Add audit logging middleware to vMCP server

Open JAORMX opened this issue 3 weeks ago • 0 comments

Summary

Add audit logging to the vMCP server to track all MCP operations for security, compliance, and debugging purposes.

Background

ToolHive has a comprehensive audit logging system (pkg/audit/) that provides:

  • NIST SP 800-53 compliant audit events
  • Structured JSON-based event logging
  • MCP-specific event types (tool calls, connections, resource access)
  • HTTP middleware for automatic capture

The vMCP server currently lacks audit logging, which is critical for enterprise deployments requiring security compliance and operational visibility.

Reusable Components

Component    Location                  Description
Auditor      pkg/audit/auditor.go      Main audit middleware
Event Model  pkg/audit/event.go        Audit event structures
MCP Events   pkg/audit/mcp_events.go   MCP-specific event types

Existing MCP Event Types (from pkg/audit/mcp_events.go)

mcp_initialize       // Client initialization
mcp_tool_call        // Tool execution (tracks tool name, status, duration)
mcp_tools_list       // Tool discovery
mcp_resource_read    // Resource access
mcp_prompts_get      // Prompt retrieval
sse_connection       // SSE connection establishment

Implementation

  1. Add audit middleware to vMCP server (pkg/vmcp/server/server.go)

    • Wrap HTTP handlers with audit.Auditor middleware
    • Set component identifier as vmcp-server
  2. Add vMCP-specific audit events

    vmcp_backend_discovery    // Backend discovered/lost
    vmcp_backend_auth         // Token exchange events
    vmcp_composite_workflow   // Composite tool execution start/complete
    vmcp_composite_step       // Individual workflow step execution
    
  3. Capture audit context

    • Source: Client IP, user agent, request ID
    • Subject: User identity (from incoming auth token)
    • Target: Backend name, tool name, workflow ID
    • Outcome: Success, failure, denied, error
    • Metadata: Duration, transport type, response size
  4. Add configuration support

    • Enable/disable audit logging
    • Configure audit log output (stdout, file, external)

Acceptance Criteria

  • [ ] vMCP server uses existing audit middleware
  • [ ] All MCP operations logged (tool calls, connections, resource access)
  • [ ] Backend routing decisions logged
  • [ ] Composite workflow execution logged (start, steps, completion)
  • [ ] User identity captured from auth token
  • [ ] Audit logs in structured JSON format
  • [ ] Configuration for audit output destination
  • [ ] Unit tests for audit event emission
  • [ ] Documentation updated

JAORMX, Dec 02 '25 20:12
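
The audit context listed under "Capture audit context" in the issue above, sketched as Go HTTP middleware. This is an added example, not ToolHive's pkg/audit code or part of the original issue. The names `Audit`, `subjectKey` and `recorder`, the JSON field names, the `X-Request-Id` header and the status-to-outcome mapping are assumptions, and the target is reduced to the request path (backend and tool names would have to come from the routing layer and the MCP request body).

```go
package main

import (
	"encoding/json"
	"io"
	"net"
	"net/http"
	"os"
	"time"
)

type subjectKey struct{} // hypothetical context key filled by an upstream auth middleware
type recorder struct {   // records status code and response size of the wrapped handler
	http.ResponseWriter
	status, size int
}

func (r *recorder) WriteHeader(c int) { r.status = c; r.ResponseWriter.WriteHeader(c) }
func (r *recorder) Write(b []byte) (n int, err error) { n, err = r.ResponseWriter.Write(b); r.size += n; return }

func outcome(status int) string { // status-to-outcome mapping is an assumption
	switch {
	case status == http.StatusUnauthorized || status == http.StatusForbidden:
		return "denied"
	case status >= 500:
		return "error"
	case status >= 400:
		return "failure"
	}
	return "success"
}

// Audit wraps next and writes one JSON audit event per request to out.
func Audit(out io.Writer, eventType string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec, start := &recorder{ResponseWriter: w, status: http.StatusOK}, time.Now()
		next.ServeHTTP(rec, r) // the event is emitted after the handler, so the outcome is known
		ip, _, _ := net.SplitHostPort(r.RemoteAddr)
		subject, _ := r.Context().Value(subjectKey{}).(string) // empty when unauthenticated
		_ = json.NewEncoder(out).Encode(map[string]any{
			"type": eventType, "component": "vmcp-server", "subject": subject,
			"source": map[string]string{"client_ip": ip, "user_agent": r.UserAgent(), "request_id": r.Header.Get("X-Request-Id")},
			"target": map[string]string{"path": r.URL.Path}, "outcome": outcome(rec.status),
			"metadata": map[string]any{"duration_ms": time.Since(start).Milliseconds(), "response_size": rec.size},
		})
	})
}

func main() { _ = http.ListenAndServe("127.0.0.1:8080", Audit(os.Stdout, "mcp_tool_call", http.NotFoundHandler())) }
```

Run stand-alone, this serves 404 responses on localhost and prints one event per request to stdout. `client_ip` is the TCP peer address, so behind a reverse proxy it records the proxy unless a trusted forwarding header is handled separately.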