feat: raise default MCP_GATEWAY_SESSION_TIMEOUT from 2h to 6h (#3201)

The default unified-mode session timeout was 2h; 6h matches the GitHub
Actions default job timeout, preventing premature session expiry in
standard CI workflows.

## Changes

- **`internal/server/transport.go`** — default argument to
`GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", …)` changed from
`2*time.Hour` → `6*time.Hour`
- **`internal/envutil/envutil_test.go`** — updated real-world scenario
test to reflect the new default
- **`docs/ENVIRONMENT_VARIABLES.md`** / **`AGENTS.md`** — updated
default values and rationale in documentation

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build1794183046/b514/launcher.test
/tmp/go-build1794183046/b514/launcher.test
-test.testlogfile=/tmp/go-build1794183046/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1794183046/b434/vet.cfg /mcp/connection.go /mcp/errors.go
x_amd64/vet
/tmp/go-build188/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
-imultiarch x86_64-linux-gnu-bool x_amd64/vet -W g_.a
/tmp/go-build188-ifaceassert x_amd64/vet . ernal/middleware-atomic --64
x_amd64/vet` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1794183046/b496/config.test
/tmp/go-build1794183046/b496/config.test
-test.testlogfile=/tmp/go-build1794183046/b496/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1794183046/b394/vet.cfg 5.0/internal/doc-c=4
5.0/internal/oau-nolocalimports x_amd64/vet
/tmp/go-build188/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
nal/strs x86_64-linux-gnu-bool x_amd64/vet abis�� g_.a -I x_amd64/vet`
(dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build1794183046/b514/launcher.test
/tmp/go-build1794183046/b514/launcher.test
-test.testlogfile=/tmp/go-build1794183046/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1794183046/b434/vet.cfg /mcp/connection.go /mcp/errors.go
x_amd64/vet
/tmp/go-build188/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
-imultiarch x86_64-linux-gnu-bool x_amd64/vet -W g_.a
/tmp/go-build188-ifaceassert x_amd64/vet . ernal/middleware-atomic --64
x_amd64/vet` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build1794183046/b514/launcher.test
/tmp/go-build1794183046/b514/launcher.test
-test.testlogfile=/tmp/go-build1794183046/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1794183046/b434/vet.cfg /mcp/connection.go /mcp/errors.go
x_amd64/vet
/tmp/go-build188/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
-imultiarch x86_64-linux-gnu-bool x_amd64/vet -W g_.a
/tmp/go-build188-ifaceassert x_amd64/vet . ernal/middleware-atomic --64
x_amd64/vet` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1794183046/b523/mcp.test
/tmp/go-build1794183046/b523/mcp.test
-test.testlogfile=/tmp/go-build1794183046/b523/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 9187�� .cfg pmgFoLvmr x_amd64/vet
. --gdwarf2 --64 x_amd64/vet .cfg�� 9187355/b400/_pkg_.a
64/src/net/http/httptest/httptest.go x_amd64/vet -p t/transform
-lang=go1.25 x_amd64/vet` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

AGENTS.md

@@ -376,7 +376,7 @@ DEBUG_COLORS=0 DEBUG=* ./awmg --config config.toml
 - `MCP_GATEWAY_PAYLOAD_DIR` - Large payload storage directory (sets default for `--payload-dir` flag, default: `/tmp/jq-payloads`)
 - `MCP_GATEWAY_PAYLOAD_PATH_PREFIX` - Path prefix for remapping payloadPath returned to clients (sets default for `--payload-path-prefix` flag, default: empty)
 - `MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD` - Size threshold in bytes for payload storage; payloads larger than this are stored to disk (sets default for `--payload-size-threshold` flag, default: `524288`)
-- `MCP_GATEWAY_SESSION_TIMEOUT` - Session timeout for unified mode (`/mcp`) stateful sessions. Accepts Go duration strings (e.g., `30m`, `1h`, `2h30m`). Routed mode is unaffected (hardcoded 30 min). (default: `2h`)
+- `MCP_GATEWAY_SESSION_TIMEOUT` - Session timeout for unified mode (`/mcp`) stateful sessions. Accepts Go duration strings (e.g., `30m`, `1h`, `2h30m`). Routed mode is unaffected (hardcoded 30 min). (default: `6h`)
 - `DOCKER_HOST` - Docker daemon socket path (default: `/var/run/docker.sock`)
 - `MCP_GATEWAY_GUARDS_SINK_SERVER_IDS` - Comma-separated server IDs whose RPC JSONL logs should include agent secrecy/integrity tag snapshots (sets default for `--guards-sink-server-ids`)
 - `MCP_GATEWAY_GUARDS_MODE` - Guards enforcement mode: `strict` (deny violations), `filter` (remove denied tools), `propagate` (auto-adjust agent labels) (sets default for `--guards-mode`, default: `strict`)

docs/ENVIRONMENT_VARIABLES.md

@@ -25,7 +25,7 @@ When running locally (`run.sh`), these variables are optional (warnings shown if
 | `MCP_GATEWAY_PAYLOAD_DIR` | Large payload storage directory (sets default for `--payload-dir` flag) | `/tmp/jq-payloads` |
 | `MCP_GATEWAY_PAYLOAD_PATH_PREFIX` | Path prefix for remapping payloadPath returned to clients (sets default for `--payload-path-prefix` flag) | (empty - use actual filesystem path) |
 | `MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD` | Size threshold in bytes for payload storage (sets default for `--payload-size-threshold` flag) | `524288` |
-| `MCP_GATEWAY_SESSION_TIMEOUT` | Session timeout for unified mode (`/mcp`) stateful sessions. Accepts Go duration strings (e.g., `30m`, `1h`). Default is 2 hours to accommodate long-running agentic workflows. Routed mode is unaffected (hardcoded 30 min). | `2h` |
+| `MCP_GATEWAY_SESSION_TIMEOUT` | Session timeout for unified mode (`/mcp`) stateful sessions. Accepts Go duration strings (e.g., `30m`, `1h`). Default is 6 hours to match the GitHub Actions default timeout. Routed mode is unaffected (hardcoded 30 min). | `6h` |
 | `MCP_GATEWAY_WASM_GUARDS_DIR` | Root directory for per-server WASM guards (`<root>/<serverID>/*.wasm`, first match is loaded) | (disabled) |
 | `MCP_GATEWAY_GUARDS_MODE` | Guards enforcement mode: `strict` (deny violations), `filter` (remove denied tools), `propagate` (auto-adjust agent labels) (sets default for `--guards-mode`) | `strict` |
 | `MCP_GATEWAY_GUARDS_SINK_SERVER_IDS` | Comma-separated sink server IDs for JSONL guards tag enrichment (sets default for `--guards-sink-server-ids`) | (disabled) |

internal/envutil/envutil_test.go

@@ -112,17 +112,17 @@ func TestGetEnvDurationRealWorldScenarios(t *testing.T) {
 		defer os.Unsetenv("MCP_GATEWAY_SESSION_TIMEOUT")
 
 		// Default case
-		result := GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", 2*time.Hour)
-		assert.Equal(t, 2*time.Hour, result)
+		result := GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", 6*time.Hour)
+		assert.Equal(t, 6*time.Hour, result)
 
 		// Override with shorter timeout
 		os.Setenv("MCP_GATEWAY_SESSION_TIMEOUT", "30m")
-		result = GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", 2*time.Hour)
+		result = GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", 6*time.Hour)
 		assert.Equal(t, 30*time.Minute, result)
 
 		// Override with longer timeout
 		os.Setenv("MCP_GATEWAY_SESSION_TIMEOUT", "4h")
-		result = GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", 2*time.Hour)
+		result = GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", 6*time.Hour)
 		assert.Equal(t, 4*time.Hour, result)
 	})
 }

internal/server/transport.go

@@ -38,7 +38,7 @@ func CreateHTTPServerForMCP(addr string, unifiedServer *UnifiedServer, apiKey st
 	}, &sdk.StreamableHTTPOptions{
 		Stateless:      false,                                                              // Support stateful sessions
 		Logger:         logger.NewSlogLoggerWithHandler(logTransport),                      // Integrate SDK logging with project logger
-		SessionTimeout: envutil.GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", 2*time.Hour), // Configurable; 2h default accommodates long-running workflows with idle periods
+		SessionTimeout: envutil.GetEnvDuration("MCP_GATEWAY_SESSION_TIMEOUT", 6*time.Hour), // Configurable; 6h default matches GitHub Actions default timeout
 	})
 
 	// Apply standard middleware stack (SDK logging → shutdown check → auth)