ComfyUI MCP Server

Overview Schema Related Servers Score Discussions

comfy_mcp
docs

LOGGING_IMPLEMENTATION_SUMMARY.md•7.19 KiB

# Logging Implementation Summary **Date**: January 2025 **Status**: ✅ Complete **Version**: FastMCP v3 with Parameter Sanitization --- ## Overview Enhanced the `@log_call` decorator to support optional parameter logging with automatic sensitive data redaction for improved debugging and security. --- ## Implementation ### 1. Core Enhancement: `@log_call` Decorator **File**: `src/utils/logging.py` **New Parameters**: ```python @log_call( action_name="function_name", level_name="route", log_params=True, # ✨ NEW: Enable parameter logging sensitive_params=["api_key"] # ✨ NEW: List of params to redact ) ``` **Features**: - **Correlation ID Tracking**: Automatic request tracing across all layers - **Parameter Logging**: Optional parameter logging (disabled by default) - **Sensitive Data Redaction**: Automatic `[REDACTED]` replacement for sensitive params - **Security-First**: Common sensitive parameter patterns pre-configured - **Works with async/sync**: Supports both function types **Example Output**: ``` [abc123] [route] download_model - ENTER params={'url': '[REDACTED]', 'api_key': '[REDACTED]'} [abc123] [route] download_model - SUCCESS (2.345s) ``` ### 2. Security: Common Sensitive Parameters The following parameter names are automatically redacted: - `password`, `passwd`, `pwd` - `secret`, `webhook_secret`, `client_secret` - `token`, `auth_token`, `access_token`, `bearer_token` - `api_key`, `apikey`, `key` - `credential`, `credentials`, `authorization` - URLs (may contain tokens in query strings) ### 3. Applied to Production Code **File**: `src/routes/model_upload.py` Applied parameter logging with URL sanitization to protect API tokens: ```python @log_call( action_name="download_model_from_url", level_name="route", log_params=True, sensitive_params=["url"] # URL may contain API tokens in query string ) async def download_model_from_url(...) ``` **Why URLs?**: Services like CivitAI include API keys in URL query strings: ``` https://civitai.com/api/download/models/12345?token=SECRET_API_KEY ``` --- ## Documentation Updates ### 1. MCP Logging Skill (`.github/skills/mcp-logging/SKILL.md`) **Added**: - ✅ Core principle: "Sensitive Parameter Sanitization" - ✅ Parameter logging section with examples - ✅ Security checklist - ✅ Common sensitive parameter patterns table - ✅ Integration guidance ### 2. Example Code (`.github/skills/mcp-logging/examples/04_parameter_sanitization.py`) **Created**: Comprehensive example demonstrating: - Webhook payload sanitization - File upload metadata logging - API call with tokens - Multiple sensitive parameters - Environment-based logging control ### 3. Reference Documentation (`docs/REFERENCE.md`) **Added**: New "Logging and Observability" section covering: - Correlation ID tracking - Log levels - Parameter logging usage - Common sensitive parameters - Reference to complete logging documentation ### 4. Architecture Documentation (`docs/ARCHITECTURE.md`) **Added**: New "Logging & Observability" component section covering: - @log_call decorator capabilities - CorrelationLogger design - Correlation context management - Security features - Usage examples ### 5. Refactoring Summary (`docs/REFACTORING_SUMMARY.md`) **Updated**: Logging utilities section with: - Parameter sanitization feature - Correlation ID tracking - Context management via contextvars - Security benefits ### 6. Routes AGENTS.md (`src/routes/AGENTS.md`) **Updated**: Decorator-based logging section with: - New `log_params` and `sensitive_params` parameters - Parameter sanitization example - Security rationale - Reference to complete documentation --- ## Testing **Verified**: 1. ✅ Parameter logging works correctly 2. ✅ Sensitive parameters show `[REDACTED]` 3. ✅ Correlation IDs propagate across layers 4. ✅ Works with both async and sync functions 5. ✅ Zero impact when `log_params=False` (default) **Example Test Output**: ```bash $ DEBUG_LOGGING=true python .github/skills/mcp-logging/examples/04_parameter_sanitization.py [abc123] [webhook] process_webhook - ENTER params={'payload': '[REDACTED]', 'signature': '[REDACTED]'} [abc123] [webhook] process_webhook - SUCCESS (0.001s) ``` --- ## Usage Guidelines ### When to Enable Parameter Logging ✅ **Use parameter logging for**: - Debugging complex issues in development/staging - Troubleshooting API integration failures - Investigating workflow execution problems ❌ **Do NOT use in production** (unless specifically debugging): - Large performance impact (logs can be massive) - Potential PII exposure even with sanitization - Increased log storage costs ### When to Add Sensitive Parameters Add parameters to `sensitive_params` when: 1. **Authentication Data**: Tokens, API keys, passwords 2. **User Data**: Email addresses, phone numbers, personal info 3. **Security Data**: Signatures, credentials, secrets 4. **URLs**: Any URL that might contain tokens/keys in query strings ### Best Practices ```python # ✅ GOOD: Explicit sensitive parameters @log_call( action_name="api_call", level_name="route", log_params=True, sensitive_params=["api_key", "token", "url"] ) # ❌ BAD: No sensitive params specified (may leak tokens) @log_call( action_name="api_call", level_name="route", log_params=True ) # ⚠️ CAUTION: Generic parameter names may not be caught @log_call( action_name="process_data", level_name="route", log_params=True, sensitive_params=["data"] # If "data" contains nested secrets ) ``` --- ## Benefits ### Security - **Automatic Redaction**: No manual sanitization needed - **Pre-configured Patterns**: Common sensitive parameter names built-in - **Defense in Depth**: Multiple layers of protection ### Debugging - **End-to-End Tracing**: Correlation IDs across all layers - **Parameter Visibility**: See what values are being passed - **Timing Information**: Identify performance bottlenecks ### Maintainability - **Zero Boilerplate**: No manual logging code needed - **Consistent Format**: All logs follow same pattern - **Easy to Extend**: Add new sensitive params per function --- ## Related Documentation - **Complete Guide**: `.github/skills/mcp-logging/SKILL.md` - **Examples**: `.github/skills/mcp-logging/examples/` - **Architecture**: `docs/ARCHITECTURE.md` (Logging & Observability section) - **API Reference**: `docs/REFERENCE.md` (Logging and Observability section) --- ## Future Enhancements **Potential Improvements**: 1. **Configurable Redaction Patterns**: Allow regex-based parameter matching 2. **Environment-Based Defaults**: Auto-enable/disable based on `DEBUG_LOGGING` 3. **Structured Logging**: JSON output for log aggregation systems 4. **Performance Monitoring**: Track slow requests automatically 5. **Audit Logging**: Separate audit trail for sensitive operations --- ## Summary ✅ **Implemented**: Comprehensive parameter logging with automatic sensitive data redaction ✅ **Documented**: Updated all relevant documentation files ✅ **Tested**: Verified functionality with example code ✅ **Applied**: Enabled on production route functions where appropriate ✅ **Secure**: Automatic protection against common data leak patterns **Status**: Ready for production use with DEBUG_LOGGING feature flag.

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jaewilson07/comfy_mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

LOGGING_IMPLEMENTATION_SUMMARY.md•7.19 KiB