
feat(security): implement policy audit trail and decision logging#3191

Open
crivetimihai wants to merge 6 commits into main from feature/audit-logging-2225

Conversation

@crivetimihai (Member)

Note: This PR was re-created from #2707 due to repository maintenance. Your code and branch are intact. @kcostell06 please verify everything looks good.

📋 Issue

Closes #2225

🎯 Summary

Implements comprehensive policy audit trail and decision logging system for IBM MCP Context Forge, meeting all requirements from issue #2225.

📦 Changes

New Files

  • mcp-servers/audit/ - Core audit logging implementation (5 modules)
  • tests/audit/ - Comprehensive test suite (45+ tests)
  • docs/audit/ - Complete documentation

Features Implemented

  • ✅ Audit record logging with complete context
  • ✅ Database storage (SQLite, PostgreSQL-ready)
  • ✅ SIEM integrations (Splunk HEC, Elasticsearch, Webhook)
  • ✅ REST API for querying (FastAPI)
  • ✅ Query filtering (subject, resource, decision, time range)
  • ✅ Statistics and analytics
  • ✅ Export to CSV/JSON
  • ✅ Compliance framework support
  • ✅ Retention management

✅ User Stories Completed

US-1: Security Analyst - Query Access Decisions

# Query decisions by subject email
GET /audit/decisions?subject_email=user@example.com&decision=deny

US-2: Security Team - Export to SIEM

  • Splunk HEC format with batch processing
  • Elasticsearch bulk API integration
  • Generic webhook support

🧪 Testing

All tests passing ✅

Run basic tests:

python3 tests/audit/test_mcp_audit.py
# Result: 16/16 tests passed

Run comprehensive tests:

pytest tests/audit/test_mcp_audit_comprehensive.py -v
# Result: 45+ tests passed

📚 Documentation

  • Implementation Guide: docs/audit/MCP_AUDIT_IMPLEMENTATION.md
  • Testing Guide: docs/audit/TESTING_GUIDE.md
  • Quick Start: docs/audit/QUICKSTART_TESTING.md
  • Test Summary: docs/audit/TEST_SUMMARY.md

🔗 Related Issues

Kelly Costello and others added 6 commits February 24, 2026 10:05
Signed-off-by: Kelly Costello <kellycostello@Kellys-Air.localdomain>

Integrate policy decision audit logging into the gateway, replacing the
standalone mcp_servers/ implementation. Fixes all six reviewer issues:
SQL injection (allowlist validation), blocking async (sync sessions),
missing auth (require_admin_auth), return type mismatch (always returns
PolicyDecision), print→logging, and the integration gap.

Adds SIEM export service (Splunk HEC, Elasticsearch, webhook) with
batch processing, retry/backoff, and lifecycle management in main.py.
Wires policy logging into RBAC enforcement middleware.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Kelly Costello <kellycostello@Kellys-MacBook-Air.local>

- Fix Alembic migration: rename to hex revision, merge two heads
- Remove duplicate mcp-servers/audit/ standalone implementation
- Add sort_by/sort_order pattern validation on GET endpoint
- Remove unnecessary db.commit() from read-only queries
- Separate health endpoint into unauthenticated router
- Add plugin-auth decision logging in rbac.py
- Honor per-decision audit toggles (log_allowed/log_denied)
- Fix deprecated asyncio.get_event_loop() -> get_running_loop()
- Fix timezone-naive datetime.now() in siem_export_service
- Upgrade audit failure log level to warning
- Clean up docs/audit/ artifacts
- Include health_router in main.py
- Add per-decision toggle and health endpoint tests

Closes #2225

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Kelly Costello <kellycostello@Kellys-MacBook-Air.local>

- Rewrite PolicyDecision ORM model to Mapped[]/mapped_column() style
  matching AuditTrail convention in db.py
- Remove duplicate index=True from columns covered by composite indexes
- Add missing named indexes to migration, make downgrade idempotent
- Extract lazy-cached singleton for policy_decision_service in rbac.py
- Convert f-string logging to %s style in service and router modules
- Add bounded queue with drop-oldest to SIEMBatchProcessor
- Add shutdown no-progress guard to prevent _flush_all hanging
- Add tests for flush_all, shutdown hang prevention, and queue bounds
- Register PolicyDecision on Base.metadata for create_all bootstrap
- Trim TESTING_GUIDE.md to reference actual test paths
- Update copyright years to 2026

Signed-off-by: Jonathan Springer <jps@s390x.com>

- Add SIEM export service tests (39 tests covering all exporters and batch processor)
- Add policy_audit ORM model serialization tests
- Add policy_decision_service tests for SIEM queuing, query filters, and statistics
- Add API error handler tests for 500 responses
- Fix import ordering (isort) and pre-commit formatting
- Merge third Alembic head (w6g7h8i9j0k1) to resolve multiple-heads error
- Exclude untracked ip_control files from coverage

Coverage: 99% (53,217 stmts, 458 missed)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Kelly Costello <kellycostello@Kellys-Air.localdomain>

…1l2 (#2225)

The migration's down_revision was pointing to w6g7h8i9j0k1 (parent of
current head) instead of x7h8i9j0k1l2 (the jwks_uri migration that is
the actual current head on main). This would have created multiple
Alembic heads and broken migrations.

Also adds the x7h8i9j0k1l2 migration file from upstream main so the
revision chain is complete on this branch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Kelly Costello <kellycostello@Kellys-Air.localdomain>
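The audit-trail patterns that the PR description and the commit messages list, condensed into one runnable sketch: per-decision log_allowed/log_denied toggles, a logging call that always returns a PolicyDecision whether or not the record is stored, allowlist validation of sort_by/sort_order instead of interpolating caller input into the ORDER BY clause, query filters by subject, decision and time range, decision statistics, and a bounded drop-oldest SIEM export queue. This is an added example, not code from the PR or from MCP Context Forge: PolicyAuditTrail, SIEMQueue, demo and the SQLite table layout are hypothetical stand-ins for the gateway's real service, model and migration, and the decisions fed in by demo() are constructed sample data.

```python
import json
import sqlite3
from collections import deque
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Allowlists: the only identifiers ever interpolated into the ORDER BY clause.
# Every other caller-supplied value is passed as a bound parameter.
SORT_COLUMNS = {"timestamp", "subject_email", "resource", "decision"}
SORT_ORDERS = {"asc", "desc"}


@dataclass
class PolicyDecision:  # hypothetical record shape, not the gateway's ORM model
    subject_email: str
    resource: str
    action: str
    decision: str   # "allow" or "deny"
    reason: str
    timestamp: str  # ISO-8601, timezone-aware UTC


class SIEMQueue:
    """Bounded export queue, drop-oldest when full; the drop count is kept for monitoring."""
    def __init__(self, maxlen: int):
        self._q = deque(maxlen=maxlen)
        self.dropped = 0

    def put(self, record: dict) -> None:
        if len(self._q) == self._q.maxlen:
            self.dropped += 1  # deque evicts the oldest entry on this append
        self._q.append(record)

    def drain(self) -> list:
        batch = list(self._q)
        self._q.clear()
        return batch


class PolicyAuditTrail:
    def __init__(self, db_path=":memory:", log_allowed=True, log_denied=True, queue_size=1000):
        self.conn = sqlite3.connect(db_path)
        self.conn.row_factory = sqlite3.Row
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS policy_decisions (id INTEGER PRIMARY KEY, "
            "subject_email TEXT, resource TEXT, action TEXT, decision TEXT, "
            "reason TEXT, timestamp TEXT)"
        )
        self.log_allowed, self.log_denied = log_allowed, log_denied
        self.siem = SIEMQueue(queue_size)

    def log_decision(self, subject_email, resource, action, allowed: bool, reason) -> PolicyDecision:
        """Always returns a PolicyDecision; the per-decision toggles only decide storage."""
        rec = PolicyDecision(subject_email, resource, action, "allow" if allowed else "deny",
                             reason, datetime.now(timezone.utc).isoformat())
        if (allowed and self.log_allowed) or (not allowed and self.log_denied):
            self.conn.execute(
                "INSERT INTO policy_decisions (subject_email, resource, action, decision, "
                "reason, timestamp) VALUES (?, ?, ?, ?, ?, ?)",
                (rec.subject_email, rec.resource, rec.action, rec.decision, rec.reason, rec.timestamp),
            )
            self.siem.put(asdict(rec))  # queue a copy for export; memory stays bounded if SIEM is down
        return rec

    def query(self, subject_email=None, decision=None, since=None,
              sort_by="timestamp", sort_order="desc", limit=100) -> list:
        """Filtered read-only query; sort inputs are validated against the allowlist, never escaped."""
        if sort_by not in SORT_COLUMNS or sort_order not in SORT_ORDERS:
            raise ValueError("sort_by/sort_order not in allowlist")
        filters = [("subject_email = ?", subject_email), ("decision = ?", decision), ("timestamp >= ?", since)]
        clauses = [c for c, v in filters if v is not None]
        params = [v for _, v in filters if v is not None]
        where = f" WHERE {' AND '.join(clauses)}" if clauses else ""
        sql = f"SELECT * FROM policy_decisions{where} ORDER BY {sort_by} {sort_order.upper()} LIMIT ?"
        return [dict(r) for r in self.conn.execute(sql, [*params, limit])]

    def statistics(self) -> dict:
        rows = self.conn.execute("SELECT decision, COUNT(*) AS n FROM policy_decisions GROUP BY decision")
        return {r["decision"]: r["n"] for r in rows}


def demo() -> dict:
    """Constructed scenario: allow decisions are not logged, export queue bounded to two records."""
    trail = PolicyAuditTrail(log_allowed=False, queue_size=2)
    trail.log_decision("alice@example.com", "tools/read_file", "invoke", True, "role:reader")
    trail.log_decision("alice@example.com", "tools/exec", "invoke", False, "no role grants invoke")
    trail.log_decision("bob@example.com", "tools/exec", "invoke", False, "plugin auth rejected")
    trail.log_decision("carol@example.com", "tools/exec", "invoke", False, "token expired")
    denied = trail.query(decision="deny", sort_by="subject_email", sort_order="asc")
    try:
        trail.query(sort_by="timestamp; DROP TABLE policy_decisions")
        injection_blocked = False
    except ValueError:
        injection_blocked = True
    batch = trail.siem.drain()
    return {"denied_subjects": [r["subject_email"] for r in denied], "stats": trail.statistics(),
            "injection_blocked": injection_blocked, "siem_batch": [r["subject_email"] for r in batch],
            "siem_dropped": trail.siem.dropped}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The distinction inside query() is the point of the allowlist fix the second commit describes: filter values such as subject_email travel as bound parameters, but sort_by and sort_order are SQL identifiers and cannot be bound, so the only safe option is to compare them against a fixed set and reject anything else. The deque-backed queue keeps the newest records when the SIEM is unreachable and counts what it evicted, so a loss of audit events is at least observable rather than silent.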
@crivetimihai crivetimihai added this to the Release 1.0.0-GA milestone Feb 24, 2026
@crivetimihai crivetimihai added the labels "enhancement" (New feature or request) and "COULD" (P3: Nice-to-have features with minimal impact if left out; included if time permits) Feb 24, 2026
Successfully merging this pull request may close these issues.

[FEATURE][POLICY]: Policy audit trail and decision logging