feat(agent-sentinel): add gateway support for MCP servers #5225

Merged
saifsmailbox98 merged 6 commits into main from saif/ai-4-add-support-for-gateways-to-reach-internal-mcp-servers
Jan 24, 2026
saifsmailbox98 (Contributor) commented Jan 21, 2026

Context

This PR enables MCP servers within private networks to be accessible via Infisical via the gateway.

Steps to verify the change

Test the MCP server addition + tool list fetching + tool calling with MCP endpoints for the following cases (I have tested already):

| # | Gateway | Mode | Auth Type | MCP Server Used | Status |
|---|---------|------|-----------|-----------------|--------|
| 1 | Internet Gateway | Shared | OAuth | Notion | ✅ Tested |
| 2 | Internet Gateway | Shared | Bearer | Demo Local MCP | ✅ Tested |
| 3 | Internet Gateway | Personal | OAuth | Notion Personal | ✅ Tested |
| 4 | Internet Gateway | Personal | Bearer | Demo Local MCP | ✅ Tested |
| 5 | Private Gateway | Shared | OAuth | | ❌ Not Applicable |
| 6 | Private Gateway | Shared | Bearer | Demo Docker Network MCP | ✅ Tested |
| 7 | Private Gateway | Personal | OAuth | | ❌ Not Applicable |
| 8 | Private Gateway | Personal | Bearer | Demo Docker Network MCP | ✅ Tested |

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Read the contributing guide

maidul98 (Collaborator) commented Jan 21, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
|--------|---------|----------|------|--------|-----|-----------|
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@saifsmailbox98 saifsmailbox98 marked this pull request as ready for review January 21, 2026 18:26
greptile-apps bot (Contributor) commented Jan 21, 2026

Greptile Summary

This PR adds gateway support for MCP (Model Context Protocol) servers, enabling connections to MCP servers on private networks through Infisical's gateway infrastructure.

Key Changes:

  • Added gatewayId column to ai_mcp_servers table with foreign key to gateway_v2
  • Implemented gateway-aware HTTP request wrappers for OAuth discovery and token exchange
  • Created long-lived gateway proxies for MCP session connections with proper cleanup handlers
  • Added UI controls to select gateways with permission checks (OrgPermissionGatewayActions.AttachGateways)
  • Blocked OAuth authentication when using gateways (only Bearer/Basic auth supported)
  • Updated documentation with gateway usage guide and limitations

Security Issues Found:

  • The createMcpServer function does not validate the URL hostname before storing it in the database, creating a potential SSRF vulnerability when used with gateways
  • User-controlled URLs determine the targetHost for gateway proxy connections, which could redirect to unintended internal services

Non-Breaking: All changes are additive - the gatewayId field is optional and nullable.

Confidence Score: 3/5

  • This PR has security vulnerabilities that should be addressed before merging
  • The implementation is well-structured with proper permission checks and clean separation of concerns. However, there are critical security issues: (1) Missing URL validation in createMcpServer allows storing potentially malicious URLs that could redirect gateway connections to internal services (SSRF), and (2) URL construction in gateway proxy helpers uses user-controlled input to determine target hosts without re-validation. The migration is idempotent and the frontend properly blocks OAuth when gateways are selected. These security issues need to be fixed before merging.
  • Pay close attention to backend/src/ee/services/ai-mcp-server/ai-mcp-server-service.ts - add URL validation in createMcpServer function

Important Files Changed

| Filename | Overview |
|----------|----------|
| backend/src/db/migrations/20260121000000_add-gateway-id-to-ai-mcp-servers.ts | Idempotent migration adds nullable gatewayId column with foreign key to GatewayV2 |
| backend/src/ee/services/ai-mcp-server/ai-mcp-server-service.ts | Added gateway support for MCP server connections with OAuth validation; check URL handling security |
| backend/src/ee/routes/v1/ai-mcp-server-router.ts | Added gatewayId parameter validation to OAuth and MCP server endpoints |
| backend/src/ee/services/ai-mcp-endpoint/ai-mcp-endpoint-service.ts | Implemented long-lived gateway proxies for MCP sessions with cleanup; check URL construction |
| frontend/src/pages/ai/MCPPage/components/MCPServersTab/AddMCPServerModal/AuthenticationStep.tsx | Filters out OAuth when gateway selected and auto-switches to Bearer auth |
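
One way to implement the create-time hostname check that the summary above asks for, as an added example that is not part of this PR or of Infisical's code base. The names `validateMcpServerUrl` and `isBlockedIPv4` and the block-list policy are hypothetical; the assumed policy is that private ranges are reachable only through a gateway, and loopback and link-local targets never.

```typescript
// Added example: names and policy are hypothetical, not Infisical's code.
type Verdict = { ok: true; host: string; port: number } | { ok: false; reason: string };
type Cidr = [string, number]; // [base address, prefix length]

// Assumed policy: loopback, "this network" and link-local (cloud metadata) are
// refused in both modes; private ranges are refused only without a gateway.
const ALWAYS_BLOCKED: Cidr[] = [["0.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16]];
const PRIVATE: Cidr[] = [["10.0.0.0", 8], ["100.64.0.0", 10], ["172.16.0.0", 12], ["192.168.0.0", 16]];

// Dotted quad -> unsigned 32-bit number, or null if not an IPv4 literal.
function toInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function inRanges(ip: number, ranges: Cidr[]): boolean {
  return ranges.some(([base, bits]) => {
    const size = 2 ** (32 - bits); // addresses per block; avoids signed 32-bit bit ops
    return Math.floor(ip / size) === Math.floor((toInt(base) as number) / size);
  });
}

// Use on the URL literal at create time and again on the address actually
// resolved at connect time, since a stored hostname can later resolve elsewhere.
function isBlockedIPv4(ip: string, viaGateway: boolean): boolean {
  const n = toInt(ip);
  if (n === null) return false; // a DNS name, not an IPv4 literal
  return inRanges(n, ALWAYS_BLOCKED) || (!viaGateway && inRanges(n, PRIVATE));
}

function validateMcpServerUrl(raw: string, viaGateway: boolean): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "credentials embedded in URL" };
  // The WHATWG parser canonicalises forms such as 0x7f.1 to 127.0.0.1, so
  // checks run on url.hostname, never on the raw string.
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "loopback name" };
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literals refused (assumed policy)" };
  if (isBlockedIPv4(host, viaGateway)) return { ok: false, reason: "blocked address range" };
  const port = url.port ? Number(url.port) : url.protocol === "https:" ? 443 : 80;
  return { ok: true, host, port };
}
```

The host and port in the returned verdict, not the stored string, are what a proxy helper would use as its target, with `isBlockedIPv4` applied again to the resolved address.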

greptile-apps bot (Contributor) left a comment

16 files reviewed, 3 comments

x032205 (Member) left a comment

Works great!

@saifsmailbox98 saifsmailbox98 merged commit 4b8a72c into main Jan 24, 2026
14 checks passed