feat: configurable HTTP header forwarding to ClickHouse

[isushkov-akamai]

Summary

Adds configurable forwarding of incoming HTTP headers from MCP requests to ClickHouse.
This enables getClientHTTPHeader() in ClickHouse row policies and INVOKER views for
multi-tenant Row-Level Security without per-tenant ClickHouse users.

• New --forward-http-headers CLI flag / FORWARD_HTTP_HEADERS env var / config file option
• Supports exact header names (X-Tenant-Id) and trailing wildcards (X-*)
• Default: empty (no headers forwarded) — opt-in for security
• Covers all transport paths: OpenAPI, MCP JSON-RPC (HTTP + SSE), dynamic tools
• STDIO transport unaffected (no HTTP headers available)

Security

• Opt-in: default is empty — no headers forwarded unless explicitly configured
• No values logged: debug log shows only header names, never values

[Slach]

PR Review

Good feature, clean approach via context. A few observations:

1. cmd/altinity-mcp/main.go:240-245 — Spaces instead of tabs

The new forward-http-headers flag uses spaces for indentation while the rest of the file uses tabs. Should be consistent.

2. cmd/altinity-mcp/main.go:1003-1006 — Dead code (DefaultForwardHTTPHeaders)

if len(cfg.Server.ForwardHTTPHeaders) == 0 && !cmd.IsSet("forward-http-headers") {
    cfg.Server.ForwardHTTPHeaders = altinitymcp.DefaultForwardHTTPHeaders
}

DefaultForwardHTTPHeaders is declared as var DefaultForwardHTTPHeaders []string — which is nil. This block assigns nil to an already empty slice. It's a no-op, should be removed.

3. pkg/server/server.go — "sort" import not in alphabetical order

sort is placed after strconv, should go before it.

4. PR description vs code: "Pattern validation: rejects invalid patterns" — but no validation exists

The PR description states: "Pattern validation: rejects invalid patterns (*Foo, X-*Z)", but there is no pattern validation at config load time. matchesAnyPattern simply won't match such patterns, but the user gets no error on misconfiguration. Either add validation with an error at startup, or remove this claim from the description.

5. PR description vs code: "Immutable context: headers are cloned on store and retrieve" — no clone on retrieve

ForwardedHeadersFromContext returns the map directly without copying. If a caller mutates the map, it affects all subsequent calls. Either clone on retrieve or remove this claim from the description.

6. pkg/server/server.go — Pattern "*" forwards all headers including Authorization and Cookie

Pattern * matches everything (since strings.HasPrefix(anything, "") is always true). This could unintentionally leak sensitive headers to ClickHouse. Consider either adding a blocklist (Authorization, Cookie, Host) or at least emitting a log.Warn when * is configured.

7. No test for CORSAllowHeaders

The CORSAllowHeaders function has no test coverage, and it contains non-trivial wildcard → * logic.

8. No test for GetClickHouseClientWithHeaders

The core function of this PR — merging extraHeaders into chConfig.HttpHeaders — is not tested.

[Slach]

could you resolve conflicts?

[isushkov-akamai]

could you resolve conflicts?

done

[Slach]

Спасибо за исправления! Большинство замечаний закрыто. Осталось два нерешённых пункта — см. комментарии к коду.

[Slach]

unit tests didn't pass

[Slach]

    server_test.go:2071: 
        	Error Trace:	/home/runner/work/altinity-mcp/altinity-mcp/pkg/server/server_test.go:2071
        	Error:      	Received unexpected error:
        	            	failed to create ClickHouse client from JWE: failed to connect to ClickHouse: connection ping failed: failed to query server hello: failed to query server hello info: sendQuery: Post "http://default@localhost:8123?client_protocol_version=54460&database=default&default_format=Native&max_execution_time=14": dial tcp [::1]:8123: connect: connection refused
        	Test:       	TestGetClickHouseClientWithHeaders_MergesExtraHeaders

use
go test -run -v TestGetClickHouseClientWithHeaders_MergesExtraHeaders ./... to figure out