feat: add opt-in Coder identity headers for MCP servers (#25153)

docs/ai-coder/agents/platform-controls/mcp-servers.md

@@ -33,11 +33,12 @@ This is an admin-only feature accessible at **Agents** > **Settings** >
 
 ### Availability
 
-| Field          | Required | Description                                                                                                                   |
-|----------------|----------|-------------------------------------------------------------------------------------------------------------------------------|
-| `enabled`      | No       | Master toggle. Disabled servers are hidden from non-admin users.                                                              |
-| `availability` | Yes      | Controls how the server appears in chat sessions. See [Availability policies](#availability-policies).                        |
-| `model_intent` | No       | When enabled, requires the model to describe each tool call's purpose in natural language, shown as a status label in the UI. |
+| Field                   | Required | Description                                                                                                                         |
+|-------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------|
+| `enabled`               | No       | Master toggle. Disabled servers are hidden from non-admin users.                                                                    |
+| `availability`          | Yes      | Controls how the server appears in chat sessions. See [Availability policies](#availability-policies).                              |
+| `model_intent`          | No       | When enabled, requires the model to describe each tool call's purpose in natural language, shown as a status label in the UI.       |
+| `forward_coder_headers` | No       | When enabled, forwards Coder identity headers on every outgoing MCP request. See [Coder identity headers](#coder-identity-headers). |
 
 #### Availability policies
 
@@ -129,6 +130,30 @@ Control which tools from a server are available in chat:
 | `tool_allow_list` | If non-empty, only the listed tool names are exposed. An empty list allows all tools. |
 | `tool_deny_list`  | Listed tool names are always blocked, even if they appear in the allow list.          |
 
+## Coder identity headers
+
+MCP servers configured with `forward_coder_headers = true` receive the
+following identity headers on every outgoing request, alongside the
+auth header for the configured `auth_type`:
+
+| Header                 | Description                                                                                                  |
+|------------------------|--------------------------------------------------------------------------------------------------------------|
+| `X-Coder-Owner-Id`     | Coder user who owns the chat that issued the tool call.                                                      |
+| `X-Coder-Chat-Id`      | Top-level (parent) chat ID. For root chats this is the chat's own ID; for subchats it is the parent chat ID. |
+| `X-Coder-Subchat-Id`   | Subchat ID. Only present when the request originates from a child chat.                                      |
+| `X-Coder-Workspace-Id` | Workspace associated with the chat, if any.                                                                  |
+
+These are the same headers Coder sends to LLM providers (see
+[Coder agents headers](../../ai-gateway/clients/coder-agents.md)) so a
+first-party MCP server can correlate a tool call back to the
+originating chat.
+
+Because the headers leak chat identity, the option is **off by
+default** and should only be enabled for first-party or trusted
+internal MCP servers. If the auth header for the configured
+`auth_type` collides with one of these headers, the auth header
+wins.
+
 ## Permissions
 
 | Action                        | Required role             |