Extend whoami and profile metadata for environment.service.identity addressing #104

Open
opened 2026-07-02 17:37:14 -05:00 by sysadmin · 0 comments
Owner

Summary

Extend safe profile metadata and whoami output to support the profiles.json v2 environment → service → identity model.

Source discussion

Refs #100

Scope

Expose safe metadata such as:

  • environment
  • service
  • identity
  • role
  • profile address
  • execution profile
  • audit label
  • auth source type only, not secret value
  • normalized allowed operations
  • normalized forbidden operations

Security requirements

  • Never expose tokens, passwords, API keys, or raw keychain secret values.
  • Runtime whoami identity remains the source of truth.
  • Config-declared role is metadata only and must not bypass self-review/self-merge checks.
  • Metadata must make it obvious whether the active identity is author, reviewer, reader, or another service role.

Expected behavior

Examples:

prgs.gitea.author
prgs.gitea.reviewer
mdcps.gitea.author
mdcps.gitea.reviewer
mdcps.jenkins.reader
mdcps.glitchtip.reader

should surface safe context for handoff reports and controller debugging.

Non-goals

  • Do not implement v2 parser unless Issue #103 is already complete or this work is deliberately combined.
  • Do not change merge eligibility logic except to consume safe metadata if needed.
  • Do not expose secrets.
  • Do not create tags or release changes.

Acceptance criteria

  • whoami or equivalent profile inspection shows safe v2 metadata.
  • output includes environment/service/identity/role where available.
  • output remains safe for handoff reports.
  • tests confirm no secret values are exposed.
  • tests confirm runtime authenticated user remains separate from config-declared username/role.
sysadmin added the mcpsecurityenhancement labels 2026-07-02 17:38:18 -05:00
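A sketch of the allowlist approach the security requirements above call for, added here as an example and not taken from the project's code. The page does not show the profiles.json v2 schema, so every key name (`auth`, `type`, `username`, `execution_profile`, `audit_label`, `allowed_operations`, `forbidden_operations`) and every function name is a hypothetical assumption, and the sample profile is constructed.

```python
import json

SAFE_FIELDS = ("role", "execution_profile", "audit_label")  # hypothetical key names

def parse_address(address):
    """Split 'environment.service.identity' into its three parts."""
    parts = address.split(".")
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"expected environment.service.identity, got {address!r}")
    return dict(zip(("environment", "service", "identity"), parts))

def safe_whoami(address, profile, runtime_user):
    """Build metadata by allowlist; only the type is read from the auth block."""
    meta = parse_address(address)
    meta["profile_address"] = address
    for field in SAFE_FIELDS:
        if field in profile:
            meta[field] = profile[field]
    meta["auth_source_type"] = profile.get("auth", {}).get("type", "unknown")
    for key in ("allowed_operations", "forbidden_operations"):
        meta[key] = sorted({op.strip().lower() for op in profile.get(key, [])})
    # The runtime user comes from the authenticated session and is the source of
    # truth; config-declared values are reported beside it, never merged into it.
    meta["runtime_user"] = runtime_user
    meta["declared_username"] = profile.get("username")
    meta["declared_matches_runtime"] = profile.get("username") == runtime_user
    return meta

def leaks_secret(meta, profile):
    """True if any non-type value from the auth block appears in the rendered output."""
    rendered = json.dumps(meta)
    secrets = [v for k, v in profile.get("auth", {}).items() if k != "type"]
    return any(isinstance(s, str) and s and s in rendered for s in secrets)

# Constructed sample profile; the token is a made-up placeholder.
SAMPLE = {
    "username": "review-bot", "role": "reviewer",
    "execution_profile": "ci", "audit_label": "mdcps-gitea-reviewer",
    "auth": {"type": "keychain", "token": "EXAMPLE-NOT-A-REAL-TOKEN"},
    "allowed_operations": ["Review ", "comment"],
    "forbidden_operations": ["MERGE", "merge"],
}

if __name__ == "__main__":
    meta = safe_whoami("mdcps.gitea.reviewer", SAMPLE, "alice")
    assert not leaks_secret(meta, SAMPLE)
    print(json.dumps(meta, indent=2))
```

Building the output from an allowlist rather than deleting known secret keys means a new secret-bearing field added to a profile later is excluded by default.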