
mcp-data-platform-v1.55.2


github-actions released this 12 Apr 17:32
863ccf7

Resource permission system no longer hard-codes role names

The resource permission system (isPlatformAdmin and isPersonaAdmin) checked for literal role strings like "admin", "platform-admin", and "persona-admin:finance". This failed when roles carried an OIDC prefix configured via role_prefix — the raw role strings (e.g., myprefix_admin) didn't match the hard-coded literals even though the persona mapper correctly resolved the prefixed role to the admin persona.

Impact: Users with prefixed admin roles could not write to global-scope managed resources, and persona admins with prefixed roles could not write to their persona's resources. Deployments without a role_prefix were unaffected.

What changed

isPlatformAdmin — now checks Claims.IsAdmin (a boolean resolved at auth time by comparing the user's persona against the configured admin persona from Config.Admin.Persona). The existing literal role checks ("admin", "platform-admin") remain as backward-compatible fallback for deployments that assign roles directly without persona mapping.

isPersonaAdmin — now checks Claims.AdminOfPersonas (a string slice resolved at auth time by extracting persona names from roles matching the persona-admin: pattern, tolerating any prefix). The existing literal role check remains as fallback.

MCPToolCallMiddleware — now accepts a ToolCallConfig struct instead of individual parameters. The struct carries AdminPersona (from platform config) so the middleware can set PlatformContext.IsAdmin during auth/authz. This also resolved a lint violation (6 positional arguments exceeded the 5-argument limit).

Both code paths updated:

  • MCP path: MCPToolCallMiddleware sets PlatformContext.IsAdmin after persona resolution. The managed resources middleware propagates it to resource.Claims.
  • REST API path: buildResourceClaims sets Claims.IsAdmin and Claims.AdminOfPersonas from the persona registry and role patterns.
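As an added illustration (not the project's own code), the pre-fix literal check beside the fixed checks in Go; Claims, resolveClaims and hasRole are simplified stand-ins for the auth-time resolution described above, and the persona mapper is assumed to have already mapped the user's prefixed role to a persona:

```go
package main

import (
	"fmt"
	"strings"
)

// Claims is a constructed stand-in for the project's resource-permission claims.
type Claims struct {
	Roles           []string
	IsAdmin         bool     // user's persona == configured admin persona
	AdminOfPersonas []string // persona names from persona-admin:<name> roles, any prefix
}

// resolveClaims mirrors the auth-time resolution: persona is the user's mapped persona,
// adminPersona is admin.persona. Cutting at "persona-admin:" tolerates any OIDC role_prefix.
func resolveClaims(roles []string, persona, adminPersona string) Claims {
	c := Claims{Roles: roles, IsAdmin: persona == adminPersona}
	for _, r := range roles {
		if _, name, ok := strings.Cut(r, "persona-admin:"); ok && name != "" {
			c.AdminOfPersonas = append(c.AdminOfPersonas, name)
		}
	}
	return c
}

func hasRole(list []string, want string) bool {
	for _, s := range list {
		if s == want {
			return true
		}
	}
	return false
}

// isPlatformAdminLiteral is the pre-fix check: a prefixed role such as "myprefix_admin" never matches.
func isPlatformAdminLiteral(c Claims) bool { return hasRole(c.Roles, "admin") || hasRole(c.Roles, "platform-admin") }

// isPlatformAdmin is the fixed check: persona-derived flag first, literal roles as fallback.
func isPlatformAdmin(c Claims) bool { return c.IsAdmin || isPlatformAdminLiteral(c) }

// isPersonaAdmin checks AdminOfPersonas first, then the unprefixed literal role as fallback.
func isPersonaAdmin(c Claims, persona string) bool {
	return hasRole(c.AdminOfPersonas, persona) || hasRole(c.Roles, "persona-admin:"+persona)
}

func main() {
	c := resolveClaims([]string{"myprefix_admin", "myprefix_persona-admin:finance"}, "admin", "admin") // constructed roles
	fmt.Println(isPlatformAdminLiteral(c), isPlatformAdmin(c), isPersonaAdmin(c, "finance"))          // false true true
}
```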

Upgrade notes

  • No config changes required. The fix reads the existing admin.persona config field (defaults to "admin") to determine which persona grants platform admin.
  • Deployments using role_prefix in their OIDC config will now correctly grant resource write permissions to admin and persona-admin users.
  • The ToolCallConfig struct is a breaking API change for anyone calling MCPToolCallMiddleware directly outside this codebase. The fix is to replace positional arguments with the struct.

Installation

Homebrew (macOS)

brew install txn2/tap/mcp-data-platform

Claude Code CLI

claude mcp add mcp-data-platform -- mcp-data-platform

Docker

docker pull ghcr.io/txn2/mcp-data-platform:v1.55.2

Verification

All release artifacts are signed with Cosign. Verify with:

cosign verify-blob --bundle mcp-data-platform_1.55.2_linux_amd64.tar.gz.sigstore.json \
  mcp-data-platform_1.55.2_linux_amd64.tar.gz