feat: Implement Trino user impersonation and query attribution (#132)

* feat: Implement Trino user impersonation and query attribution

This commit introduces user impersonation for Trino, allowing queries to be executed on behalf of authenticated OAuth users. This enhances auditability and enables Trino's native access control to enforce user-specific permissions.

Key features include:
- **User Impersonation**: MCP now propagates the authenticated OAuth user's identity to Trino via the `X-Trino-User` header. This ensures that Trino logs and access control reflect the actual user executing the query, rather than a generic service account.
- **Configurable Principal Field**: Users can configure which JWT claim (username, email, or subject) is used as the impersonated user in Trino.
- **Query Attribution**: MCP now consistently sets the `X-Trino-Source` header, identifying `mcp-trino` and its version as the source of queries, improving monitoring and debugging.
- **Comprehensive Documentation**: A new `impersonation.md` guide provides detailed setup instructions, configuration options, security considerations, and troubleshooting for Trino impersonation.

Closes: #118

* Extend trino impersonation to cover all tools

* Clean up logging as suggested by CodeRabbit

---------

Co-authored-by: Scott Strickland <[email protected]>
Co-authored-by: Tommy Nguyen <[email protected]>

Author: 3 people

README.md

@@ -101,6 +101,7 @@ graph TB
 - ✅ StreamableHTTP support with JWT authentication (upgraded from SSE)
 - ✅ Backward compatibility with SSE endpoints
 - ✅ Compatible with Cursor, Claude Desktop, Windsurf, ChatWise, and any MCP-compatible clients.
+- ✅ User Impersonation for authenticated users via Trino's `X-Trino-User` header
 
 ## Installation & Quick Start
 
@@ -156,7 +157,19 @@ export JWT_SECRET=$(openssl rand -hex 32)  # Required for multi-pod deployments
 export TRINO_ALLOWED_SCHEMAS="hive.analytics,hive.marts,hive.reporting"
 ```
 
-For complete configuration, see [Deployment Guide](docs/deployment.md), [OAuth Architecture](docs/oauth.md), and [Allowlists Guide](docs/allowlists.md).
+**User Impersonation:**
+
+```bash
+# Enable Trino user impersonation (requires OAuth)
+export TRINO_ENABLE_IMPERSONATION=true
+
+# Optional: Configure which JWT field to use (default: username)
+export TRINO_IMPERSONATION_FIELD=email  # Options: username, email, subject
+
+# MCP will execute queries as the authenticated OAuth user via X-Trino-User header
+```
+
+For complete configuration, see [Deployment Guide](docs/deployment.md), [OAuth Guide](docs/oauth.md), [Allowlists Guide](docs/allowlists.md), and [Impersonation Guide](docs/impersonation.md).
 
 ## OAuth Implementation
 

cmd/main.go

@@ -23,7 +23,7 @@ func main() {
 
 	// Initialize Trino configuration
 	log.Println("Loading Trino configuration...")
-	trinoConfig, err := config.NewTrinoConfig()
+	trinoConfig, err := config.NewTrinoConfigWithVersion(Version)
 	if err != nil {
 		log.Fatalf("Failed to load configuration: %v", err)
 	}