The web UI now validates the MCIAS token after login and rejects
accounts with the guest role before setting the session cookie.
This is defense-in-depth alongside the env:restricted MCIAS tag.
The webserver.New() constructor takes a new ValidateFunc parameter
that inspects token roles post-authentication. MCIAS login does not
return roles, so this requires an extra ValidateToken round-trip at
login time (result is cached for 30s).
Security: guest role accounts are denied web UI access
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Kyle Isom
9d7043a594