Skip to content

feat: add observability (APPLICATION_LOGS + USAGE_LOGS + X-Ray + Identity) to MCP server runtimes (#83)#86

Open
sdlc-ai-developer[bot] wants to merge 1 commit into
mainfrom
feat/issue-83
Open

feat: add observability (APPLICATION_LOGS + USAGE_LOGS + X-Ray + Identity) to MCP server runtimes (#83)#86
sdlc-ai-developer[bot] wants to merge 1 commit into
mainfrom
feat/issue-83

Conversation

@sdlc-ai-developer

Copy link
Copy Markdown
Contributor

What

Extends the RuntimeObservability construct (introduced in PR #80 for the coding assistant) to all MCP server runtimes — source-control, project-management, and every developer MCP server. Each MCP runtime now gets the same 5 delivery pipelines: Runtime APPLICATION_LOGS + USAGE_LOGS + X-Ray TRACES, and Identity APPLICATION_LOGS + TRACES.

Why

Closes #83

How

  • lib/constructs/runtime/mcp-server.ts: added the two IAM statements the vended-log delivery pipeline requires on the runtime execution role — bedrock-agentcore:AllowVendedLogDeliveryForResource and cloudwatch:PutMetricData (scoped to the bedrock-agentcore namespace), mirroring the coding-assistant construct. The existing AwsSolutions-IAM5 suppression reason was updated to cover AgentCore observability. runtimeId was already exposed by the construct, so no change was needed there.
  • lib/nested/source-control-stack.ts and lib/nested/project-management-stack.ts: instantiate RuntimeObservability after the McpServer, with logRetentionDays: 30 and enableIdentityLogs left at its default (true) — matching the assistant stack.
  • lib/nested/developer-mcp-stack.ts: instantiate RuntimeObservability once per server inside the existing loop, with a unique construct id per server (Observability + server name).

The shared Identity log group is created idempotently by the existing custom-resource Lambda, so multiple runtimes deploying the construct do not conflict. Delivery source/destination names stay within the 60-char limit (runtimeId truncated to 49 chars + suffix).

Testing

  • npx cdk synth --quiet passes (no TypeScript or cdk-nag errors).
  • npm test passes.
  • Post-deploy: each MCP server runtime should show APPLICATION_LOGS + USAGE_LOGS deliveries on the Runtime tab and APPLICATION_LOGS on the Identity tab in the AgentCore console, with X-Ray traces for MCP invocations.

🤖 Generated with Claude Code

@github-actions

github-actions Bot commented Jun 8, 2026

Copy link
Copy Markdown

ASH Security Scan | Commit: fc32516 | 2026-06-08 20:48:15 UTC

ASH Security Scan Report

  • Report generated: 2026-06-08T20:48:15+00:00
  • Time since scan: 0 minutes

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-06-08T20:47:39+00:00
  • ASH version: 3.5.3

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

  • Severity levels:
    • Suppressed (S): Findings that have been explicitly suppressed and don't affect scanner status
    • Critical (C): Highest severity findings that require immediate attention
    • High (H): Serious findings that should be addressed soon
    • Medium (M): Moderate risk findings
    • Low (L): Lower risk findings
    • Info (I): Informational findings with minimal risk
  • Duration (Time): Time taken by the scanner to complete its execution
  • Actionable: Number of findings at or above the threshold severity level that require attention
  • Result:
    • PASSED = No findings at or above threshold
    • FAILED = Findings at or above threshold
    • MISSING = Required dependencies not available
    • SKIPPED = Scanner explicitly disabled
    • ERROR = Scanner execution error
  • Threshold: The minimum severity level that will cause a scanner to fail
    • Thresholds: ALL, LOW, MEDIUM, HIGH, CRITICAL
    • Source: Values in parentheses indicate where the threshold is set:
      • global (global_settings section in the ASH_CONFIG used)
      • config (scanner config section in the ASH_CONFIG used)
      • scanner (default configuration in the plugin, if explicitly set)
  • Statistics calculation:
    • All statistics are calculated from the final aggregated SARIF report
    • Suppressed findings are counted separately and do not contribute to actionable findings
    • Scanner status is determined by comparing actionable findings to the threshold
Scanner Suppressed Critical High Medium Low Info Actionable Result Threshold
bandit 0 0 0 0 0 0 0 PASSED HIGH (global)
cdk-nag 0 0 0 0 0 0 0 MISSING HIGH (global)
cfn-nag 0 0 0 0 0 0 0 MISSING HIGH (global)
checkov 0 0 0 0 0 0 0 PASSED HIGH (global)
detect-secrets 0 0 0 0 0 0 0 PASSED HIGH (global)
grype 0 0 0 0 0 0 0 MISSING HIGH (global)
npm-audit 0 0 0 0 0 0 0 PASSED HIGH (global)
opengrep 0 0 0 0 0 0 0 MISSING HIGH (global)
semgrep 0 0 0 0 0 0 0 SKIPPED HIGH (global)
syft 0 0 0 0 0 0 0 MISSING HIGH (global)

Report generated by Automated Security Helper (ASH) at 2026-06-08T20:48:15+00:00

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

feat: add observability (APPLICATION_LOGS + USAGE_LOGS + X-Ray + Identity) to MCP server runtimes

0 participants