From 1454f56adb8a83124c572286708305c3482b5954 Mon Sep 17 00:00:00 2001
From: Kyle Isom <kyle@imap.cc>
Date: Wed, 25 Mar 2026 17:45:21 -0700
Subject: [PATCH] Populate AccountType in auth shim from mcdsl

Now that mcdsl/auth.TokenInfo carries AccountType (from the updated
MCIAS validate response), the MCR auth shim passes it through to
Claims.AccountType. Policy engine rules matching on account type
now work correctly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 internal/auth/client.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/internal/auth/client.go b/internal/auth/client.go
index 37a2cee..a11f865 100644
--- a/internal/auth/client.go
+++ b/internal/auth/client.go
@@ -57,7 +57,8 @@ func (c *Client) ValidateToken(token string) (*Claims, error) {
 		return nil, ErrMCIASUnavailable
 	}
 	return &Claims{
-		Subject: info.Username,
-		Roles:   info.Roles,
+		Subject:     info.Username,
+		AccountType: info.AccountType,
+		Roles:       info.Roles,
 	}, nil
 }