Allow MCP to use reduced agent token scope #17649

Closed
@stirby

Problem

Currently, the Coder MCP server needs both the user and agent tokens to operate. This means agents running in a workspace have the same level of authority as the user and can execute actions on their behalf, where most agents simply need to report tasks to the web UI. This is a security concern for most customers who want to lock down coding agents.

Proposal

By default, the MCP server should only require an agent token. If administrators want to increase the abilities of coding agents, they should still have the option to manually provide a user token.

Additionally, we allow admins to reduce the scope of an instance of coder_agent in our TF provider. Two options would be supported:

  • default: Allows current capability (pulling gitssh, external auth)
  • no-user-data: Only allows connection, blocking the /external-auth, /gitsshkey, and /gitauth routes

Thus, the agent token can be locked down to never expose user data via the MCP server.

Validated implementation with engineering cc @Emyrk.
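
Added example (not part of the issue and not Coder's code): one way the proposed no-user-data scope could be enforced server-side, as a Go middleware that rejects the three listed routes for a scoped agent token. The X-Agent-Token header, the /agent/me/ path prefix, the token table and all function names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Routes the issue lists as blocked under no-user-data.
var userDataRoutes = map[string]bool{"external-auth": true, "gitsshkey": true, "gitauth": true}

// Allowed matches whole path segments, so "//" or a trailing "/" cannot hide a blocked route.
func Allowed(scope, urlPath string) bool {
	if scope != "no-user-data" {
		return scope == "default" // any unknown scope fails closed
	}
	for _, seg := range strings.Split(urlPath, "/") {
		if userDataRoutes[seg] {
			return false
		}
	}
	return true
}

// EnforceScope wraps the agent API; tokens maps agent token -> scope (hypothetical store).
func EnforceScope(tokens map[string]string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		scope, ok := tokens[r.Header.Get("X-Agent-Token")]
		if !ok {
			http.Error(w, "unknown agent token", http.StatusUnauthorized)
		} else if !Allowed(scope, r.URL.Path) {
			http.Error(w, "route blocked by agent scope", http.StatusForbidden)
		} else {
			next.ServeHTTP(w, r)
		}
	})
}

// StatusFor sends one request through the middleware using constructed tokens.
func StatusFor(token, urlPath string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodGet, urlPath, nil)
	req.Header.Set("X-Agent-Token", token)
	rec := httptest.NewRecorder()
	EnforceScope(map[string]string{"tok-default": "default", "tok-locked": "no-user-data"}, next).ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(StatusFor("tok-locked", "/agent/me/gitsshkey")) }
```

The check is keyed on the scope stored with the token rather than on anything the agent sends, so a locked-down agent cannot widen its own access.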
