@thotischner/observability-mcp 1.7.0 → 1.8.1

package/config/products.yaml.example

@@ -0,0 +1,48 @@
+# MCP Products catalog — copy to products.yaml + set OMCP_PRODUCTS_FILE
+# to its path. See docs/products.md for the field reference.
+#
+# Every entry needs at minimum an id + name. Everything else is
+# optional. The server validates this file at boot via the same
+# parseProductsText pipeline the loader test suite exercises — a
+# typo (e.g. `toolss:` instead of `tools:`) fails the boot loudly
+# rather than silently dropping a grant.
+
+products:
+  - id: ops-bundle
+    name: Operations Bundle
+    description: Incident-response tools for the on-call SRE agent.
+    tools:
+      - query_logs
+      - query_metrics
+      - get_service_health
+    version: "1.0.0"
+    status: published
+    branding:
+      iconUrl: https://example.com/icons/ops.svg
+      color: "#3178c6"
+
+  - id: dev-bundle
+    name: Developer Bundle
+    description: Discovery + topology tools for the coding agent. Read-only.
+    tools:
+      - list_services
+      - get_topology
+    status: published
+
+  - id: experimental-bundle
+    name: Experimental Bundle
+    description: New tools being trialled internally. Hidden from agents.
+    tools:
+      - query_logs
+      - get_topology
+    status: staging                    # admin-only until promoted
+
+  # Multi-tenant example: a product visible only to the "acme" tenant.
+  # Remove the tenant: line (or leave it unset) to land in "default".
+  - id: acme-compliance
+    name: Acme Compliance Read-Only
+    description: Logs query for Acme's compliance team agent.
+    tools:
+      - query_logs
+    status: published
+    tenant: acme

package/dist/audit/log.d.ts

@@ -0,0 +1,99 @@
+/**
+ * Append-only audit log for the management plane.
+ *
+ * Distinct from the enterprise-gate audit (`enterprise/audit/`) which
+ * records every gated MCP tool call. This one records every mutating
+ * `/api/*` request (sources/settings/health-thresholds/connectors)
+ * so an operator can answer "who changed what, when".
+ *
+ * On-disk format is JSONL with one entry per line. Each line includes
+ * `prevHash` and `hash` (SHA-256 over the canonical JSON of the entry
+ * without the hash field itself, plus the previous hash) — a
+ * tamper-evident chain that `scripts/verify-audit.mjs` can walk.
+ *
+ * In-memory mode (no `OMCP_MGMT_AUDIT_FILE`) keeps the last
+ * `inMemoryCap` entries in a ring buffer so the UI's audit tab still
+ * shows something even without persistence configured. This is the
+ * default in the demo / single-user case.
+ */
+export interface AuditEntry {
+    /** RFC-3339 UTC timestamp. */
+    ts: string;
+    /** Monotonically-increasing per-process sequence number. */
+    seq: number;
+    /** Identity that triggered the change. "anonymous" when auth is off. */
+    actor: {
+        sub: string;
+        name?: string;
+    };
+    /** Tenant the actor belonged to at the time of the action.
+     *  Omitted on pre-E7 entries; readers default to "default". */
+    tenant?: string;
+    /** Logical resource + action, mirrors the RBAC vocabulary. */
+    resource: string;
+    action: string;
+    /** Full request method + path for easy reading in the UI. */
+    method: string;
+    path: string;
+    /** HTTP status code emitted by the gated handler. */
+    status: number;
+    /** Source IP, best-effort (honours X-Forwarded-For when trust-proxy is set). */
+    ip?: string;
+    /** Optional resource identifier extracted from the path (`:name` param). */
+    target?: string;
+    /** Tamper-evident chain. */
+    prevHash: string;
+    hash: string;
+}
+export interface AuditLogConfig {
+    /** Absolute path to a JSONL file. When undefined, the log lives in
+     * memory only. */
+    file?: string;
+    /** How many recent entries to keep in memory regardless of file mode. */
+    inMemoryCap?: number;
+}
+export declare const DEFAULT_IN_MEMORY_CAP = 500;
+export declare class AuditLog {
+    private readonly cap;
+    private readonly file;
+    private ring;
+    private lastHash;
+    private seq;
+    private writeQueue;
+    private bootstrapped;
+    constructor(cfg?: AuditLogConfig);
+    /**
+     * If a file is configured, replay it to recover seq + lastHash so a
+     * server restart picks up the chain exactly where it left off.
+     * Safe to call multiple times — bootstraps once and caches.
+     */
+    bootstrap(): Promise<void>;
+    /**
+     * Record an event. Returns the canonical entry (with chain fields)
+     * once enqueued; persistence to disk completes asynchronously.
+     */
+    record(input: Omit<AuditEntry, "ts" | "seq" | "prevHash" | "hash">): Promise<AuditEntry>;
+    /** Snapshot of the in-memory ring (most recent last). */
+    list(opts?: {
+        from?: string;
+        to?: string;
+        actor?: string;
+        action?: string;
+        limit?: number;
+        tenant?: string;
+    }): AuditEntry[];
+    /** For verification scripts. */
+    get tipHash(): string;
+    get nextSeq(): number;
+}
+/** Stable hash of an entry-without-hash, against `prevHash` already present. */
+export declare function chainHash(entryWithoutHash: Omit<AuditEntry, "hash">): string;
+/** Walk a JSONL file end-to-end and confirm every entry's hash matches
+ * the chain. Used by the offline verifier CLI. */
+export declare function verifyChain(entries: AuditEntry[]): {
+    ok: true;
+} | {
+    ok: false;
+    brokenAt: number;
+    reason: string;
+};

package/dist/audit/log.js

@@ -0,0 +1,180 @@
+/**
+ * Append-only audit log for the management plane.
+ *
+ * Distinct from the enterprise-gate audit (`enterprise/audit/`) which
+ * records every gated MCP tool call. This one records every mutating
+ * `/api/*` request (sources/settings/health-thresholds/connectors)
+ * so an operator can answer "who changed what, when".
+ *
+ * On-disk format is JSONL with one entry per line. Each line includes
+ * `prevHash` and `hash` (SHA-256 over the canonical JSON of the entry
+ * without the hash field itself, plus the previous hash) — a
+ * tamper-evident chain that `scripts/verify-audit.mjs` can walk.
+ *
+ * In-memory mode (no `OMCP_MGMT_AUDIT_FILE`) keeps the last
+ * `inMemoryCap` entries in a ring buffer so the UI's audit tab still
+ * shows something even without persistence configured. This is the
+ * default in the demo / single-user case.
+ */
+import { createHash } from "node:crypto";
+import { appendFile, readFile } from "node:fs/promises";
+export const DEFAULT_IN_MEMORY_CAP = 500;
+const GENESIS_HASH = "0".repeat(64);
+export class AuditLog {
+    cap;
+    file;
+    ring = [];
+    lastHash = GENESIS_HASH;
+    seq = 0;
+    writeQueue = Promise.resolve();
+    bootstrapped = null;
+    constructor(cfg = {}) {
+        this.cap = cfg.inMemoryCap ?? DEFAULT_IN_MEMORY_CAP;
+        this.file = cfg.file;
+    }
+    /**
+     * If a file is configured, replay it to recover seq + lastHash so a
+     * server restart picks up the chain exactly where it left off.
+     * Safe to call multiple times — bootstraps once and caches.
+     */
+    async bootstrap() {
+        if (!this.file)
+            return;
+        if (this.bootstrapped)
+            return this.bootstrapped;
+        this.bootstrapped = (async () => {
+            let raw;
+            try {
+                raw = await readFile(this.file, "utf8");
+            }
+            catch {
+                return; // first run, fine
+            }
+            for (const line of raw.split("\n")) {
+                const t = line.trim();
+                if (!t)
+                    continue;
+                try {
+                    const entry = JSON.parse(t);
+                    if (typeof entry.seq === "number")
+                        this.seq = Math.max(this.seq, entry.seq);
+                    if (typeof entry.hash === "string")
+                        this.lastHash = entry.hash;
+                    if (this.ring.length === this.cap)
+                        this.ring.shift();
+                    this.ring.push(entry);
+                }
+                catch {
+                    // skip malformed line — don't fail boot on a single corrupt entry
+                }
+            }
+        })();
+        return this.bootstrapped;
+    }
+    /**
+     * Record an event. Returns the canonical entry (with chain fields)
+     * once enqueued; persistence to disk completes asynchronously.
+     */
+    async record(input) {
+        if (this.bootstrapped)
+            await this.bootstrapped;
+        this.seq += 1;
+        const ts = new Date().toISOString();
+        const base = { ts, seq: this.seq, prevHash: this.lastHash, ...input };
+        const hash = chainHash(base);
+        const entry = { ...base, hash };
+        this.lastHash = hash;
+        if (this.ring.length === this.cap)
+            this.ring.shift();
+        this.ring.push(entry);
+        if (this.file) {
+            const file = this.file;
+            // Serialize disk writes so concurrent records don't interleave bytes.
+            this.writeQueue = this.writeQueue.then(() => appendFile(file, JSON.stringify(entry) + "\n", "utf8").catch(() => {
+                // intentionally swallow — losing a single audit line is
+                // strictly better than crashing the management plane.
+            }));
+        }
+        return entry;
+    }
+    /** Snapshot of the in-memory ring (most recent last). */
+    list(opts = {}) {
+        // Coerce non-finite / non-positive limits (NaN from a bad query
+        // string, negative, undefined) to the 100 default. Previously
+        // NaN propagated through Math.min / Math.max and the comparison
+        // `out.length < NaN` was always false, so `?limit=foo` returned
+        // an empty array instead of the default page.
+        const requested = typeof opts.limit === "number" && Number.isFinite(opts.limit) && opts.limit > 0
+            ? Math.floor(opts.limit)
+            : 100;
+        const lim = Math.min(requested, this.cap);
+        const out = [];
+        for (let i = this.ring.length - 1; i >= 0 && out.length < lim; i--) {
+            const e = this.ring[i];
+            if (opts.from && e.ts < opts.from)
+                continue;
+            if (opts.to && e.ts > opts.to)
+                continue;
+            if (opts.actor && e.actor.sub !== opts.actor)
+                continue;
+            if (opts.action && e.action !== opts.action)
+                continue;
+            if (opts.tenant) {
+                const entryTenant = e.tenant || "default";
+                if (entryTenant !== opts.tenant)
+                    continue;
+            }
+            out.push(e);
+        }
+        return out;
+    }
+    /** For verification scripts. */
+    get tipHash() { return this.lastHash; }
+    get nextSeq() { return this.seq + 1; }
+}
+/** Stable hash of an entry-without-hash, against `prevHash` already present. */
+export function chainHash(entryWithoutHash) {
+    // Canonical JSON: recursively sort keys so the digest is reproducible
+    // independent of insertion order. Cannot use JSON.stringify's
+    // string-array replacer here — that one filters at every level, which
+    // would strip nested properties (e.g. actor.sub) and collapse two
+    // distinct entries to the same canonical form.
+    return createHash("sha256").update(canonicalJson(entryWithoutHash)).digest("hex");
+}
+/** Deterministic JSON for hashing — keys sorted at every depth.
+ * Mirrors JSON.stringify's "drop undefined values" rule so a freshly-
+ * recorded entry and a round-tripped JSON.parse() of the same entry
+ * (which silently drops undefineds) hash identically. */
+function canonicalJson(v) {
+    if (v === undefined)
+        return ""; // caller must filter at the parent level
+    if (v === null || typeof v !== "object")
+        return JSON.stringify(v);
+    if (Array.isArray(v))
+        return "[" + v.map((x) => canonicalJson(x ?? null)).join(",") + "]";
+    const o = v;
+    const keys = Object.keys(o).filter((k) => o[k] !== undefined).sort();
+    return "{" +
+        keys
+            .map((k) => JSON.stringify(k) + ":" + canonicalJson(o[k]))
+            .join(",") +
+        "}";
+}
+/** Walk a JSONL file end-to-end and confirm every entry's hash matches
+ * the chain. Used by the offline verifier CLI. */
+export function verifyChain(entries) {
+    let prev = GENESIS_HASH;
+    for (let i = 0; i < entries.length; i++) {
+        const e = entries[i];
+        if (e.prevHash !== prev) {
+            return { ok: false, brokenAt: i, reason: `prevHash mismatch (expected ${prev}, got ${e.prevHash})` };
+        }
+        const { hash: _ignored, ...without } = e;
+        const expectedHash = chainHash(without);
+        if (e.hash !== expectedHash) {
+            return { ok: false, brokenAt: i, reason: `hash mismatch (expected ${expectedHash}, got ${e.hash})` };
+        }
+        prev = e.hash;
+    }
+    return { ok: true };
+}

package/dist/audit/log.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/audit/log.test.js

@@ -0,0 +1,147 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtemp, readFile, rm } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { AuditLog, verifyChain, chainHash } from "./log.js";
+function sample(seq, prevHash) {
+    const base = {
+        ts: `2026-05-28T00:00:${String(seq).padStart(2, "0")}Z`,
+        seq,
+        prevHash,
+        actor: { sub: "alice" },
+        resource: "sources",
+        action: "write",
+        method: "POST",
+        path: "/api/sources",
+        status: 200,
+    };
+    const hash = chainHash(base);
+    return { ...base, hash };
+}
+test("AuditLog in-memory — record + list", async () => {
+    const log = new AuditLog();
+    await log.record({
+        actor: { sub: "alice", name: "Alice" },
+        resource: "sources",
+        action: "write",
+        method: "POST",
+        path: "/api/sources",
+        status: 200,
+    });
+    await log.record({
+        actor: { sub: "bob" },
+        resource: "settings",
+        action: "write",
+        method: "PUT",
+        path: "/api/settings",
+        status: 200,
+    });
+    const entries = log.list();
+    assert.equal(entries.length, 2);
+    // Most recent first.
+    assert.equal(entries[0].actor.sub, "bob");
+    assert.equal(entries[1].actor.sub, "alice");
+    // Chain is intact: prevHash of entry 2 equals hash of entry 1
+    // (entries[1] is the FIRST chronologically here).
+    assert.equal(entries[0].prevHash, entries[1].hash);
+});
+test("AuditLog — list filters by actor + action + window", async () => {
+    const log = new AuditLog();
+    await log.record({ actor: { sub: "alice" }, resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+    await log.record({ actor: { sub: "bob" }, resource: "sources", action: "delete", method: "DELETE", path: "/api/sources/x", status: 200 });
+    await log.record({ actor: { sub: "alice" }, resource: "settings", action: "write", method: "PUT", path: "/api/settings", status: 200 });
+    assert.equal(log.list({ actor: "alice" }).length, 2);
+    assert.equal(log.list({ action: "delete" }).length, 1);
+    assert.equal(log.list({ actor: "bob", action: "delete" }).length, 1);
+    // Empty window → nothing
+    assert.equal(log.list({ from: "2099-01-01", to: "2099-12-31" }).length, 0);
+});
+test("AuditLog — tenant filter scopes results; entries with no tenant treated as 'default'", async () => {
+    const log = new AuditLog();
+    await log.record({ actor: { sub: "alice" }, tenant: "acme", resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+    await log.record({ actor: { sub: "bob" }, tenant: "bigco", resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+    // No tenant on this entry → treated as "default" when filtering
+    await log.record({ actor: { sub: "carol" }, resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+    assert.equal(log.list({ tenant: "acme" }).length, 1);
+    assert.equal(log.list({ tenant: "bigco" }).length, 1);
+    assert.equal(log.list({ tenant: "default" }).length, 1);
+    // No tenant filter → all three visible
+    assert.equal(log.list({}).length, 3);
+});
+test("AuditLog — in-memory ring honours cap", async () => {
+    const log = new AuditLog({ inMemoryCap: 3 });
+    for (let i = 0; i < 10; i++) {
+        await log.record({ actor: { sub: `u${i}` }, resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+    }
+    const entries = log.list({ limit: 100 });
+    assert.equal(entries.length, 3);
+    // Only the three most recent should survive.
+    assert.deepEqual(entries.map((e) => e.actor.sub), ["u9", "u8", "u7"]);
+});
+test("AuditLog.list — non-finite / non-positive limit falls back to the 100 default", async () => {
+    const log = new AuditLog({ inMemoryCap: 10 });
+    for (let i = 0; i < 5; i++) {
+        await log.record({ actor: { sub: `u${i}` }, resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+    }
+    // NaN — what /api/audit?limit=foo previously produced via parseInt
+    assert.equal(log.list({ limit: Number.NaN }).length, 5);
+    // Negative — no point pretending the caller meant "minus three entries"
+    assert.equal(log.list({ limit: -3 }).length, 5);
+    // Zero — same. The default keeps the response useful.
+    assert.equal(log.list({ limit: 0 }).length, 5);
+    // Sanity: a sensible positive limit still constrains the result
+    assert.equal(log.list({ limit: 2 }).length, 2);
+    // Decimal positive — floored, so 2.9 → 2
+    assert.equal(log.list({ limit: 2.9 }).length, 2);
+});
+test("AuditLog — file mode persists and bootstraps", async () => {
+    const dir = await mkdtemp(join(tmpdir(), "omcp-audit-"));
+    const file = join(dir, "audit.jsonl");
+    try {
+        const log1 = new AuditLog({ file });
+        await log1.bootstrap();
+        await log1.record({ actor: { sub: "alice" }, resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+        await log1.record({ actor: { sub: "alice" }, resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+        // Allow the write queue to flush.
+        await new Promise((r) => setTimeout(r, 30));
+        const raw = await readFile(file, "utf8");
+        const lines = raw.trim().split("\n");
+        assert.equal(lines.length, 2);
+        // Restart: bootstrap should pick up seq + lastHash.
+        const log2 = new AuditLog({ file });
+        await log2.bootstrap();
+        assert.equal(log2.nextSeq, 3, "expected nextSeq to resume at 3 after replay");
+        const next = await log2.record({ actor: { sub: "alice" }, resource: "sources", action: "write", method: "POST", path: "/api/sources", status: 200 });
+        assert.equal(next.seq, 3);
+        // prevHash chain continued from the replayed tip.
+        const firstChain = JSON.parse(lines[0]);
+        const secondChain = JSON.parse(lines[1]);
+        assert.equal(secondChain.prevHash, firstChain.hash);
+        assert.equal(next.prevHash, secondChain.hash);
+    }
+    finally {
+        await rm(dir, { recursive: true, force: true });
+    }
+});
+test("verifyChain — accepts a clean chain", () => {
+    const e1 = sample(1, "0".repeat(64));
+    const e2 = sample(2, e1.hash);
+    const r = verifyChain([e1, e2]);
+    assert.deepEqual(r, { ok: true });
+});
+test("verifyChain — rejects a flipped prevHash", () => {
+    const e1 = sample(1, "0".repeat(64));
+    const e2 = { ...sample(2, e1.hash), prevHash: "deadbeef".repeat(8) };
+    const r = verifyChain([e1, e2]);
+    assert.equal(r.ok, false);
+    if (!r.ok)
+        assert.equal(r.brokenAt, 1);
+});
+test("verifyChain — rejects an entry whose hash doesn't match its content", () => {
+    const e1 = sample(1, "0".repeat(64));
+    // Tamper with `actor` AFTER hashing.
+    const e1Tampered = { ...e1, actor: { sub: "mallory" } };
+    const r = verifyChain([e1Tampered]);
+    assert.equal(r.ok, false);
+});

package/dist/audit/middleware.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Express middleware that records one audit entry per mutating
+ * /api/* request after the response has been sent. Skips read-only
+ * methods. In anonymous mode the actor is reported as
+ * `anonymous`; in basic mode the session's sub/name are used.
+ */
+import type { RequestHandler } from "express";
+import { AuditLog } from "./log.js";
+export interface AuditMiddlewareConfig {
+    audit: AuditLog;
+    resource: string;
+    action: string;
+}
+/**
+ * Build a per-route audit middleware. Pairs cleanly with the RBAC
+ * `need(resource, action)` calls already on the route — pass the same
+ * (resource, action) pair so the audit entry matches the policy
+ * decision that just ran.
+ */
+export declare function buildAuditMiddleware(cfg: AuditMiddlewareConfig): RequestHandler;

package/dist/audit/middleware.js

@@ -0,0 +1,50 @@
+/**
+ * Express middleware that records one audit entry per mutating
+ * /api/* request after the response has been sent. Skips read-only
+ * methods. In anonymous mode the actor is reported as
+ * `anonymous`; in basic mode the session's sub/name are used.
+ */
+const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);
+/**
+ * Build a per-route audit middleware. Pairs cleanly with the RBAC
+ * `need(resource, action)` calls already on the route — pass the same
+ * (resource, action) pair so the audit entry matches the policy
+ * decision that just ran.
+ */
+export function buildAuditMiddleware(cfg) {
+    return function audit(req, res, next) {
+        if (!MUTATING.has(req.method)) {
+            next();
+            return;
+        }
+        res.on("finish", () => {
+            const sess = req.session;
+            // Pick the most-likely identifier from the route params so the
+            // audit entry's `target` lines up with what the operator
+            // typed. Most routes use `:name`; products use `:id`; fall
+            // through if neither (the entry still records method+path).
+            const target = typeof req.params?.name === "string"
+                ? req.params.name
+                : typeof req.params?.id === "string" ? req.params.id : undefined;
+            cfg.audit
+                .record({
+                actor: sess
+                    ? { sub: sess.sub, name: sess.name }
+                    : { sub: "anonymous" },
+                tenant: sess?.tenant || "default",
+                resource: cfg.resource,
+                action: cfg.action,
+                method: req.method,
+                path: req.path,
+                status: res.statusCode,
+                ip: req.ip || undefined,
+                target,
+            })
+                .catch(() => {
+                // record() already swallows file errors — this catch only
+                // covers the synchronous Promise wiring.
+            });
+        });
+        next();
+    };
+}

package/dist/auth/credentials.d.ts

@@ -10,6 +10,17 @@
  *                  (a bare "tok_xyz" is allowed; name defaults to "key")
  *   OMCP_KEY_SOURCES="agent=prom-prod|loki-prod;ci=prom-staging"
  *                  # optional coarse per-key source allow-list
+ *   OMCP_KEY_BYPASS_REDACTION="agent,ci"
+ *                  # optional comma-separated list of key NAMES allowed
+ *                  # to bypass log-payload redaction on per-call request
+ *                  # via the bypass_redaction tool arg. Off by default
+ *                  # for every key — pair with the redaction:bypass
+ *                  # RBAC permission for the management-plane angle.
+ *   OMCP_KEY_TENANTS="agent=acme;ci=bigco"
+ *                  # optional per-key tenant assignment. Unlisted keys
+ *                  # land in the "default" tenant — identical to the
+ *                  # pre-E7 single-namespace world. See docs/tenancy.md
+ *                  # (slice 5) for the cross-cutting model.
  *
  * Rich role-based access control (tools/services/lookback/read-only, the
  * full governance object) is intentionally NOT here — this is only the
@@ -19,6 +30,13 @@ export interface Credential {
     name: string;
     token: string;
     allowedSources?: string[];
+    /** True when the operator opted this credential into the per-call
+     *  redaction bypass. The bypass still requires the MCP tool caller
+     *  to explicitly set `bypass_redaction: true` in the tool args —
+     *  this flag only authorises it; it never auto-disables redaction. */
+    bypassRedaction?: boolean;
+    /** Tenant this credential belongs to. Omitted → DEFAULT_TENANT. */
+    tenant?: string;
 }
 /** Parse credentials from env. Returns an empty list when unconfigured. */
 export declare function loadCredentials(env?: NodeJS.ProcessEnv): Credential[];

package/dist/auth/credentials.js

@@ -10,11 +10,23 @@
  *                  (a bare "tok_xyz" is allowed; name defaults to "key")
  *   OMCP_KEY_SOURCES="agent=prom-prod|loki-prod;ci=prom-staging"
  *                  # optional coarse per-key source allow-list
+ *   OMCP_KEY_BYPASS_REDACTION="agent,ci"
+ *                  # optional comma-separated list of key NAMES allowed
+ *                  # to bypass log-payload redaction on per-call request
+ *                  # via the bypass_redaction tool arg. Off by default
+ *                  # for every key — pair with the redaction:bypass
+ *                  # RBAC permission for the management-plane angle.
+ *   OMCP_KEY_TENANTS="agent=acme;ci=bigco"
+ *                  # optional per-key tenant assignment. Unlisted keys
+ *                  # land in the "default" tenant — identical to the
+ *                  # pre-E7 single-namespace world. See docs/tenancy.md
+ *                  # (slice 5) for the cross-cutting model.
  *
  * Rich role-based access control (tools/services/lookback/read-only, the
  * full governance object) is intentionally NOT here — this is only the
  * authentication + identity + coarse source-scoping primitive.
  */
+import { parseKeyTenants } from "../tenancy/context.js";
 function parseKeySources(raw) {
     const m = new Map();
     if (!raw)
@@ -27,12 +39,19 @@ function parseKeySources(raw) {
     }
     return m;
 }
+function parseBypassSet(raw) {
+    if (!raw)
+        return new Set();
+    return new Set(raw.split(",").map((s) => s.trim()).filter(Boolean));
+}
 /** Parse credentials from env. Returns an empty list when unconfigured. */
 export function loadCredentials(env = process.env) {
     const raw = env.OMCP_API_KEYS?.trim();
     if (!raw)
         return [];
     const keySources = parseKeySources(env.OMCP_KEY_SOURCES);
+    const bypassNames = parseBypassSet(env.OMCP_KEY_BYPASS_REDACTION);
+    const keyTenants = parseKeyTenants(env.OMCP_KEY_TENANTS);
     const creds = [];
     for (const part of raw.split(",").map((s) => s.trim()).filter(Boolean)) {
         const idx = part.indexOf(":");
@@ -40,7 +59,13 @@ export function loadCredentials(env = process.env) {
         const token = (idx > 0 ? part.slice(idx + 1) : part).trim();
         if (!token)
             continue;
-        creds.push({ name, token, allowedSources: keySources.get(name) });
+        creds.push({
+            name,
+            token,
+            allowedSources: keySources.get(name),
+            bypassRedaction: bypassNames.has(name) || undefined,
+            tenant: keyTenants.get(name) || undefined,
+        });
     }
     return creds;
 }