feat(broker): per-user credential-brokering audit records (spec 074 T10)#694
Open
Dumbris wants to merge 1 commit into
Open
feat(broker): per-user credential-brokering audit records (spec 074 T10)#694Dumbris wants to merge 1 commit into
Dumbris wants to merge 1 commit into
Conversation
Emit a secret-free activity-log record on every per-user credential operation — acquisition, refresh, injection, and connect — carrying attribution (user id, server, request id), the acquisition method, and the outcome (success/failure + coarse reason). No token/refresh/secret value is ever recorded (FR-028, FR-029, SC-006; User Story 4 payoff). - broker.AuditEvent/AuditSink: a structurally secret-free audit port (no field can hold a credential) with a default no-op sink. - CredentialResolver.Resolve emits one classified event per resolution (acquire / refresh / inject / connect), threading the action out of the single-flight acquire so success and failure are attributed correctly. - OAuthConnector.Complete/Deny emit the connect-flow event; failure reasons are fixed coarse labels, never the raw upstream token-endpoint body. - storage.ActivityTypeCredentialBroker + an activity-log-backed AuditSink adapter (SaveActivityAsync, non-blocking) that reuses the existing activity log; wired into the live connect flow via NewCredentialHandlers. TDD: resolver/connector emit correct attribution on success and failure and never leak token material; the adapter persists records with no secret.
Deploying mcpproxy-docs with
|
| Latest commit: |
10eec4d
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ba48e9ee.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://074-t10-broker-audit.mcpproxy-docs.pages.dev |
|
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
📦 Build ArtifactsWorkflow Run: View Run Available Artifacts
How to DownloadOption 1: GitHub Web UI (easiest)
Option 2: GitHub CLI gh run download 27603208239 --repo smart-mcp-proxy/mcpproxy-go
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Spec 074 T10 — Audit integration: per-user brokering activity records
Closes the per-user attribution payoff (User Story 4). Emits a secret-free activity-log record on every per-user credential operation — acquisition, refresh, injection, connect — carrying attribution (user id, server, request id), the acquisition method (
token_exchange/entra_obo/connect), and the outcome (success/failure + a coarse reason). No token/refresh/secret value is ever recorded (FR-028, FR-029, SC-006).Design
broker.AuditEvent/broker.AuditSink(internal/serveredition/broker/audit.go): a structurally secret-free port — the event struct has no field able to hold a credential, so auditing cannot leak a secret. Default is a no-op sink.CredentialResolver.Resolveemits exactly one classified event per resolution. The action (acquire/refresh/injectcache-hit /connectnot-connected) is threaded out of the single-flightacquireso success and failure are attributed correctly. Exchanger errors are already sanitized upstream;NotConnectedError/PolicyDeniedError/sentinels are coarse and secret-free.OAuthConnector.Complete/Denyemit the connect-flow event (the connect completion path is REST-driven and never flows throughResolve). Failure reasons are fixed coarse labels, never the raw upstream token-endpoint body.Refreshstays unaudited at the connector — the resolver owns refresh auditing (no double-count).storage.ActivityTypeCredentialBroker+ an activity-log-backed adapter (api.NewActivityAuditSink) usingSaveActivityAsync(non-blocking on the request path). This reuses the existing activity log. Wired into the live connect flow viaNewCredentialHandlers→connectorProvider→NewOAuthConnector.Tests (TDD)
audit_resolver_test.go— cache-hit→inject, fresh→acquire, near-expiry→refresh, entra_obo method mapping, exchange-failure (reason, no secret), policy-denied→inject failure, not-connected→connect failure, store-disabled, anonymous (no event).audit_connector_test.go— connect Complete success/failure (coarse reason, no upstream body), invalid-state, Deny; asserts no upstream token / client secret in any event.broker_audit_test.go— adapter persists a realcredential_brokerrecord with attribution + request_id and no secret; nil-storage → nil sink.Verification
go build ./cmd/mcpproxy(personal) +go build -tags server ./cmd/mcpproxy✅go test -tags server ./internal/serveredition/... -race✅go test ./internal/storage/... ./internal/runtime/... -race -short✅golangci-lint v2.5.0 --config .github/.golangci.yml --new-from-rev=origin/main→ 0 issues ✅Docs
docs/features/activity-log.mdanddocs/cli/activity-commands.mdupdated with the newcredential_brokeractivity type.Related spec 074 (blockers MCP-1039/T6, MCP-1040/T7 merged in #691).