Story
Resolution: Unresolved
Normal
Product / Portfolio Work
Summary
Verify that we can identify incoming users from request headers and extract data relevant to that user. Implement a single read-only MCP tool as a proof of concept, for example an alternative to the principals GET endpoint.
Details
The MCP server needs to extract the user identity from the x-rh-identity header to scope responses to the authenticated user. FastMCP supports accessing HTTP headers via dependency injection or the get_http_headers function:
https://gofastmcp.com/servers/dependency-injection#http-headers
A single tool should be implemented to validate this approach end-to-end (e.g. a tool that returns the user's principals).
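An added sketch of the approach described above, not code from the project: it decodes the header, fails closed when it is missing or malformed, and scopes a read-only lookup to the caller. Assumptions: x-rh-identity carries base64-encoded JSON with identity.org_id and identity.user.username; the PRINCIPALS data, the server name and scoping by org are constructed for illustration; the FastMCP wiring is skipped when FastMCP is not installed.

```python
import base64
import binascii
import json

HEADER = "x-rh-identity"
# Constructed sample data standing in for the principals backend.
PRINCIPALS = [
    {"org_id": "1001", "username": "alice"},
    {"org_id": "1001", "username": "bob"},
    {"org_id": "2002", "username": "mallory"},
]

class IdentityError(Exception):
    """Raised when the identity header is missing or malformed."""

def identity_from_headers(headers):
    """Decode x-rh-identity (assumed: base64-encoded JSON) and fail closed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(HEADER)
    if not raw:
        raise IdentityError("missing identity header")
    try:
        identity = json.loads(base64.b64decode(raw, validate=True))["identity"]
        org_id = identity["org_id"]
        username = identity["user"]["username"]
    except (binascii.Error, ValueError, KeyError, TypeError):
        raise IdentityError("malformed identity header") from None
    if not all(isinstance(v, str) and v for v in (org_id, username)):
        raise IdentityError("incomplete identity")
    return {"org_id": org_id, "username": username}

def principals_for(headers):
    """Read-only lookup scoped to the caller's org; takes no caller-chosen ids."""
    who = identity_from_headers(headers)
    return [p["username"] for p in PRINCIPALS if p["org_id"] == who["org_id"]]

try:  # Wire into FastMCP only when it is installed.
    from fastmcp import FastMCP
    from fastmcp.server.dependencies import get_http_headers

    mcp = FastMCP("principals-poc")  # hypothetical server name

    @mcp.tool()
    def list_principals() -> list[str]:
        """Principals in the authenticated user's organization."""
        return principals_for(get_http_headers())
except ImportError:
    mcp = None
```

The tool takes no arguments, so the scope comes only from the header set upstream and cannot be widened by the MCP client.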
Authentication Note
The x-rh-identity header will be replaced by a different authentication method in the future. Currently, our infrastructure does not allow following the MCP spec to the letter regarding authentication. Work is being done to determine the proper approach that follows both the MCP spec and Red Hat guidelines for auth.
Until a compliant auth solution is in place, the MCP server must not be exposed outside of stage.
Acceptance Criteria
- User identity is successfully extracted from request headers.
- A single read-only MCP tool is implemented that returns user-scoped data (e.g. principals).
- The tool correctly scopes its response to the authenticated user.