mcp-governance-sdk

Enterprise Governance Layer (Identity, RBAC, Credentials, Auditing, Logging, Tracing) for the Model Context Protocol SDK

Installation
Run this command in your terminal to add the MCP server to Claude Code:
claude mcp add --transport stdio ithena-one-mcp-governance-sdk node path/to/server.js \
  --env MCP_CONFIG_PATH="path/to/config.json"

How to use

The @ithena-one/mcp-governance SDK provides a governance layer that you can wrap around your existing MCP server implementation. It standardizes identity resolution, RBAC, credential access, auditing, and structured logging so you can enforce governance policies across MCP requests and notifications. Use this SDK when you want a plug-in governance pipeline that can work with your core MCP business logic while emitting consistent audit trails and enforcing permissions.

The SDK exposes interfaces and pluggable components (IdentityResolver, RoleStore, PermissionStore, CredentialResolver, AuditLogStore, and Logger) that you implement or swap out to match your enterprise systems (IDPs, secret managers, SIEMs, etc.). This lets you focus on building your MCP prompts and handlers while governance concerns are handled by the framework.

Explore the documentation sections on Core Concepts, Interfaces, and Auditing to understand how the pipeline wires together with your request handlers. You can integrate with the Ithena Managed Platform in the future, if you opt into hosted governance backends.

How to install

Prerequisites:

  • Node.js 14+ and npm/yarn installed
  • A basic MCP server/project using the @modelcontextprotocol/typescript-sdk or compatible setup

Installation steps:

  1. Install the governance SDK as a dependency in your project:

     npm install @ithena-one/mcp-governance

  2. Initialize your MCP server to wrap the base Server with Governance

    • Import the GovernedServer (or equivalent) from the SDK
    • Provide your IdentityResolver, RoleStore, PermissionStore, CredentialResolver, AuditLogStore, and Logger implementations
    • Attach the governance pipeline to your MCP Server start-up

  3. Configure governance components

    • Implement and wire Identity resolution against your IdP
    • Implement RBAC stores and permission checks
    • Implement credential resolution and auditing hooks
    • Enable structured logging and trace context propagation

  4. Run your server:

     node path/to/your-server.js
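
The order of checks that steps 2 and 3 wire together (resolve identity, check RBAC, run the handler, audit every outcome) can be sketched as follows. This is an added example, not code from the SDK: the object shapes, the `govern` wrapper, and the sample keys, roles and permission strings are all assumptions made for illustration.

```javascript
// Added illustration. Component shapes are assumptions, not the SDK's real interfaces;
// the API keys, roles and permission strings are constructed sample data.
const API_KEYS = new Map([['key-alice', 'alice'], ['key-bob', 'bob']]);
const ROLES = new Map([['alice', ['admin']], ['bob', ['viewer']]]);
const GRANTS = new Map([
  ['admin', ['tool:delete_record', 'tool:read_record']],
  ['viewer', ['tool:read_record']],
]);

// Each component is async, so a real IdP or policy lookup would not block the event loop.
const identityResolver = {
  async resolve(headers) { return API_KEYS.get(headers['x-api-key']) ?? null; },
};
const roleStore = {
  async getRoles(identity) { return ROLES.get(identity) ?? []; },
};
const permissionStore = {
  async hasPermission(role, permission) { return (GRANTS.get(role) ?? []).includes(permission); },
};
const auditLog = []; // in-memory stand-in for a SIEM or log pipeline
const auditLogStore = { async log(record) { auditLog.push(record); } };

// Wrap a handler so it runs only after identity resolution and an RBAC check succeed.
function govern(permission, handler) {
  return async function governedHandler(request) {
    const record = { method: request.method, permission, identity: null, decision: 'denied', reason: null };
    try {
      record.identity = await identityResolver.resolve(request.headers ?? {});
      if (!record.identity) { record.reason = 'unauthenticated'; return { error: 'unauthenticated' }; }
      const roles = await roleStore.getRoles(record.identity);
      const checks = await Promise.all(roles.map((r) => permissionStore.hasPermission(r, permission)));
      // Default deny: no role granting the permission means the handler never runs.
      if (!checks.some(Boolean)) { record.reason = 'missing permission'; return { error: 'forbidden' }; }
      record.decision = 'allowed';
      return { result: await handler(request, record.identity) };
    } catch (err) {
      // Fail closed: a resolver or store failure denies the request; details stay in the audit record.
      record.reason = `error: ${err.message}`;
      return { error: 'internal' };
    } finally {
      await auditLogStore.log(record); // one record per request, allowed or denied
    }
  };
}
```

Denied and failed requests produce an audit record just like allowed ones, and the caller only sees a generic error while the reason is kept in the log.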

Additional notes

Tips and common issues:

  • Ensure all governance interfaces (IdentityResolver, RoleStore, etc.) are non-blocking and return promises to avoid event-loop stalls.
  • Use the AuditLogStore to emit consistent logs for requests, decisions, and errors to satisfy compliance needs.
  • If you’re migrating from a non-governed MCP server, implement a compatibility shim to map your existing handlers to the GovernedServer pipeline.
  • Keep environment-specific configuration (IDs, secrets, and RBAC data) in a secure config store, and validate it there, rather than hard-coding values.
  • When enabling tracing, make sure your TraceContextProvider is compatible with your observability backend (Jaeger, OpenTelemetry, etc.).
  • Refer to the Documentation > Core Concepts and Interfaces for detailed guidance on implementing each plug-in.
