Production-grade security, observability, and governance for Model Context Protocol (MCP) servers
Make any MCP server enterprise-ready in minutes with built-in authentication, RBAC, audit logging, compliance templates, cost management, and observability.
MCP servers are powerful but lack enterprise features needed for production:
- β No authentication or authorization
- β No observability (metrics, tracing, logs)
- β No governance (approvals, audit logs)
- β No compliance support (SOX, HIPAA, GDPR)
- β No cost management or rate limiting
Enterprise MCP Framework solves all of this.
- Authentication: OAuth, SAML, API Keys, LDAP
- Authorization: Role-Based Access Control (RBAC)
- Encryption: TLS in-transit + at-rest encryption
- Secrets Management: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
- Metrics: Prometheus-compatible metrics
- Tracing: OpenTelemetry distributed tracing
- Logging: Structured JSON logging
- Dashboards: Pre-built Grafana dashboards
- Approvals: Slack, Jira, Email workflows
- Audit Logs: Comprehensive audit trails
- Policies: Open Policy Agent (OPA) integration
- Compliance: SOX, HIPAA, GDPR templates
- Tracking: Token usage and API call tracking
- Limits: Rate limiting and quotas per user/team
- Budgets: Budget alerts and cost allocation
- Reports: Chargeback and showback reports
pip install enterprise-mcp-frameworkBefore (Basic PostgreSQL MCP):
from mcp_postgres import PostgresServer
server = PostgresServer(host="localhost", database="mydb")
server.start()After (Enterprise Features):
from enterprise_mcp import EnterpriseProxy, SecurityConfig, ObservabilityConfig
proxy = EnterpriseProxy(
target_server="postgresql-mcp",
security=SecurityConfig(
auth_provider="oauth",
rbac_enabled=True
),
observability=ObservabilityConfig(
metrics=True,
tracing=True
)
)
proxy.start() # β
Now with auth, metrics, audit logs, etc.Enterprise MCP Framework acts as a transparent proxy between LLM applications and MCP servers:
ββββββββββββββββββββ
β LLM Application β (Claude, ChatGPT, etc.)
ββββββββββ¬ββββββββββ
β MCP Protocol
β
ββββββββββββββββββββββββββββββββββ
β Enterprise MCP Framework β
β ββββββββββββββββββββββββββββ β
β β Security Layer β β β Auth, RBAC, Encryption
β ββββββββββββββββββββββββββββ€ β
β β Observability Layer β β β Metrics, Tracing, Logs
β ββββββββββββββββββββββββββββ€ β
β β Governance Layer β β β Approvals, Audit, Policies
β ββββββββββββββββββββββββββββ€ β
β β Cost Management Layer β β β Tracking, Limits, Budgets
β ββββββββββββββββββββββββββββ β
ββββββββββ¬ββββββββββββββββββββββββ
β MCP Protocol
β
ββββββββββββββββββββββ
β Any MCP Server β (PostgreSQL, AWS, Slack, etc.)
ββββββββββββββββββββββ
Key Benefits:
- β Zero Code Changes: Wrap existing MCP servers
- β Policy-Based: Configure via YAML, no coding
- β Production-Ready: Battle-tested enterprise patterns
- β Observable: See everything that happens
- β Compliant: Meet regulatory requirements
- Proxy Server: Intercepts MCP protocol requests/responses
- Middleware Chain: Security β Observability β Governance β Cost
- Configuration Engine: YAML-based configuration
- Policy Engine: Open Policy Agent for authorization
- Metrics Exporter: Prometheus-compatible metrics
- Audit Logger: Structured audit trail storage
# PostgreSQL with SOX compliance
proxy = EnterpriseProxy(
target_server="postgresql-mcp",
governance=GovernanceConfig(
compliance="sox",
audit_retention_days=2555, # 7 years
approval_required_for=["DELETE", "DROP"]
)
)# Isolate tenants with RBAC
proxy = EnterpriseProxy(
target_server="slack-mcp",
security=SecurityConfig(
rbac_enabled=True,
tenant_isolation=True
),
cost_management=CostConfig(
per_tenant_limits=True
)
)# AWS operations require approval
proxy = EnterpriseProxy(
target_server="aws-mcp",
governance=GovernanceConfig(
approvals=[{
"operations": ["ec2.terminate", "s3.delete"],
"approvers": ["slack:#ops-team"],
"required": 2
}]
)
)# config/security.yaml
authentication:
providers:
- type: oauth
provider: okta
client_id: ${OKTA_CLIENT_ID}
- type: api_key
header: X-API-Key
authorization:
rbac:
enabled: true
roles:
- name: admin
permissions: ["*"]
- name: developer
permissions: ["read", "execute"]
- name: viewer
permissions: ["read"]
encryption:
tls:
enabled: true
cert: /etc/certs/server.crt
at_rest:
provider: aws_kms
key_id: ${KMS_KEY_ID}# config/observability.yaml
metrics:
enabled: true
port: 9090
path: /metrics
tracing:
enabled: true
provider: opentelemetry
endpoint: http://jaeger:14268/api/traces
logging:
level: info
format: json
output: stdout# config/governance.yaml
approvals:
- name: high_risk_operations
conditions:
operations: ["database.delete", "aws.ec2.terminate"]
approvers:
- slack: "#dba-approvals"
- email: "[email protected]"
timeout: 3600 # 1 hour
required_approvals: 2
audit:
enabled: true
storage: postgresql
retention_days: 2555 # 7 years for SOX
compliance:
templates:
- sox
- hipaa# Request metrics
mcp_requests_total{server,operation,status}
mcp_request_duration_seconds{server,operation}
mcp_errors_total{server,operation,error_type}
# Cost metrics
mcp_token_usage_total{server,user,operation}
mcp_cost_usd{server,user}
# Governance metrics
mcp_approvals_pending{operation}
mcp_approvals_approved{operation}
mcp_approvals_rejected{operation}
Pre-built dashboards included:
- Overview: Request rates, error rates, latency
- Security: Auth attempts, RBAC decisions, encryption status
- Cost: Token usage, cost per user, budget alerts
- Governance: Approval workflows, audit trail, policy violations
Export telemetry to enterprise observability platforms:
Jaeger (Open Source):
from agent_monitor.exporters import OpenTelemetryExporter, create_jaeger_config
config = create_jaeger_config(service_name="mcp-server")
exporter = OpenTelemetryExporter(config)
exporter.start()Datadog (Commercial):
from agent_monitor.exporters import create_datadog_config
config = create_datadog_config(
service_name="mcp-server",
api_key=os.getenv("DD_API_KEY")
)
exporter = OpenTelemetryExporter(config)
exporter.start()New Relic (Commercial):
from agent_monitor.exporters import create_newrelic_config
config = create_newrelic_config(
service_name="mcp-server",
api_key=os.getenv("NEW_RELIC_API_KEY")
)
exporter = OpenTelemetryExporter(config)
exporter.start()Supported Platforms:
- β Jaeger (open-source distributed tracing)
- β Datadog (full-stack APM)
- β New Relic (full-stack observability)
- β Grafana Cloud
- β Prometheus
- β AWS X-Ray
- β Google Cloud Trace
docker run -d \
-p 8080:8080 \
-p 9090:9090 \
-v $(pwd)/config:/config \
cogniolab/enterprise-mcp-frameworkhelm repo add enterprise-mcp https://charts.cogniolab.com
helm install my-mcp enterprise-mcp/framework \
--set security.auth.provider=oauth \
--set observability.metrics.enabled=trueversion: '3.8'
services:
mcp-proxy:
image: cogniolab/enterprise-mcp-framework
ports:
- "8080:8080"
- "9090:9090"
volumes:
- ./config:/config
environment:
- AUTH_PROVIDER=oauth
- METRICS_ENABLED=true- β 7-year audit retention
- β Change approvals required
- β Segregation of duties
- β Access controls and logging
- β PHI encryption at rest and in transit
- β Access logs and audit trails
- β Role-based access control
- β Data retention policies
- β Data access logging
- β Right to erasure support
- β Consent management
- β Data portability
Overhead: < 5ms latency added by framework Throughput: 10,000+ requests/second per instance Scalability: Horizontal scaling with load balancers Availability: 99.99% uptime with HA setup
Join our community to ask questions, share ideas, and connect with other developers building enterprise MCP systems!
- GitHub Discussions - Ask questions, share your work, and discuss best practices
- GitHub Issues - Bug reports and feature requests
- Email: [email protected]
We're building a supportive community where developers help each other make MCP production-ready for enterprises. Whether you're just getting started or scaling to production, your questions and contributions are welcome!
For production deployments and enterprise requirements:
- π§ Email: [email protected]
- π Consulting: Custom integrations and training
- πΌ SLA: Priority support with guaranteed response times
Explore examples/ for:
- GitHub MCP: Repository management with RBAC and approvals
- Jira MCP: Ticket management with SOX compliance
- Notion MCP: Knowledge management with GDPR compliance
- OpenTelemetry Integration: Export to Jaeger, Datadog, New Relic
- Multi-Tenant: SaaS deployment patterns
MIT License - see LICENSE
Built by Cognio AI Lab to make MCP production-ready for enterprises.
Special thanks to:
- Anthropic for creating MCP
- The open-source community
- Early adopters and contributors
Ready to make your MCP servers enterprise-ready? Get Started β