@@ -28,9 +28,10 @@ internal/
2828 adapters/allure/
2929 client.go — HTTP client, JWT caching, per-session token callback
3030 models.go — request/response DTOs
31- config/config.go — env-var loading and validation
31+ config/config.go — env-var loading and validation (users, audit config)
3232 core/logger.go — structured JSON logging (stdout), 4 levels
33- session/session.go — context-based session ID (StdioID = "stdio")
33+ session/session.go — context-based session ID, user name, remote addr
34+ audit/audit.go — daily JSONL audit log, configurable retention, auto-cleanup
3435```
3536
3637### Transport modes
@@ -41,11 +42,13 @@ internal/
4142- Used for Claude Desktop local integration
4243
4344**HTTP + SSE** (multi-user team server):
44- - `GET /sse` — opens SSE stream, returns `session_id` as first event
45- - `POST /messages?sessionId=<id>` — sends JSON-RPC request for a session
45+ - `POST /mcp` — streamable HTTP transport (MCP spec 2025-03-26), recommended
46+ - `GET /sse` — legacy SSE stream, returns `session_id` as first event
47+ - `POST /messages?sessionId=<id>` — legacy JSON-RPC request for a session
4648- Per-session `X-Allure-Token` header stored in Registry
47- - Optional `Authorization: Bearer <MCP_AUTH_TOKEN >` for endpoint protection
49+ - Named user auth via `Authorization: Bearer <token >` (`MCP_AUTH_TOKENS=alice:tok,...`)
4850- Heartbeat every 25 s, max 64 queued messages per session, 1 MiB max body
51+ - Every non-notification request is written to the audit log (user, tool, duration, status)
4952
5053### Session token isolation
5154
@@ -69,8 +72,11 @@ Each HTTP session gets its own Allure API token. Priority:
6972| `REQUEST_TIMEOUT` | No | 30 | HTTP timeout seconds (1–600) |
7073| `PORT` | No | `:3000` | HTTP server port (auto-prefixed with `:` if needed) |
7174| `LOG_LEVEL` | No | `INFO` | `DEBUG` / `INFO` / `WARN` / `ERROR` |
72- | `MCP_AUTH_TOKEN` | No | — | Bearer token required on HTTP; warn if unset |
75+ | `MCP_AUTH_TOKENS` | No | — | Named user tokens: `alice:tok1,bob:tok2` (preferred) |
76+ | `MCP_AUTH_TOKEN` | No | — | Single legacy token; treated as user `"default"` |
7377| `CORS_ALLOWED_ORIGIN` | No | `*` | CORS `Access-Control-Allow-Origin` value |
78+ | `AUDIT_LOG_PATH` | No | `audit` | Directory for daily audit JSONL files |
79+ | `AUDIT_RETENTION_DAYS` | No | `30` | Days to keep audit files before auto-deletion |
7480
7581---
7682
@@ -926,7 +932,8 @@ Tools return errors as MCP error responses. Common causes:
926932
927933- Never log API tokens (masked in logs)
928934- `configure_allure_token` warns users: token is session-only, not persisted
929- - HTTP mode: always set `MCP_AUTH_TOKEN` in production
935+ - HTTP mode: configure `MCP_AUTH_TOKENS` with per-user named tokens in production
936+ - Audit log records every request: user, session, remote addr, method, tool, status, duration
930937- Use HTTPS in production (nginx/Caddy reverse proxy)
931938- Set `CORS_ALLOWED_ORIGIN` to specific origin (not `*`) in production
932939
0 commit comments