npm - @softeria/ms-365-mcp-server - Versions diffs - 0.112.1 → 0.113.0 - Mend

@softeria/ms-365-mcp-server 0.112.1 → 0.113.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/audit-log.js ADDED Viewed

@@ -0,0 +1,72 @@
+import winston from "winston";
+import path from "path";
+import fs from "fs";
+import os from "os";
+const logsDir = process.env.MS365_MCP_LOG_DIR || path.join(os.homedir(), ".ms-365-mcp-server", "logs");
+const FILE_MODE = 384;
+const auditLogPath = path.join(logsDir, "audit.log");
+try {
+  if (!fs.existsSync(logsDir)) {
+    fs.mkdirSync(logsDir, { recursive: true, mode: 448 });
+  }
+  if (fs.existsSync(auditLogPath)) {
+    fs.chmodSync(auditLogPath, FILE_MODE);
+  }
+} catch {
+}
+const auditLogger = winston.createLogger({
+  level: "info",
+  format: winston.format.combine(
+    winston.format.timestamp({ format: "YYYY-MM-DDTHH:mm:ss.SSSZ" }),
+    winston.format.json()
+  ),
+  defaultMeta: {
+    service: "ms-365-mcp-server",
+    stream: "audit"
+  },
+  transports: [
+    new winston.transports.Console({
+      // Route audit events to stderr so they don't collide with JSON-RPC on
+      // stdout when this server runs in stdio mode. Container platforms
+      // (Container Apps, App Service, Docker) capture both stdout and stderr
+      // and forward to Log Analytics, so the production audit sink is
+      // unaffected. Vitest sets `VITEST=true`; staying silent there avoids
+      // polluting unrelated tests that exercise the real graph-tools module.
+      stderrLevels: ["info"],
+      silent: process.env.SILENT === "true" || process.env.SILENT === "1" || process.env.VITEST === "true"
+    }),
+    new winston.transports.File({
+      filename: auditLogPath,
+      options: { flags: "a", mode: FILE_MODE }
+    })
+  ]
+});
+function isAuditLogEnabled() {
+  return process.env.MS365_MCP_AUDIT_LOG !== "false";
+}
+function auditLog(evt) {
+  if (!isAuditLogEnabled()) return;
+  auditLogger.info(evt);
+}
+function getUserIdentityForAudit(token) {
+  if (!token) return void 0;
+  try {
+    const parts = token.split(".");
+    if (parts.length < 2) return void 0;
+    let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+    const padNeeded = (4 - b64.length % 4) % 4;
+    b64 = b64 + "=".repeat(padNeeded);
+    const payload = JSON.parse(Buffer.from(b64, "base64").toString("utf-8"));
+    const candidate = payload.upn || payload.preferred_username || payload.email || payload.sub;
+    return typeof candidate === "string" ? candidate : void 0;
+  } catch {
+    return void 0;
+  }
+}
+const __testing = { auditLogger, auditLogPath };
+export {
+  __testing,
+  auditLog,
+  getUserIdentityForAudit,
+  isAuditLogEnabled
+};

package/dist/crash-logging.js ADDED Viewed

@@ -0,0 +1,41 @@
+function dumpError(reason, depth = 0) {
+  if (depth > 5) {
+    return { truncated: true };
+  }
+  if (reason instanceof Error) {
+    const dump = {
+      name: reason.name,
+      constructor: reason.constructor?.name,
+      message: reason.message,
+      stack: reason.stack
+    };
+    const properties = {};
+    for (const key of Object.getOwnPropertyNames(reason)) {
+      if (key === "name" || key === "message" || key === "stack" || key === "cause") continue;
+      properties[key] = reason[key];
+    }
+    if (Object.keys(properties).length > 0) {
+      dump.properties = properties;
+    }
+    if ("cause" in reason && reason.cause !== void 0) {
+      dump.cause = dumpError(reason.cause, depth + 1);
+    }
+    return dump;
+  }
+  return { type: typeof reason, value: reason };
+}
+function getActiveResources() {
+  const fn = process.getActiveResourcesInfo;
+  if (typeof fn !== "function") {
+    return "unavailable (node < 17.3)";
+  }
+  try {
+    return fn.call(process);
+  } catch (err) {
+    return `error: ${err.message}`;
+  }
+}
+export {
+  dumpError,
+  getActiveResources
+};

package/dist/graph-tools.js CHANGED Viewed

@@ -1,4 +1,6 @@
+import { randomUUID } from "crypto";
 import logger from "./logger.js";
+import { auditLog, getUserIdentityForAudit } from "./audit-log.js";
 import {
   getEndpointRequiredScopes,
   getMissingAllowedScopes,
@@ -151,6 +153,10 @@ function registerUtilityToolWithMcp(server, utility, ctx) {
 }
 async function executeGraphTool(tool, config, graphClient, params, authManager) {
   logger.info(`Tool ${tool.alias} called with params: ${JSON.stringify(params)}`);
+  const requestId = randomUUID();
+  const startTime = Date.now();
+  const upn = getUserIdentityForAudit(getRequestTokens()?.accessToken);
+  const httpMethod = tool.method.toUpperCase();
   try {
     let accountAccessToken;
     if (authManager && !authManager.isOAuthModeEnabled() && !getRequestTokens()) {
@@ -394,13 +400,34 @@ async function executeGraphTool(tool, config, graphClient, params, authManager)
       type: "text",
       text: item.text
     }));
+    auditLog({
+      event: "tool.call",
+      request_id: requestId,
+      user_principal_name: upn,
+      tool: tool.alias,
+      http_method: httpMethod,
+      status: response.isError ? "error" : "success",
+      duration_ms: Date.now() - startTime
+    });
     return {
       content,
       _meta: response._meta,
       isError: response.isError
     };
   } catch (error) {
+    const err = error;
     logger.error(`Error in tool ${tool.alias}: ${error.message}`);
+    auditLog({
+      event: "tool.call",
+      request_id: requestId,
+      user_principal_name: upn,
+      tool: tool.alias,
+      http_method: httpMethod,
+      status: "error",
+      duration_ms: Date.now() - startTime,
+      error_type: err?.name || "Error",
+      error_code: err?.status ?? err?.code
+    });
     return {
       content: [
         {

package/dist/index.js CHANGED Viewed

@@ -10,7 +10,27 @@ import {
   shouldUseLocalAuthStorage
 } from "./startup-pinning.js";
 import { createTokenCacheStorage } from "./token-cache-storage.js";
+import { dumpError, getActiveResources } from "./crash-logging.js";
 import { version } from "./version.js";
+process.on("unhandledRejection", (reason) => {
+  const dump = {
+    kind: "unhandledRejection",
+    reason: dumpError(reason),
+    activeResources: getActiveResources()
+  };
+  console.error("[ms365-mcp] unhandledRejection", JSON.stringify(dump));
+  logger.error("unhandledRejection", dump);
+});
+process.on("uncaughtException", (err, origin) => {
+  const dump = {
+    kind: "uncaughtException",
+    origin,
+    error: dumpError(err),
+    activeResources: getActiveResources()
+  };
+  console.error("[ms365-mcp] uncaughtException", JSON.stringify(dump));
+  logger.error("uncaughtException", dump);
+});
 async function main() {
   try {
     const args = parseArgs();

package/dist/server.js CHANGED Viewed

@@ -25,6 +25,7 @@ import { isAllowedRedirectUri, parseAllowlist } from "./lib/redirect-uri-validat
 import { getSecrets } from "./secrets.js";
 import { getCloudEndpoints } from "./cloud-config.js";
 import { requestContext } from "./request-context.js";
+import { dumpError } from "./crash-logging.js";
 import crypto from "node:crypto";
 import OboClient from "./obo-client.js";
 function parseHttpOption(httpOption) {
@@ -537,6 +538,9 @@ class MicrosoftGraphServer {
       }
     } else {
       const transport = new StdioServerTransport();
+      transport.onerror = (error) => {
+        logger.error("Stdio transport error", { error: dumpError(error) });
+      };
       await this.server.connect(transport);
       logger.info("Server connected to stdio transport");
     }

package/docs/deployment.md CHANGED Viewed

@@ -208,6 +208,7 @@ The client automatically discovers OAuth endpoints and opens a browser for authe
 - **Read-only mode**: use `--read-only` to disable all write operations (send, delete, update, create)
 - **Tool filtering**: use `--enabled-tools <regex>` or `--preset <names>` to restrict available tools
 - **CORS**: configure `MS365_MCP_CORS_ORIGIN` to restrict allowed origins (defaults to `http://localhost:3000`); set explicitly when clients run on a different origin
+- **Structured audit log**: enabled by default. Every tool invocation emits one JSON line on stdout (captured by the container platform's log collector) and to `~/.ms-365-mcp-server/logs/audit.log` (mode `0o600`) with `{ event, request_id, user_principal_name, tool, http_method, status, duration_ms, error_type?, error_code? }`. The schema is intentionally narrow — tool parameters and Graph response bodies are NEVER recorded, and error messages are reduced to `error_type` / `error_code` so upstream library errors do not leak token fragments or query-string PII. Forms the "who accessed what, when" trail required for GDPR / HIPAA / PIPEDA / SOC 2 audit. Opt-out: `MS365_MCP_AUDIT_LOG=false`
 ## Exposed Endpoints

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@softeria/ms-365-mcp-server",
-  "version": "0.112.1",
+  "version": "0.113.0",
   "description": " A Model Context Protocol (MCP) server for interacting with Microsoft 365 and Office services through the Graph API",
   "type": "module",
   "main": "dist/index.js",