Found during the devel integration review (PR #15).
_require_human_user in the MCP server only checks that the supplied user_id matches an active User row. An agent can pass any discoverable user id and baseline/batch-baseline succeeds — the "agents draft, humans baseline" policy is not actually enforced by any out-of-band confirmation.
Decide whether the gate should be real (e.g. signed confirmation token, baseline only via web UI queue, or an approval table the MCP can't write) or whether the documented policy should be softened to "MCP baselines are attributed to the supplied user".
🤖 Generated with Claude Code
Found during the devel integration review (PR #15).
_require_human_userin the MCP server only checks that the supplieduser_idmatches an active User row. An agent can pass any discoverable user id and baseline/batch-baseline succeeds — the "agents draft, humans baseline" policy is not actually enforced by any out-of-band confirmation.Decide whether the gate should be real (e.g. signed confirmation token, baseline only via web UI queue, or an approval table the MCP can't write) or whether the documented policy should be softened to "MCP baselines are attributed to the supplied user".
🤖 Generated with Claude Code