Merge branch 'main' into user/luca/rust-fast-time-sse

Author: lucarlig

.secrets.baseline

@@ -240,31 +240,31 @@
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 218,
+        "line_number": 230,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "7b4455a56fbf1d198e45e04c437488514645a82c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 220,
+        "line_number": 232,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "90bd1b48e958257948487b90bee080ba5ed00caa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 292,
+        "line_number": 304,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "48ffbad96aa9c2b33f9486f5a3c2108198acb518",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 293,
+        "line_number": 305,
         "type": "Hex High Entropy String",
         "verified_result": null
       }
@@ -3363,24 +3363,6 @@
         "verified_result": null
       }
     ],
-    "docs/docs/using/agents/beeai.md": [
-      {
-        "hashed_secret": "5546721ffdfc2e5b0e4c0da38f10774f9ad50b09",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 35,
-        "type": "Secret Keyword",
-        "verified_result": null
-      },
-      {
-        "hashed_secret": "ec545cfb40ff2f1b4eb959dbd0e3177236c540fa",
-        "is_secret": false,
-        "is_verified": false,
-        "line_number": 203,
-        "type": "Secret Keyword",
-        "verified_result": null
-      }
-    ],
     "docs/docs/using/clients/claude-desktop.md": [
       {
         "hashed_secret": "11c78bef19ce10e34aff236b1f8e37779a74cf24",

AGENTS.md

@@ -194,6 +194,18 @@ Observability write operations use **independent database sessions** that commit
 
 **Pattern**: Follows existing SQL instrumentation approach in `instrumentation/sqlalchemy.py:58-87`
 
+## Audit Trail Transaction Behavior
+
+**Issue #2871 - Separate Session Pattern**
+
+`AuditTrailService.log_action()` (`mcpgateway/services/audit_trail_service.py`) always opens its own `SessionLocal()` when no `db` is supplied, and closes/rolls back that session itself. Callers in `tool_service.py`, `resource_service.py`, `gateway_service.py`, `prompt_service.py`, `server_service.py`, and `admin.py` must **never** pass `db=db` (the caller's request-scoped session) to `log_action()`. In `admin.py`, plugin-view audit logging goes through `log_audit()`, which is a thin wrapper over `log_action()` and inherits the same optional-session behavior.
+
+Passing the shared session caused **"This transaction is inactive"** errors: the main CRUD operation already calls `db.commit()` before the audit call, and reusing that same session for a second commit after it has already committed leaves the session in a state that breaks rollback on subsequent errors.
+
+- `log_action()` swallows its own exceptions internally and returns `None` on failure — it does not propagate them to the caller in production.
+- The main resource (tool/gateway/resource/prompt/server) is committed **before** `log_action()` runs, so an audit-logging failure never rolls back already-persisted data — but callers' generic `except Exception` handlers still call `db.rollback()` and surface an error to the API caller even though the underlying row was already committed.
+- Do not add `db: Session` back to a `log_action()` call site. If a service needs the audit entry guaranteed within the same transaction as the main write, that is a deliberate design change requiring review, not a default.
+
 **Middleware**: `ObservabilityMiddleware` no longer creates `request.state.db`. Each observability operation creates its own short-lived session.
 
 **Security**: Query operations use request-scoped sessions for RBAC/token scoping. Write operations are not RBAC-protected (observability visibility is platform-wide).

docs/docs/using/agents/beeai.md

@@ -32,7 +32,7 @@ Prepare the ContextForge connection values used in the examples:
 
 ```bash
 export MCPGATEWAY_BEARER_TOKEN="<gateway-token>"
-export MCP_AUTH="Bearer ${MCPGATEWAY_BEARER_TOKEN}"
+export MCP_AUTH="Bearer ${MCPGATEWAY_BEARER_TOKEN}" # pragma: allowlist secret
 
 # Virtual server endpoint used by mcpgateway-wrapper.
 export MCP_SERVER_URL="http://localhost:4444/servers/UUID_OF_SERVER_1/mcp"
@@ -200,7 +200,7 @@ await client.connect(
     args: ["-m", "mcpgateway.wrapper"],
     env: {
       MCP_SERVER_URL: process.env.MCP_SERVER_URL!,
-      MCP_AUTH: process.env.MCP_AUTH!,
+      MCP_AUTH: process.env.MCP_AUTH!, # pragma: allowlist secret
       MCP_WRAPPER_LOG_LEVEL: "OFF",
     },
   })

mcpgateway/admin.py

@@ -17759,7 +17759,7 @@ async def get_plugin_details(name: str, request: Request, db: Session = Depends(
 
         # Create audit trail for plugin access
         audit_service.log_audit(
-            user_id=get_user_id(user), user_email=get_user_email(user), resource_type="plugin", resource_id=name, action="view", description=f"Viewed plugin '{name}' details in marketplace", db=db
+            user_id=get_user_id(user), user_email=get_user_email(user), resource_type="plugin", resource_id=name, action="view", description=f"Viewed plugin '{name}' details in marketplace"
         )
 
         return PluginDetail(**plugin)

mcpgateway/services/audit_trail_service.py

@@ -169,7 +169,13 @@ def log_action(  # noqa: PLR0917  # pylint: disable=too-many-positional-argument
         # Use provided session or create new one
         close_db = False
         if db is None:
-            db = SessionLocal()
+            try:
+                db = SessionLocal()
+            except Exception as e:  # pragma: no cover - defensive
+                logger.error(
+                    "Failed to create audit trail session: %s", e, exc_info=True, extra={"correlation_id": correlation_id, "action": action, "resource_type": resource_type, "resource_id": resource_id}
+                )
+                return None
             close_db = True
 
         try:

mcpgateway/services/gateway_service.py

@@ -1748,7 +1748,6 @@ async def register_gateway(
                 context={
                     "created_via": created_via,
                 },
-                db=db,
             )
 
             # Structured logging: Log successful gateway creation
@@ -2892,7 +2891,6 @@ async def update_gateway(
                     context={
                         "modified_via": modified_via,
                     },
-                    db=db,
                 )
 
                 # Structured logging: Log successful gateway update
@@ -3378,7 +3376,6 @@ async def set_gateway_state(self, db: Session, gateway_id: str, activate: bool,
                         "action": "activate" if activate else "deactivate",
                         "only_update_reachable": only_update_reachable,
                     },
-                    db=db,
                 )
 
                 # Structured logging: Log successful gateway state change
@@ -3581,7 +3578,6 @@ async def delete_gateway(self, db: Session, gateway_id: str, user_email: Optiona
             db.commit()
 
             await self._finalize_gateway_deletion(
-                db=db,
                 gateway_id=str(gateway_id),
                 gateway_info=gateway_info,
                 gateway_name=gateway_name,
@@ -3657,7 +3653,6 @@ def _hard_delete_gateway(self, db: Session, gateway: DbGateway) -> None:
 
     async def _finalize_gateway_deletion(
         self,
-        db: Session,
         gateway_id: str,
         gateway_info: Dict[str, Any],
         gateway_name: str,
@@ -3700,7 +3695,6 @@ async def _finalize_gateway_deletion(
                 "name": gateway_name,
                 "url": gateway_info["url"],
             },
-            db=db,
         )
 
         structured_logger.log(
@@ -3995,7 +3989,6 @@ async def _process_deleting_gateway(self, db: Session, gateway: DbGateway) -> No
         db.commit()
 
         await self._finalize_gateway_deletion(
-            db=db,
             gateway_id=str(gateway.id),
             gateway_info=gateway_info,
             gateway_name=gateway_name,

mcpgateway/services/prompt_service.py

@@ -902,7 +902,6 @@ async def register_prompt(
                     "import_batch_id": import_batch_id,
                     "federation_source": federation_source,
                 },
-                db=db,
             )
 
             # Structured logging: Log successful prompt creation
@@ -1335,7 +1334,6 @@ async def register_prompts_bulk(
                             "federation_source": federation_source,
                             "conflict_strategy": conflict_strategy,
                         },
-                        db=db,
                     )
 
                 logger.info("Bulk registered %s prompts, updated %s prompts in chunk", len(prompts_to_add), len(prompts_to_update))
@@ -2124,7 +2122,6 @@ async def get_prompt(
                         "arguments_provided": arguments_supplied,
                         "request_id": request_id,
                     },
-                    db=db,
                 )
 
                 structured_logger.log(
@@ -2422,7 +2419,6 @@ async def update_prompt(
                 user_agent=modified_user_agent,
                 new_values={"name": prompt.name, "version": prompt.version},
                 context={"modified_via": modified_via},
-                db=db,
             )
 
             structured_logger.log(
@@ -2647,7 +2643,6 @@ async def set_prompt_state(self, db: Session, prompt_id: int, activate: bool, us
                     team_id=prompt.team_id,
                     new_values={"enabled": prompt.enabled},
                     context={"action": "activate" if activate else "deactivate"},
-                    db=db,
                 )
 
                 structured_logger.log(
@@ -2767,7 +2762,6 @@ async def get_prompt_details(
             resource_name=prompt.name,
             team_id=prompt.team_id,
             context={"include_inactive": include_inactive},
-            db=db,
         )
 
         structured_logger.log(
@@ -2859,7 +2853,6 @@ async def delete_prompt(self, db: Session, prompt_id: Union[int, str], user_emai
                 user_email=user_email,
                 team_id=prompt_team_id,
                 old_values={"name": prompt_name},
-                db=db,
             )
 
             # Structured logging: Log successful prompt deletion

mcpgateway/services/resource_service.py

@@ -622,7 +622,6 @@ async def register_resource(
                     "import_batch_id": import_batch_id,
                     "federation_source": federation_source,
                 },
-                db=db,
             )
 
             # Structured logging: Log successful resource creation
@@ -998,7 +997,6 @@ async def register_resources_bulk(
                             "federation_source": federation_source,
                             "conflict_strategy": conflict_strategy,
                         },
-                        db=db,
                     )
 
                 logger.info("Bulk registered %s resources, updated %s resources in chunk", len(resources_to_add), len(resources_to_update))
@@ -2750,7 +2748,6 @@ async def set_resource_state(self, db: Session, resource_id: int, activate: bool
                     context={
                         "action": "activate" if activate else "deactivate",
                     },
-                    db=db,
                 )
 
                 # Structured logging: Log successful resource state change
@@ -3153,7 +3150,6 @@ async def update_resource(
                     "modified_via": modified_via,
                     "changes": ", ".join(changes) if changes else "metadata only",
                 },
-                db=db,
             )
 
             # Structured logging: Log successful resource update
@@ -3399,7 +3395,6 @@ async def delete_resource(self, db: Session, resource_id: Union[int, str], user_
                     "uri": resource_uri,
                     "name": resource_name,
                 },
-                db=db,
             )
 
             # Structured logging: Log successful resource deletion

mcpgateway/services/server_service.py

@@ -1157,7 +1157,6 @@ async def get_server(
             user_id="system",
             team_id=getattr(server, "team_id", None),
             context={"enabled": server.enabled},
-            db=db,
         )
 
         return server_read

mcpgateway/services/tool_service.py

@@ -2071,7 +2071,6 @@ async def register_tool(
                     "import_batch_id": import_batch_id,
                     "federation_source": federation_source,
                 },
-                db=db,
             )
 
             # Structured logging: Log successful tool creation
@@ -2377,7 +2376,6 @@ def _process_tool_chunk(
                     resource_type="tool",
                     resource_id=None,
                     details={"count": len(tools_to_add) + len(tools_to_update), "import_batch_id": import_batch_id},
-                    db=db,
                 )
 
         except Exception as e:
@@ -3368,7 +3366,6 @@ async def delete_tool(self, db: Session, tool_id: str, user_email: Optional[str]
                 old_values={
                     "name": tool_name,
                 },
-                db=db,
             )
 
             # Structured logging: Log successful tool deletion
@@ -3542,7 +3539,6 @@ async def set_tool_state(self, db: Session, tool_id: str, activate: bool, reacha
                     context={
                         "action": "activate" if activate else "deactivate",
                     },
-                    db=db,
                 )
 
                 # Structured logging: Log successful tool state change
@@ -6462,7 +6458,6 @@ async def update_tool(
                     "modified_via": modified_via,
                     "changes": ", ".join(changes) if changes else "metadata only",
                 },
-                db=db,
             )
 
             # Structured logging: Log successful tool update