fix: whoami verifies auth via initialize, not a Searchlight tool (GV-401)#9

Merged: diogocabral merged 1 commit into main from fix/whoami-no-current-user-tool, Jun 12, 2026

@diogocabral

Contributor

Problem (live testing)

$ gv auth whoami
not_found: MCP error -32602: Tool get_current_user not found

gv auth whoami was hardcoded to call get_current_user — a Searchlight tool. GitVelocity's MCP surface (community/engineering analytics: list_community_orgs, get_top_performers, …) exposes no identity/current-user tool, so the server rejects it. Leftover from the port; the transport itself is fine (the SSE/Accept fix landed in #6 — this error is a real round-trip, not a 406).

Fix

There's nobody to "who am I" against, so whoami now proves the stored token is valid by issuing the authenticated initialize handshake and reporting the server it reached:

{"status":"authenticated","server":{"name":"GitVelocity MCP Server","version":""}}

A 401 still surfaces as logged-out/expired (permission_denied, exit 4).

Tests/docs

  • Updated TestAuthWhoami_Integration: asserts an initialize (no tools/call) and status=authenticated + server block.
  • README command table updated.

go test -race ./... ✅ · coverage 81.1% · lint ✅ · gosec ✅

Folds into the pending v0.1.1 release PR (#8) when merged before it.

🤖 Generated with Claude Code

…401)

gv auth whoami called get_current_user — a Searchlight tool that GitVelocity's
MCP surface does not expose (server returns -32602 "Tool ... not found"). There
is no identity/current-user tool on GitVelocity, so whoami now proves the stored
token is valid via the authenticated initialize handshake and reports the server
it reached. A 401 still surfaces as logged-out/expired.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
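
The check this PR describes, as an added example rather than the project's cmd/auth.go: an authenticated MCP initialize request over HTTP, where a 401 maps to permission_denied and success reports the serverInfo the server returned. The `Whoami` helper, the stand-in server, its token and the `protocolVersion` value are assumptions for illustration, and only a plain JSON response body is parsed (not an SSE-framed one).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

var ErrPermissionDenied = errors.New("permission_denied") // 401: logged out or expired token
const initReq = `{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2025-03-26","capabilities":{},"clientInfo":{"name":"example-cli","version":"0"}}}`

// Whoami (hypothetical helper) validates a stored token via initialize; it never issues tools/call.
func Whoami(c *http.Client, url, token string) (map[string]any, error) {
	req, err := http.NewRequest(http.MethodPost, url, strings.NewReader(initReq))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Accept", "application/json, text/event-stream")
	resp, err := c.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusUnauthorized {
		return nil, ErrPermissionDenied
	}
	var msg struct{ Result struct{ ServerInfo map[string]any `json:"serverInfo"` } `json:"result"` }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&msg) != nil || msg.Result.ServerInfo == nil {
		return nil, fmt.Errorf("initialize: HTTP %d without a usable serverInfo", resp.StatusCode)
	}
	return map[string]any{"status": "authenticated", "server": msg.Result.ServerInfo}, nil
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // constructed stand-in server
		if r.Header.Get("Authorization") != "Bearer good-token" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":{"serverInfo":{"name":"Example MCP Server","version":""}}}`)
	}))
	defer srv.Close()
	fmt.Println(Whoami(srv.Client(), srv.URL, "good-token"))
}
```

The response body is read through a 1 MiB limit so a misbehaving endpoint cannot make the client buffer an unbounded reply.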
@linear

linear Bot commented Jun 12, 2026

GV-401

@coderabbitai

coderabbitai Bot commented Jun 12, 2026

Warning

Review limit reached

@diogocabral, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 32 minutes and 26 seconds. Learn how PR review limits work.

📥 Commits

Reviewing files that changed from the base of the PR and between c959317 and ee89ca2.

📒 Files selected for processing (3)
  • README.md
  • cmd/auth.go
  • cmd/integration_test.go

@gitvelocity-reviewer

📊 Code Quality Score: 8/100

30 × 0.25 = 7.5, rounded to 8

| Category | Score | Factors |
|---|---|---|
| 🔭 Scope | 5/20 | 2 files with meaningful changes; single subsystem (auth command); README update |
| 🏗️ Architecture | 4/20 | Behavioral change to existing command; replaces one MCP call pattern with another; no new abstractions or dependencies introduced |
| ⚙️ Implementation | 6/20 | Straightforward substitution requiring MCP protocol knowledge; choosing Initialize as auth-check proxy is non-obvious; clean output shape |
| ⚠️ Risk | 5/20 | Changes observable CLI output shape for whoami; users relying on old JSON structure (email field) will see different output; low blast radius |
| ✅ Quality | 9/15 | Test updated with positive+negative assertions; README updated; excellent inline comment explaining why Initialize is used; minor fragility from hardcoded version string in test |
| 🔒 Perf / Security | 1/5 | Existing 30s timeout retained; no new security surface introduced |

@diogocabral diogocabral merged commit 453d1ee into main Jun 12, 2026
5 checks passed
@gitvelocity-reviewer

📊 Code Quality Score: 7/100

28 × 0.25 (Micro ESF) = 7

| Category | Score | Factors |
|---|---|---|
| 🔭 Scope | 5/20 | 2 meaningful files (auth.go + test), single command handler, no new APIs or subsystems; README is doc-only |
| 🏗️ Architecture | 4/20 | Replaces tool call with initialize handshake — correct protocol primitive for auth-check; no new dependencies or abstractions |
| ⚙️ Implementation | 6/20 | Clean substitution of CallTool with Initialize; structured output map; error handling preserved; no algorithmic complexity |
| ⚠️ Risk | 4/20 | Breaking output format change (email → status+server), but old behavior was broken (non-existent tool); no migrations or infra changes |
| ✅ Quality | 8/15 | Integration test updated with correct assertions including negative check (no tools/call); inline comment explains rationale; README updated; good behavioral spec coverage |
| 🔒 Perf / Security | 1/5 | Auth token validation is the feature; no explicit perf/security additions beyond baseline |
