Services send service_name and tags in POST /v1/auth/login.
MCIAS evaluates auth:login policy with these as the resource
context after credentials are verified, enabling rules like:
deny guest/viewer human accounts from env:restricted services
deny guest accounts from specific named services
- loginRequest: add ServiceName and Tags fields
- handleLogin: evaluate policy after credential+TOTP check;
policy deny returns 403 (not 401) to distinguish access
restriction from bad credentials
- Go client: Options.ServiceName/Tags stored on Client,
sent automatically in every Login() call
- Python client: service_name/tags on __init__, sent in login()
- Rust client: ClientOptions.service_name/tags, LoginRequest
fields, Client stores and sends them in login()
- openapi.yaml: document service_name/tags request fields
and 403 response for policy-denied logins
- engineering-standards.md: document service_name/tags in
[mcias] config section with policy examples
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kyle Isom
39d9ffb79a