Audit and Logging
Every public MCP tool call can produce an audit event. Write attempts must produce audit events before guarded write tools are enabled.
Audit entries should include:
- user id
- client id
- tool name
- requested scope
- preview id or idempotency key
- decision
- affected record ids
- timestamp
Logs should avoid storing full raw statement content unless explicitly required for troubleshooting.
The server includes persistence adapters for:
- mcp_audit_events
- idempotency_records
These tables are created by the Supabase migration supabase-mcp-audit-idempotency-migration.sql.
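The following sketch is an added example, not the server's own code. It builds an audit entry with the fields listed above, keeps raw statement content out of the entry unless troubleshooting is explicitly requested, and refuses a write when the audit event cannot be persisted first. The function names, dictionary keys, decision values and the `audit_sink` callable (standing in for a persistence adapter) are assumptions.

```python
import hashlib
from datetime import datetime, timezone


def build_audit_event(call, decision, affected_record_ids, keep_raw=False):
    """Build one audit entry carrying the fields listed in this section.

    The raw statement is replaced by its SHA-256 digest and length, so entries
    can be correlated without storing the content. keep_raw is the explicit
    troubleshooting opt-in. All key names here are hypothetical.
    """
    statement = call.get("statement", "")
    event = {
        "user_id": call["user_id"],
        "client_id": call["client_id"],
        "tool_name": call["tool_name"],
        "requested_scope": call["requested_scope"],
        # The entry carries whichever of the two identifiers the call has.
        "preview_or_idempotency_key": call.get("idempotency_key") or call.get("preview_id"),
        "decision": decision,
        "affected_record_ids": list(affected_record_ids),
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "statement_sha256": hashlib.sha256(statement.encode("utf-8")).hexdigest(),
        "statement_length": len(statement),
    }
    if keep_raw:
        event["statement_raw"] = statement
    return event


def guarded_write(call, audit_sink, write_fn):
    """Run a write tool only after its attempt has been audited (fail closed)."""
    try:
        # Persist the decision before any record is touched.
        audit_sink(build_audit_event(call, "allow", []))
    except Exception as exc:
        raise PermissionError("write refused: audit event not persisted") from exc
    affected = write_fn(call)
    # Second entry records which rows the write actually changed.
    audit_sink(build_audit_event(call, "completed", affected))
    return affected
```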