fix(gateway): harden inbound auth schema and rename credential flags (#598)

* fix(gateway): harden inbound auth schema and rename credential flags

- Enforce HTTPS on OIDC discovery URL in schema and CLI validation
- Make allowedAudience/allowedClients optional with at-least-one
  superRefine constraint (audience, clients, or scopes)
- Add .strict() to CustomJwtAuthorizerConfigSchema
- Rename --agent-client-id/--agent-client-secret to
  --client-id/--client-secret across CLI, TUI, and primitives
- Add HTTPS validation to TUI discovery URL input
- Update deployed-state schema to match (optional audience/clients,
  add allowedScopes)
- Update unit tests for new validation rules and field names

Constraint: OIDC spec requires HTTPS for discovery endpoints
Rejected: Keep --agent-client-id naming | confusing since these are
  gateway-level OAuth credentials, not agent credentials
Confidence: high
Scope-risk: moderate

* fix(tui): make allowedClients optional in JWT wizard

The schema allows allowedClients to be empty when audience or scopes
are provided, but the TUI wizard sub-step still rejected empty input
via customValidation. Add allowEmpty and placeholder to match the
audience and scopes sub-steps, and remove the now-unused
validateCommaSeparated helper.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: aidandaly24

src/cli/commands/add/__tests__/add-gateway.test.ts

@@ -167,9 +167,9 @@ describe('add gateway command', () => {
           'client1',
           '--allowed-scopes',
           'scope1,scope2',
-          '--agent-client-id',
+          '--client-id',
           'agent-cid',
-          '--agent-client-secret',
+          '--client-secret',
           'agent-secret',
           '--json',
         ],

src/cli/commands/add/__tests__/validate.test.ts

@@ -220,24 +220,40 @@ describe('validate', () => {
       expect(result.error?.includes('Invalid authorizer type')).toBeTruthy();
     });
 
-    // AC11: CUSTOM_JWT requires discoveryUrl and allowedClients (allowedAudience is optional)
-    it('returns error for CUSTOM_JWT missing required fields', () => {
-      const jwtFields: { field: keyof AddGatewayOptions; error: string }[] = [
-        { field: 'discoveryUrl', error: '--discovery-url is required for CUSTOM_JWT authorizer' },
-        { field: 'allowedClients', error: '--allowed-clients is required for CUSTOM_JWT authorizer' },
-      ];
+    // AC11: CUSTOM_JWT requires discoveryUrl
+    it('returns error for CUSTOM_JWT missing discoveryUrl', () => {
+      const opts = { ...validGatewayOptionsJwt, discoveryUrl: undefined };
+      const result = validateAddGatewayOptions(opts);
+      expect(result.valid).toBe(false);
+      expect(result.error).toBe('--discovery-url is required for CUSTOM_JWT authorizer');
+    });
 
-      for (const { field, error } of jwtFields) {
-        const opts = { ...validGatewayOptionsJwt, [field]: undefined };
-        const result = validateAddGatewayOptions(opts);
-        expect(result.valid, `Should fail for missing ${String(field)}`).toBe(false);
-        expect(result.error).toBe(error);
-      }
+    // AC11b: at least one of audience/clients/scopes required
+    it('returns error when all of audience, clients, and scopes are missing', () => {
+      const opts = {
+        ...validGatewayOptionsJwt,
+        allowedAudience: undefined,
+        allowedClients: undefined,
+        allowedScopes: undefined,
+      };
+      const result = validateAddGatewayOptions(opts);
+      expect(result.valid).toBe(false);
+      expect(result.error).toContain('At least one of');
+    });
+
+    it('allows CUSTOM_JWT with only allowedScopes', () => {
+      const opts = {
+        ...validGatewayOptionsJwt,
+        allowedAudience: undefined,
+        allowedClients: undefined,
+        allowedScopes: 'scope1',
+      };
+      const result = validateAddGatewayOptions(opts);
+      expect(result.valid).toBe(true);
     });
 
-    // AC11b: allowedAudience is optional
-    it('allows CUSTOM_JWT without allowedAudience', () => {
-      const opts = { ...validGatewayOptionsJwt, allowedAudience: undefined };
+    it('allows CUSTOM_JWT with only allowedAudience', () => {
+      const opts = { ...validGatewayOptionsJwt, allowedClients: undefined, allowedScopes: undefined };
       const result = validateAddGatewayOptions(opts);
       expect(result.valid).toBe(true);
     });
@@ -255,11 +271,19 @@ describe('validate', () => {
       expect(result.error?.includes('.well-known/openid-configuration')).toBeTruthy();
     });
 
-    // AC13: Empty comma-separated clients rejected (audience can be empty)
-    it('returns error for empty clients', () => {
-      const result = validateAddGatewayOptions({ ...validGatewayOptionsJwt, allowedClients: '  ,  ' });
+    it('returns error for HTTP discoveryUrl (HTTPS required)', () => {
+      const result = validateAddGatewayOptions({
+        ...validGatewayOptionsJwt,
+        discoveryUrl: 'http://example.com/.well-known/openid-configuration',
+      });
       expect(result.valid).toBe(false);
-      expect(result.error).toBe('At least one client value is required');
+      expect(result.error).toBe('Discovery URL must use HTTPS');
+    });
+
+    it('allows CUSTOM_JWT with only allowedClients', () => {
+      const opts = { ...validGatewayOptionsJwt, allowedAudience: undefined, allowedScopes: undefined };
+      const result = validateAddGatewayOptions(opts);
+      expect(result.valid).toBe(true);
     });
 
     // AC14: Valid options pass
@@ -268,42 +292,42 @@ describe('validate', () => {
       expect(validateAddGatewayOptions(validGatewayOptionsJwt)).toEqual({ valid: true });
     });
 
-    // AC15: agentClientId and agentClientSecret must be provided together
-    it('returns error when agentClientId provided without agentClientSecret', () => {
+    // AC15: clientId and clientSecret must be provided together
+    it('returns error when clientId provided without clientSecret', () => {
       const result = validateAddGatewayOptions({
         ...validGatewayOptionsJwt,
-        agentClientId: 'my-client-id',
+        clientId: 'my-client-id',
       });
       expect(result.valid).toBe(false);
-      expect(result.error).toBe('Both --agent-client-id and --agent-client-secret must be provided together');
+      expect(result.error).toBe('Both --client-id and --client-secret must be provided together');
     });
 
-    it('returns error when agentClientSecret provided without agentClientId', () => {
+    it('returns error when clientSecret provided without clientId', () => {
       const result = validateAddGatewayOptions({
         ...validGatewayOptionsJwt,
-        agentClientSecret: 'my-secret',
+        clientSecret: 'my-secret',
       });
       expect(result.valid).toBe(false);
-      expect(result.error).toBe('Both --agent-client-id and --agent-client-secret must be provided together');
+      expect(result.error).toBe('Both --client-id and --client-secret must be provided together');
     });
 
-    // AC16: agent credentials only valid with CUSTOM_JWT
-    it('returns error when agent credentials used with non-CUSTOM_JWT authorizer', () => {
+    // AC16: OAuth credentials only valid with CUSTOM_JWT
+    it('returns error when OAuth credentials used with non-CUSTOM_JWT authorizer', () => {
       const result = validateAddGatewayOptions({
         ...validGatewayOptionsNone,
-        agentClientId: 'my-client-id',
-        agentClientSecret: 'my-secret',
+        clientId: 'my-client-id',
+        clientSecret: 'my-secret',
       });
       expect(result.valid).toBe(false);
-      expect(result.error).toBe('Agent OAuth credentials are only valid with CUSTOM_JWT authorizer');
+      expect(result.error).toBe('OAuth client credentials are only valid with CUSTOM_JWT authorizer');
     });
 
-    // AC17: valid CUSTOM_JWT with agent credentials passes
-    it('passes for CUSTOM_JWT with agent credentials', () => {
+    // AC17: valid CUSTOM_JWT with OAuth credentials passes
+    it('passes for CUSTOM_JWT with OAuth credentials', () => {
       const result = validateAddGatewayOptions({
         ...validGatewayOptionsJwt,
-        agentClientId: 'my-client-id',
-        agentClientSecret: 'my-secret',
+        clientId: 'my-client-id',
+        clientSecret: 'my-secret',
         allowedScopes: 'scope1,scope2',
       });
       expect(result.valid).toBe(true);

src/cli/commands/add/types.ts

@@ -37,8 +37,8 @@ export interface AddGatewayOptions {
   allowedAudience?: string;
   allowedClients?: string;
   allowedScopes?: string;
-  agentClientId?: string;
-  agentClientSecret?: string;
+  clientId?: string;
+  clientSecret?: string;
   agents?: string;
   semanticSearch?: boolean;
   exceptionLevel?: string;

src/cli/commands/add/validate.ts

@@ -263,7 +263,10 @@ export function validateAddGatewayOptions(options: AddGatewayOptions): Validatio
     }
 
     try {
-      new URL(options.discoveryUrl);
+      const url = new URL(options.discoveryUrl);
+      if (url.protocol !== 'https:') {
+        return { valid: false, error: 'Discovery URL must use HTTPS' };
+      }
     } catch {
       return { valid: false, error: 'Discovery URL must be a valid URL' };
     }
@@ -272,30 +275,29 @@ export function validateAddGatewayOptions(options: AddGatewayOptions): Validatio
       return { valid: false, error: `Discovery URL must end with ${OIDC_WELL_KNOWN_SUFFIX}` };
     }
 
-    // allowedAudience is optional - empty means no audience validation
-
-    if (!options.allowedClients) {
-      return { valid: false, error: '--allowed-clients is required for CUSTOM_JWT authorizer' };
-    }
-
-    const clients = options.allowedClients
-      .split(',')
-      .map(s => s.trim())
-      .filter(Boolean);
-    if (clients.length === 0) {
-      return { valid: false, error: 'At least one client value is required' };
+    // allowedAudience, allowedClients, allowedScopes are all optional individually,
+    // but at least one must be provided
+    const hasAudience = !!options.allowedAudience?.trim();
+    const hasClients = !!options.allowedClients?.trim();
+    const hasScopes = !!options.allowedScopes?.trim();
+    if (!hasAudience && !hasClients && !hasScopes) {
+      return {
+        valid: false,
+        error:
+          'At least one of --allowed-audience, --allowed-clients, or --allowed-scopes must be provided for CUSTOM_JWT authorizer',
+      };
     }
   }
 
-  // Validate agent OAuth credentials
-  if (options.agentClientId && !options.agentClientSecret) {
-    return { valid: false, error: 'Both --agent-client-id and --agent-client-secret must be provided together' };
+  // Validate OAuth client credentials
+  if (options.clientId && !options.clientSecret) {
+    return { valid: false, error: 'Both --client-id and --client-secret must be provided together' };
   }
-  if (options.agentClientSecret && !options.agentClientId) {
-    return { valid: false, error: 'Both --agent-client-id and --agent-client-secret must be provided together' };
+  if (options.clientSecret && !options.clientId) {
+    return { valid: false, error: 'Both --client-id and --client-secret must be provided together' };
   }
-  if (options.agentClientId && options.authorizerType !== 'CUSTOM_JWT') {
-    return { valid: false, error: 'Agent OAuth credentials are only valid with CUSTOM_JWT authorizer' };
+  if (options.clientId && options.authorizerType !== 'CUSTOM_JWT') {
+    return { valid: false, error: 'OAuth client credentials are only valid with CUSTOM_JWT authorizer' };
   }
 
   // Validate exception level if provided

src/cli/primitives/GatewayPrimitive.ts

@@ -23,8 +23,8 @@ export interface AddGatewayOptions {
   allowedAudience?: string;
   allowedClients?: string;
   allowedScopes?: string;
-  agentClientId?: string;
-  agentClientSecret?: string;
+  clientId?: string;
+  clientSecret?: string;
   agents?: string;
   enableSemanticSearch?: boolean;
   exceptionLevel?: string;
@@ -157,8 +157,8 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
       .option('--allowed-audience <audience>', 'Comma-separated allowed audiences (for CUSTOM_JWT)')
       .option('--allowed-clients <clients>', 'Comma-separated allowed client IDs (for CUSTOM_JWT)')
       .option('--allowed-scopes <scopes>', 'Comma-separated allowed scopes (for CUSTOM_JWT)')
-      .option('--agent-client-id <id>', 'Agent OAuth client ID')
-      .option('--agent-client-secret <secret>', 'Agent OAuth client secret')
+      .option('--client-id <id>', 'OAuth client ID for gateway bearer token')
+      .option('--client-secret <secret>', 'OAuth client secret')
       .option('--agents <agents>', 'Comma-separated agent names')
       .option('--no-semantic-search', 'Disable semantic search for tool discovery')
       .option('--exception-level <level>', 'Exception verbosity level', 'NONE')
@@ -191,8 +191,8 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
             allowedAudience: cliOptions.allowedAudience,
             allowedClients: cliOptions.allowedClients,
             allowedScopes: cliOptions.allowedScopes,
-            agentClientId: cliOptions.agentClientId,
-            agentClientSecret: cliOptions.agentClientSecret,
+            clientId: cliOptions.clientId,
+            clientSecret: cliOptions.clientSecret,
             agents: cliOptions.agents,
             enableSemanticSearch: cliOptions.semanticSearch !== false,
             exceptionLevel: cliOptions.exceptionLevel,
@@ -303,30 +303,32 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
     };
 
     if (options.authorizerType === 'CUSTOM_JWT' && options.discoveryUrl) {
+      const allowedAudience = options.allowedAudience
+        ? options.allowedAudience
+            .split(',')
+            .map(s => s.trim())
+            .filter(Boolean)
+        : undefined;
+      const allowedClients = options.allowedClients
+        ? options.allowedClients
+            .split(',')
+            .map(s => s.trim())
+            .filter(Boolean)
+        : undefined;
+      const allowedScopes = options.allowedScopes
+        ? options.allowedScopes
+            .split(',')
+            .map(s => s.trim())
+            .filter(Boolean)
+        : undefined;
+
       config.jwtConfig = {
         discoveryUrl: options.discoveryUrl,
-        allowedAudience: options.allowedAudience
-          ? options.allowedAudience
-              .split(',')
-              .map(s => s.trim())
-              .filter(Boolean)
-          : [],
-        allowedClients: options.allowedClients
-          ? options.allowedClients
-              .split(',')
-              .map(s => s.trim())
-              .filter(Boolean)
-          : [],
-        ...(options.allowedScopes
-          ? {
-              allowedScopes: options.allowedScopes
-                .split(',')
-                .map(s => s.trim())
-                .filter(Boolean),
-            }
-          : {}),
-        ...(options.agentClientId ? { agentClientId: options.agentClientId } : {}),
-        ...(options.agentClientSecret ? { agentClientSecret: options.agentClientSecret } : {}),
+        ...(allowedAudience?.length ? { allowedAudience } : {}),
+        ...(allowedClients?.length ? { allowedClients } : {}),
+        ...(allowedScopes?.length ? { allowedScopes } : {}),
+        ...(options.clientId ? { clientId: options.clientId } : {}),
+        ...(options.clientSecret ? { clientSecret: options.clientSecret } : {}),
       };
     }
 
@@ -374,8 +376,8 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
     mcpSpec.agentCoreGateways.push(gateway);
     await this.configIO.writeMcpSpec(mcpSpec);
 
-    // Auto-create OAuth credential if agent client credentials are provided
-    if (config.jwtConfig?.agentClientId && config.jwtConfig?.agentClientSecret) {
+    // Auto-create OAuth credential if client credentials are provided
+    if (config.jwtConfig?.clientId && config.jwtConfig?.clientSecret) {
       await this.createManagedOAuthCredential(config.name, config.jwtConfig);
     }
 
@@ -408,10 +410,9 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
     });
     await this.writeProjectSpec(project);
 
-    // Write client ID and client secret to .env
-    const envVarPrefix = computeDefaultCredentialEnvVarName(credentialName);
-    await setEnvVar(`${envVarPrefix}_CLIENT_ID`, jwtConfig.agentClientId!);
-    await setEnvVar(`${envVarPrefix}_CLIENT_SECRET`, jwtConfig.agentClientSecret!);
+    // Write client secret to .env
+    const envVarName = computeDefaultCredentialEnvVarName(credentialName);
+    await setEnvVar(envVarName, jwtConfig.clientSecret!);
   }
 
   /**
@@ -425,11 +426,9 @@ export class GatewayPrimitive extends BasePrimitive<AddGatewayOptions, Removable
     return {
       customJwtAuthorizer: {
         discoveryUrl: config.jwtConfig.discoveryUrl,
-        allowedAudience: config.jwtConfig.allowedAudience,
-        allowedClients: config.jwtConfig.allowedClients,
-        ...(config.jwtConfig.allowedScopes && config.jwtConfig.allowedScopes.length > 0
-          ? { allowedScopes: config.jwtConfig.allowedScopes }
-          : {}),
+        ...(config.jwtConfig.allowedAudience?.length ? { allowedAudience: config.jwtConfig.allowedAudience } : {}),
+        ...(config.jwtConfig.allowedClients?.length ? { allowedClients: config.jwtConfig.allowedClients } : {}),
+        ...(config.jwtConfig.allowedScopes?.length ? { allowedScopes: config.jwtConfig.allowedScopes } : {}),
       },
     };
   }

src/cli/tui/hooks/useCreateMcp.ts

@@ -31,8 +31,8 @@ export function useCreateGateway() {
         allowedAudience: config.jwtConfig?.allowedAudience?.join(','),
         allowedClients: config.jwtConfig?.allowedClients?.join(','),
         allowedScopes: config.jwtConfig?.allowedScopes?.join(','),
-        agentClientId: config.jwtConfig?.agentClientId,
-        agentClientSecret: config.jwtConfig?.agentClientSecret,
+        clientId: config.jwtConfig?.clientId,
+        clientSecret: config.jwtConfig?.clientSecret,
         enableSemanticSearch: config.enableSemanticSearch,
         exceptionLevel: config.exceptionLevel,
         policyEngine: config.policyEngineConfiguration?.policyEngineName,