Glossary
Terms as Gig'MCP uses them. Alphabetical.
Bubblewrap (bwrap)
The unprivileged sandboxing tool the gateway uses to spawn each MCP server as an isolated child process inside its own container — no Docker socket involved. Bubblewrap sets up user, PID, mount, and network namespaces; a trusted in-sandbox bootstrap then configures networking, drops all capabilities, drops to uid 65534 (nobody), installs the seccomp filter, and execves the untrusted server. See Sandbox isolation.
cgroups
Linux control groups. Each sandbox already gets its own cgroup namespace (bubblewrap's --unshare-all); per-sandbox resource limits (CPU, memory) are a planned hardening item alongside Landlock.
DEK / KEK
Data Encryption Key / Key Encryption Key — the two layers of envelope encryption. Each secret gets its own DEK; DEKs are wrapped by the master KEK supplied via GIG_MASTER_KEY. The KEK is never stored in the database. See Vault.
Digest pinning
Registry manifests reference OCI images by their immutable sha256: digest, not by a mutable tag. The gateway verifies the digest after pulling, so what the registry maintainers approved is byte-for-byte what runs. A manifest with a placeholder digest is not installable.
Egress allowlist
The set of hostnames a sandboxed server is permitted to reach, declared in its manifest's entitlements.egress (exact hostnames or single-suffix wildcards like *.slack.com). Enforced as a hard cap by the MITM egress proxy at CONNECT time, before any TLS leaf is minted. Registry lint CI blocks bare * wildcards and known exfiltration domains.
Entitlements
A manifest's author-declared, PR-gated set of permissions — chiefly the egress allowlist. The proxy enforces entitlements as a hard cap; manifest changes on update force re-consent in every gateway that has the server installed.
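An added example, not Gig'MCP's own code, of the allowlist matching and the registry lint gate the Egress allowlist and Entitlements entries describe, written in Go because the gateway and registryctl are Go. It assumes a `*.suffix` wildcard matches exactly one label, and the blocked-domain entries are constructed placeholders standing in for the real CI list.

```go
package main

import (
	"fmt"
	"strings"
)

// Allowlist holds a manifest's entitlements.egress entries as written.
type Allowlist []string

// Match reports whether host may be reached. "*.slack.com" is assumed to match
// exactly one label (api.slack.com, not slack.com or a.b.slack.com); other
// entries are exact, case-insensitive hostnames.
func (a Allowlist) Match(host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, e := range a {
		e = strings.ToLower(e)
		if strings.HasPrefix(e, "*.") {
			rest := strings.TrimSuffix(host, e[1:]) // strip ".slack.com"
			if rest != host && rest != "" && !strings.Contains(rest, ".") {
				return true
			}
		} else if host == e {
			return true
		}
	}
	return false
}

// blockedDomains stands in for the registry's known-exfiltration list (constructed
// placeholder values; the real list lives in the registry's lint CI).
var blockedDomains = map[string]bool{"exfil.example": true, "paste.example": true}

// Lint mirrors the CI gate on entitlements.egress: no bare "*", at most one
// wildcard and only as a leading "*.", and nothing on the blocked list.
func Lint(a Allowlist) error {
	for _, e := range a {
		e = strings.ToLower(e)
		switch {
		case e == "*" || e == "*.":
			return fmt.Errorf("egress %q: bare wildcard is not allowed", e)
		case strings.Count(e, "*") > 1:
			return fmt.Errorf("egress %q: only one wildcard is allowed", e)
		case strings.Contains(e, "*") && !strings.HasPrefix(e, "*."):
			return fmt.Errorf("egress %q: wildcard must be a leading \"*.\"", e)
		case blockedDomains[strings.TrimPrefix(e, "*.")]:
			return fmt.Errorf("egress %q: known exfiltration domain", e)
		}
	}
	return nil
}
```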
Entrusted tier
Credential Tier 2: the real secret is placed in the sandbox environment (inject.env), for cases the proxy can't rewrite — database connection strings, certificate-pinned clients. The egress allowlist still applies, but an entrusted server could exfiltrate its own secret through an allowed domain, which is why the tier is surfaced prominently. Compare Sealed tier.
Envelope encryption
The vault's encryption scheme: each secret is encrypted with its own per-secret DEK using XChaCha20-Poly1305; the DEK is in turn wrapped by the master KEK from GIG_MASTER_KEY. Ciphertext headers carry versioned key IDs for rotation. See Vault.
Gateway
The single Go binary at the center of Gig'MCP. It is the MCP aggregator/router, auth authority, REST API, vault, sandbox supervisor, and egress proxy in one process, deployed via Docker Compose alongside the Next.js dashboard. In the threat model the gateway is trusted infrastructure; the servers it runs are not. See System overview.
Landlock
A Linux kernel LSM for unprivileged filesystem sandboxing. In Gig'MCP it is a planned hardening layer (the design's sandbox stack lists it alongside namespaces and seccomp), not yet applied — today filesystem restriction comes from bubblewrap's mount namespace and read-only binds.
Manifest
A per-server YAML file in the registry (manifests/<name>/<version>.yaml) declaring the server's source repo and tag, digest-pinned image, security tier, egress entitlements, credential schema (including how the proxy injects the secret), and the tool subset exposed by default. PR-gated and lint-enforced. See Manifests.
MCP (Model Context Protocol)
The open protocol that lets AI clients (Claude Code, Cursor, …) call tools served by MCP servers. Gig'MCP aggregates many MCP servers behind one streamable-HTTP MCP endpoint per profile.
Meta-tools mode
A per-profile opt-in where instead of exposing every tool directly, the gateway exposes search/load meta-tools that let the client discover and pull in tools on demand. The per-profile flag exists in the schema today; the meta-tools serving path itself is not yet implemented.
MITM egress proxy
The gateway's embedded man-in-the-middle HTTPS proxy — a hand-rolled net/http CONNECT proxy with a runtime ECDSA P-256 CA that mints per-host leaf certificates. Every sandbox's only network route leads to it. It identifies the calling tenant by the connection's source IP, checks the egress allowlist, and swaps the placeholder token for the real, vault-decrypted credential. Route isolation, not the HTTPS_PROXY environment variable, is the enforcement. See Egress proxy.
Network namespace (netns)
A Linux namespace giving a process its own isolated network stack. Each sandbox gets one, connected to the gateway by a dedicated veth pair on a /30 subnet — so a sandbox can only source its own IP, which is what makes proxy identity binding unforgeable.
OCI image
The standard container image format. Registry CI builds each server from the author's tagged source into an OCI image; the gateway pulls it, verifies the pinned digest, extracts the rootfs, and runs the entrypoint under bubblewrap — there is no Docker daemon in the path.
Placeholder token
The fake secret (e.g. PLACEHOLDER) a sealed-tier sandbox receives in its environment instead of the real key. The egress proxy recognizes it on outbound HTTPS requests and substitutes the real credential — but only for allowlisted hosts.
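An added illustration, not the gateway's proxy code, of the identity binding and credential swap described under MITM egress proxy, Network namespace and Placeholder token: the tenant is chosen by the connection's source IP inside its /30, the allowlist is enforced at CONNECT time before anything else, and only then is the placeholder replaced. The Tenant shape, the Authorization-header rewrite and all sample values are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Tenant is what the proxy knows about one sandbox: the /30 its veth end was
// given at spawn, the manifest's allowlist check, and the vault-decrypted secret.
type Tenant struct {
	Subnet  *net.IPNet
	Allowed func(host string) bool
	Secret  string
}

const placeholder = "PLACEHOLDER" // what a sealed-tier sandbox sees in its env

// Connect is the CONNECT-time decision, taken before any TLS leaf is minted: bind
// the connection to a tenant by source IP alone (the only address that sandbox's
// netns can source), then enforce that tenant's allowlist on the requested host.
func Connect(tenants []Tenant, remoteAddr, host string) (*Tenant, error) {
	src, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return nil, err
	}
	var tn *Tenant
	for i := range tenants {
		if tenants[i].Subnet.Contains(net.ParseIP(src)) {
			tn = &tenants[i]
		}
	}
	if tn == nil {
		return nil, fmt.Errorf("no sandbox owns source %s", src)
	}
	if !tn.Allowed(strings.ToLower(host)) {
		return nil, fmt.Errorf("egress to %s is not entitled", host)
	}
	return tn, nil
}

// Inject swaps the placeholder for the real credential on a request that Connect
// already authorized, so the real secret only ever travels to allowlisted hosts.
func Inject(tn *Tenant, r *http.Request) {
	if v := r.Header.Get("Authorization"); strings.Contains(v, placeholder) {
		r.Header.Set("Authorization", strings.ReplaceAll(v, placeholder, tn.Secret))
	}
}
```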
Profile
A named bundle of installed servers exposed at one MCP endpoint, /mcp/p/<slug>, authenticated by its own bearer token. Profiles belong to a user; one sandboxed server instance is spawned per (server × profile), never shared across users. See Profiles.
Registry
The gigmcp-registry repository: a curated catalog of MCP servers as digest-pinned OCI images plus PR-gated entitlement manifests. CI lints manifests, builds images, and publishes a signed index that gateways consume — never the raw repo. See Registry overview.
registryctl
The registry's CLI (cmd/registryctl): lint, lint-toolspecs, build-index, sign, verify, keygen, and build-args. Used by registry CI and by contributors locally. See registryctl.
Sealed tier
Credential Tier 1, the default: the real key never enters the sandbox. The server gets only a placeholder token; the MITM egress proxy injects the real key into outbound requests to allowlisted domains. Compare Entrusted tier.
seccomp
Linux syscall filtering. Two layers are relevant: the Docker-level profile (currently seccomp=unconfined, required for bubblewrap's unprivileged user namespaces — a custom profile is a planned hardening item), and the gateway's own application-level seccomp-BPF filter installed inside every sandbox before execve, which kills processes attempting namespace escapes (unshare, setns, clone(CLONE_NEWUSER)), mount operations, ptrace, kernel-module loading, and other escalation vectors. See Sandbox isolation.
Signed index
index.json — the compiled, ed25519-signed artifact registry CI publishes on every merge to main. It is the only thing gateways trust: the gateway verifies the signature with GIG_REGISTRY_PUBKEY before honoring any entry.
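An added example, not the registry's or gateway's own code, of the two checks described under Digest pinning and Signed index: ed25519 verification of the raw index.json bytes against the key from GIG_REGISTRY_PUBKEY before any parsing, rejection of placeholder digests (assumed here to be anything not of the form sha256:<64 hex>), and the digest comparison after a pull. The JSON field names and the detached-signature layout are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"regexp"
)

// Index is the subset of index.json this example reads; the field names are an
// assumption, not the registry's real schema.
type Index struct {
	Servers []struct {
		Name   string `json:"name"`
		Digest string `json:"digest"`
	} `json:"servers"`
}

// A pinned digest is "sha256:" plus 64 hex chars; anything else is a placeholder.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// LoadIndex trusts the index only after ed25519 verification of the exact bytes
// (sig assumed detached); tampered bytes never reach the JSON parser.
func LoadIndex(pub ed25519.PublicKey, raw, sig []byte) (*Index, error) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, raw, sig) {
		return nil, fmt.Errorf("index.json: signature verification failed")
	}
	var idx Index
	if err := json.Unmarshal(raw, &idx); err != nil {
		return nil, err
	}
	for _, s := range idx.Servers {
		if !digestRe.MatchString(s.Digest) {
			return nil, fmt.Errorf("%s: %q is not a pinned sha256 digest", s.Name, s.Digest)
		}
	}
	return &idx, nil
}

// VerifyPulled checks that the bytes the gateway actually pulled hash to the
// pinned digest, so a tag move or registry-side substitution cannot change what runs.
func VerifyPulled(pinned string, pulled []byte) error {
	sum := sha256.Sum256(pulled)
	if got := "sha256:" + hex.EncodeToString(sum[:]); got != pinned {
		return fmt.Errorf("digest mismatch: want %s, got %s", pinned, got)
	}
	return nil
}
```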
Toolpack
A generic, static Go MCP engine (github.com/gigmcp/toolpack) that serves an entire service's tools from a declarative toolspec instead of bespoke server code — one templated HTTP request per tool, the Composio model. It is the planned path to making the registry's long tail of cataloged services installable. See Builders.
Toolspec
A declarative YAML file (toolspecs/<name>/<version>.yaml) mapping MCP tools to HTTP requests — base URL, method, path templates, parameter schemas — consumed by the toolpack engine. Paired 1:1 with a manifest version and lint-enforced against it (tool sets must match, hosts must pass the manifest's egress rules). See Toolspecs.
Vault
The gateway's credential store: secrets envelope-encrypted with XChaCha20-Poly1305 at rest in the database (SQLite today; the store interface is designed for a Postgres driver too), decrypted only on the trusted side of the sandbox boundary when the egress proxy injects them. See Vault.
veth pair
A virtual Ethernet cable between two network namespaces. At sandbox spawn the gateway creates one per sandbox, moves one end into the sandbox's netns, and records the assigned /30 IP — that IP is the sandbox's identity at the proxy.