stacklok / toolhive / 24163599188

push

github

Log when authorization policies filter list responses (#4690)

* Log when authorization policies filter list responses

When Cedar policies deny access to tools, prompts, or resources during
list filtering, items are silently removed from the response. This makes
it difficult to diagnose authorization issues since the MCP client shows
empty capabilities with no explanation.

Add DEBUG-level logs for each denied item and an INFO-level summary
after filtering completes so operators can see that items were filtered
and enable DEBUG to see which ones.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add rate-limited claim key logging and use DEBUG for authz diagnostics

Add a generic AtMost utility (pkg/syncutil) that executes a function at
most once per configurable interval, safe for concurrent use. Use it in
the Cedar authorizer to emit a rate-limited DEBUG log of resolved JWT
claim keys, helping operators see what claims are available for writing
Cedar policies without enabling verbose per-request logging.

Downgrade the authorization filtering summary logs from INFO to DEBUG to
follow the "silent success" convention — a policy correctly denying
access is working as intended, not something that warrants INFO output.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add AtMost to codespell ignore list

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

50 of 50 new or added lines in 4 files covered. (100.0%)

55062 of 84787 relevant lines covered (64.94%)

63.44 hits per line