@ugend/mcp-compliance
v1.0.0
Published
MCP audit trail and compliance middleware — logs every tool call for FCA, GDPR, SOC2, and ISO 27001 compliance
Maintainers
ugendReadme
mcp-compliance
MCP Audit Trail & Compliance Middleware
An MCP server that logs every AI tool call — who called it, what inputs were passed, what was returned, which model made the call, and how long it took. Built for UK FCA-regulated firms, GDPR Article 30 compliance, SOC2 Type II, and ISO 27001.
The Problem
Companies deploying Claude agents have no audit trail for MCP tool calls. Every time an agent fetches data, sends a message, or executes code — there is no log. For FCA-regulated firms (PS22/9 operational resilience), GDPR Article 30 (records of processing), SOC2, and ISO 27001, this is a compliance blocker.
What It Does
Drop this MCP server into any Claude Desktop or Claude Code setup. It exposes six tools that allow your AI agents to self-log every tool call they make:
| Tool | Description |
|------|-------------|
| log_tool_call | Append a tool invocation record with inputs, outputs, timing, model |
| get_audit_log | Retrieve log entries filtered by date, tool, server, model |
| generate_compliance_report | FCA/GDPR/SOC2/ISO27001 formatted report |
| get_tool_call_stats | Aggregate metrics: calls per tool, error rates, models used |
| search_audit_log | Full-text search across inputs/outputs (for DSAR requests) |
| export_audit_log | CSV export for compliance submission |
Audit Log Schema
Each entry in audit.jsonl:
{
"id": "d7a2adde-...",
"timestamp": "2026-03-14T10:23:45.123Z",
"session_id": "optional-session-id",
"model": "claude-sonnet-4-6",
"tool_server": "betfair-edge",
"tool_name": "compute_bet_edge",
"inputs": { "fair_prob": 0.65, "market_odds": 1.85 },
"outputs": { "verdict": "VALUE BET", "edge_pct": 4.2 },
"duration_ms": 234,
"success": true,
"error": null,
"user_id": null,
"tags": []
}Stored as append-only JSONL at ~/.mcp-compliance/audit.jsonl (configurable).
Setup
1. Install
git clone <repo-url> mcp-compliance-mcp
cd mcp-compliance-mcp
npm install2. Add to Claude Desktop
Edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"mcp-compliance": {
"command": "node",
"args": ["/absolute/path/to/mcp-compliance-mcp/index.js"],
"env": {
"AUDIT_LOG_DIR": "/var/log/mcp-compliance"
}
}
}
}AUDIT_LOG_DIR is optional. Default: ~/.mcp-compliance/.
3. Add to Claude Code
{
"mcp-compliance": {
"command": "node",
"args": ["/absolute/path/to/mcp-compliance-mcp/index.js"]
}
}Usage Patterns
Log a tool call from your agent
log_tool_call({
"tool_server": "my-data-api",
"tool_name": "fetch_customer_record",
"model": "claude-sonnet-4-6",
"user_id": "user-42",
"inputs": { "customer_id": "C001" },
"outputs": { "name": "Jane Smith", "tier": "premium" },
"duration_ms": 180,
"success": true,
"tags": ["pii", "customer-data"]
})Generate a monthly compliance report
generate_compliance_report({
"start_date": "2026-03-01T00:00:00Z",
"end_date": "2026-03-31T23:59:59Z",
"format": "markdown"
})Respond to a DSAR (Data Subject Access Request)
search_audit_log({
"query": "user-42",
"field": "all"
})Export for auditors
export_audit_log({
"start_date": "2026-01-01T00:00:00Z",
"end_date": "2026-03-31T23:59:59Z"
})Compliance Coverage
| Standard | Coverage | |----------|----------| | FCA PS22/9 | Operational resilience — AI system audit trail, third-party dependency monitoring | | GDPR Article 30 | Records of processing activities, data category inference | | SOC2 Type II | CC6 (availability), CC7 (security logging) | | ISO 27001:2022 | A.8.15 (logging), A.8.16 (monitoring) |
Configuration
| Env Variable | Default | Description |
|-------------|---------|-------------|
| AUDIT_LOG_DIR | ~/.mcp-compliance/ | Directory for audit.jsonl |
Architecture
index.js — MCP server (6 tools, stdio transport)
audit-store.js — Append-only JSONL storage with query/search/stats/CSV
report.js — Compliance report generator (FCA/GDPR/SOC2/ISO27001)The audit log is append-only JSONL. Each line is one JSON record. Malformed lines (e.g. from a crash mid-write) are silently skipped on read — other entries remain intact.
Requirements
- Node.js 18+
@modelcontextprotocol/sdk^1.27.1