Fix filesystem and playwright MCP server configurations in stress test (#844)

Nightly stress test detected configuration errors in two MCP servers:
filesystem expected directories as CLI arguments but received
environment variables, and playwright had redundant host list entries.

## Changes

**filesystem server**
- Changed from `env.ALLOWED_PATHS` to `entrypointArgs: ["/workspace"]`
- Server requires directory paths as positional arguments after
container name

**playwright server**  
- Simplified allowed-hosts/origins from
`localhost;localhost:*;127.0.0.1;127.0.0.1:*` to
`localhost:*;127.0.0.1:*`
- Removed redundant non-wildcard entries

## Configuration structure

Gateway converts workflow YAML to Docker commands following this
pattern:
```bash
docker run [args...] <container> [entrypointArgs...]
```

- `args`: Docker runtime flags (e.g., `--init`, `--network host`) -
before container
- `entrypointArgs`: Application arguments - after container

## Testing

Added `TestLoadFromStdin_FilesystemServerConfig` and
`TestLoadFromStdin_PlaywrightServerConfig` to validate argument
placement and prevent similar configuration errors.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build1254119737/b275/launcher.test
/tmp/go-build1254119737/b275/launcher.test
-test.testlogfile=/tmp/go-build1254119737/b275/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
/opt/hostedtoolcache/go/1.25.6/x64/src/runtime/cgo 6765506/b184/
ache/Python/3.12.12/x64/bin/as --gdwarf-5 --64 -o as 6765�� d -n 10 -I
docker-buildx --gdwarf-5 --64 -o docker-buildx` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3908585129/b001/config.test
/tmp/go-build3908585129/b001/config.test
-test.testlogfile=/tmp/go-build3908585129/b001/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true go1.25.6 -c=4
-nolocalimports -importcfg /tmp/go-build2196765506/b210/importcfg -pack
/opt/hostedtoolcache/go/1.25.6/x64/src/net/http/httptest/httptest.go
conf�� go k/gh-aw-mcpg/gh-aw-mcpg/tools.go--gdwarf2
ache/Python/3.12.12/x64/bin/bash--64
k/gh-aw-mcpg/gh-/opt/hostedtoolcache/go/1.25.6/x64/pkg/tool/linux_amd64/compile
k/gh-aw-mcpg/gh--o k/gh-aw-mcpg/gh-/tmp/go-build2196765506/b125/_pkg_.a
.o` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build1254119737/b275/launcher.test
/tmp/go-build1254119737/b275/launcher.test
-test.testlogfile=/tmp/go-build1254119737/b275/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
/opt/hostedtoolcache/go/1.25.6/x64/src/runtime/cgo 6765506/b184/
ache/Python/3.12.12/x64/bin/as --gdwarf-5 --64 -o as 6765�� d -n 10 -I
docker-buildx --gdwarf-5 --64 -o docker-buildx` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build1254119737/b275/launcher.test
/tmp/go-build1254119737/b275/launcher.test
-test.testlogfile=/tmp/go-build1254119737/b275/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
/opt/hostedtoolcache/go/1.25.6/x64/src/runtime/cgo 6765506/b184/
ache/Python/3.12.12/x64/bin/as --gdwarf-5 --64 -o as 6765�� d -n 10 -I
docker-buildx --gdwarf-5 --64 -o docker-buildx` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1254119737/b284/mcp.test
/tmp/go-build1254119737/b284/mcp.test
-test.testlogfile=/tmp/go-build1254119737/b284/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
/tmp/go-build2196765506/b218/_pkg_.a 6765506/b184/ p/bin/as -p
github.com/githu-unsafeptr=false -lang=go1.25 as 6765�� d -n 10
--debug-prefix-map ache/go/1.25.6/x64/pkg/tool/linux_amd64/vet -I
/opt/hostedtoolcmod -I ache/go/1.25.6/x64/pkg/tool/linuf() { test
&#34;$1&#34; = get &amp;&amp; echo &#34;******&#34;; }; f sto-w` (dns
block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT ORIGINAL PROMPT -->



<details>

<summary>Original prompt</summary>


----

*This section details on the original issue you should resolve*

<issue_title>[mcp-stress-test] Server Configuration Failures Detected -
filesystem & playwright</issue_title>
<issue_description>The nightly stress test detected 2 servers with
configuration errors (not authentication issues).

## Test Summary

- **Test Session:** stress-test-20260208-034257
- **Test Date:** 2026-02-08T03:42:57Z
- **Total Configuration Failures:** 2

## Failed Servers

### 1. filesystem - Command Arguments Error

**Container:** mcp/filesystem

**Issue Type:** Configuration Error

**Error:**
``````
Usage: mcp-server-filesystem (allowed-directory) [additional-directories...]
``````

**Analysis:**
The filesystem server expects allowed directories as positional
command-line arguments, but the configuration is passing them as
environment variables (`ALLOWED_PATHS`). The docker command structure
needs to be updated.

**Current Configuration Issue:**
The server is launched with environment variable but expects positional
args.

**Suggested Fix:**
Update configuration to pass directories as positional arguments:

``````json
{
  "filesystem": {
    "type": "stdio",
    "container": "mcp/filesystem",
    "args": ["/workspace", "/additional/path"]
  }
}
``````

Or update the docker args to include the directory paths:
```````json
{
  "filesystem": {
    "type": "stdio",
    "command": "docker",
    "args": ["run", "--rm", "-i", "-v", "/tmp/mcp-test-fs:/workspace:rw", "mcp/filesystem", "/workspace"]
  }
}
``````

**Suggested Investigation:**
- [ ] Review filesystem server documentation for correct argument format
- [ ] Update gateway configuration to pass directories correctly
- [ ] Test with simple single directory first
- [ ] Consider if server should be updated to support env vars

---

### 2. playwright - Duplicate Flag Error

**Container:** mcr.microsoft.com/playwright/mcp

**Issue Type:** Configuration Error

**Error:**
``````
error: unknown option '--init'
``````

**Analysis:**
The docker command includes the `--init` flag twice - once as a docker
option (correct) and once passed to the playwright binary (incorrect).
The playwright binary doesn't recognize the `--init` flag and fails.

**Current Configuration Issue:**
``````
docker run --rm -i --init --network host mcr.microsoft.com/playwright/mcp --output-dir ... --init --network host
```````

Notice `--init` and `--network host` appear twice.

**Suggested Fix:**
Remove the duplicate flags from the playwright server arguments:

``````json
{
  "playwright": {
    "type": "stdio",
    "command": "docker",
    "args": [
      "run", "--rm", "-i",
      "--init",
      "--network", "host",
      "-v", "/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw",
      "mcr.microsoft.com/playwright/mcp",
      "--output-dir", "/tmp/gh-aw/mcp-logs/playwright",
      "--allowed-hosts", "localhost,localhost:*,127.0.0.1,127.0.0.1:*",
      "--allowed-origins", "localhost;localhost:*;127.0.0.1;127.0.0.1:*"
    ]
  }
}
``````

**Suggested Investigation:**
- [ ] Review playwright MCP server documentation
- [ ] Remove duplicate `--init` and `--network host` from args array
- [ ] Verify correct flag order for playwright binary
- [ ] Test with corrected configuration

---

## Gateway Logs

From the gateway logs, both issues are clearly configuration-related,
not authentication or protocol issues:

**filesystem:**
- Server expects CLI args but receives env vars
- Quick fix: restructure docker command args

**playwright:**
- Duplicate flags passed to both docker and playwright binary
- Quick fix: remove duplicate flags from args array

## Test Configuration Used

The test used the following configuration:
- Startup Timeout: 60s
- Tool Timeout: 30s
- Test Method: Sequential server testing
- Gateway: Successfully handled all requests

## Impact

These configuration issues prevent 2 MCP servers from launching:
1. **filesystem** - Would provide file system access if configured
correctly
2. **playwright** - Would provide browser automation if configured
correctly

Both are fixable with configuration changes and don't require code
modifications.

## Next Steps

1. **Priority: High** - Fix filesystem configuration
   - Update docker args to pass directories as positional arguments
   - Test with `/workspace` mount
   
2. **Priority: High** - Fix playwright configuration
   - Remove duplicate `--init` and `--network host` flags
   - Verify flag order matches playwright binary expectations

3. Re-run stress test to verify fixes
4. Update documentation with correct configuration examples

---
*Generated by Nightly MCP Stress Test*  
*Test Session: stress-test-20260208-034257*

**Full Test Results:** See workflow run artifacts at
`/tmp/mcp-stress-results/`




> AI generated by [Nightly MCP Server Stress
Test](https://github.com/github/gh-aw-mcpg/actions/runs/21791681391)

<!-- gh-aw-agentic-workflow: Nightly MCP Server Stress Test, engine:
copilot, run:
https://github.com/github/gh-aw-mcpg/actions/runs/2179168139...

</details>


> **Custom agent used: agentic-workflows**
> GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade
AI-powered workflows with intelligent prompt routing



<!-- START COPILOT CODING AGENT SUFFIX -->

- Fixes #843

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/github/gh-aw-mcpg/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Author: lpcox

.github/workflows/nightly-mcp-stress-test.md

@@ -33,8 +33,7 @@ mcp-servers:
   filesystem:
     type: stdio
     container: "mcp/filesystem"
-    env:
-      ALLOWED_PATHS: "/tmp,/workspace"
+    entrypointArgs: ["/workspace"]
     mounts:
       - "/tmp/mcp-test-fs:/workspace:rw"
   memory:
@@ -95,7 +94,7 @@ mcp-servers:
     type: stdio
     container: "mcr.microsoft.com/playwright:v1.49.1-noble"
     args: ["--init", "--network", "host"]
-    entrypointArgs: ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--allowed-hosts", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com", "--allowed-origins", "localhost;localhost:*;127.0.0.1;127.0.0.1:*;github.com"]
+    entrypointArgs: ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--allowed-hosts", "localhost:*;127.0.0.1:*;github.com", "--allowed-origins", "localhost:*;127.0.0.1:*;github.com"]
 #    env:
 #      PLAYWRIGHT_BROWSERS_PATH: "/ms-playwright"
       # Launch options to prevent ERR_BLOCKED_BY_CLIENT errors in CI testing

internal/config/config_test.go

@@ -1243,3 +1243,155 @@ args = ["run", "--rm", "-i", "test/container:latest"]
 	// Error should mention the duplicate key
 	assert.Contains(t, err.Error(), "line", "Error should mention line number")
 }
+
+// TestLoadFromStdin_FilesystemServerConfig tests that filesystem server configuration
+// correctly passes directories as entrypointArgs instead of environment variables.
+func TestLoadFromStdin_FilesystemServerConfig(t *testing.T) {
+	jsonConfig := `{
+		"mcpServers": {
+			"filesystem": {
+				"type": "stdio",
+				"container": "mcp/filesystem",
+				"entrypointArgs": ["/workspace"],
+				"mounts": ["/tmp/mcp-test-fs:/workspace:rw"]
+			}
+		},
+		"gateway": {
+			"port": 8080,
+			"domain": "localhost",
+			"apiKey": "test-key"
+		}
+	}`
+
+	r, w, _ := os.Pipe()
+	oldStdin := os.Stdin
+	os.Stdin = r
+	go func() {
+		w.Write([]byte(jsonConfig))
+		w.Close()
+	}()
+
+	cfg, err := LoadFromStdin()
+	os.Stdin = oldStdin
+
+	require.NoError(t, err, "LoadFromStdin() failed")
+	server, ok := cfg.Servers["filesystem"]
+	require.True(t, ok, "Server 'filesystem' not found")
+
+	assert.Equal(t, "docker", server.Command)
+	assert.True(t, contains(server.Args, "mcp/filesystem"), "Container name not found")
+
+	// Check that mount is present
+	hasMount := false
+	for i := 0; i < len(server.Args)-1; i++ {
+		if server.Args[i] == "-v" && server.Args[i+1] == "/tmp/mcp-test-fs:/workspace:rw" {
+			hasMount = true
+			break
+		}
+	}
+	assert.True(t, hasMount, "Mount not found in args")
+
+	// Check that /workspace is passed as an entrypoint arg (after the container name)
+	containerIdx := -1
+	for i, arg := range server.Args {
+		if arg == "mcp/filesystem" {
+			containerIdx = i
+			break
+		}
+	}
+	require.NotEqual(t, -1, containerIdx, "Container name not found in args")
+
+	// Verify that /workspace appears after the container name as an entrypoint arg
+	hasWorkspaceArg := false
+	for i := containerIdx + 1; i < len(server.Args); i++ {
+		if server.Args[i] == "/workspace" {
+			hasWorkspaceArg = true
+			break
+		}
+	}
+	assert.True(t, hasWorkspaceArg, "Expected /workspace as entrypoint arg after container name")
+}
+
+// TestLoadFromStdin_PlaywrightServerConfig tests that playwright server configuration
+// correctly separates Docker runtime flags (args) from playwright binary arguments (entrypointArgs).
+func TestLoadFromStdin_PlaywrightServerConfig(t *testing.T) {
+	jsonConfig := `{
+		"mcpServers": {
+			"playwright": {
+				"type": "stdio",
+				"container": "mcr.microsoft.com/playwright:v1.49.1-noble",
+				"args": ["--init", "--network", "host"],
+				"entrypointArgs": [
+					"--output-dir", "/tmp/gh-aw/mcp-logs/playwright",
+					"--allowed-hosts", "localhost:*;127.0.0.1:*",
+					"--allowed-origins", "localhost:*;127.0.0.1:*"
+				]
+			}
+		},
+		"gateway": {
+			"port": 8080,
+			"domain": "localhost",
+			"apiKey": "test-key"
+		}
+	}`
+
+	r, w, _ := os.Pipe()
+	oldStdin := os.Stdin
+	os.Stdin = r
+	go func() {
+		w.Write([]byte(jsonConfig))
+		w.Close()
+	}()
+
+	cfg, err := LoadFromStdin()
+	os.Stdin = oldStdin
+
+	require.NoError(t, err, "LoadFromStdin() failed")
+	server, ok := cfg.Servers["playwright"]
+	require.True(t, ok, "Server 'playwright' not found")
+
+	assert.Equal(t, "docker", server.Command)
+
+	// Find the container name position in args
+	containerIdx := -1
+	for i, arg := range server.Args {
+		if arg == "mcr.microsoft.com/playwright:v1.49.1-noble" {
+			containerIdx = i
+			break
+		}
+	}
+	require.NotEqual(t, -1, containerIdx, "Container name not found in args")
+
+	// Verify Docker flags (--init, --network host) appear BEFORE the container name
+	hasInitBeforeContainer := false
+	hasNetworkBeforeContainer := false
+	for i := 0; i < containerIdx; i++ {
+		if server.Args[i] == "--init" {
+			hasInitBeforeContainer = true
+		}
+		if server.Args[i] == "--network" && i+1 < containerIdx && server.Args[i+1] == "host" {
+			hasNetworkBeforeContainer = true
+		}
+	}
+	assert.True(t, hasInitBeforeContainer, "Docker flag --init should appear before container name")
+	assert.True(t, hasNetworkBeforeContainer, "Docker flag --network host should appear before container name")
+
+	// Verify playwright binary args appear AFTER the container name
+	hasOutputDirAfterContainer := false
+	hasAllowedHostsAfterContainer := false
+	for i := containerIdx + 1; i < len(server.Args); i++ {
+		if server.Args[i] == "--output-dir" && i+1 < len(server.Args) && server.Args[i+1] == "/tmp/gh-aw/mcp-logs/playwright" {
+			hasOutputDirAfterContainer = true
+		}
+		if server.Args[i] == "--allowed-hosts" {
+			hasAllowedHostsAfterContainer = true
+		}
+	}
+	assert.True(t, hasOutputDirAfterContainer, "Playwright arg --output-dir should appear after container name")
+	assert.True(t, hasAllowedHostsAfterContainer, "Playwright arg --allowed-hosts should appear after container name")
+
+	// Verify Docker flags do NOT appear as duplicate entrypoint args after container
+	for i := containerIdx + 1; i < len(server.Args); i++ {
+		assert.NotEqual(t, "--init", server.Args[i], "Docker flag --init should not appear after container name")
+	}
+}