Current state
In OAuth mode, backend credentials resolve from environment variables (one shared identity for all callers) and the policy engine is static config — the JWT claims are ignored (state.rs CredentialSource::OAuth { .. } arms). No per-tenant separation.
Desired state
After the JWT is validated (see the OAuth-impl issue), extract tenant/scope claims and:
- map tenant → a scoped backend identity (e.g. a per-tenant Redis ACL user, provisioned by redisctl) + per-tenant policy;
- enforce that on every data-plane operation, so Redis itself provides isolation.
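The resolve-then-enforce flow above, as an added example that is not the project's code: tenant and scope claim names, the `TenantBinding` shape and the constructed tenant table are assumptions; the key-prefix check mirrors the `~<prefix>*` pattern the per-tenant Redis ACL user would carry, so isolation holds in the policy layer and again at the data plane.

```rust
// Added example: map a validated JWT's tenant claim to a scoped Redis ACL identity
// and enforce key-level isolation on every data-plane call (assumed shapes throughout).
use std::collections::HashMap;

/// Claims as they come out of the JWT verification step (assumed field names).
pub struct Claims {
    pub tenant: String,
    pub scopes: Vec<String>,
}

/// Scoped backend identity for one tenant: the Redis ACL user it connects as and
/// the key prefix that user's ACL (`~<prefix>*`) is restricted to.
#[derive(Clone, Debug, PartialEq)]
pub struct TenantBinding {
    pub acl_user: String,
    pub key_prefix: String,
}

#[derive(Debug, PartialEq)]
pub enum Denied {
    UnknownTenant,
    MissingScope(&'static str),
    CrossTenantKey,
}

/// Constructed tenant table; a deployment would load this from provisioning, not code.
pub fn bindings() -> HashMap<String, TenantBinding> {
    let bind = |t: &str| (t.to_string(), TenantBinding {
        acl_user: format!("mcp-{t}"),
        key_prefix: format!("{t}:"),
    });
    HashMap::from([bind("acme"), bind("globex")])
}

/// Select the scoped credentials from the tenant claim; no matching tenant, no identity.
pub fn resolve(claims: &Claims, table: &HashMap<String, TenantBinding>) -> Result<TenantBinding, Denied> {
    table.get(&claims.tenant).cloned().ok_or(Denied::UnknownTenant)
}

/// Policy check run on every data-plane call: scope for the verb, prefix for the key.
pub fn authorize(b: &TenantBinding, claims: &Claims, write: bool, key: &str) -> Result<(), Denied> {
    let needed = if write { "redis:write" } else { "redis:read" };
    if !claims.scopes.iter().any(|s| s == needed) {
        return Err(Denied::MissingScope(needed));
    }
    if !key.starts_with(&b.key_prefix) {
        return Err(Denied::CrossTenantKey);
    }
    Ok(())
}
```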
Why
Multi-tenant deployments need "separation by tenant" enforced from the token, not a single shared connection. Coarse persona/tool checks can live at the gateway; record/key-level isolation must land at the MCP-server-as-policy-layer + scoped Redis ACLs.
Acceptance
- A request's tenant/scope claim selects the correct scoped credentials + policy.
- Cross-tenant access is denied at the data plane.
Depends on
- OAuth/JWT verification for HTTP transport (must validate the token before trusting its claims).