Support dynamic QUERY_TAG values from HTTP request headers

[fspoljar]

Problem

When deploying MCP server behind an authentication layer, user identity is available in request headers but cannot be passed to Snowflake's QUERY_TAG. All queries appear in QUERY_HISTORY with the same static tag, making it impossible to attribute queries to specific users.

Current behavior:

• Auth layer validates request → identifies user "alice" → sets header
• MCP executes query with static tag: {"origin": "sf_sit", "name": "mcp_server"}
• Query history shows no user attribution

Desired behavior:

• Auth layer validates request → identifies user "alice" → sets header
• MCP reads header and includes in tag: {"origin": "sf_sit", "name": "mcp_server", "user": "alice"}
• Query history shows which user ran each query

Use Case

Multi-tenant deployments where:

• Audit & Compliance — Track who accessed what data
• Cost Allocation — Attribute compute costs to users/teams
• Debugging — Identify problematic queries by user
• Security Monitoring — Detect anomalous access patterns

Proposed Solution

Add optional configuration to include HTTP header values in query tags:

query_tag_config:
  include_headers:
    - header: "x-authorized-user"
      field: "user"

Expected Result in QUERY_HISTORY

{
  "origin": "sf_sit",
  "name": "mcp_server",
  "user": "alice"
}

Additional Context

• Applies to HTTP-based transports only
• Existing query_tag infrastructure already sets static tags via QUERY_TAG session parameter — this feature would extend it to include dynamic values

[todddube]

+1 on this for our work at my company!!1