fix: CDK template types and credential ARN passthrough for gateway deploy

[aidandaly24]

Description

Fixes CDK template types, credential handling, and deploy flow ordering for gateway target deployment.

CDK template type mismatches (1ee255f)

• McpSpec → AgentCoreMcpSpec (type was renamed in CDK package)
• Removed McpDeployedState — no longer exists in CDK package
• Fixed prop names passed to AgentCoreMcp: projectName, mcpSpec, agentCoreApplication
• Removed unused fs import from bin/cdk.ts

API key credential ARNs not collected during deploy (e178d79)

• createApiKeyProvider and updateApiKeyProvider now fetch and return credentialProviderArn via Get call after create/update
• ApiKeyProviderSetupResult now includes credentialProviderArn field
• Unified deployedCredentials map collects ARNs from both API Key and OAuth credential providers (previously only OAuth ARNs were collected)
• Moved credential setup BEFORE CDK synth (was after synth) so credential ARNs are available when the CDK template reads deployed state
• Writes partial deployed state with credential ARNs before synth without corrupting existing agents/gateways/stackName

CDK template credential passthrough (ac4a5af)

• bin/cdk.ts reads deployed-state.json and extracts credential ARNs per deployment target
• cdk-stack.ts accepts credentials prop and passes it to AgentCoreMcp construct
• Gateway targets with outbound auth (API Key, OAuth) can now resolve credential provider ARNs during CDK synth

TUI deploy flow reorder (e01a7fc)

• Moved credential check (hasIdentityApiProviders + hasIdentityOAuthProviders) before CDK synth in TUI preflight
• Identity-setup handler writes partial deployed state and re-synths after credential creation
• Both CLI and TUI deploy paths now create credentials before synth

OAuth credential ARN fetch (8303abc)

• createOAuth2Provider and updateOAuth2Provider now fetch credentialProviderArn via Get call after create/update (same pattern as API Key fix)

Gateway output parser (c54ade7)

• Handle Mcp prefix in CloudFormation output keys (CDK nests gateway under Mcp/Gateway{Name}, producing output keys like McpGatewayMyGatewayUrlOutput instead of GatewayMyGatewayUrlOutput)

CDK version bump (1d78ead)

• Bump aws-cdk-lib to 2.239.0 in project template — required for credentialProviderConfigurations to be optional (NoAuth support for MCP server targets)

Without these fixes, deploying a gateway target with outbound auth fails with Credential "X" not found in deployed state.

Related Issue

Part of the MCP Gateway Phase 1 integration (gateway-integration branch).

Type of Change

• Bug fix

Testing

• I ran npm run test:unit and npm run test:integ
• I ran npm run typecheck
• I ran npm run lint
• If I modified src/assets/, I ran npm run test:update-snapshots and committed the updated snapshots

End-to-end tested: deployed gateway targets with both OAuth and NoAuth, agent successfully invoked tools through the gateway.

Checklist

• I have read the CONTRIBUTING document
• I have added any necessary tests that prove my fix is effective or my feature works
• I have updated the documentation accordingly
• I have added an appropriate example to the documentation to outline the feature, or no new docs are needed
• My changes generate no new warnings
• Any dependent changes have been merged and published

[jesseturner21]

lgtm