Add service-context login policy enforcement

Services send service_name and tags in POST /v1/auth/login.
MCIAS evaluates auth:login policy with these as the resource
context after credentials are verified, enabling rules like:
  deny guest/viewer human accounts from env:restricted services
  deny guest accounts from specific named services

- loginRequest: add ServiceName and Tags fields
- handleLogin: evaluate policy after credential+TOTP check;
  policy deny returns 403 (not 401) to distinguish access
  restriction from bad credentials
- Go client: Options.ServiceName/Tags stored on Client,
  sent automatically in every Login() call
- Python client: service_name/tags on __init__, sent in login()
- Rust client: ClientOptions.service_name/tags, LoginRequest
  fields, Client stores and sends them in login()
- openapi.yaml: document service_name/tags request fields
  and 403 response for policy-denied logins
- engineering-standards.md: document service_name/tags in
  [mcias] config section with policy examples

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

clients/go/client.go

@@ -185,16 +185,28 @@ type Options struct {
 	CACertPath string
 	// Token is an optional pre-existing bearer token.
 	Token string
+	// ServiceName is the name of this service as registered in MCIAS. It is
+	// sent with every Login call so MCIAS can evaluate service-context policy
+	// rules (e.g. deny guest users from logging into this service).
+	// Populate from [mcias] service_name in the service's config file.
+	ServiceName string
+	// Tags are the service-level tags sent with every Login call. MCIAS
+	// evaluates auth:login policy against these tags, enabling rules such as
+	// "deny guest accounts from services tagged env:restricted".
+	// Populate from [mcias] tags in the service's config file.
+	Tags []string
 }
 
 // Client is a thread-safe MCIAS REST API client.
 // Security: the bearer token is guarded by a sync.RWMutex; it is never
 // written to logs or included in error messages in this library.
 type Client struct {
-	baseURL string
-	http    *http.Client
-	mu      sync.RWMutex
-	token   string
+	baseURL     string
+	http        *http.Client
+	serviceName string
+	tags        []string
+	mu          sync.RWMutex
+	token       string
 }
 
 // ---------------------------------------------------------------------------
@@ -224,9 +236,11 @@ func New(serverURL string, opts Options) (*Client, error) {
 	}
 	transport := &http.Transport{TLSClientConfig: tlsCfg}
 	c := &Client{
-		baseURL: serverURL,
-		http:    &http.Client{Transport: transport},
-		token:   opts.Token,
+		baseURL:     serverURL,
+		http:        &http.Client{Transport: transport},
+		token:       opts.Token,
+		serviceName: opts.ServiceName,
+		tags:        opts.Tags,
 	}
 	return c, nil
 }
@@ -343,16 +357,28 @@ func (c *Client) GetPublicKey() (*PublicKey, error) {
 // Login authenticates with username and password. On success the token is
 // stored in the Client and returned along with the expiry timestamp.
 // totpCode may be empty for accounts without TOTP.
+//
+// The client's ServiceName and Tags (from Options) are included in the
+// request so MCIAS can evaluate service-context policy rules.
 func (c *Client) Login(username, password, totpCode string) (token, expiresAt string, err error) {
-	req := map[string]string{"username": username, "password": password}
+	body := map[string]interface{}{
+		"username": username,
+		"password": password,
+	}
 	if totpCode != "" {
-		req["totp_code"] = totpCode
+		body["totp_code"] = totpCode
+	}
+	if c.serviceName != "" {
+		body["service_name"] = c.serviceName
+	}
+	if len(c.tags) > 0 {
+		body["tags"] = c.tags
 	}
 	var resp struct {
 		Token     string `json:"token"`
 		ExpiresAt string `json:"expires_at"`
 	}
-	if err := c.do(http.MethodPost, "/v1/auth/login", req, &resp); err != nil {
+	if err := c.do(http.MethodPost, "/v1/auth/login", body, &resp); err != nil {
 		return "", "", err
 	}
 	c.setToken(resp.Token)

clients/python/mcias_client/_client.py

@@ -20,9 +20,13 @@ class Client:
         ca_cert_path: str | None = None,
         token: str | None = None,
         timeout: float = 30.0,
+        service_name: str | None = None,
+        tags: list[str] | None = None,
     ) -> None:
         self._base_url = server_url.rstrip("/")
         self.token = token
+        self._service_name = service_name
+        self._tags = tags or []
         ssl_context: ssl.SSLContext | bool
         if ca_cert_path is not None:
             ssl_context = ssl.create_default_context(cafile=ca_cert_path)
@@ -115,6 +119,9 @@ class Client:
     ) -> tuple[str, str]:
         """POST /v1/auth/login — authenticate and obtain a JWT.
         Returns (token, expires_at). Stores the token on self.token.
+
+        The client's service_name and tags are included so MCIAS can evaluate
+        service-context policy rules (e.g. deny guests from restricted services).
         """
         payload: dict[str, Any] = {
             "username": username,
@@ -122,6 +129,10 @@ class Client:
         }
         if totp_code is not None:
             payload["totp_code"] = totp_code
+        if self._service_name is not None:
+            payload["service_name"] = self._service_name
+        if self._tags:
+            payload["tags"] = self._tags
         data = self._request("POST", "/v1/auth/login", json=payload)
         assert data is not None
         token = str(data["token"])

clients/rust/src/lib.rs

@@ -227,6 +227,10 @@ struct LoginRequest<'a> {
     password: &'a str,
     #[serde(skip_serializing_if = "Option::is_none")]
     totp_code: Option<&'a str>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    service_name: Option<&'a str>,
+    #[serde(skip_serializing_if = "Vec::is_empty")]
+    tags: Vec<String>,
 }
 
 #[derive(Deserialize)]
@@ -268,6 +272,16 @@ pub struct ClientOptions {
 
     /// Optional pre-existing bearer token.
     pub token: Option<String>,
+
+    /// This service's name as registered in MCIAS. Sent with every login
+    /// request so MCIAS can evaluate service-context policy rules.
+    /// Populate from `[mcias] service_name` in the service config.
+    pub service_name: Option<String>,
+
+    /// Service-level tags sent with every login request. MCIAS evaluates
+    /// `auth:login` policy against these tags.
+    /// Populate from `[mcias] tags` in the service config.
+    pub tags: Vec<String>,
 }
 
 // ---- Client ----
@@ -280,6 +294,8 @@ pub struct ClientOptions {
 pub struct Client {
     base_url: String,
     http: reqwest::Client,
+    service_name: Option<String>,
+    tags: Vec<String>,
     /// Bearer token storage. `Arc<RwLock<...>>` so clones share the token.
     /// Security: the token is never logged or included in error messages.
     token: Arc<RwLock<Option<String>>>,
@@ -306,6 +322,8 @@ impl Client {
         Ok(Self {
             base_url: base_url.trim_end_matches('/').to_owned(),
             http,
+            service_name: opts.service_name,
+            tags: opts.tags,
             token: Arc::new(RwLock::new(opts.token)),
         })
     }
@@ -336,6 +354,8 @@ impl Client {
             username,
             password,
             totp_code,
+            service_name: self.service_name.as_deref(),
+            tags: self.tags.clone(),
         };
         let resp: TokenResponse = self.post("/v1/auth/login", &body).await?;
         *self.token.write().await = Some(resp.token.clone());