Skip to content

[compliance] Compliance Gap: Custom Server Schema Validation Not Implemented (MUST Violation) #1286

Closed
#1312
Closed
[compliance] Compliance Gap: Custom Server Schema Validation Not Implemented (MUST Violation)#1286
#1312
Assignees
lpcoxanthropic-code-agent
Labels
automationcompliancespecification
@github-actions

Description

@github-actions
github-actions
bot
opened on Feb 22, 2026

MCP Gateway Compliance Review - 2026-02-22

Summary

Found 1 critical compliance issue during daily review of the current codebase (commit a6346a9). The custom server type schema validation is incomplete - the gateway acknowledges custom schema URLs but does not fetch or apply them for validation, violating a MUST requirement in the specification.

Recent Changes Reviewed

Critical Issues (MUST violations)

1. Custom Server Schema Validation Not Implemented

Specification Section: 4.1.4 Custom Server Types
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#414-custom-server-types

Requirement (Spec v1.8.0, Section 4.1.4):

"If registered with an HTTPS URL, the gateway MUST fetch and apply the corresponding JSON Schema for validation"

This covers the compliance test T-CFG-012: "Validate custom configuration against registered schema."

Current State:

In internal/config/validation.go:194–200, the validateCustomServerConfig function explicitly skips schema validation with a TODO comment:

// Fetch and validate against custom schema
// For now, we just validate that the schema is fetchable
// Full JSON schema validation against custom schemas can be added in the future
logValidation.Printf("Custom schema validation passed: name=%s, type=%s", name, serverType)
return nil

The function returns nil (success) without fetching the schema URL or validating the server configuration against it.

Gap:

Any custom server configuration with any fields passes validation regardless of what its registered JSON Schema requires. For example, a custom type registered with a schema that requires a requiredField field will happily accept configs that omit that field entirely.

Severity: 🔴 Critical (MUST violation)

File References:

  • internal/config/validation.go:186–200validateCustomServerConfig function
  • internal/config/custom_types_test.go:105–183TestTCFG011_ValidateAgainstCustomSchema (test passes trivially because validation is never applied)

2. Test ID Numbering Misalignment for Custom Schema Tests

Specification Section: 10.1.1 Configuration Tests
Deep Link: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#1011-configuration-tests

Current State:

The spec defines custom schema compliance tests starting at T-CFG-010, but the test file internal/config/custom_types_test.go labels them starting at T-CFG-009:

Spec Test ID Spec Description Code Test ID in File
T-CFG-010 Valid custom server type with registered schema T-CFG-009
T-CFG-011 Reject custom type without schema registration T-CFG-010
T-CFG-012 Validate custom configuration against registered schema T-CFG-011
T-CFG-013 Reject custom type conflicting with reserved types T-CFG-012
T-CFG-014 Custom schema URL fetch and cache T-CFG-013

In the spec, T-CFG-009 is "Port range validation" (a standard test), but the code reuses T-CFG-009 for the first custom schema test.

Severity: ⚠️ Minor (Test labeling/documentation inconsistency)

File References:

  • internal/config/custom_types_test.go:16,76,105,186,227 — Test ID comments

Compliance Status

Requirement Section Status
✅ Configuration Parsing (JSON stdin) 4.1 Compliant
✅ Variable Expression Resolution 4.2 Compliant
✅ Containerization Requirement 3.2.1 Compliant
✅ Volume Mount Validation 4.1.5 Compliant
✅ Payload Directory Path Validation 4.1.3.1 Compliant
✅ Unknown Field Rejection 4.3.1 Compliant
✅ Required Field Detection 4.3.2 Compliant
❌ Custom Server Schema Validation 4.1.4 Non-compliant (MUST violation)
✅ Protocol Translation (stdio/http) 5.2 Compliant
✅ Close Endpoint 5.1.3 Compliant
✅ Health Monitoring (specVersion, gatewayVersion) 8.1.1 Compliant
✅ Authentication 7 Compliant
✅ Error Handling 9 Compliant
✅ HTTP Connection Failure Handling 5.2.2 Compliant

Suggested Remediation Tasks

Task 1: Implement Custom Schema Validation

Description: Complete the validateCustomServerConfig function to actually fetch and validate server configurations against their registered custom schemas.

Files: internal/config/validation.go:186–200, internal/config/validation_schema.go

Specification Reference: https://github.com/github/gh-aw/blob/main/docs/src/content/docs/reference/mcp-gateway.md#414-custom-server-types

Estimated Effort: Medium (4–8 hours)

Implementation Notes:

  1. Fetch the custom schema URL using the existing fetchAndFixSchema helper in validation_schema.go
  2. Compile the fetched schema using the existing jsonschema library already imported
  3. Validate the server configuration (as a JSON object) against the compiled schema
  4. Return a descriptive ValidationError on failure, not nil
  5. Consider caching fetched custom schemas (per T-CFG-014)

Test Changes Required:

  • Add a t.Run("invalid_custom_config", ...) sub-test to TestTCFG011_ValidateAgainstCustomSchema that provides a config missing required fields and asserts assert.Error(t, err). Currently this path is untested.
  • Rename test IDs T-CFG-009 → T-CFG-010, T-CFG-010 → T-CFG-011, etc. in internal/config/custom_types_test.go to match the spec numbering.

Task 2: Fix Test ID Numbering

Description: Update compliance test ID comments in custom_types_test.go to match the spec's T-CFG-010 through T-CFG-014 numbering.

Files: internal/config/custom_types_test.go:16,76,105,186,227

Estimated Effort: Trivial (15 minutes)

References

Generated by Daily Compliance Checker

Metadata

Metadata

Assignees

Labels

automationcompliancespecification

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions