
Default Implementations

🚫 The @ithena-one/mcp-governance SDK provides default implementations for its core interfaces primarily for rapid development, testing, and demonstration purposes. Most defaults are NOT suitable for production and should be replaced with robust alternatives integrated with your infrastructure.

The SDK provides several default implementations for its core interfaces. These are primarily intended for rapid development, testing, and demonstration purposes.

Default Logger (ConsoleLogger)

  • Interface: Logger
  • File: src/defaults/logger.ts
  • Behavior: Logs structured JSON messages to the console. Supports log levels and child loggers.
  • Production Readiness: ⚠️ NO. Dev/debug only. Replace with an adapter for a production logging library (Pino, Winston) that ships logs to your aggregation system.

Default Audit Stores (NoOpAuditLogStore, ConsoleAuditLogStore)

  • Interface: AuditLogStore
  • File: src/defaults/audit.ts
  • Behavior:
    • NoOpAuditLogStore (Default if auditStore omitted): Does nothing (auditing disabled).
    • ConsoleAuditLogStore: Logs complete AuditRecord JSON to console.
  • Production Readiness: ⚠️ NO. NoOp provides no auditing at all. Console is for debugging only. Replace with an implementation that sends records to a SIEM, a log platform (ELK, Splunk), or a database.

Default RBAC Stores (InMemoryRoleStore, InMemoryPermissionStore)

  • Interface: RoleStore, PermissionStore
  • File: src/defaults/permissions.ts
  • Behavior: Simple in-memory storage for user-role and role-permission mappings. InMemoryPermissionStore supports the * wildcard.
  • Production Readiness: ⚠️ NO. Volatile (lost on restart) and not scalable. Replace with an implementation that queries your actual authorization system (LDAP, DB, IdP).

Default Permission Derivation (defaultDerivePermission)

  • Interface: GovernedServerOptions['derivePermission']
  • File: src/defaults/permissions.ts
  • Behavior: Generates basic permission strings (e.g., tool:call:cleanup, resource:read:uri). Returns null for ping, initialize.
  • Production Readiness: Maybe. A reasonable starting point, but review it if more granular permissions are needed and customize as necessary. See Authorization.

Default Audit Sanitization (defaultSanitizeForAudit)

  • Interface: GovernedServerOptions['sanitizeForAudit']
  • File: src/defaults/sanitization.ts
  • Behavior: Attempts to mask common credential patterns (keywords, Bearer tokens) and truncates long strings in AuditRecord fields.
  • Production Readiness: 🚫 The default patterns are generic and may miss sensitive data or incorrectly mask non-sensitive data. You MUST review this function’s behavior against your actual data and will likely need to customize it significantly to ensure PII, business secrets, etc., are properly redacted. See Auditing & Logging and Security.
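
As an added example that is not the SDK's own code, the sketch below shows what a replacement for defaultSanitizeForAudit might look like: it redacts by known field name (which the generic pattern matching cannot do), masks Bearer tokens wherever they appear in string values, truncates long strings, and never mutates the original record. The AuditRecord type, the function signature (record in, sanitized copy out), and the SENSITIVE_KEYS list are assumptions for this illustration, not the SDK's actual API.

```typescript
// Assumption: sanitizeForAudit receives the AuditRecord as a plain object and
// returns a sanitized copy. This type is a stand-in for the SDK's own.
type AuditRecord = Record<string, unknown>;

// Field names known to carry secrets in *your* data. The defaults only know
// generic patterns, so this list is where deployment-specific knowledge goes.
const SENSITIVE_KEYS = new Set([
  "password", "apikey", "api_key", "token", "secret", "authorization", "ssn",
]);
const BEARER_RE = /\bBearer\s+[A-Za-z0-9._~+/=-]+/g;
const MAX_STRING = 256;
const MAX_DEPTH = 16; // guard against pathological nesting in tool arguments

function redactString(value: string): string {
  const masked = value.replace(BEARER_RE, "Bearer [REDACTED]");
  return masked.length > MAX_STRING
    ? masked.slice(0, MAX_STRING) + "...[truncated]"
    : masked;
}

function sanitizeValue(key: string, value: unknown, depth: number): unknown {
  // Key-based redaction wins regardless of the value's shape or content.
  if (SENSITIVE_KEYS.has(key.toLowerCase())) return "[REDACTED]";
  if (depth > MAX_DEPTH) return "[DEPTH_LIMIT]";
  if (typeof value === "string") return redactString(value);
  if (Array.isArray(value)) {
    return value.map((v) => sanitizeValue(key, v, depth + 1));
  }
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      out[k] = sanitizeValue(k, v, depth + 1);
    }
    return out; // new object: the caller's record is left untouched
  }
  return value; // numbers, booleans, null, undefined pass through
}

function customSanitizeForAudit(record: AuditRecord): AuditRecord {
  return sanitizeValue("", record, 0) as AuditRecord;
}
```

Keep the key list and patterns under test with samples of your real audit records, since a sanitizer that silently passes a new secret field is the failure mode this default is warning about.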

Default Trace Context Provider (defaultTraceContextProvider)

  • Interface: TraceContextProvider
  • File: src/defaults/tracing.ts
  • Behavior: Extracts trace context from W3C Trace Context headers (traceparent, tracestate).
  • Production Readiness: Yes, if you are using W3C Trace Context. Provide a custom function for other formats (e.g., B3).