Summary
Follow-up to #419 (admin-managed AgentCore Gateway target registration). #419 shipped deliberately with zero new agent-side runtime code, so for protocol=mcp (Gateway) tools the catalog stores per-tool approval flags and requires_oauth_provider, but nothing enforces them at runtime. This issue tracks the agent-side wiring to actually enforce both.
Today both mechanisms are wired only for mcp_external tools.
⛔ Dependency
Backend for #419 is merged to develop (#450, #452, #453). This builds on the MCPGatewayConfig model + the protocol=mcp catalog rows it produces.
The enabling prerequisite (do this first)
Gateway tools currently bypass the catalog entirely at runtime — they surface straight from the Gateway discovery path as gateway_<target>___<tool> and RBAC is AppRole-based by that full id (apis/app_api/admin/services/tool_access.py). For either feature below to work, the agent loop must correlate a runtime gateway tool with its protocol=mcp catalog row (by target/tool name). That correlation unlocks both features at once.
Scope
1. Per-tool approval flags for gateway tools
- Extend
GatewayIntegration (agents/main_agent/tools/gateway_integration.py) to expose approval_names_for_client() mirroring ExternalMCPIntegration.approval_names_for_client(), populated from the catalog row's mcp_gateway_config.approval_required_names() at client-creation time.
- Add a gateway path to the approval-hook lookup closure in
base_agent.py (today MCPExternalApprovalHook resolves only mcp_external clients).
- Gotcha: the catalog's
tools[].name must match the raw MCP tool name, not the prefixed gateway_* id.
2. oauth_required (3LO) consent for gateway tools
- Extend
GatewayIntegration to track provider_id per client (from the row's requires_oauth_provider), and add gateway to the provider_lookup closure in base_agent.py. The existing OAuthConsentHook + oauth_required SSE machinery (session/hooks/oauth_consent.py) then works unchanged — it just needs the lookup to cover gateway clients.
- Verify against a live target: that outbound 3LO via the Gateway needs the user's vaulted token present before the Gateway's on-behalf-of exchange (i.e. consent must complete first). Confirm
customParameters used at consent match those on the registered target (token-vault-key gotcha).
Out of scope
🤖 Generated with Claude Code
Summary
Follow-up to #419 (admin-managed AgentCore Gateway target registration). #419 shipped deliberately with zero new agent-side runtime code, so for
protocol=mcp(Gateway) tools the catalog stores per-tool approval flags andrequires_oauth_provider, but nothing enforces them at runtime. This issue tracks the agent-side wiring to actually enforce both.Today both mechanisms are wired only for
mcp_externaltools.⛔ Dependency
Backend for #419 is merged to
develop(#450, #452, #453). This builds on theMCPGatewayConfigmodel + theprotocol=mcpcatalog rows it produces.The enabling prerequisite (do this first)
Gateway tools currently bypass the catalog entirely at runtime — they surface straight from the Gateway discovery path as
gateway_<target>___<tool>and RBAC is AppRole-based by that full id (apis/app_api/admin/services/tool_access.py). For either feature below to work, the agent loop must correlate a runtime gateway tool with itsprotocol=mcpcatalog row (by target/tool name). That correlation unlocks both features at once.Scope
1. Per-tool approval flags for gateway tools
GatewayIntegration(agents/main_agent/tools/gateway_integration.py) to exposeapproval_names_for_client()mirroringExternalMCPIntegration.approval_names_for_client(), populated from the catalog row'smcp_gateway_config.approval_required_names()at client-creation time.base_agent.py(todayMCPExternalApprovalHookresolves onlymcp_externalclients).tools[].namemust match the raw MCP tool name, not the prefixedgateway_*id.2.
oauth_required(3LO) consent for gateway toolsGatewayIntegrationto trackprovider_idper client (from the row'srequires_oauth_provider), and add gateway to theprovider_lookupclosure inbase_agent.py. The existingOAuthConsentHook+oauth_requiredSSE machinery (session/hooks/oauth_consent.py) then works unchanged — it just needs the lookup to cover gateway clients.customParametersused at consent match those on the registered target (token-vault-key gotcha).Out of scope
🤖 Generated with Claude Code