MCP08 — Logging & Error Handling

medium | low | active

Summary

Tool invocations are not logged, errors leak internals to clients, or no global uncaughtException handler is installed.

Detection

AST inspection flags tool handlers with no structured log call (Medium), catch blocks that re-throw raw errors to the client (Low), and the absence of a global process.on("uncaughtException") handler (Low).

Bad example

// BAD — leaks internal error
server.tool('do', async (args) => {
    return runJob(args); // throws raw Error to client
});

Good example

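// GOOD — log + sanitise
server.tool('do', async (args, ctx) => {
    // structured event for every invocation
    log.info('tool.do', { user: ctx.user });
    try {
        return await runJob(args);
    } catch (err) {
        // full error stays in the server log; the client sees a generic message
        log.error('tool.do.failed', { err });
        throw new Error('internal');
    }
});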

Fix

Wrap every tool body in a try/catch; log structured events for invocation and failure; install a global uncaughtException handler.
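
One way to apply all three parts of the fix with a single reusable wrapper, as an added example that is not code from this rule or from any MCP SDK. The names wrapTool, redact, installCrashHandler and makeMemoryLog are hypothetical, the sample handler and its arguments are constructed, and the argument redaction and error reference id go beyond what the rule itself requires.

```javascript
// Added example; every function name below is hypothetical.
const SENSITIVE = /pass(word)?|secret|token|api[-_]?key|authorization/i;

// Mask values under sensitive-looking keys so arguments can be logged safely.
function redact(value) {
  if (Array.isArray(value)) return value.map(redact);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(
      ([k, v]) => [k, SENSITIVE.test(k) ? '[REDACTED]' : redact(v)]));
  }
  return value;
}

// Wrap a tool handler: log invocation and failure, return only a generic error.
function wrapTool(name, handler, log) {
  return async (args, ctx = {}) => {
    // Correlation id only, not a secret, so Math.random is acceptable here.
    const ref = Date.now().toString(36) + Math.random().toString(36).slice(2, 8);
    log.info(`tool.${name}`, { ref, user: ctx.user, args: redact(args) });
    try {
      return await handler(args, ctx);
    } catch (err) {
      // Full detail stays server-side; the client receives only the reference.
      log.error(`tool.${name}.failed`, { ref, message: err.message, stack: err.stack });
      throw new Error(`internal error (ref ${ref})`);
    }
  };
}

// Last-resort handler: record the crash, then exit because state is now undefined.
function installCrashHandler(log, proc = process) {
  proc.on('uncaughtException', (err) => {
    log.error('process.uncaughtException', { message: err.message, stack: err.stack });
    proc.exit(1);
  });
}

// Constructed in-memory logger so the demo can inspect what was recorded.
function makeMemoryLog() {
  const events = [];
  const push = (level) => (event, fields) => events.push({ level, event, ...fields });
  return { events, info: push('info'), error: push('error') };
}

// Constructed demo: a handler that fails with an internal file path in its message.
async function demo() {
  const log = makeMemoryLog();
  const fail = async () => { throw new Error("ENOENT: open '/srv/app/jobs.db'"); };
  try { await wrapTool('do', fail, log)({ job: 'nightly', apiKey: 'constructed' }, { user: 'alice' }); }
  catch (err) { return { clientMessage: err.message, events: log.events }; }
}
demo().then((r) => console.log(r.clientMessage));
```

The reference id in the client-facing message lets an operator find the matching tool.do.failed event without exposing the underlying error text.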