feat: mcp gateway schema types (auth, outbound auth, OAuth credentials)

aidandaly24 · aidandaly24 · commit 67759c4c09f5 · 2026-02-23T00:03:45.000Z
diff --git a/src/schema/schemas/__tests__/mcp.test.ts b/src/schema/schemas/__tests__/mcp.test.ts
@@ -261,6 +261,11 @@ describe('AgentCoreGatewayTargetSchema', () => {
       name: 'myTarget',
       targetType: 'lambda',
       toolDefinitions: [validToolDef],
+      compute: {
+        host: 'Lambda',
+        implementation: { language: 'Python', path: 'tools', handler: 'h' },
+        pythonVersion: 'PYTHON_3_12',
+      },
     });
     expect(result.success).toBe(true);
   });
@@ -270,6 +275,11 @@ describe('AgentCoreGatewayTargetSchema', () => {
       name: 'myTarget',
       targetType: 'lambda',
       toolDefinitions: [],
+      compute: {
+        host: 'Lambda',
+        implementation: { language: 'Python', path: 'tools', handler: 'h' },
+        pythonVersion: 'PYTHON_3_12',
+      },
     });
     expect(result.success).toBe(false);
   });
@@ -303,6 +313,11 @@ describe('AgentCoreGatewaySchema', () => {
         name: 'target1',
         targetType: 'lambda',
         toolDefinitions: [validToolDef],
+        compute: {
+          host: 'Lambda',
+          implementation: { language: 'Python', path: 'tools', handler: 'h' },
+          pythonVersion: 'PYTHON_3_12',
+        },
       },
     ],
   };
@@ -387,7 +402,16 @@ describe('AgentCoreMcpSpecSchema', () => {
       agentCoreGateways: [
         {
           name: 'gw1',
-          targets: [{ name: 't1', targetType: 'lambda', toolDefinitions: [validToolDef] }],
+          targets: [{
+            name: 't1',
+            targetType: 'lambda',
+            toolDefinitions: [validToolDef],
+            compute: {
+              host: 'Lambda',
+              implementation: { language: 'Python', path: 'tools', handler: 'h' },
+              pythonVersion: 'PYTHON_3_12',
+            },
+          }],
         },
       ],
     });
diff --git a/src/schema/schemas/agentcore-project.ts b/src/schema/schemas/agentcore-project.ts
@@ -71,9 +71,6 @@ export type Memory = z.infer<typeof MemorySchema>;
 // Credential Schema
 // ============================================================================
 
-export const CredentialTypeSchema = z.literal('ApiKeyCredentialProvider');
-export type CredentialType = z.infer<typeof CredentialTypeSchema>;
-
 export const CredentialNameSchema = z
   .string()
   .min(3, 'Credential name must be at least 3 characters')
@@ -83,11 +80,36 @@ export const CredentialNameSchema = z
     'Must contain only alphanumeric characters, underscores, dots, and hyphens (3-255 chars)'
   );
 
-export const CredentialSchema = z.object({
-  type: CredentialTypeSchema,
+export const CredentialTypeSchema = z.enum(['ApiKeyCredentialProvider', 'OAuthCredentialProvider']);
+export type CredentialType = z.infer<typeof CredentialTypeSchema>;
+
+export const ApiKeyCredentialSchema = z.object({
+  type: z.literal('ApiKeyCredentialProvider'),
+  name: CredentialNameSchema,
+});
+
+export type ApiKeyCredential = z.infer<typeof ApiKeyCredentialSchema>;
+
+export const OAuthCredentialSchema = z.object({
+  type: z.literal('OAuthCredentialProvider'),
   name: CredentialNameSchema,
+  /** OIDC discovery URL for the OAuth provider */
+  discoveryUrl: z.string().url(),
+  /** Scopes this credential provider supports */
+  scopes: z.array(z.string()).default([]),
+  /** Credential provider vendor type */
+  vendor: z.string().default('CustomOauth2'),
+  /** Whether this credential was auto-created by the CLI (e.g., for CUSTOM_JWT inbound auth) */
+  managed: z.boolean().optional(),
 });
 
+export type OAuthCredential = z.infer<typeof OAuthCredentialSchema>;
+
+export const CredentialSchema = z.discriminatedUnion('type', [
+  ApiKeyCredentialSchema,
+  OAuthCredentialSchema,
+]);
+
 export type Credential = z.infer<typeof CredentialSchema>;
 
 // ============================================================================
diff --git a/src/schema/schemas/mcp.ts b/src/schema/schemas/mcp.ts
@@ -15,7 +15,7 @@ export type GatewayTargetType = z.infer<typeof GatewayTargetTypeSchema>;
 // Gateway Authorization Schemas
 // ============================================================================
 
-export const GatewayAuthorizerTypeSchema = z.enum(['NONE', 'CUSTOM_JWT']);
+export const GatewayAuthorizerTypeSchema = z.enum(['NONE', 'AWS_IAM', 'CUSTOM_JWT']);
 export type GatewayAuthorizerType = z.infer<typeof GatewayAuthorizerTypeSchema>;
 
 /** OIDC well-known configuration endpoint suffix (per OpenID Connect Discovery 1.0 spec) */
@@ -44,6 +44,7 @@ export const CustomJwtAuthorizerConfigSchema = z.object({
   allowedAudience: z.array(z.string().min(1)),
   /** List of allowed client IDs */
   allowedClients: z.array(z.string().min(1)).min(1),
+  allowedScopes: z.array(z.string().min(1)).optional(),
 });
 
 export type CustomJwtAuthorizerConfig = z.infer<typeof CustomJwtAuthorizerConfigSchema>;
@@ -57,6 +58,17 @@ export const GatewayAuthorizerConfigSchema = z.object({
 
 export type GatewayAuthorizerConfig = z.infer<typeof GatewayAuthorizerConfigSchema>;
 
+export const OutboundAuthTypeSchema = z.enum(['OAUTH', 'API_KEY', 'NONE']);
+export type OutboundAuthType = z.infer<typeof OutboundAuthTypeSchema>;
+
+export const OutboundAuthSchema = z.object({
+  type: OutboundAuthTypeSchema.default('NONE'),
+  credentialName: z.string().min(1).optional(),
+  scopes: z.array(z.string()).optional(),
+}).strict();
+
+export type OutboundAuth = z.infer<typeof OutboundAuthSchema>;
+
 export const McpImplLanguageSchema = z.enum(['TypeScript', 'Python']);
 export type McpImplementationLanguage = z.infer<typeof McpImplLanguageSchema>;
 
@@ -262,10 +274,37 @@ export const AgentCoreGatewayTargetSchema = z
   .object({
     name: z.string().min(1),
     targetType: GatewayTargetTypeSchema,
-    toolDefinitions: z.array(ToolDefinitionSchema).min(1),
+    /** Tool definitions. Required for Lambda targets. Optional for MCP Server (discovered via tools/list). */
+    toolDefinitions: z.array(ToolDefinitionSchema).optional(),
+    /** Compute configuration. Required for Lambda/Runtime scaffold targets. */
     compute: ToolComputeConfigSchema.optional(),
+    /** MCP Server endpoint URL. Required for external MCP Server targets. */
+    endpoint: z.string().url().optional(),
+    /** Outbound auth configuration for the target. */
+    outboundAuth: OutboundAuthSchema.optional(),
   })
-  .strict();
+  .strict()
+  .refine(
+    data => {
+      // External MCP Server: needs endpoint, no compute
+      if (data.targetType === 'mcpServer' && !data.compute && !data.endpoint) {
+        return false;
+      }
+      // Lambda target: needs compute and tool definitions
+      if (data.targetType === 'lambda') {
+        if (!data.compute) return false;
+        if (!data.toolDefinitions || data.toolDefinitions.length === 0) return false;
+      }
+      // Outbound auth with credential needs a credential name
+      if (data.outboundAuth && data.outboundAuth.type !== 'NONE' && !data.outboundAuth.credentialName) {
+        return false;
+      }
+      return true;
+    },
+    {
+      message: 'Invalid target configuration. MCP Server targets need an endpoint or compute. Lambda targets need compute and tool definitions. OAuth/API_KEY auth needs a credential name.',
+    }
+  );
 
 export type AgentCoreGatewayTarget = z.infer<typeof AgentCoreGatewayTargetSchema>;
 
