Detect whether the current process runs inside the AWF sandbox with the MCP gateway active. Heuristic matches scripts/mcp-setup.sh:
MCP_GATEWAY_API_KEY env var present (checked via hasMcpGatewayApiKey in config/auth.ts โ the single auditable sink for token-bearing env reads), OR
gateway.apiKey present in mcp-config.json, OR
mcpServers['riksdag-regering'].headers.Authorization present in mcp-config.json (populated by the gateway bootstrap).
When true, the client must route through the gateway domain/port resolved by buildAwfGatewayUrl rather than the direct onrender HTTPS URL. The AWF api-proxy performs TLS MITM on outbound HTTPS which produces EPROTO SSL wrong version number when Node.js hits onrender.com directly, so gateway routing is mandatory inside the sandbox even when scripts/mcp-setup.sh was not sourced first.
Detect whether the current process runs inside the AWF sandbox with the MCP gateway active. Heuristic matches
scripts/mcp-setup.sh:MCP_GATEWAY_API_KEYenv var present (checked viahasMcpGatewayApiKeyinconfig/auth.tsโ the single auditable sink for token-bearing env reads), ORgateway.apiKeypresent inmcp-config.json, ORmcpServers['riksdag-regering'].headers.Authorizationpresent inmcp-config.json(populated by the gateway bootstrap).When true, the client must route through the gateway domain/port resolved by buildAwfGatewayUrl rather than the direct onrender HTTPS URL. The AWF api-proxy performs TLS MITM on outbound HTTPS which produces
EPROTO SSL wrong version numberwhen Node.js hits onrender.com directly, so gateway routing is mandatory inside the sandbox even whenscripts/mcp-setup.shwas not sourced first.