@kevalmahajan kevalmahajan commented Nov 12, 2025

🐛 Bug-fix PR


📌 Summary

Closes #1392 (name uniqueness is already present, url uniqueness check is updated)

Implemented visibility-scoped uniqueness validation with credential-aware duplicate detection that handles encrypted authentication data and OAuth configurations, respecting user, team, and public boundaries. This ensures that each URL + credentials combination is unique within its visibility scope while allowing flexibility across different contexts.

Added a corresponding alembic script that removes the existing URL uniqueness constraint, since uniqueness is now handled in the application layer, allowing duplicate URLs but with additional checks.

🔁 Reproduction Steps

  1. Register a server with URL https://internal-api.company.com and credentials client_id=dev
  2. Someone else registers a gateway with the same URL https://internal-api.company.com but different credentials client_id=test
  3. Bug: Registration fails, preventing people from independently accessing the same API/URL with different credentials. This was possible with private-level resources, but if multiple people on the same team wanted to access that resource, it wasn't possible.

Expected: Different teams should access the same API with their own credentials
Actual: Rejected due to URL-only conflict check

🐞 Root Cause

Restrictive URL-Only Constraint

💡 Fix Description

High-Level Approach
Transformed the validation from "URL must be unique" to "URL + Credentials combination must be unique within scope":

OLD BEHAVIOR:

  • Same URL -> Always blocked (even with different credentials)
  • Same URL + Same credentials -> Sometimes allowed (encryption issues)

NEW BEHAVIOR:

  • Same URL + Different credentials -> Allowed
  • Same URL + Same credentials -> Blocked within scope
  • Proper encryption handling -> Accurate duplicate detection

| Visibility | Scope | Uniqueness Rule | Allows Duplicates? |
|---|---|---|---|
| Private | User-level | URL + credentials must be unique per user | ❌ No for the same user; ✅ Yes across different users |
| Team | Team-level | URL + credentials must be unique within the same team | ❌ No within the same team; ✅ Yes across different teams |
| Public | Global | URL + credentials must be globally unique | ❌ No, anywhere globally |

  1. Encrypted Credential Comparison: Decrypts auth_value before comparing to prevent false duplicates from different encryption outputs
  2. OAuth Configuration Matching: Compares key OAuth fields (grant_type, client_id, authorization_url, token_url, scope)
  3. Mandatory Authentication: Prevents URL-only gateways (must have either auth_value or oauth_config)
  4. Update Safety: Excludes current gateway when checking during updates
  5. User-Scoped Private Gateways: Each user can have unique URL+credential combinations in their private workspace

🧪 Verification

| Check | Command | Status |
|---|---|---|
| Lint suite | make lint | |
| Unit tests | make test | |
| Coverage ≥ 90 % | make coverage | |
| Manual regression | no longer fails | steps / screenshots |

📐 MCP Compliance (if relevant)

  • Matches current MCP spec
  • No breaking change to MCP clients

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • No secrets/credentials committed

Signed-off-by: Keval Mahajan <[email protected]>
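The rules listed under "Fix Description" (decrypt-before-compare, OAuth field matching, mandatory auth, update safety, and the per-visibility scope table), as an added illustrative example that is not the project's code. `encrypt`/`decrypt` are a stand-in for the real cipher (a random nonce makes each ciphertext differ, which is the reason for decrypting first), and the rule that the candidate's own visibility selects which existing rows are compared is an assumption inferred from the test table below.

```python
import base64
import os
from dataclasses import dataclass
from typing import Optional

# OAuth fields the PR says are compared for duplicate detection.
OAUTH_KEYS = ("grant_type", "client_id", "authorization_url", "token_url", "scope")


def encrypt(plaintext: str) -> str:
    """Stand-in cipher (assumption): a random nonce makes every output differ."""
    return base64.b64encode(os.urandom(4) + plaintext.encode()).decode()


def decrypt(blob: str) -> str:
    return base64.b64decode(blob)[4:].decode()


@dataclass
class Gateway:
    id: Optional[int]                 # None for a gateway not yet stored
    url: str
    visibility: str                   # "private" | "team" | "public"
    owner: str
    team: Optional[str] = None
    auth_value: Optional[str] = None  # encrypted credential blob
    oauth_config: Optional[dict] = None


def same_credentials(a: Gateway, b: Gateway) -> bool:
    # Decrypt before comparing: two encryptions of one secret are not byte-equal.
    if a.auth_value and b.auth_value:
        return decrypt(a.auth_value) == decrypt(b.auth_value)
    if a.oauth_config and b.oauth_config:
        return all(a.oauth_config.get(k) == b.oauth_config.get(k) for k in OAUTH_KEYS)
    return False


def in_scope(cand: Gateway, other: Gateway) -> bool:
    # Assumed rule: the candidate's visibility decides which existing rows count.
    if cand.visibility == "private":
        return other.owner == cand.owner      # unique per user
    if cand.visibility == "team":
        return other.team == cand.team        # unique within the team
    return True                               # public: globally unique


def check_unique(cand: Gateway, existing: list) -> Optional[str]:
    """Return an error message on conflict, None when registration is allowed."""
    if not cand.auth_value and not cand.oauth_config:
        return "gateway must carry auth_value or oauth_config"   # no URL-only gateways
    for g in existing:
        if g.id is not None and g.id == cand.id:                 # update safety
            continue
        if g.url == cand.url and in_scope(cand, g) and same_credentials(cand, g):
            return f"duplicate of gateway {g.id} within {cand.visibility} scope"
    return None
```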
omprak commented Nov 13, 2025

@kevalmahajan Our company has been looking for this feature for a long time and would like to access it using a Helm deployment. Would you be able to share the image tag for the Helm chart to pull this fix?


Hi @omprak,
Sure, once this PR is tested and approved, I can share the new image tag once that is created.

@rakdutta rakdutta self-requested a review November 13, 2025 05:28

@rakdutta rakdutta left a comment


Test Summary
All scenarios with different combinations of user, team, visibility, URL, and credential were tested.

🧩 Result:
All cases are working as expected — access behavior matches the configured visibility and credential rules.

| S.No | User | Team | Visibility | URL | Credential | Allowed |
|---|---|---|---|---|---|---|
| 1 | admin | dev | public | http://localhost:8001/sse | same | yes |
| 2 | admin | dev | public | http://localhost:8001/sse | same | no |
| 3 | admin | dev | team | http://localhost:8001/sse | same | yes |
| 4 | admin | dev | team | http://localhost:8001/sse | same | no |
| 5 | admin | dev | private | http://localhost:8001/sse | same | yes |
| 6 | admin | dev | private | http://localhost:8001/sse | same | no |
| 7 | rakhibiswas | dev | public | http://localhost:8001/sse | same | no |
| 8 | rakhibiswas | dev | team | http://localhost:8001/sse | same | no |
| 9 | rakhibiswas | dev | private | http://localhost:8001/sse | same | yes |
| 10 | admin | dev | team | http://localhost:8001/sse | different | yes |
| 11 | admin | dev | private | http://localhost:8001/sse | different | yes |
| 12 | admin | dev | public | http://localhost:8001/sse | different | yes |

@crivetimihai crivetimihai added the wxo wxo integration label Nov 13, 2025
@crivetimihai crivetimihai merged commit 6f44165 into main Nov 13, 2025
45 checks passed
@crivetimihai crivetimihai deleted the improve_gateway_duplication_check branch November 13, 2025 08:39
Nayana-R-Gowda pushed a commit that referenced this pull request Nov 14, 2025
…ditions (#1424)

* improved duplicated gateway check

* error message changes

* check gateway uniqueness while updating too

* linting

* code linting

* added alembic migration script for removal of url uniqueness constraint

* lints

* updated doctest

* updated test cases

* removed unused import

* updated docstring

---------

Signed-off-by: Keval Mahajan <[email protected]>
omprak commented Nov 16, 2025

@kevalmahajan We are using Helm/Argo to deploy the context forge gateway. Would you be able to advise how to use the "main" branch code as the image id to pull the latest changes for this Jira and the other blocker Jira, #1412? We would like to replace it with the image id of the main branch code.

image:
  repository: ghcr.io/ibm/mcp-context-forge
  tag: latest # pin a specific immutable tag in production
  #pullPolicy: IfNotPresent
  pullPolicy: Always # always pull the latest image; useful for dev/testing

Successfully merging this pull request may close these issues.

Feature Request: Allow Multiple MCP Gateway Registrations with the Same Gateway URL

5 participants