Compliance-grade audit logging for MCP client operations

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for wallacedanielk from gravatar.com wallacedanielk

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: AGPL-3.0-only
    SPDX License Expression
  • Author: Lokryn LLC
  • Tags audit , compliance , hipaa , logging , mcp , soc2
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

lokryn-mcp-log

Compliance-grade audit logging for MCP (Model Context Protocol) client operations.

What It Does

Wraps the official MCP Python SDK's ClientSession and logs every operation—tool calls, resource access, prompt executions—in a format that satisfies SOC2, HIPAA, and PCI audit requirements.

Logs conform to the lokryn-compliance-log-schema, an open standard for audit logging (schema vendored in this package, will be extracted to separate PyPI package).

Installation

pip install lokryn-mcp-log

Or with uv:

uv add lokryn-mcp-log

Quick Start

from mcp import ClientSession, StdioServerParameters
from mcp.client.stdio import stdio_client
from lokryn_mcp_log import with_logging, StdoutSink

server_params = StdioServerParameters(command="python", args=["server.py"])

async def main():
    async with stdio_client(server_params) as (read, write):
        async with ClientSession(read, write) as session:
            await session.initialize()

            # Wrap with logging
            logged = with_logging(
                session,
                sink=StdoutSink(),
                environment="development",
            )

            # Use exactly like normal
            await logged.call_tool("add", {"a": 1, "b": 2})

Sinks

StdoutSink

from lokryn_mcp_log import StdoutSink

sink = StdoutSink()           # JSON to stdout
sink = StdoutSink(pretty=True) # Pretty-printed

FileSink

from lokryn_mcp_log import FileSink

sink = FileSink("/var/log/mcp-audit.jsonl")

HTTPSink

import os
from lokryn_mcp_log import HTTPSink

# JSON format (default)
sink = HTTPSink(
    endpoint="https://your-log-collector.com/ingest",
    headers={"Authorization": "Bearer <token>"},
)

# Protobuf format
sink = HTTPSink(
    endpoint="https://your-log-collector.com/ingest/proto",
    format="protobuf",
)

# With HMAC signing
sink = HTTPSink(
    endpoint="https://your-log-collector.com/ingest",
    hmac_key="your-secret-key",
)

# Using environment variables
sink = HTTPSink(
    endpoint=os.environ["LOG_ENDPOINT"],
    hmac_key=os.environ.get("LOG_HMAC_KEY"),
    format=os.environ.get("LOG_FORMAT", "json"),
)

Custom Sink

Implement the Sink protocol:

from lokryn_mcp_log.schema import log_pb2

class MySink:
    async def emit(self, record: log_pb2.LogRequest) -> None:
        # Your logic here
        pass

Configuration

from lokryn_mcp_log import with_logging
from lokryn_mcp_log.schema import log_pb2

logged = with_logging(
    session,
    sink=my_sink,
    environment="production",           # Required
    actor_id="agent-001",                # Optional, auto-generated if omitted
    component="my-agent",                # Defaults to "mcp-client"
    policy_tags=["SOC2", "HIPAA"],       # Optional compliance tags
    default_sensitivity=log_pb2.SENSITIVITY_CONFIDENTIAL,
)

What Gets Logged

Operation Event Type Resource
initialize() EVENT_MCP_INITIALIZE session/initialize
list_tools() EVENT_TOOL_LIST tools/list
call_tool(name, args) EVENT_TOOL_INVOCATION tools/{name}
list_resources() EVENT_RESOURCE_LIST resources/list
read_resource(uri) EVENT_RESOURCE_READ {uri}
list_prompts() EVENT_PROMPT_LIST prompts/list
get_prompt(name) EVENT_PROMPT_EXECUTION prompts/{name}
(session close) EVENT_LOGOUT session/close

Each log includes:

  • Timestamp
  • Actor ID (session/agent identifier)
  • Session ID
  • Duration (milliseconds)
  • Trace ID (for distributed tracing)
  • MCP payload (tool name, arguments, resource URI)
  • Outcome (success/failure)
  • Error details (on failure)

Error Handling

This is a library, not a service. If the sink fails, the exception propagates to your code. Handle it as appropriate for your use case.

Field Notes Integration

Send logs directly to Field Notes for tamper-evident storage and querying:

from lokryn_mcp_log import FieldNotesSink

# Configure via environment variables:
# FIELDNOTES_HMAC_KEY=your-secret-key
# FIELDNOTES_FORMAT=json  (or "protobuf")

sink = FieldNotesSink()

# Or pass explicitly
sink = FieldNotesSink(hmac_key="your-secret-key", format="protobuf")

License

AGPL-3.0. Commercial license available—contact license@lokryn.com.

Links

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for wallacedanielk from gravatar.com wallacedanielk

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License Expression: AGPL-3.0-only
    SPDX License Expression
  • Author: Lokryn LLC
  • Tags audit , compliance , hipaa , logging , mcp , soc2
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

This version

0.4.0

0.3.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

lokryn_mcp_log-0.4.0.tar.gz (81.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

lokryn_mcp_log-0.4.0-py3-none-any.whl (25.6 kB view details)

Uploaded Python 3

File details

Details for the file lokryn_mcp_log-0.4.0.tar.gz.

File metadata

  • Download URL: lokryn_mcp_log-0.4.0.tar.gz
  • Upload date:
  • Size: 81.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for lokryn_mcp_log-0.4.0.tar.gz
Algorithm Hash digest
SHA256 8f1c22a2227f403d5668c4dbf3bf42950f1c75cfbbd08ea9555f26ca421be696
MD5 0ea23aff660932c7dd35b9491a4147f7
BLAKE2b-256 00cea6ea438e194da58dda8408a0440f4c5fa427c62d7b60386f4595e6c64177

See more details on using hashes here.

Provenance

The following attestation bundles were made for lokryn_mcp_log-0.4.0.tar.gz:

Publisher: publish.yml on lokryn-llc/mcp-log

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file lokryn_mcp_log-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: lokryn_mcp_log-0.4.0-py3-none-any.whl
  • Upload date:
  • Size: 25.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for lokryn_mcp_log-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 31c3f2471e0d2e3f3dc2498b4c6a2a37046bc1470f68fdf28d41c93ce0fc77fc
MD5 346362e09df1beccd258f0c98e1fb98f
BLAKE2b-256 a764e3092cd68a2025f808ef85368354a7d59b0ee84de344c183efee396fec40

See more details on using hashes here.

Provenance

The following attestation bundles were made for lokryn_mcp_log-0.4.0-py3-none-any.whl:

Publisher: publish.yml on lokryn-llc/mcp-log

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page