feat(gateway_mode): Add gateway mode feature with direct_proxy support for pass-through MCP operations

[010gvr]

🔗 Related Issue

Closes #2171 and #2344

---

📝 Summary

Implements a new direct_proxy gateway mode that enables pass-through proxying of MCP operations directly to remote servers without database caching. This complements the existing cache mode (default) and provides flexibility for different use cases.

⚠️ The direct proxy assumes a stateless MCP server is built using Streamable HTTP transport. Further, RBAC architecture need to be analyzed.

• New field: Added gateway_mode column to gateways table with values cache (default) or direct_proxy

• Migration: Created idempotent Alembic migration

• Models: Updated Gateway ORM model in db.py with new field and documentation

• GatewayCreate: Added gateway_mode field with validation pattern ^(cache|direct_proxy)$

• GatewayUpdate: Added optional gateway_mode field for updates

• GatewayRead: Added gateway_mode field to response schema

gateway_service.py

• Added gateway_mode field handling in gateway creation and updates
• Passes gateway mode through initialization flow

tool_service.py

• Implements direct proxy mode detection via X-Gateway-Id header
• When in direct_proxy mode:
  • Bypasses database tool lookup/tool call
  • Creates minimal tool payload for direct proxying
  • Skips access control checks (delegated to remote server)
  • Skips metrics recording (no tool_id in direct mode)
• Enhanced error handling for extract_using_jq failures
• Added comprehensive logging for streamablehttp requests

resource_service.py

• Implements direct proxy mode for resource operations
• Proxies resources/read and resources/list requests directly to remote MCP servers when in direct_proxy mode
• Uses MCP SDK for proper protocol handling

streamablehttp_transport.py

• Proxy methods tools/list , tools/call, resources/list and resources/read

Features

• Fast lookups, access control enforced, metrics recorded
• Existing behavior unchanged
• All MCP operations proxied directly to remote server
• No database caching of tools/resources/prompts
• Client sends X-Context-Forge-Gateway-Id header to specify gateway
• Gateway must have gateway_mode: "direct_proxy"
• Minimal overhead, real-time data from remote server
• Access control delegated to remote server
• Existing tests should pass (default cache mode unchanged)

This is a backward-compatible feature addition with sensible defaults.

---

🏷️ Type of Change

• Bug fix
• Feature / Enhancement
• Documentation
• Refactor
• Chore (deps, CI, tooling)
• Other (describe below)

---

🧪 Verification

Check	Command	Status
Lint suite	make lint	✅
Unit tests	make test	✅
Coverage ≥ 80%	make coverage	✅

---

✅ Checklist

• Code formatted (make black isort pre-commit)
• Tests added/updated for changes
• Documentation updated (if applicable)
• No secrets or credentials committed

---

📓 Notes (optional)

TODOs:

1. Support for any MCP server/transport types
2. Improve Normalization. Maintenance overhead to keep up to rapidly changing MCP spec, Code can be simplified if Context Forge acted as a proxy if server is already MCP-compliant.

[010gvr]

There are many test cases where datetime.now() is used which pulls in local time. This may work if the developer is in UTC tz or around and tests may pass by fluke. Otherwise time can end up going backward. I'm fixing in this PR but I think a proper fix would really be to avoid adding test cases with plain datetime.now() if the implementation standardizes on UTC.

[crivetimihai]

Thanks for implementing the direct proxy feature, @010gvr! The concept is sound — not all use cases benefit from caching MCP server responses. The migration is clean and the schema validation looks good.

A few significant concerns:

1. RBAC bypass — When is_direct_proxy is true, the entire RBAC check block is skipped in tool_service.py. Any authenticated user who knows a gateway ID can invoke any tool regardless of team membership or visibility. At minimum, please verify the user has access to the gateway itself.
2. Code duplication — The auth header construction logic (~20 lines of bearer/basic/dict/str handling) is copy-pasted across 5-6 proxy functions. Please extract a shared build_gateway_auth_headers(gateway) helper.
3. No test coverage — All proxy logic is marked # pragma: no cover. The tests only cover schema validation and gateway registration, not the actual proxying behavior.
4. Inconsistent session.initialize() — Some proxy functions call it, others skip it. This should be consistent.
5. flake8: noqa broadening — mcp_session_pool.py changed from specific noqa: DAR101, DAR201, DAR401 to blanket noqa, which silences all flake8 warnings for the file.

Item 1 (RBAC) is the most critical — this is a privilege escalation risk in multi-tenant deployments.

[crivetimihai]

Code Review: direct_proxy Gateway Mode

Rebased onto main, resolved 2 merge conflicts (trivial comment differences), and fixed the Alembic migration head (was pointing to old parent 04cda6733305, updated to current head c1c2c3c4c5c6 — this was causing multiple Alembic heads which would break all tests).

---

Critical Issues (Must Fix Before Merge)

1. SECURITY: Missing check_gateway_access() in call_tool direct proxy path

• File: streamablehttp_transport.py:700-723
• The call_tool function's direct proxy shortcut calls invoke_tool_direct() without any gateway access check.
• invoke_tool_direct() (tool_service.py:2557-2627) also has no access check.
• Impact: Any authenticated user who knows a gateway ID can invoke tools on any direct_proxy gateway, regardless of visibility (public/team/private). This completely bypasses RBAC for tool invocation.
• Compare with list_tools (line 1014), list_resources (line 1248), and read_resource (line 1361) — all three correctly call check_gateway_access() before proxying. call_tool is the only one missing it.
• Note: The normal invoke_tool() path at tool_service.py:2707 does have the access check. The simplest fix would be to remove the shortcut path (lines 692-726) entirely and let invoke_tool() handle direct_proxy internally.

2. Silent fallback from direct_proxy to normal mode in call_tool

• File: streamablehttp_transport.py:724-726
• On any exception (including ToolNotFoundError for missing gateways), call_tool silently falls through to normal tool invocation mode.
• This is inconsistent — list_tools, list_resources, and read_resource do NOT have this fallback pattern; they return empty results or raise errors.
• Risk: A user expecting direct proxy behavior could silently get cached tool execution instead. If the remote server is temporarily unreachable, a different tool with the same name from a different gateway could be executed.
• Fix: Either remove the fallback and let the exception propagate, or explicitly return an error.

3. AttributeError crash in resource_service.py direct proxy path

• File: resource_service.py:2182-2229
• After the direct proxy successfully fetches content as TextResourceContents, the comment at line 2225 says "Skip the rest of the DB lookup logic" but there is no return, break, or control flow skip.
• The code falls through to line 2326: if isinstance(content, (ResourceContent, ResourceContents, TextContent)) — which matches TextResourceContents (inherits from ResourceContents).
• Line 2329: getattr(content, "id") raises AttributeError because TextResourceContents has no id field (verified).
• The crash is caught by the outer except Exception at line 2386, which re-raises and loses the successfully-fetched content.
• Fix: Add a return content or a flag to skip the invoke_resource() call when content was already fetched via direct proxy.

---

Medium Issues

4. Hardcoded timeout=30.0 in all proxy functions

• All proxy functions use timeout=30.0 while the normal mode uses settings.tool_timeout (default 60s). Should use the configurable value for consistency.

5. # pragma: no cover - integration test annotations are misleading

• The annotations claim integration tests exist, but tests/integration/ has zero references to direct_proxy or gateway_mode.
• The annotations hide the entire call_tool direct proxy path (including the missing access check) from coverage reports.
• Should either write integration tests or remove the misleading annotations.

6. Inconsistent gateway_mode access pattern

• getattr(gateway, "gateway_mode", "cache") used in some places (call_tool, list_tools, invoke_tool_direct), direct gateway.gateway_mode in others (list_resources, read_resource). Should be consistent.

---

Minor Issues

• Hardcoded "streamablehttp" transport in tool_service.py:2735 — SSE gateways registered with direct_proxy mode would fail.
• No format validation on gateway_id header — the X-Context-Forge-Gateway-Id header value is passed directly to a DB query without UUID format validation. SQLAlchemy parameterizes safely, but format validation would fail fast.
• Inconsistent extract_using_jq error returns — jq filter errors now return [TextContent(...)] (lines 288, 291) but JSON parse errors still return ['string'] (line 278). The REST API caller at line 3168 checks isinstance(filtered_response[0], TextContent) and would miss string-based errors.
• from sqlalchemy import select imported twice in list_tools function body (lines 1006 and 1038).
• 4 unrelated whitespace-only changes in noqa comments (registry_cache.py, tls_utils.py, db_isready.py, redis_isready.py).

What's Good

• Schema validation with pattern="^(cache|direct_proxy)$" is solid
• Idempotent Alembic migration follows project conventions
• check_gateway_access() is structurally consistent with existing _check_tool_access and _check_resource_access across all 8 decision steps
• build_gateway_auth_headers() has no credential leaking or injection risks
• list_tools, list_resources, and read_resource all have proper gateway access checks
• Good test coverage for schemas, gateway service, and transport-level access denial
• Backward compatible — existing cache mode behavior is unchanged
• The assumption of stateless MCP servers is explicitly documented

Recommendation

Issues #1, #2, and #3 need to be fixed before merge. The simplest fix for #1 and #2 is to remove the shortcut path in call_tool (lines 692-726) and let invoke_tool() handle direct_proxy internally — it already does correctly at lines 2700-2709 with proper access checks.

[010gvr]

@crivetimihai I addressed most of them in 01b1144.

Reg (1) though, the code block in tool_service.py was stale and used for debugging. I've removed it. I won't be able to use the current invoke_tool(..) to inject direct_proxy without significant changes. The problem is that (as I mentioned in the description) there are normalizations that are happening in the regular tool call and there's a close knit DB interaction to fetch tool info, auth and more importantly uses a mcp session pool which aren't needed for direct proxy. I'm looking to keep the change radar small to avoid breaking the existing cache setup. the direct_proxy can still become even more light-weight so it doesn't have to pass through the current mcp app fully, but may be for some other day. PTAL.

[crivetimihai]

Under review

[crivetimihai]

Review Fixes (abca2c6)

Addressed review feedback across two commits. Summary of all changes on this branch:

Security Fixes

• call_tool fail-closed — proxy failure now returns CallToolResult(isError=True) instead of silently falling back to cache mode. When a client explicitly targets a direct-proxy gateway, upstream errors must not result in execution from a different path.
• Error message sanitization — direct proxy error responses no longer leak raw exception details to clients. Detailed errors remain in server logs only.
• GatewayCreate gateway_mode=null — schema now rejects/defaults None to "cache" via a @field_validator(mode="before"), preventing DB integrity errors on the non-nullable column.
• read_resource auth denial — returns empty string directly instead of raising HTTPException(404) that was caught by the outer handler and silently swallowed.

Consistency Fixes

• Feature-flag gate in call_tool — added settings.mcpgateway_direct_proxy_enabled check, matching list_tools, list_resources, and read_resource. Previously call_tool entered the direct-proxy path without checking the flag.
• read_resource _meta removal — MCP SDK read_resource(uri) does not accept _meta (unlike call_tool which accepts meta). Removed the _meta injection that would cause TypeError at runtime.
• Admin config — exposed mcpgateway_direct_proxy_timeout in the Connection Timeouts section for operational visibility.
• Docstring fix — list_tools docstring referenced refresh_strategy but implementation uses gateway_mode.

Structural Fix

• Removed dead single-tool DB lookup path in invoke_tool() — the scalar_one_or_none() path (inside if not is_direct_proxy:) made the multi-tool scalars().all() path unreachable. The multi-tool path correctly handles both single and duplicate tool names across teams.

Test Fixes

• Fixed extract_using_jq test assertions to match [TextContent(...)] return type (changed in prior branch commit).
• Updated test_call_tool_direct_proxy_exception to verify error return instead of fallback.
• Added test_call_tool_direct_proxy_feature_disabled_falls_through test.
• Added autouse fixture for TestCallToolDirectProxy to enable feature flag.
• Updated test_read_resource_direct_proxy_with_meta to verify _meta is NOT forwarded.

Items Reviewed but Not Changed

• Prompts: Direct proxy for prompts is intentionally out of scope — feature targets tools and resources only.
• ResourceService narrow URI path: Transport layer handles direct_proxy via header; service-level check is a valid secondary path for URI-based lookups.

All 11,547 unit tests pass.

[crivetimihai]

Direct Proxy Mode — Feature Flag & Configuration

This feature is now controlled by two environment variables:

Variable	Default	Description
MCPGATEWAY_DIRECT_PROXY_ENABLED	false	Enable the direct_proxy gateway mode
MCPGATEWAY_DIRECT_PROXY_TIMEOUT	30	Timeout in seconds for proxied MCP operations

How it works:

1. Set MCPGATEWAY_DIRECT_PROXY_ENABLED=true to enable
2. Register a gateway with "gateway_mode": "direct_proxy" via POST /gateways
3. Send requests with the X-Context-Forge-Gateway-Id header set to that gateway's ID
4. All MCP operations (tools/list, tools/call, resources/list, resources/read) are proxied directly to the remote server, bypassing the caching layer

Safety guarantees:

• Feature is disabled by default across all config surfaces (.env.example, Helm values.yaml, docker-compose.yml)
• Registration of direct_proxy gateways is rejected when the flag is disabled
• Runtime checks silently fall back to cache mode when the flag is disabled
• Proxy failures return errors to the client (fail-closed, never fall through to cache)
• All direct_proxy paths enforce RBAC access checks before proxying
• Error messages are sanitized (no raw exception details leaked to clients)

[010gvr]

@crivetimihai Just leaving a comment here to revisit in the future if needed. The last commit be00451 has put back the session initialize() . This perfectly makes sense if Gateway is the "source" client. However, for a proxy case, this will be a redundant call. The code inside this gateway does really nothing on the initialize notification sent back (this is supposed to validate protocol, capabilities etc) as it might have been done already by the source client. We'll do some perf tests and then decide what to do here.