Feature: Add sensitive data sanitization to ServerSession.Log()

[nader-ziada]

Describe the solution you'd like
The MCP specification logging section states that servers should "Remove sensitive information" and that log messages MUST NOT contain "Credentials or secrets" or "Personal identifying information." Every server implementation will need to implement this same logic. It would be beneficial to have baseline sanitization built into the SDK.

[jba]

What would that look like? What is common to all such efforts?

[nader-ziada]

It would either be implemented in the sdk itself by using regex patterns that usually catch different kinds of secrets or using some library, I'm not aware of a standard library that does that and commonly used.

[jba]

I don't think we have enough information to add something to the SDK. To add a feature like that, we'd need to see multiple uses in the real world so we can design the best API.

If you want this, you could point to those uses, or show what other MCP SDKs are doing.

[nader-ziada]

The reason I suggested the sdk is because the MCP specification logging section mentions it should be there. the use case I have is logging and having to remove the secrets from any logs

[maciej-kisiel]

The specification often prescribes behavior for the MCP client or server. When it does, it refers to MCP protocol communication parties, which are broader terms than just the SDK entities of the same name. Some aspects of the specification are impractical for the SDK to offer out of the box because, for example it lacks all the application specific context. Logging sanitization is one such aspect: the application layer provides all the data to be logged and the SDK is unaware of its semantics. What is important for the SDK is to allow an easy way to comply with the specification. I believe in this case it's already possible by using SendingMiddleware, where you can introduce logic to sanitize outgoing log notifications. Another idea is to avoid putting sensitive information into logs in the first place. 

[maciej-kisiel]

Given that there has been no response for 2 weeks, I'll tentatively close the issue. Please comment if you'd like to continue the discussion.