intent-driven-software · DubovskiyIM · May 8, 2026 · May 8, 2026
diff --git a/bin/mcp-idf.js b/bin/mcp-idf.js
@@ -40,15 +40,18 @@ mcp-idf — MCP stdio-сервер поверх IDF agent-layer
 
 Usage:
   mcp-idf [--domain=<name>] [--server=<url>] [--ontology-path=<path>]
-          [--agent-email=<email>] [--no-bootstrap]
+          [--agent-email=<email>] [--agent-role=<role>] [--agent-scope=<json>]
+          [--no-bootstrap]
 
 Env:
   IDF_DOMAIN, IDF_SERVER, IDF_ONTOLOGY_PATH, IDF_AGENT_EMAIL, IDF_BOOTSTRAP
+  IDF_AGENT_ROLE, IDF_AGENT_SCOPE (JSON-string, e.g. '{"environment":"staging"}')
 
 Examples:
   mcp-idf --domain=booking
-  mcp-idf --domain=freelance --server=http://localhost:3001
-  IDF_DOMAIN=invest mcp-idf
+  mcp-idf --domain=infra --agent-role=staging-agent \\
+          --agent-scope='{"environment":"staging"}'
+  IDF_AGENT_ROLE=infra-operator mcp-idf --domain=infra
   mcp-idf --no-bootstrap   # ontology уже зарегистрирована другим клиентом
 `);
 }
@@ -63,6 +66,17 @@ async function main() {
   const domain = args.domain || process.env.IDF_DOMAIN || "booking";
   const server = args.server || process.env.IDF_SERVER || "http://localhost:3001";
   const agentEmail = args["agent-email"] || process.env.IDF_AGENT_EMAIL || "mcp-agent@local";
+  const agentRole = args["agent-role"] || process.env.IDF_AGENT_ROLE || null;
+  const scopeRaw = args["agent-scope"] || process.env.IDF_AGENT_SCOPE || null;
+  let agentScope = null;
+  if (scopeRaw) {
+    try {
+      agentScope = JSON.parse(scopeRaw);
+    } catch (e) {
+      console.error(`[mcp-idf] invalid --agent-scope JSON: ${e.message}`);
+      process.exit(1);
+    }
+  }
   const envBootstrap = process.env.IDF_BOOTSTRAP;
   const doBootstrap = args.noBootstrap
     ? false
@@ -74,12 +88,16 @@ async function main() {
   const ontologyPath = args["ontology-path"] || process.env.IDF_ONTOLOGY_PATH || defaultOntology;
 
   const log = (...xs) => console.error("[mcp-idf]", ...xs);
-  log(`starting; server=${server} domain=${domain} bootstrap=${doBootstrap}`);
+  const roleNote = agentRole ? ` role=${agentRole}` : "";
+  const scopeNote = agentScope ? ` scope=${JSON.stringify(agentScope)}` : "";
+  log(`starting; server=${server} domain=${domain} bootstrap=${doBootstrap}${roleNote}${scopeNote}`);
 
   const { connectStdio } = await createIdfMcpServer({
     server,
     domain,
     agentEmail,
+    agentRole,
+    agentScope,
     ontologyPath,
     doBootstrap,
     logger: log,

diff --git a/src/auth.js b/src/auth.js
@@ -4,6 +4,12 @@
  * Если login (email+password) возвращает 200 — использует его JWT.
  * Иначе register + login.
  *
+ * opts (optional) пробрасывается в register для домен-специфичных ролей
+ * и scope: { role: "staging-agent", scope: { environment: "staging" } }.
+ * Без opts host runtime fall'ит на DEFAULT_ROLE='agent', что НЕ работает
+ * для доменов, где такой роли нет (e.g. infra с staging-agent/infra-operator
+ * — host вернёт 400 role_unknown).
+ *
  * Будущие версии: PAT (personal access token) через `IDF_API_KEY`.
  */
 
@@ -15,6 +21,7 @@ export async function agentLogin({
   email,
   password = DEFAULT_PASSWORD,
   name = DEFAULT_NAME,
+  opts = null,
   logger = () => {},
 }) {
   const loginRes = await fetch(`${server}/api/auth/login`, {
@@ -28,16 +35,20 @@ export async function agentLogin({
     return token;
   }
 
+  const body = { email, password, name };
+  if (opts && (opts.role || opts.scope)) body.opts = opts;
   const regRes = await fetch(`${server}/api/auth/register`, {
     method: "POST",
     headers: { "Content-Type": "application/json" },
-    body: JSON.stringify({ email, password, name }),
+    body: JSON.stringify(body),
   });
   if (!regRes.ok) {
     const text = await regRes.text();
     throw new Error(`register failed: ${regRes.status} ${text}`);
   }
   const { token } = await regRes.json();
-  logger(`registered + login OK: ${email}`);
+  const roleNote = opts?.role ? ` role=${opts.role}` : "";
+  const scopeNote = opts?.scope ? ` scope=${JSON.stringify(opts.scope)}` : "";
+  logger(`registered + login OK: ${email}${roleNote}${scopeNote}`);
   return token;
 }
diff --git a/src/server.js b/src/server.js
@@ -32,6 +32,8 @@ export async function createIdfMcpServer({
   server: idfServer = "http://localhost:3001",
   domain = "booking",
   agentEmail = "mcp-agent@local",
+  agentRole = null,
+  agentScope = null,
   ontologyPath = null,
   doBootstrap = true,
   logger = () => {},
@@ -50,10 +52,18 @@ export async function createIdfMcpServer({
     }
   }
 
-  // 2. Login → JWT.
+  // 2. Login → JWT. opts (role/scope) попадает в новый user.metadata —
+  //    необходимо для доменов с custom-ролями (host fallback'ится на
+  //    DEFAULT_ROLE='agent', но если такой роли нет в ontology — 400
+  //    role_unknown). Existing user'ы (login OK) уже имеют metadata из БД.
+  const opts = (agentRole || agentScope) ? {
+    ...(agentRole ? { role: agentRole } : {}),
+    ...(agentScope ? { scope: agentScope } : {}),
+  } : null;
   const token = await agentLogin({
     server: idfServer,
     email: agentEmail,
+    opts,
     logger,
   });