Skip to Content
DocsSDKsConfiguration

Configuration Options (GovernedServerOptions)

Overview

You configure the behavior of the @ithena-one/mcp-governance SDK by passing an options object to the GovernedServer constructor.

Example Instantiation
import { GovernedServer, GovernedServerOptions } from '@ithena-one/mcp-governance';
import { Server as BaseServer } from '@modelcontextprotocol/sdk/server';
 
// Assume baseServer, myCustomLogger, myIdentityResolver etc. are defined elsewhere
const baseServer = new BaseServer({ name: "MyServer", version: "1.0" });
 
const options: GovernedServerOptions = {
    logger: myCustomLogger,
    identityResolver: myIdentityResolver,
    roleStore: myRoleStore,
    permissionStore: myPermissionStore,
    auditStore: myAuditStore,
    enableRbac: true,
    auditDeniedRequests: true,
    sanitizeForAudit: mySanitizer,
    // ... other options
};
 
const governedServer = new GovernedServer(baseServer, options);

Available Options

Below are the available options:

identityResolver

  • Type: IdentityResolver
  • Default: undefined
  • Required For: RBAC
  • Description: Your implementation to resolve the caller’s identity from the request context (e.g., headers, tokens). See Interfaces.

roleStore

  • Type: RoleStore
  • Default: undefined
  • Required For: RBAC
  • Description: Your implementation to fetch the roles associated with a resolved identity. See Interfaces.

permissionStore

  • Type: PermissionStore
  • Default: undefined
  • Required For: RBAC
  • Description: Your implementation to check if a role grants a specific permission string. See Interfaces.

credentialResolver

  • Type: CredentialResolver
  • Default: undefined
  • Required For: -
  • Description: Your implementation to securely fetch credentials (secrets, API keys) needed by handlers. See Interfaces.

auditStore

  • Type: AuditLogStore
  • Default: NoOpAuditLogStore
  • Required For: Auditing
  • Description: Your implementation to log detailed audit records. Defaults to doing nothing. See Interfaces.

logger

  • Type: Logger
  • Default: ConsoleLogger
  • Required For: Logging
  • Description: A structured logger instance. Defaults to logging JSON to the console. See Interfaces.

traceContextProvider

  • Type: TraceContextProvider
  • Default: defaultTraceContextProvider
  • Required For: Tracing
  • Description: Extracts distributed tracing context (e.g., W3C traceparent). Defaults to checking headers. See Interfaces.

enableRbac

  • Type: boolean
  • Default: false
  • Required For: RBAC
  • Description: Set to true to activate the RBAC checks in the pipeline. Requires identityResolver, roleStore, and permissionStore to be provided.

failOnCredentialResolutionError

  • Type: boolean
  • Default: true
  • Required For: -
  • Description: If true, requests will fail if the credentialResolver throws an error. If false, errors are logged, and the pipeline continues.

auditDeniedRequests

  • Type: boolean
  • Default: true
  • Required For: Auditing
  • Description: If true, audit records are generated and sent to the auditStore even for requests that were denied by RBAC.

auditNotifications

  • Type: boolean
  • Default: false
  • Required For: Auditing
  • Description: If true, audit records are generated for incoming MCP notifications. Requires auditStore and sanitizeForAudit.

derivePermission

  • Type: (req: Request, transportCtx: TransportContext) => string | null
  • Default: defaultDerivePermission
  • Required For: RBAC
  • Description: A function that generates the permission string (e.g., tool:call:my_tool) needed for a specific request. Return null to skip the permission check for that request. See Authorization.

sanitizeForAudit

  • Type: (record: AuditRecord) => AuditRecord
  • Default: defaultSanitizeForAudit
  • Required For: Auditing
  • Description: CRITICAL: A function to remove or mask sensitive data (PII, secrets) from the AuditRecord before it’s logged. Review the default implementation carefully. See Auditing & Logging.

postAuthorizationHook

  • Type: (identity: UserIdentity, opCtx: OperationContext) => Promise<void>
  • Default: undefined
  • Required For: -
  • Description: An optional asynchronous function called after a request passes authorization checks (or if RBAC is disabled/not applicable). Can be used for secondary checks or setup based on identity.

serviceIdentifier

  • Type: string
  • Default: undefined
  • Required For: -
  • Description: An optional string identifying this specific instance of your MCP server. Included in logs and audit records for easier correlation.

Important Considerations

🚫

If enableRbac is set to true, you must provide implementations for identityResolver, roleStore, and permissionStore. Omitting them will cause an error when creating the GovernedServer.

⚠️

Effective auditing relies on providing a functional auditStore. More importantly, you must review and likely customize the sanitizeForAudit function to prevent sensitive data (PII, secrets) from being inadvertently logged. The default implementation might not be sufficient for your needs.

The default components like ConsoleLogger, NoOpAuditLogStore, InMemoryRoleStore, etc., are primarily for demonstration. Replace them with robust, production-grade implementations suitable for your environment. Refer to Defaults and Security for more guidance.

Last updated on
Core ConceptsAuthorization