@hammadtq
Collaborator

Summary

This PR implements an OSS-friendly, local-first MCP (Model Context Protocol) Gateway layer for Attach Gateway. Key features:

  • MCP Reverse Proxy (/mcp/{server}) - JWT-protected JSON-RPC proxy to configured MCP servers
  • Console UI (/console) - Admin dashboard with public landing page and protected API endpoints
  • Per-user Quota Enforcement - Daily tool call limits with glob pattern matching (e.g., github.*: 200)
  • SQLite Audit Logging - Local audit trail of all MCP requests in ~/.attach/attach.db
  • CLI Commands - attach-gateway mcp add/list/enable/disable and attach-gateway claude install
  • OpenMeter Non-fatal Fallback - Missing API key warns instead of crashing

Design Principles

  • Opt-in only - MCP features disabled by default, enabled via ATTACH_ENABLE_MCP=true or ~/.attach/mcp.json
  • No breaking changes - Existing OIDC sidecar functionality unchanged
  • Namespace isolation - All new modules under attach/mcp/, attach/audit/, attach/console/
  • Local-first - All data stored locally in SQLite, no phone-home behavior

Files Changed

| Area | Description |
|---|---|
| attach/mcp/ | Config, proxy, quota, router modules |
| attach/audit/ | SQLite audit logging |
| attach/console/ | Console UI router and static assets |
| attach/cli_mcp.py | MCP server management CLI |
| attach/cli_claude.py | Claude Code integration helper |
| middleware/auth.py | Auth exclusions for console static assets |
| usage/factory.py | OpenMeter non-fatal fallback |

Test Coverage

  • 16 new integration tests covering MCP + auth + quota
  • 7 E2E tests with Ollama backend
  • All MCP-related tests pass (27/27)

Test plan

  • Run pytest tests/ - 55 passed, 5 pre-existing failures unrelated to this PR
  • Verify MCP endpoints require JWT authentication
  • Verify console landing page is public, API is protected
  • Verify per-user quota isolation works correctly
  • Verify audit logs capture all MCP requests
  • Verify E2E proxy to Ollama works with auth
  • Manual testing of CLI commands
  • Manual testing of console UI in browser

🤖 Generated with Claude Code
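
An added example, not code from this PR or from Attach Gateway: a sketch of the per-user daily quota check with glob patterns that the summary describes (`github.*: 200`), including the per-user isolation the test plan asks to verify. The names `quota_key`, `DailyQuota` and `demo`, the `<server>.<tool>` key format, the most-specific-pattern rule, leaving unmatched tools unmetered, and the in-memory counter (the PR stores its data in SQLite) are all assumptions.

```python
import fnmatch
from collections import defaultdict
from datetime import date

def quota_key(server, rpc):
    """Map a JSON-RPC body to '<server>.<tool>'; only MCP tools/call is metered."""
    if rpc.get("method") != "tools/call":
        return None
    name = (rpc.get("params") or {}).get("name")
    return f"{server}.{name}" if isinstance(name, str) and name else None

class DailyQuota:
    def __init__(self, limits):
        self.limits = dict(limits)      # e.g. {"github.*": 200}
        self.counts = defaultdict(int)  # (user, day, pattern) -> calls used

    def _pattern_for(self, key):
        hits = [p for p in self.limits if fnmatch.fnmatchcase(key, p)]
        # Assumption: the pattern with the most literal characters wins.
        return max(hits, key=lambda p: len(p.replace("*", "")), default=None)

    def consume(self, user, key, today=None):
        """Count the call and return True if `user` is under the limit, else False.

        `user` must be the subject of the already-verified JWT, never a value
        taken from the request body, or one caller can spend another's budget.
        """
        pattern = self._pattern_for(key)
        if pattern is None:
            return True                 # Assumption: unmatched tools are unmetered
        slot = (user, today or date.today(), pattern)
        if self.counts[slot] >= self.limits[pattern]:
            return False
        self.counts[slot] += 1
        return True

def demo():
    # Constructed sample config and request; limits are tiny so the cutoff is visible.
    q = DailyQuota({"github.*": 2, "github.delete_repo": 0})
    call = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": "create_issue", "arguments": {}}}
    key = quota_key("github", call)
    d1, d2 = date(2026, 1, 6), date(2026, 1, 7)
    return [
        q.consume("alice", key, d1),                   # first call
        q.consume("alice", "github.list_repos", d1),   # shares the github.* budget
        q.consume("alice", key, d1),                   # over the limit of 2
        q.consume("bob", key, d1),                     # bob has his own budget
        q.consume("alice", key, d2),                   # new day, counter starts over
        q.consume("alice", "github.delete_repo", d1),  # exact pattern beats the glob
    ]
```

Because the counter is keyed by the matched pattern rather than the tool name, every tool under `github.*` draws from one budget per user per day.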

hammadtq and others added 5 commits January 6, 2026 21:17
Comprehensive integration tests covering:
- MCP endpoint authentication requirements
- Multi-tenant user isolation in audit logs
- Per-user quota enforcement and isolation
- Console public landing vs protected API auth model
- MCP opt-in/opt-out behavior
- End-to-end Ollama proxy with JWT auth
- Gateway health checks and CORS

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implementation details are documented in the PR description.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>