feat(auth/identity): add self introspection tools for caller token and entity context#84
czembower wants to merge 2 commits into
Pull request overview
Adds caller-context (“self”) introspection tools to the Vault MCP server to enable workflows that need to understand the current token and its associated identity entity.
Changes:
- Added `lookup_self` tool to read `auth/token/lookup-self` for the current token.
- Added `introspect_self` tool to combine token lookup data with identity entity data when `entity_id` is present.
- Added `read_entity_self` tool to resolve `entity_id` from token lookup and read the corresponding identity entity.
- Registered the new tools in the global tool initialization.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| pkg/tools/tools.go | Registers the new auth/identity “self” tools with the MCP server. |
| pkg/tools/auth/lookup_self.go | Implements a tool that returns lookup-self token details (with optional namespace). |
| pkg/tools/auth/introspect_self.go | Implements a tool that returns token lookup plus (optionally) entity data. |
| pkg/tools/identity/read_entity_self.go | Implements a tool that reads the caller’s identity entity via entity_id resolution. |
| args, ok := req.Params.Arguments.(map[string]interface{}) | ||
| if !ok { | ||
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil |
These tool params are optional (only namespace with a default), but the handler hard-requires req.Params.Arguments to be a map[string]interface{}. If the client omits the arguments field entirely, this will always return "Missing or invalid arguments format" and the tool can’t be called with defaults. Consider treating a nil/absent Arguments as an empty map and only erroring when Arguments is present but of the wrong type.
| args, ok := req.Params.Arguments.(map[string]interface{}) | |
| if !ok { | |
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil | |
| var args map[string]interface{} | |
| if req.Params.Arguments == nil { | |
| args = map[string]interface{}{} | |
| } else { | |
| var ok bool | |
| args, ok = req.Params.Arguments.(map[string]interface{}) | |
| if !ok { | |
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil | |
| } |
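Review bot: the same nil-intolerant `args, ok := req.Params.Arguments.(map[string]interface{})` block appears in all three new handlers (lookup_self.go, introspect_self.go, read_entity_self.go), and the suggested replacement would copy the nine-line nil/absent handling into each of them. Put the unwrapping in one shared helper and call it from each tool, so the "absent means empty map, wrong type means error" rule stays consistent and a future change to the Arguments type only has to be made once.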
| args, ok := req.Params.Arguments.(map[string]interface{}) | ||
| if !ok { | ||
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil |
These tool params are optional (only namespace with a default), but the handler hard-requires req.Params.Arguments to be a map[string]interface{}. If the client omits the arguments field entirely, this will always return "Missing or invalid arguments format" and the tool can’t be called with defaults. Consider treating a nil/absent Arguments as an empty map and only erroring when Arguments is present but of the wrong type.
| args, ok := req.Params.Arguments.(map[string]interface{}) | |
| if !ok { | |
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil | |
| var args map[string]interface{} | |
| if req.Params.Arguments == nil { | |
| args = map[string]interface{}{} | |
| } else { | |
| var ok bool | |
| args, ok = req.Params.Arguments.(map[string]interface{}) | |
| if !ok { | |
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil | |
| } |
| args, ok := req.Params.Arguments.(map[string]interface{}) | ||
| if !ok { | ||
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil |
These tool params are optional (only namespace with a default), but the handler hard-requires req.Params.Arguments to be a map[string]interface{}. If the client omits the arguments field entirely, this will always return "Missing or invalid arguments format" and the tool can’t be called with defaults. Consider treating a nil/absent Arguments as an empty map and only erroring when Arguments is present but of the wrong type.
| args, ok := req.Params.Arguments.(map[string]interface{}) | |
| if !ok { | |
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil | |
| var args map[string]interface{} | |
| if req.Params.Arguments == nil { | |
| args = map[string]interface{}{} | |
| } else { | |
| var ok bool | |
| args, ok = req.Params.Arguments.(map[string]interface{}) | |
| if !ok { | |
| return mcp.NewToolResultError("Missing or invalid arguments format"), nil | |
| } |
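To make the nil-tolerant unwrapping discussed in the three review comments above concrete, here is an added example (not code from the PR or from the Vault MCP server project) of a shared helper the handlers could call; `argsFromRequest` and `optionalString` are hypothetical names, and the argument is typed `interface{}` to mirror the type assertion on `req.Params.Arguments` shown in the hunks.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrBadArguments is returned only when the client sent an arguments value
// of the wrong shape; an absent (nil) arguments field is not an error.
var ErrBadArguments = errors.New("missing or invalid arguments format")

// argsFromRequest (hypothetical helper) treats a nil/absent Arguments value as
// an empty map, returns a map as-is, and rejects anything else.
func argsFromRequest(raw interface{}) (map[string]interface{}, error) {
	if raw == nil {
		return map[string]interface{}{}, nil
	}
	args, ok := raw.(map[string]interface{})
	if !ok {
		return nil, fmt.Errorf("%w: got %T", ErrBadArguments, raw)
	}
	return args, nil
}

// optionalString reads an optional string parameter such as "namespace" and
// falls back to def when it is absent, nil or empty. A present value of the
// wrong type is reported instead of being silently replaced by the default.
func optionalString(args map[string]interface{}, key, def string) (string, error) {
	v, present := args[key]
	if !present || v == nil {
		return def, nil
	}
	s, ok := v.(string)
	if !ok {
		return "", fmt.Errorf("parameter %q must be a string, got %T", key, v)
	}
	if s == "" {
		return def, nil
	}
	return s, nil
}

func main() {
	// Constructed inputs: a call with no arguments field, and one with a namespace.
	for _, raw := range []interface{}{nil, map[string]interface{}{"namespace": "team-a/"}} {
		args, err := argsFromRequest(raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		ns, err := optionalString(args, "namespace", "")
		fmt.Printf("namespace=%q err=%v\n", ns, err)
	}
}
```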
| } | ||
| } | ||
| jsonResult, err := json.MarshalIndent(result, "", " ") |
Repository tools generally marshal JSON responses with json.Marshal(...) (compact). Using json.MarshalIndent(...) here makes this tool’s output inconsistent and increases payload size without adding structured typing. Consider switching to json.Marshal for consistency with other tools.
| jsonResult, err := json.MarshalIndent(result, "", " ") | |
| jsonResult, err := json.Marshal(result) |
| "entity": entitySecret.Data, | ||
| } | ||
| jsonResult, err := json.MarshalIndent(result, "", " ") |
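Review bot: `"entity": entitySecret.Data` relays the entire identity entity document read for the caller (including its aliases and metadata) to the MCP client alongside the token lookup. If the tool's purpose is caller-context awareness, consider projecting the fields the workflow actually needs (for example id, name and policies) into the result instead of the raw map, and state in the tool description which fields are returned either way.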
Repository tools generally marshal JSON responses with json.Marshal(...) (compact). Using json.MarshalIndent(...) here makes this tool’s output inconsistent and increases payload size without adding structured typing. Consider switching to json.Marshal for consistency with other tools.
| jsonResult, err := json.MarshalIndent(result, "", " ") | |
| jsonResult, err := json.Marshal(result) |
| "data": secret.Data, | ||
| } | ||
| jsonResult, err := json.MarshalIndent(result, "", " ") |
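Review bot: `"data": secret.Data` returns the full lookup-self response, which includes the token accessor and any token metadata, not only the identity-related fields this tool is meant to expose. Prefer copying the fields a caller-context workflow needs (for example display_name, policies, entity_id and ttl) into the result and leaving the rest out; whichever subset you choose, document it in the tool description so clients do not come to rely on the raw map.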
Repository tools generally marshal JSON responses with json.Marshal(...) (compact). Using json.MarshalIndent(...) here makes this tool’s output inconsistent and increases payload size without adding structured typing. Consider switching to json.Marshal for consistency with other tools.
| jsonResult, err := json.MarshalIndent(result, "", " ") | |
| jsonResult, err := json.Marshal(result) |
Adds:
Enables caller-context-aware analysis workflows.
Registers all tools.
Scope: pkg/tools/auth/lookup_self.go, pkg/tools/auth/introspect_self.go, pkg/tools/identity/read_entity_self.go, pkg/tools/tools.go