@centrali-io/centrali-mcp 5.0.3 → 5.1.0

package/README.md

@@ -266,7 +266,7 @@ After connecting, call `describe_centrali` first — it returns the full capabil
 ### Identity
 | Tool | Description |
 |------|-------------|
-| `get_current_identity` | Get the MCP's own service account ID and details |
+| `get_current_identity` | Get the current authenticated MCP identity (service account or OAuth user) |
 
 ### Structures (Deprecated)
 | Tool | Description |

package/dist/index.js

@@ -78,7 +78,10 @@ function main() {
         (0, validation_js_1.registerValidationTools)(server, sdk);
         (0, pages_js_1.registerPageTools)(server, sdk, baseUrl, workspaceId);
         (0, auth_providers_js_1.registerAuthProviderTools)(server, sdk, baseUrl, workspaceId);
-        (0, service_accounts_js_1.registerServiceAccountTools)(server, sdk, baseUrl, workspaceId, clientId);
+        (0, service_accounts_js_1.registerServiceAccountTools)(server, sdk, baseUrl, workspaceId, {
+            clientId,
+            isServiceAccount: true,
+        });
         (0, describe_js_1.registerDescribeTools)(server);
         // Register resources
         (0, structures_js_2.registerCollectionResources)(server, sdk);

package/dist/tools/service-accounts.d.ts

@@ -1,3 +1,9 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { CentraliSDK } from "@centrali-io/centrali-sdk";
-export declare function registerServiceAccountTools(server: McpServer, sdk: CentraliSDK, centraliUrl: string, workspaceId: string, ownClientId?: string): void;
+export interface CurrentIdentityContext {
+    clientId?: string;
+    userId?: string;
+    scopes?: string[];
+    isServiceAccount?: boolean;
+}
+export declare function registerServiceAccountTools(server: McpServer, sdk: CentraliSDK, centraliUrl: string, workspaceId: string, currentIdentity?: CurrentIdentityContext): void;

package/dist/tools/service-accounts.js

@@ -85,16 +85,42 @@ function formatError(error, context) {
     }
     return `Error ${context}: ${error instanceof Error ? error.message : String(error)}`;
 }
-function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, ownClientId) {
+function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, currentIdentity) {
     const getSaClient = () => createIamClient(sdk, centraliUrl, workspaceId, "service-accounts");
+    const getUsersClient = () => createIamClient(sdk, centraliUrl, workspaceId, "users");
     const getRolesClient = () => createIamClient(sdk, centraliUrl, workspaceId, "roles");
     const getGroupsClient = () => createIamClient(sdk, centraliUrl, workspaceId, "groups");
     // ── Identity ─────────────────────────────────────────────────────
-    server.tool("get_current_identity", "Get the current MCP service account's identity — its numeric ID, clientId, name, roles, and groups. Call this first when you need to check or fix your own permissions (e.g., after a 403 error). Returns the SA details needed for scan_service_account_permissions and generate_remediation.", {}, () => __awaiter(this, void 0, void 0, function* () {
-        var _a, _b, _c;
+    server.tool("get_current_identity", "Get the current authenticated MCP identity. In stdio/service-account mode, returns the MCP service account. In hosted OAuth mode, fetches the authenticated user's profile, roles, and groups from IAM.", {}, () => __awaiter(this, void 0, void 0, function* () {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p;
         try {
+            if ((currentIdentity === null || currentIdentity === void 0 ? void 0 : currentIdentity.userId) && !currentIdentity.isServiceAccount) {
+                const meRes = yield getUsersClient().get("/me");
+                const user = meRes.data;
+                return {
+                    content: [{
+                            type: "text",
+                            text: JSON.stringify({
+                                identityType: "user",
+                                userId: (_a = user.id) !== null && _a !== void 0 ? _a : currentIdentity.userId,
+                                email: (_b = user.email) !== null && _b !== void 0 ? _b : null,
+                                name: (_d = (_c = user.name) !== null && _c !== void 0 ? _c : user.displayName) !== null && _d !== void 0 ? _d : null,
+                                firstName: (_e = user.firstName) !== null && _e !== void 0 ? _e : null,
+                                lastName: (_f = user.lastName) !== null && _f !== void 0 ? _f : null,
+                                username: (_g = user.username) !== null && _g !== void 0 ? _g : null,
+                                roles: ((_h = user.roles) !== null && _h !== void 0 ? _h : []).map((r) => { var _a; return (_a = r.name) !== null && _a !== void 0 ? _a : r; }),
+                                groups: ((_j = user.groups) !== null && _j !== void 0 ? _j : []).map((g) => { var _a; return (_a = g.name) !== null && _a !== void 0 ? _a : g; }),
+                                scopes: (_k = currentIdentity.scopes) !== null && _k !== void 0 ? _k : [],
+                                workspace: workspaceId,
+                                oauthClientId: (_l = currentIdentity.clientId) !== null && _l !== void 0 ? _l : null,
+                                _hint: "Authenticated via OAuth user token. Roles and groups are fetched from IAM. Scopes come from the OAuth token. If a tool still returns 403, check both OAuth scopes and workspace IAM policies. Service-account remediation tools do not apply to user identities.",
+                            }, null, 2),
+                        }],
+                };
+            }
+            const ownClientId = currentIdentity === null || currentIdentity === void 0 ? void 0 : currentIdentity.clientId;
             const result = yield getSaClient().get("/", { params: { pageSize: 100 } });
-            const accounts = (_c = (_b = (_a = result.data) === null || _a === void 0 ? void 0 : _a.data) !== null && _b !== void 0 ? _b : result.data) !== null && _c !== void 0 ? _c : [];
+            const accounts = (_p = (_o = (_m = result.data) === null || _m === void 0 ? void 0 : _m.data) !== null && _o !== void 0 ? _o : result.data) !== null && _p !== void 0 ? _p : [];
             const me = Array.isArray(accounts)
                 ? accounts.find((sa) => sa.clientId === ownClientId)
                 : null;
@@ -105,7 +131,7 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, ownC
                             text: JSON.stringify({
                                 error: "Could not identify current service account",
                                 clientId: ownClientId,
-                                hint: "The service account may not have permission to list service accounts, or the clientId doesn't match any SA in this workspace.",
+                                hint: "The service account may not have permission to list service accounts, or the clientId doesn't match any service account in this workspace.",
                             }, null, 2),
                         }],
                     isError: true,
@@ -115,11 +141,13 @@ function registerServiceAccountTools(server, sdk, centraliUrl, workspaceId, ownC
                 content: [{
                         type: "text",
                         text: JSON.stringify({
+                            identityType: "service-account",
                             id: me.id,
                             clientId: me.clientId,
                             name: me.name,
                             description: me.description,
                             revoked: me.revoked,
+                            workspace: workspaceId,
                             _hint: "Use this 'id' (numeric) with scan_service_account_permissions, simulate_service_account_permission, and generate_remediation to check or fix your own permissions.",
                         }, null, 2),
                     }],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@centrali-io/centrali-mcp",
-  "version": "5.0.3",
+  "version": "5.1.0",
   "description": "Centrali MCP Server - AI assistant integration for Centrali workspaces",
   "main": "dist/index.js",
   "type": "commonjs",

package/src/index.ts

@@ -75,7 +75,10 @@ async function main() {
   registerValidationTools(server, sdk);
   registerPageTools(server, sdk, baseUrl, workspaceId);
   registerAuthProviderTools(server, sdk, baseUrl, workspaceId);
-  registerServiceAccountTools(server, sdk, baseUrl, workspaceId, clientId);
+  registerServiceAccountTools(server, sdk, baseUrl, workspaceId, {
+    clientId,
+    isServiceAccount: true,
+  });
   registerDescribeTools(server);
 
   // Register resources

package/src/tools/service-accounts.ts

@@ -78,8 +78,22 @@ function formatError(error: unknown, context: string): string {
   return `Error ${context}: ${error instanceof Error ? error.message : String(error)}`;
 }
 
-export function registerServiceAccountTools(server: McpServer, sdk: CentraliSDK, centraliUrl: string, workspaceId: string, ownClientId?: string) {
+export interface CurrentIdentityContext {
+  clientId?: string;
+  userId?: string;
+  scopes?: string[];
+  isServiceAccount?: boolean;
+}
+
+export function registerServiceAccountTools(
+  server: McpServer,
+  sdk: CentraliSDK,
+  centraliUrl: string,
+  workspaceId: string,
+  currentIdentity?: CurrentIdentityContext,
+) {
   const getSaClient = () => createIamClient(sdk, centraliUrl, workspaceId, "service-accounts");
+  const getUsersClient = () => createIamClient(sdk, centraliUrl, workspaceId, "users");
   const getRolesClient = () => createIamClient(sdk, centraliUrl, workspaceId, "roles");
   const getGroupsClient = () => createIamClient(sdk, centraliUrl, workspaceId, "groups");
 
@@ -87,10 +101,37 @@ export function registerServiceAccountTools(server: McpServer, sdk: CentraliSDK,
 
   server.tool(
     "get_current_identity",
-    "Get the current MCP service account's identity — its numeric ID, clientId, name, roles, and groups. Call this first when you need to check or fix your own permissions (e.g., after a 403 error). Returns the SA details needed for scan_service_account_permissions and generate_remediation.",
+    "Get the current authenticated MCP identity. In stdio/service-account mode, returns the MCP service account. In hosted OAuth mode, fetches the authenticated user's profile, roles, and groups from IAM.",
     {},
     async () => {
       try {
+        if (currentIdentity?.userId && !currentIdentity.isServiceAccount) {
+          const meRes = await getUsersClient().get("/me");
+          const user = meRes.data;
+
+          return {
+            content: [{
+              type: "text",
+              text: JSON.stringify({
+                identityType: "user",
+                userId: user.id ?? currentIdentity.userId,
+                email: user.email ?? null,
+                name: user.name ?? user.displayName ?? null,
+                firstName: user.firstName ?? null,
+                lastName: user.lastName ?? null,
+                username: user.username ?? null,
+                roles: (user.roles ?? []).map((r: any) => r.name ?? r),
+                groups: (user.groups ?? []).map((g: any) => g.name ?? g),
+                scopes: currentIdentity.scopes ?? [],
+                workspace: workspaceId,
+                oauthClientId: currentIdentity.clientId ?? null,
+                _hint: "Authenticated via OAuth user token. Roles and groups are fetched from IAM. Scopes come from the OAuth token. If a tool still returns 403, check both OAuth scopes and workspace IAM policies. Service-account remediation tools do not apply to user identities.",
+              }, null, 2),
+            }],
+          };
+        }
+
+        const ownClientId = currentIdentity?.clientId;
         const result = await getSaClient().get("/", { params: { pageSize: 100 } });
         const accounts = result.data?.data ?? result.data ?? [];
         const me = Array.isArray(accounts)
@@ -104,7 +145,7 @@ export function registerServiceAccountTools(server: McpServer, sdk: CentraliSDK,
               text: JSON.stringify({
                 error: "Could not identify current service account",
                 clientId: ownClientId,
-                hint: "The service account may not have permission to list service accounts, or the clientId doesn't match any SA in this workspace.",
+                hint: "The service account may not have permission to list service accounts, or the clientId doesn't match any service account in this workspace.",
               }, null, 2),
             }],
             isError: true,
@@ -115,11 +156,13 @@ export function registerServiceAccountTools(server: McpServer, sdk: CentraliSDK,
           content: [{
             type: "text",
             text: JSON.stringify({
+              identityType: "service-account",
               id: me.id,
               clientId: me.clientId,
               name: me.name,
               description: me.description,
               revoked: me.revoked,
+              workspace: workspaceId,
               _hint: "Use this 'id' (numeric) with scan_service_account_permissions, simulate_service_account_permission, and generate_remediation to check or fix your own permissions.",
             }, null, 2),
           }],