Documentation
¶
Overview ¶
Package audit provides audit event structures and utilities for the ToolHive ecosystem, ensuring NIST SP 800-53 compliance.
The core type is AuditEvent, which captures the minimal information needed to audit an event in a uniform, serializable format. Use NewAuditEvent to create events with a generated audit ID and UTC timestamp, or NewAuditEventWithID when the caller provides the ID.
Event Structure ¶
Each audit event records:
- Type: a short identifier for what happened (e.g. "mcp_tool_call")
- Source: where the request originated (network address, local process)
- Outcome: success, failure, error, or denied
- Subjects: identity of who triggered the event
- Component: which system component logged the event
- Target: optional target of the operation
- Data: optional extra payload for forensic analysis
Builder Pattern ¶
Events support a fluent builder pattern for optional fields:
event := audit.NewAuditEvent(
audit.EventTypeMCPToolCall,
audit.EventSource{Type: audit.SourceTypeNetwork, Value: "10.0.0.1"},
audit.OutcomeSuccess,
map[string]string{audit.SubjectKeyUser: "alice"},
"my-service",
).WithTarget(map[string]string{
audit.TargetKeyType: audit.TargetTypeTool,
audit.TargetKeyName: "calculator",
})
Logging ¶
Use AuditEvent.LogTo to emit the event to a log/slog.Logger at a specified level. This produces structured JSON output suitable for audit log collection.
Well-Known Constants ¶
The package defines well-known constants for event types, outcomes, source types, target types, and map keys used in Subjects, Target, Source.Extra, and Metadata.Extra fields. Using these constants ensures consistency across the ToolHive ecosystem.
Stability ¶
This package is Alpha stability. The API may change without notice. See the toolhive-core README for stability level definitions.
Index ¶
Constants ¶
const ( // OutcomeSuccess indicates the event was successful OutcomeSuccess = "success" // OutcomeFailure indicates the event failed OutcomeFailure = "failure" // OutcomeError indicates the event resulted in an error OutcomeError = "error" // OutcomeDenied indicates the event was denied (e.g., by authorization) OutcomeDenied = "denied" )
Common event outcomes
const ( // SourceTypeNetwork indicates the event came from a network request SourceTypeNetwork = "network" // SourceTypeLocal indicates the event came from a local source SourceTypeLocal = "local" )
Common source types
const ( // ComponentToolHive is the component name for ToolHive API audit events. // Note that events directed for an MCP server will have the name of the // MCP server as the component instead. ComponentToolHive = "toolhive-api" )
Component name for ToolHive
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AuditEvent ¶
type AuditEvent struct {
Metadata EventMetadata `json:"metadata"`
// Type: Defines the type of event that occurred
// This is a small identifier to quickly determine what happened.
// e.g. UserLogin, UserLogout, UserCreate, UserDelete, etc.
Type string `json:"type"`
// LoggedAt: determines when the event occurred.
// Note that this should have sufficient information to authoritatively
// determine the exact time the event was logged at. The output must be in
// Coordinated Universal Time (UTC) format, a modern continuation of
// Greenwich Mean Time (GMT), or local time with an offset from UTC to satisfy
// NIST SP 800-53 requirement AU-8.
LoggedAt time.Time `json:"loggedAt"`
// Source: determines the source of the event.
// Normally, using the IP address of the client, or pod name is sufficient.
// One must be careful of the data that's added here as we don't want to
// leak Personally Identifiable Information.
Source EventSource `json:"source"`
// Outcome: determines whether the event was successful or not, e.g. successful login
// It may also determine if the event was approved or denied.
Outcome string `json:"outcome"`
// Subject: is the identity of the subject of the event.
// e.g. who triggered the event? Additional information
// may be added, such as group membership and/or role
Subjects map[string]string `json:"subjects"`
// Component: allows to determine in which component the event occurred
// (Answering the "Where" question of section c in the NIST SP 800-53
// Revision 5.1 Control AU-3).
Component string `json:"component"`
// Target: Defines where the target of the operation. e.g. the path of
// the REST resource
// (Answering the "Where" question of section c in the NIST SP 800-53
// Revision 5.1 Control AU-3 as well as indicating an entity
// associated for section f).
Target map[string]string `json:"target,omitempty"`
// Data: enhances the audit event with extra information that may be
// useful for forensic analysis.
Data *json.RawMessage `json:"data,omitempty"`
}
AuditEvent represents an audit event. It provides the minimal information needed to audit an event, as well as a uniform format to persist the events in audit logs.
It is highly recommended to use the NewAuditEvent function to create audit events and set the required fields.
func NewAuditEvent ¶
func NewAuditEvent( eventType string, source EventSource, outcome string, subjects map[string]string, component string, ) *AuditEvent
NewAuditEvent returns a new AuditEvent with an appropriately set AuditID and logging time.
func NewAuditEventWithID ¶
func NewAuditEventWithID( auditID string, eventType string, source EventSource, outcome string, subjects map[string]string, component string, ) *AuditEvent
NewAuditEventWithID returns a new AuditEvent with the passed AuditID.
func (*AuditEvent) LogTo ¶
LogTo logs the audit event to the provided slog.Logger using the custom audit level.
func (*AuditEvent) WithData ¶
func (e *AuditEvent) WithData(data *json.RawMessage) *AuditEvent
WithData sets the data of the event.
func (*AuditEvent) WithDataFromString ¶
func (e *AuditEvent) WithDataFromString(data string) *AuditEvent
WithDataFromString sets the data of the event from a string. Note that validating that this is properly JSON-formatted is the responsibility of the caller.
func (*AuditEvent) WithTarget ¶
func (e *AuditEvent) WithTarget(target map[string]string) *AuditEvent
WithTarget sets the target of the event.
type EventMetadata ¶
type EventMetadata struct {
// AuditID: is a unique identifier for the audit event.
AuditID string `json:"auditId"`
// Extra allows for including additional information about the event
// that aids in tracking, parsing or auditing
Extra map[string]any `json:"extra,omitempty"`
}
EventMetadata contains metadata about the audit event.
type EventSource ¶
type EventSource struct {
// Type indicates the source type. e.g. Network, File, local, etc.
// The intent is to determine where a request came from.
Type string `json:"type"`
// Value aims to indicate the source of the event. e.g. IP address,
// hostname, etc.
Value string `json:"value"`
// Extra allows for including additional information about the event
// source that aids in tracking, parsing or auditing
Extra map[string]any `json:"extra,omitempty"`
}
EventSource represents the source of an audit event.
Source Files