to requests/responses
- Capture traffic patterns
- Auto-generate UAC contracts (no ML, just HTTP parsing + heuristics)
- Human-in-the-loop validation before promotion
stoa-gateway --mode=shadow --target=http://legacy-erp:8080
Configurationβ
gateway:
mode: shadow
shadow:
capture:
requests: true
responses: true
headers: true
bodies: true # PII masking applied
uac_generation:
enabled: true
confidence_threshold: 0.8
export_to_control_plane: true
require_human_review: true
target:
backend: http://legacy-erp:8080
Security Deferral Checklistβ
Shadow mode captures potentially sensitive traffic. Implementation deferred until:
- PII detection/masking before Kafka emission
- Explicit opt-in per API/tenant (no silent capture)
- Retention policy < 30 days with auto-purge
- Audit log: who accessed observations, when, why
- RGPD Article 25 (Privacy by Design) compliance documentation
- Team Coca security review sign-off
Transition Strategy: Shadow β Proxyβ
For organizations migrating from observation to enforcement:
gateway:
mode: proxy
shadow:
keep_observing: true # Dual-mode: enforce AND observe
canary:
enabled: true
proxy_percentage: 10 # 10% through proxy, 90% direct
observation_percentage: 100 # All traffic observed
Migration Pathβ
- Week 1-2: Shadow mode β observe, generate UAC drafts
- Week 3: Human review β validate contracts, adjust
- Week 4: Canary β 10% through Proxy with enforcement
- Week 5-6: Ramp up β 50%, 80%, 100%
- Week 7+: Full Proxy β disable Shadow or keep for audit
Current Stateβ
mcp-gateway/ # Python/FastAPI β PRODUCTION
βββ src/
β βββ handlers/mcp_sse.py # SSE transport
β βββ services/tool_registry/ # Tool management
β βββ k8s/watcher.py # CRD watcher
βββ Dockerfile
stoa-gateway/ # Rust/Axum β EMERGING/RESEARCH
βββ src/
β βββ uac/enforcer.rs # UAC enforcement
β βββ mcp/handlers.rs # MCP handlers
β βββ router/shadow.rs # Shadow router
βββ Cargo.toml
Target State (Q4 2026)β
Single stoa-gateway Rust binary with --mode flag:
stoa-gateway/ # Rust/Tokio/Hyper β TARGET
βββ src/
β βββ main.rs # Entry point, --mode flag
β βββ modes/
β β βββ mod.rs # Mode trait
β β βββ edge_mcp.rs # MCP protocol (port from Python)
β β βββ sidecar.rs # Behind 3rd-party gateway
β β βββ proxy.rs # Inline policy enforcement
β β βββ shadow.rs # Traffic capture, UAC generation
β βββ auth/
β β βββ oidc.rs # Keycloak JWT validation
β βββ observability/
β βββ metrics.rs # Prometheus
βββ Cargo.toml
βββ Dockerfile
Python mcp-gateway/ deprecated after Rust reaches feature parity.
Migration Strategyβ
- Keep Python mcp-gateway in production during transition
- Port mode-by-mode to Rust (edge-mcp first, shadow last)
- Shadow mirror Python vs Rust for validation
- Cut over when Rust achieves >99.9% request compatibility
Migration Phasesβ
| Phase | Timeline | Deliverable |
|---|---|---|
| Phase 16 | Now | ADR + documentation (this document) |
| Phase 17 | Q2 2026 | Rust gateway foundation + edge-mcp port |
| Phase 18 | Q3 2026 | proxy + sidecar modes |
| Phase 19 | Q4 2026 | shadow mode (after security review) |
Configuration Referenceβ
Environment Variablesβ
# Mode selection
GATEWAY_MODE=edge-mcp # edge-mcp | sidecar | proxy | shadow
# Common settings
GATEWAY_PORT=3001
GATEWAY_LOG_LEVEL=info
# Keycloak (all modes)
KEYCLOAK_URL=https://auth.<YOUR_DOMAIN>
KEYCLOAK_REALM=stoa
KEYCLOAK_CLIENT_ID=stoa-gateway
# Mode-specific
SHADOW_TARGET_BACKEND=http://legacy:8080
SIDECAR_PRIMARY_GATEWAY=kong
PROXY_OPA_ENDPOINT=http://opa:8181
Helm Valuesβ
gateway:
mode: edge-mcp
image:
repository: ghcr.io/hlfh/stoa-gateway
tag: latest
edgeMcp:
enabled: true
port: 3001
sidecar:
enabled: false
primaryGateway: ""
proxy:
enabled: false
opaEndpoint: ""
shadow:
enabled: false # Experimental β Python middleware exists, Rust deferred Q4 2026
Consequencesβ
Positiveβ
- Clear naming: one component, multiple modes
- Single language (Rust) for all new gateway code
- Incremental migration reduces risk
- No breaking changes during transition
- Shadow mode differentiation: Auto UAC generation from observed traffic
Negativeβ
- Two codebases during transition period
- Documentation overhead: must clarify "current (Python)" vs "target (Rust)"
- Binary size: Four modes in one binary may increase size (mitigated by feature flags)
Validationβ
OSS Contributor Personaβ
"Encore un projet qui veut tout faire? Shadow + Proxy + MCP + Sidecar dans le mΓͺme binaire? Γa va Γͺtre un monstre inmaintenable."
Response:
- Core commun minimal (HTTP handling, auth, metrics)
- Modes = feature flags, not separate code branches
- Shadow is simplest (read-only)
- Complexity increases progressively: Shadow < Proxy < Sidecar < Edge-MCP
Enterprise Architect Personaβ
"Le mode Shadow c'est exactement ce qu'il nous faut pour les progiciels. On a 50 APIs non documentΓ©es, les Γ©diteurs ne rΓ©pondent plus, les devs d'origine sont partis."
Validated:
- β Shadow = minimal risk (passive, read-only)
- β UAC generation = automatic documentation
- β Natural progression: Shadow β Proxy β Full governance
- β Compatible with existing gateways (sidecar mode)
"Par contre, comment on gΓ¨re la transition Shadow β Proxy sans coupure?"
Response:
- Dual-mode: Shadow continues observing while Proxy enforces
- Canary: 10% through Proxy, 90% direct, 100% observed
- Feature flag:
shadow.keep_observing=trueeven in Proxy mode
Commercial Pitch (30 seconds)β
"Got legacy APIs with no docs? Deploy STOA in Shadow mode for 2 weeks. It observes traffic and auto-generates interface contracts with minimal disruption to existing infrastructure. Then you decide: keep just the docs, or activate governance."
Referencesβ
Decision Recordβ
| Date | Decision | Author |
|---|---|---|
| 2026-01-26 | ADR created, unified architecture adopted | CAB-958 |
| 2026-01-26 | Shadow mode deferred for security review | Team Coca |
| 2026-01-26 | Added YAML configs, transition strategy, validation personas | CAB-958 |
Standard Marchemalo: A 40-year veteran architect understands in 30 seconds β