Claude Code MCP - Agent Orchestration Platform

audit.py•21.1 KiB

""" Tamper-Resistant Audit Logging with Cryptographic Integrity This module provides comprehensive audit logging for the Agent Orchestration Platform with cryptographic signatures to detect tampering and ensure complete accountability. Architecture Integration: - Design Patterns: Observer pattern for event collection, Chain of Responsibility for handlers - Security Model: Immutable audit trail with cryptographic integrity and non-repudiation - Performance Profile: O(1) logging operations with batched writes and async I/O Technical Decisions: - ECDSA Signatures: Compact signatures with fast verification for high-frequency logging - Structured Logging: JSON format with standardized fields for analysis and compliance - Append-Only Log: Immutable log file structure with rotation for long-term storage - Background Processing: Async logging to avoid blocking critical operations Dependencies & Integration: - External: None beyond standard library for maximum reliability - Internal: crypto.py for signature operations, types for domain modeling Quality Assurance: - Test Coverage: Property-based testing for signature verification and log integrity - Error Handling: Graceful degradation with local fallback when crypto fails Author: Adder_4 | Created: 2025-06-26 | Last Modified: 2025-06-26 """ import asyncio import json import logging import threading import uuid from contextlib import asynccontextmanager from dataclasses import asdict, dataclass, field from datetime import datetime, timezone from enum import Enum, auto from pathlib import Path from typing import Any, AsyncGenerator, Dict, List, Optional, Union from src.utils.contracts_shim import ensure, require from .crypto import ( CryptographicError, KeyId, SignatureBytes, get_key_manager, sign_audit_data, verify_audit_signature, ) class AuditLevel(Enum): """Audit event severity levels with security focus.""" DEBUG = "debug" INFO = "info" WARNING = "warning" SECURITY = "security" ERROR = "error" CRITICAL = "critical" class AuditCategory(Enum): """Categories for audit events to enable filtering and analysis.""" AGENT_LIFECYCLE = "agent_lifecycle" SESSION_MANAGEMENT = "session_management" AUTHENTICATION = "authentication" AUTHORIZATION = "authorization" CRYPTOGRAPHIC = "cryptographic" FILE_SYSTEM = "file_system" COMMUNICATION = "communication" SYSTEM_HEALTH = "system_health" ERROR_HANDLING = "error_handling" PERFORMANCE = "performance" @dataclass(frozen=True) class AuditEvent: """ Immutable audit event with cryptographic integrity protection. All audit events are signed to prevent tampering and ensure accountability. The signature covers all event data to detect any modification attempts. """ # Core Event Identity event_id: str timestamp: datetime level: AuditLevel category: AuditCategory # Event Details operation: str resource_type: str resource_id: str user_id: Optional[str] session_id: Optional[str] agent_id: Optional[str] # Outcome and Context success: bool error_message: Optional[str] metadata: Dict[str, Any] # Security Information source_ip: Optional[str] user_agent: Optional[str] # Cryptographic Integrity signature: Optional[SignatureBytes] = None signature_key_id: Optional[KeyId] = None def __post_init__(self): """Validate audit event consistency.""" if not self.operation: raise ValueError("Operation cannot be empty") if not self.resource_type: raise ValueError("Resource type cannot be empty") if not self.resource_id: raise ValueError("Resource ID cannot be empty") def to_dict(self) -> Dict[str, Any]: """Convert to dictionary for JSON serialization.""" data = asdict(self) data["timestamp"] = self.timestamp.isoformat() data["level"] = self.level.value data["category"] = self.category.value if self.signature: data["signature"] = self.signature.hex() return data def get_signing_data(self) -> bytes: """Get canonicalized data for signature generation.""" # Create consistent representation for signing signing_dict = { "event_id": self.event_id, "timestamp": self.timestamp.isoformat(), "level": self.level.value, "category": self.category.value, "operation": self.operation, "resource_type": self.resource_type, "resource_id": self.resource_id, "user_id": self.user_id, "session_id": self.session_id, "agent_id": self.agent_id, "success": self.success, "error_message": self.error_message, "metadata": self.metadata, "source_ip": self.source_ip, "user_agent": self.user_agent, } # Canonical JSON representation json_str = json.dumps(signing_dict, sort_keys=True, separators=(",", ":")) return json_str.encode("utf-8") def with_signature(self, signature: SignatureBytes, key_id: KeyId) -> "AuditEvent": """Create new event with cryptographic signature.""" from dataclasses import replace return replace(self, signature=signature, signature_key_id=key_id) def verify_integrity(self) -> bool: """Verify event integrity using cryptographic signature.""" if not self.signature or not self.signature_key_id: return False signing_data = self.get_signing_data() return verify_audit_signature( signing_data, self.signature, self.signature_key_id ) class AuditException(Exception): """Exception for audit logging failures.""" pass class AuditLogWriter: """ Thread-safe audit log writer with rotation and compression. Implements append-only logging with automatic file rotation based on size and time constraints to ensure logs remain manageable while preserving history. """ def __init__( self, log_directory: Path, max_file_size: int = 50 * 1024 * 1024, # 50MB max_files: int = 100, compress_old: bool = True, ): """Initialize audit log writer with rotation settings.""" self.log_directory = log_directory self.max_file_size = max_file_size self.max_files = max_files self.compress_old = compress_old self.log_directory.mkdir(parents=True, exist_ok=True, mode=0o700) self.current_log_file: Optional[Path] = None self.current_file_size = 0 self.write_lock = threading.Lock() self._ensure_current_log_file() def _ensure_current_log_file(self) -> None: """Ensure current log file exists and is ready for writing.""" if ( self.current_log_file is None or not self.current_log_file.exists() or self.current_file_size >= self.max_file_size ): self._rotate_log_file() def _rotate_log_file(self) -> None: """Create new log file and optionally compress old one.""" timestamp = datetime.utcnow().strftime("%Y%m%d_%H%M%S") self.current_log_file = self.log_directory / f"audit_{timestamp}.log" self.current_file_size = 0 # Cleanup old files if necessary self._cleanup_old_files() def _cleanup_old_files(self) -> None: """Remove old log files if exceeding maximum count.""" log_files = sorted( self.log_directory.glob("audit_*.log*"), key=lambda p: p.stat().st_mtime ) while len(log_files) >= self.max_files: oldest_file = log_files.pop(0) try: oldest_file.unlink() except OSError: pass # Best effort cleanup @require(lambda event: event.signature is not None) @require(lambda event: event.signature_key_id is not None) def write_event(self, event: AuditEvent) -> None: """ Write signed audit event to log file. Contracts: Preconditions: - Event must have valid signature - Event must have signature key ID Postconditions: - Event written to persistent storage - File integrity maintained - Thread-safe operation completed Invariants: - Log files remain append-only - File size limits respected - Concurrent writes properly synchronized """ with self.write_lock: self._ensure_current_log_file() try: event_json = json.dumps(event.to_dict()) + "\n" event_bytes = event_json.encode("utf-8") with open(self.current_log_file, "ab") as f: f.write(event_bytes) f.flush() self.current_file_size += len(event_bytes) except (OSError, IOError) as e: raise AuditException(f"Failed to write audit event: {e}") def read_events( self, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None, level: Optional[AuditLevel] = None, category: Optional[AuditCategory] = None, ) -> List[AuditEvent]: """Read audit events with optional filtering.""" events = [] log_files = sorted( self.log_directory.glob("audit_*.log"), key=lambda p: p.stat().st_mtime ) for log_file in log_files: try: with open(log_file, "r") as f: for line in f: try: event_dict = json.loads(line.strip()) event = self._dict_to_event(event_dict) # Apply filters if start_time and event.timestamp < start_time: continue if end_time and event.timestamp > end_time: continue if level and event.level != level: continue if category and event.category != category: continue events.append(event) except (json.JSONDecodeError, ValueError): continue # Skip malformed entries except (OSError, IOError): continue # Skip inaccessible files return events def _dict_to_event(self, event_dict: Dict[str, Any]) -> AuditEvent: """Convert dictionary back to AuditEvent.""" signature = None if "signature" in event_dict and event_dict["signature"]: signature = SignatureBytes(bytes.fromhex(event_dict["signature"])) return AuditEvent( event_id=event_dict["event_id"], timestamp=datetime.fromisoformat(event_dict["timestamp"]), level=AuditLevel(event_dict["level"]), category=AuditCategory(event_dict["category"]), operation=event_dict["operation"], resource_type=event_dict["resource_type"], resource_id=event_dict["resource_id"], user_id=event_dict.get("user_id"), session_id=event_dict.get("session_id"), agent_id=event_dict.get("agent_id"), success=event_dict["success"], error_message=event_dict.get("error_message"), metadata=event_dict.get("metadata", {}), source_ip=event_dict.get("source_ip"), user_agent=event_dict.get("user_agent"), signature=signature, signature_key_id=( KeyId(event_dict["signature_key_id"]) if event_dict.get("signature_key_id") else None ), ) class SecureAuditLogger: """ High-level audit logger with cryptographic integrity and async processing. Provides convenient interface for audit logging throughout the system while ensuring all events are cryptographically signed and persistently stored. """ def __init__(self, log_directory: Path): """Initialize secure audit logger.""" self.log_writer = AuditLogWriter(log_directory) self.background_queue: asyncio.Queue = asyncio.Queue() self.background_task: Optional[asyncio.Task] = None self.running = False async def start(self) -> None: """Start background processing for audit events.""" if not self.running: self.running = True self.background_task = asyncio.create_task(self._background_processor()) async def stop(self) -> None: """Stop background processing and flush remaining events.""" if self.running: self.running = False if self.background_task: await self.background_task async def _background_processor(self) -> None: """Background task to process audit events asynchronously.""" while self.running: try: # Process events with timeout to prevent blocking event = await asyncio.wait_for(self.background_queue.get(), timeout=1.0) # Sign and write event self._sign_and_write_event(event) self.background_queue.task_done() except asyncio.TimeoutError: continue # Check running status except Exception as e: # Log error but continue processing logging.error(f"Audit background processor error: {e}") def _sign_and_write_event(self, event: AuditEvent) -> None: """Sign event and write to persistent storage.""" try: # Get signing data and create signature signing_data = event.get_signing_data() signature, key_id = sign_audit_data(signing_data) # Create signed event and write signed_event = event.with_signature(signature, key_id) self.log_writer.write_event(signed_event) except CryptographicError as e: # Fall back to unsigned logging for critical events logging.error(f"Failed to sign audit event {event.event_id}: {e}") # Could implement fallback unsigned logging here if needed async def log_event( self, level: AuditLevel, category: AuditCategory, operation: str, resource_type: str, resource_id: str, success: bool = True, user_id: Optional[str] = None, session_id: Optional[str] = None, agent_id: Optional[str] = None, error_message: Optional[str] = None, metadata: Optional[Dict[str, Any]] = None, source_ip: Optional[str] = None, user_agent: Optional[str] = None, ) -> str: """ Log audit event asynchronously with cryptographic signing. Returns the event ID for correlation and follow-up. """ event_id = str(uuid.uuid4()) event = AuditEvent( event_id=event_id, timestamp=datetime.now(timezone.utc), level=level, category=category, operation=operation, resource_type=resource_type, resource_id=resource_id, user_id=user_id, session_id=session_id, agent_id=agent_id, success=success, error_message=error_message, metadata=metadata or {}, source_ip=source_ip, user_agent=user_agent, ) # Queue for background processing await self.background_queue.put(event) return event_id # Convenience methods for common audit scenarios async def log_agent_created( self, agent_id: str, session_id: str, user_id: str, metadata: Optional[Dict[str, Any]] = None, ) -> str: """Log agent creation event.""" return await self.log_event( level=AuditLevel.INFO, category=AuditCategory.AGENT_LIFECYCLE, operation="create_agent", resource_type="agent", resource_id=agent_id, user_id=user_id, session_id=session_id, metadata=metadata or {}, ) async def log_authentication_attempt( self, user_id: str, success: bool, source_ip: Optional[str] = None, error_message: Optional[str] = None, ) -> str: """Log authentication attempt.""" return await self.log_event( level=AuditLevel.SECURITY if not success else AuditLevel.INFO, category=AuditCategory.AUTHENTICATION, operation="authenticate", resource_type="user", resource_id=user_id, success=success, error_message=error_message, source_ip=source_ip, ) async def log_security_violation( self, operation: str, resource_type: str, resource_id: str, violation_details: str, user_id: Optional[str] = None, source_ip: Optional[str] = None, ) -> str: """Log security policy violation.""" return await self.log_event( level=AuditLevel.CRITICAL, category=AuditCategory.AUTHORIZATION, operation=operation, resource_type=resource_type, resource_id=resource_id, success=False, user_id=user_id, error_message=violation_details, source_ip=source_ip, ) async def log_file_access( self, file_path: str, operation: str, agent_id: Optional[str] = None, success: bool = True, error_message: Optional[str] = None, ) -> str: """Log file system access.""" return await self.log_event( level=AuditLevel.INFO, category=AuditCategory.FILE_SYSTEM, operation=operation, resource_type="file", resource_id=file_path, agent_id=agent_id, success=success, error_message=error_message, ) def verify_log_integrity( self, start_time: Optional[datetime] = None, end_time: Optional[datetime] = None ) -> Dict[str, Any]: """ Verify integrity of audit log entries using cryptographic signatures. Returns summary of verification results including any tampering detected. """ events = self.log_writer.read_events(start_time, end_time) verification_results = { "total_events": len(events), "verified_events": 0, "failed_events": 0, "unsigned_events": 0, "tampering_detected": False, "failed_event_ids": [], } for event in events: if not event.signature: verification_results["unsigned_events"] += 1 continue if event.verify_integrity(): verification_results["verified_events"] += 1 else: verification_results["failed_events"] += 1 verification_results["tampering_detected"] = True verification_results["failed_event_ids"].append(event.event_id) return verification_results # Global audit logger instance _audit_logger_instance: Optional[SecureAuditLogger] = None def get_audit_logger() -> SecureAuditLogger: """Get global audit logger instance.""" global _audit_logger_instance if _audit_logger_instance is None: raise RuntimeError( "Audit logger not initialized. Call initialize_audit_system() first." ) return _audit_logger_instance def initialize_audit_system(log_directory: Path) -> SecureAuditLogger: """Initialize global audit logging system.""" global _audit_logger_instance _audit_logger_instance = SecureAuditLogger(log_directory) return _audit_logger_instance @asynccontextmanager async def audit_context(): """Context manager for audit logger lifecycle.""" logger = get_audit_logger() await logger.start() try: yield logger finally: await logger.stop() # Convenience functions for common audit operations async def audit_agent_created( agent_id: str, session_id: str, user_id: str, **metadata ) -> str: """Convenience function for agent creation audit.""" logger = get_audit_logger() return await logger.log_agent_created(agent_id, session_id, user_id, metadata) async def audit_authentication( user_id: str, success: bool, source_ip: str = None, error: str = None ) -> str: """Convenience function for authentication audit.""" logger = get_audit_logger() return await logger.log_authentication_attempt(user_id, success, source_ip, error) async def audit_security_violation( operation: str, resource_type: str, resource_id: str, details: str, user_id: str = None, source_ip: str = None, ) -> str: """Convenience function for security violation audit.""" logger = get_audit_logger() return await logger.log_security_violation( operation, resource_type, resource_id, details, user_id, source_ip )

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Nexus-Digital-Automations/Claude_Code_MCP_2'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

audit.py•21.1 KiB