Scope MCP tool calls to the authenticated tenant

[vincenzopalazzo]

User story

As an operator running OpenMemory in multi-tenant HTTP mode, when I store a memory through the MCP openmemory_store tool with my API key, I want that memory to appear in MCP openmemory_list and in the REST /memory/all / dashboard views scoped to my tenant — and not to appear in any other tenant's views — so that the MCP and REST surfaces share one consistent picture of "my" data, and other tenants never see mine.

Today, none of that holds:

• The memory I just stored via MCP is written with user_id="anonymous", so my tenant-scoped REST /memory/all and dashboard list don't return it. From my point of view the write looks silently lost — exactly what the bug report (bug-mcp-store-not-in-list.md) describes.
• Worse, any other tenant on the same deployment can read, fetch, query, delete, or reinforce my MCP-stored memories, because MCP reads run with no tenant filter at all. The hardening PR (chore(openmemory-js): security & test hardening (P1+P2 close-out) #172) closed this on the REST routes but left MCP untouched.

After this PR, both halves hold: writes are stamped with the authenticated tenant, reads are filtered to it, and explicit user_id args that disagree are rejected with tenant_mismatch — the same contract REST already enforces.

Summary

• The HTTP MCP route (POST /mcp) goes through the global authenticate_api_request middleware (src/server/index.ts:83), so req.tenant is populated for every authenticated MCP request — but the tool handlers in src/ai/mcp.ts never consulted it.
• Result: MCP openmemory_store / openmemory_store_project wrote rows with user_id="anonymous" regardless of the authenticated tenant, which is invisible to REST GET /memory/all (which filters WHERE user_id = \$1). That divergence is the symptom in the bug report: a memory stored via MCP never appears in the tenant-scoped list.
• The read tools (openmemory_list, openmemory_get, openmemory_query, openmemory_delete) ran without any tenant filter, so they returned/touched memories belonging to every tenant on the deployment — a cross-tenant data leak that survived the hardening PR (chore(openmemory-js): security & test hardening (P1+P2 close-out) #172).
• openmemory_reinforce had no ownership check at all.

Root cause

create_mcp_srv() was a no-arg factory and the per-request handle_req never extracted req.tenant, so tool handlers could not see who was calling. This was a missed seam from the multi-tenant hardening that landed for the REST routes (require_tenant + reject_tenant_mismatch).

Fix

• create_mcp_srv(tenant?: string) accepts a tenant captured in closures.
• handle_req reads req.tenant and threads it in.
• New resolve_user_id(tenant, arg) helper enforces the same contract as the REST middleware: when a tenant is bound it is the source of truth; an explicit user_id arg that disagrees is rejected with a tenant_mismatch error.
• Each tool that takes user_id (openmemory_query, openmemory_store, openmemory_store_project, openmemory_list, openmemory_get, openmemory_delete) now calls resolve_user_id(tenant, user_id) instead of uid(user_id).
• openmemory_reinforce (which takes no user_id) gains a tenant ownership check before the salience bump.

Stdio back-compat

start_mcp_stdio still calls create_mcp_srv() with no tenant — there is no HTTP request to carry an API key. Local Claude Code setups keep the existing "anonymous" / unfiltered behaviour. A regression test pins this.

Test plan

• npm run typecheck — clean
• npm test — 33/33 pass (28 pre-existing + 5 new in tests/mcp_per_tenant.test.ts)
• npm run build — clean
• Removed the fix locally and reran the new spec: 4/5 fail (the regression scenario, cross-tenant isolation, store-binding, and forge rejection). Restored — all green again.
• Remote CI green on this PR (Test Node.js SDK, Test Python SDK, Test Docker Build).

New spec covers:

1. openmemory_store writes the row with user_id = tenant (not "anonymous").
2. openmemory_list returns the tenant's own MCP-stored memories on the same session — the literal reproduction from the bug report.
3. Two tenants' MCP openmemory_list calls do not cross-leak.
4. openmemory_store with a mismatching explicit user_id returns isError: true and surfaces tenant_mismatch.
5. Stdio-mode (no tenant) preserves the "anonymous" write + unfiltered read contract.

Drive-by CI fix (commit `8c2d056`)

.github/workflows/ci.yml was still invoking npx tsx tests/test_omnibus.ts, but that file was renamed to tests/omnibus.test.ts in cbc8c84 ("port ad-hoc tsx scripts to vitest specs"). The test-node job has been red on every PR since (#172, #174, #178 all merged with it failing). Switched the step to npm test so the omnibus spec, the existing temporal / multilingual / webhook / verify suites, and the new per-tenant MCP regression all run.

🤖 Generated with Claude Code