middleware

package
v0.12.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 5, 2026 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package middleware provides the middleware chain for tool handlers.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func MCPAuditMiddleware added in v0.7.0 

func MCPAuditMiddleware(logger AuditLogger) mcp.Middleware

MCPAuditMiddleware creates MCP protocol-level middleware that logs tool calls for auditing purposes.

This middleware intercepts tools/call requests and:

  1. Records the start time
  2. Executes the tool handler
  3. Gets the PlatformContext (set by MCPToolCallMiddleware)
  4. Builds an audit event with all captured information
  5. Logs asynchronously (non-blocking) to avoid impacting response time

func MCPRuleEnforcementMiddleware added in v0.12.0 

func MCPRuleEnforcementMiddleware(engine *tuning.RuleEngine, hints *tuning.HintManager) mcp.Middleware

MCPRuleEnforcementMiddleware creates MCP protocol-level middleware that enforces operational rules and adds guidance to tool responses.

This middleware intercepts tools/call responses and: 1. Checks if the tool is a query tool that should have DataHub context first 2. Adds warnings for rule violations to the response 3. Does NOT block requests - it only adds informational guidance

func MCPSemanticEnrichmentMiddleware added in v0.7.0 

func MCPSemanticEnrichmentMiddleware(
	semanticProvider semantic.Provider,
	queryProvider query.Provider,
	storageProvider storage.Provider,
	cfg EnrichmentConfig,
) mcp.Middleware

MCPSemanticEnrichmentMiddleware creates MCP protocol-level middleware that enriches tool call responses with semantic context.

This middleware intercepts tools/call responses and adds cross-service context:

  • Trino results get DataHub metadata (descriptions, owners, tags, etc.)
  • DataHub results get Trino query context (can query? sample SQL?)
  • S3 results get semantic metadata for matching datasets

func MCPToolCallMiddleware added in v0.4.0 

func MCPToolCallMiddleware(authenticator Authenticator, authorizer Authorizer, toolkitLookup ToolkitLookup) mcp.Middleware

MCPToolCallMiddleware creates MCP protocol-level middleware that intercepts tools/call requests and enforces authentication and authorization.

This middleware runs at the MCP protocol level, intercepting all incoming requests before they reach tool handlers. For tools/call requests, it: 1. Extracts the tool name from the request 2. Creates a PlatformContext with the tool information 3. Looks up toolkit metadata (kind, name, connection) 4. Runs authentication to identify the user 5. Runs authorization to check if the user can access the tool 6. Either proceeds with the call or returns an access denied error

The toolkitLookup parameter is optional; if nil, toolkit metadata won't be populated.

func NewToolResultError 

func NewToolResultError(errMsg string) *mcp.CallToolResult

NewToolResultError creates an error result.

func NewToolResultText 

func NewToolResultText(text string) *mcp.CallToolResult

NewToolResultText creates a text result.

func WithPlatformContext 

func WithPlatformContext(ctx context.Context, pc *PlatformContext) context.Context

WithPlatformContext adds platform context to the context.

Types

type AuditEvent 

type AuditEvent struct {
	Timestamp    time.Time      `json:"timestamp"`
	RequestID    string         `json:"request_id"`
	UserID       string         `json:"user_id"`
	UserEmail    string         `json:"user_email"`
	Persona      string         `json:"persona"`
	ToolName     string         `json:"tool_name"`
	ToolkitKind  string         `json:"toolkit_kind"`
	ToolkitName  string         `json:"toolkit_name"`
	Connection   string         `json:"connection"`
	Parameters   map[string]any `json:"parameters"`
	Success      bool           `json:"success"`
	ErrorMessage string         `json:"error_message,omitempty"`
	DurationMS   int64          `json:"duration_ms"`
}

AuditEvent represents an auditable event.

type AuditLogger 

type AuditLogger interface {
	// Log records an audit event.
	Log(ctx context.Context, event AuditEvent) error
}

AuditLogger logs tool calls for auditing.

func NewAuditStoreAdapter added in v0.12.0 

func NewAuditStoreAdapter(store *auditpostgres.Store) AuditLogger

NewAuditStoreAdapter creates an AuditLogger that logs to a PostgreSQL audit store.

type Authenticator 

type Authenticator interface {
	// Authenticate validates credentials and returns user info.
	Authenticate(ctx context.Context) (*UserInfo, error)
}

Authenticator validates authentication credentials.

type Authorizer 

type Authorizer interface {
	// IsAuthorized checks if the user can use the tool.
	// Returns:
	//   - authorized: whether the user is authorized
	//   - personaName: the resolved persona name (for audit logging)
	//   - reason: reason for denial (empty if authorized)
	IsAuthorized(ctx context.Context, userID string, roles []string, toolName string) (authorized bool, personaName string, reason string)
}

Authorizer checks if a user is authorized for a tool.

func AllowAllAuthorizer 

func AllowAllAuthorizer() Authorizer

AllowAllAuthorizer authorizes all requests.

type EnrichmentConfig 

type EnrichmentConfig struct {
	// EnrichTrinoResults adds semantic context to Trino tool results.
	EnrichTrinoResults bool

	// EnrichDataHubResults adds query context to DataHub tool results.
	EnrichDataHubResults bool

	// EnrichS3Results adds semantic context to S3 tool results.
	EnrichS3Results bool

	// EnrichDataHubStorageResults adds storage context to DataHub tool results.
	EnrichDataHubStorageResults bool
}

EnrichmentConfig configures semantic enrichment.

type NoopAuditLogger 

type NoopAuditLogger struct{}

NoopAuditLogger discards all audit events.

func (*NoopAuditLogger) Log 

func (n *NoopAuditLogger) Log(_ context.Context, _ AuditEvent) error

Log does nothing.

type NoopAuthenticator 

type NoopAuthenticator struct {
	DefaultUserID string
	DefaultRoles  []string
}

NoopAuthenticator always succeeds authentication.

func (*NoopAuthenticator) Authenticate 

func (n *NoopAuthenticator) Authenticate(_ context.Context) (*UserInfo, error)

Authenticate always returns a default user.

type NoopAuthorizer 

type NoopAuthorizer struct{}

NoopAuthorizer always authorizes.

func (*NoopAuthorizer) IsAuthorized 

func (n *NoopAuthorizer) IsAuthorized(_ context.Context, _ string, _ []string, _ string) (bool, string, string)

IsAuthorized always returns true with empty persona name.

type PlatformContext 

type PlatformContext struct {
	// Request identification
	RequestID string
	StartTime time.Time

	// User information
	UserID      string
	UserEmail   string
	UserClaims  map[string]any
	Roles       []string
	PersonaName string

	// Tool information
	ToolName    string
	ToolkitKind string
	ToolkitName string
	Connection  string

	// Authorization
	Authorized bool
	AuthzError string

	// Results (populated after handler)
	Success      bool
	ErrorMessage string
	Duration     time.Duration
}

PlatformContext holds platform-specific context for a request.

func GetPlatformContext 

func GetPlatformContext(ctx context.Context) *PlatformContext

GetPlatformContext retrieves platform context from the context.

func MustGetPlatformContext 

func MustGetPlatformContext(ctx context.Context) *PlatformContext

MustGetPlatformContext retrieves platform context or panics.

func NewPlatformContext 

func NewPlatformContext(requestID string) *PlatformContext

NewPlatformContext creates a new platform context.

type TableRef added in v0.9.3 

type TableRef struct {
	Catalog  string
	Schema   string
	Table    string
	FullPath string
	Source   string // "FROM", "JOIN", "TABLE_FUNCTION"
}

TableRef represents an extracted table reference from SQL.

func ExtractTablesFromSQL added in v0.9.3 

func ExtractTablesFromSQL(sql string) []TableRef

ExtractTablesFromSQL extracts all table references from SQL. Uses regex for Trino-specific functions and standard table patterns. Combines ES raw_query indices with regular table references (e.g., JOINs). Filters out CTE references to only return physical tables.

type ToolkitLookup added in v0.12.1 

type ToolkitLookup interface {
	// GetToolkitForTool returns toolkit info (kind, name, connection) for a tool.
	// Returns found=false if the tool is not found in any registered toolkit.
	GetToolkitForTool(toolName string) (kind, name, connection string, found bool)
}

ToolkitLookup provides toolkit metadata for a given tool name.

type UserInfo 

type UserInfo struct {
	UserID   string
	Email    string
	Claims   map[string]any
	Roles    []string
	AuthType string // "oidc", "apikey", etc.
}

UserInfo holds authenticated user information.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.