Observability | Roy Gabrielhttps://roygabriel.dev/tags/observability/Roy Gabriel: DevOps Architect & Applied AI Engineer. Technical blog on Go, MCP servers, Kubernetes, and production AI systems.Hugo -- gohugo.ioen-usFri, 27 Feb 2026 03:18:04 +0000MCP Servers in Production: Hardening, Backpressure, and Observability (Go)https://roygabriel.dev/blog/mcp-servers-production-hardening-go/Sat, 31 Jan 2026 09:00:00 -0500https://roygabriel.dev/blog/mcp-servers-production-hardening-go/<blockquote class="border-l-4 border-neutral-300 dark:border-neutral-600 pl-4 italic text-neutral-600 dark:text-neutral-400 my-6"> <p><strong>As-of note:</strong> MCP is evolving. This article references the MCP specification versioned <strong>2025-11-25</strong> and related docs; verify details against the current spec before shipping changes. [1][2][4]</p> </blockquote> <h2 id="why-this-matters">Why this matters</h2> <p>Most “agent demos” fail in production for boring reasons: missing timeouts, unbounded concurrency, ambiguous tool interfaces, and logging that accidentally turns into data exfiltration.</p> <p>An <strong>MCP server</strong> isn’t “just an integration.” It’s a <strong>capability boundary</strong> between an LLM host (IDE, desktop app, agent runner) and the real world: files, APIs, databases, tickets, home automation, and anything else you wire up. MCP uses JSON-RPC 2.0 messages over transports like stdio (local) and Streamable HTTP (remote). [1][2][5]</p> <blockquote class="border-l-4 border-neutral-300 dark:border-neutral-600 pl-4 italic text-neutral-600 dark:text-neutral-400 my-6"> <p><strong>As-of note:</strong> MCP is evolving. This article references the MCP specification versioned <strong>2025-11-25</strong> and related docs; verify details against the current spec before shipping changes. [1][2][4]</p> </blockquote> <h2 id="why-this-matters">Why this matters</h2> <p>Most “agent demos” fail in production for boring reasons: missing timeouts, unbounded concurrency, ambiguous tool interfaces, and logging that accidentally turns into data exfiltration.</p> <p>An <strong>MCP server</strong> isn’t “just an integration.” It’s a <strong>capability boundary</strong> between an LLM host (IDE, desktop app, agent runner) and the real world: files, APIs, databases, tickets, home automation, and anything else you wire up. MCP uses JSON-RPC 2.0 messages over transports like stdio (local) and Streamable HTTP (remote). [1][2][5]</p> <p>That means an MCP server is:</p> <ul> <li>an API gateway for tools</li> <li>a policy enforcement point (whether you intended it or not)</li> <li>a reliability hotspot (tool calls are where latency and failure concentrate)</li> <li>a security hotspot (tools are where “read” becomes “exfil” and “write” becomes “impact”)</li> </ul> <p>This post is a pragmatic checklist + a set of Go patterns to harden an MCP server so it keeps working when it’s under real load, and remains safe when the model gets “creative.”</p> <h2 id="tldr">TL;DR</h2> <ul> <li>Treat tool inputs as <strong>untrusted</strong>. Validate and constrain everything.</li> <li>Put <strong>budgets</strong> everywhere: timeouts, concurrency limits, rate limits, and payload caps.</li> <li>Build for <strong>partial failure</strong>: retries, idempotency keys, circuit breaking, fallbacks.</li> <li>Log like a security engineer: <strong>structured</strong>, <strong>redacted</strong>, <strong>auditable</strong>, and <strong>useful</strong>. [11]</li> <li>Instrument with traces/metrics early; “we’ll add telemetry later” is a trap. [13]</li> <li>Prefer Go for MCP servers because deployment and operational behavior are predictable: single binary, fast startup, structured concurrency via <code>context</code>, and a strong standard library.</li> </ul> <hr> <h2 id="contents">Contents</h2> <ul> <li><a href="#a-production-mental-model-for-mcp-servers">A production mental model for MCP servers</a> </li> <li><a href="#threat-model-what-actually-goes-wrong">Threat model: what actually goes wrong</a> </li> <li><a href="#hardening-layer-1-identity-and-authorization">Hardening layer 1: identity and authorization</a> </li> <li><a href="#hardening-layer-2-tool-contracts-that-resist-ambiguity">Hardening layer 2: tool contracts that resist ambiguity</a> </li> <li><a href="#hardening-layer-3-budgets-and-backpressure">Hardening layer 3: budgets and backpressure</a> </li> <li><a href="#hardening-layer-4-safe-networking-and-ssrf-containment">Hardening layer 4: safe networking and SSRF containment</a> </li> <li><a href="#hardening-layer-5-observability-without-leaking-secrets">Hardening layer 5: observability without leaking secrets</a> </li> <li><a href="#hardening-layer-6-versioning-and-rollout-discipline">Hardening layer 6: versioning and rollout discipline</a> </li> <li><a href="#a-production-checklist">A production checklist</a> </li> <li><a href="#references">References</a> </li> </ul> <hr> <h2 id="a-production-mental-model-for-mcp-servers">A production mental model for MCP servers</h2> <p>MCP’s docs describe a host (the AI application), a client (connector inside the host), and servers (capabilities/providers). Servers can be “local” (stdio) or “remote” (Streamable HTTP). [2][3]</p> <p>Here’s the production mental model that matters:</p> <ol> <li> <p><strong>Your MCP server is a tool gateway.</strong><br> Every tool is effectively an RPC method exposed to an agent. MCP uses JSON-RPC 2.0 semantics for requests/responses/notifications. [1][5]</p> </li> <li> <p><strong>LLM tool arguments are not trustworthy.</strong><br> Even if the LLM is “helpful,” arguments can be malformed, overbroad, or dangerous, especially under prompt injection or user-provided hostile input.</p> </li> <li> <p><strong>The host UI is not a security boundary.</strong><br> The spec emphasizes user consent and tool safety, but the protocol can’t enforce your policy for you. You still need server-side controls. [1]</p> </li> <li> <p><strong>Transport changes your blast radius, not your responsibilities.</strong><br> Stdio reduces network exposure, but doesn’t remove safety requirements. Streamable HTTP adds multi-client/multi-tenant concerns and requires real auth. [2][3]</p> </li> </ol> <p>If you remember nothing else: treat the MCP server like a production API you’d be willing to put on call for.</p> <hr> <h2 id="threat-model-what-actually-goes-wrong">Threat model: what actually goes wrong</h2> <p>When MCP servers cause incidents, it’s usually one of these:</p> <h3 id="1-input-ambiguity--destructive-actions">1) Input ambiguity → destructive actions</h3> <ul> <li>A “delete” tool with optional filters</li> <li>A “run command” tool with free-form strings</li> <li>A “sync” tool that can touch thousands of objects</li> </ul> <p><strong>Mitigation:</strong> schema + semantic validation, safe defaults, two-phase commit patterns (preview then apply), and explicit “danger gates.”</p> <h3 id="2-prompt-injection--tool-misuse">2) Prompt injection → tool misuse</h3> <p>The model can be tricked into calling tools with attacker-provided arguments. If your tool can read internal data or call internal APIs, you’ve created an exfil path.</p> <p><strong>Mitigation:</strong> least privilege, allowlists, strong auth, egress controls, and redaction.</p> <h3 id="3-ssrf--network-pivoting">3) SSRF / network pivoting</h3> <p>Any tool that fetches URLs, loads webhooks, or calls dynamic endpoints can be abused to hit internal networks or metadata endpoints. OWASP treats SSRF as a major category for a reason. [10]</p> <p><strong>Mitigation:</strong> deny-by-default networking (CIDR blocks, DNS/IP resolution checks, allowlisted destinations).</p> <h3 id="4-unbounded-concurrency--resource-collapse">4) Unbounded concurrency → resource collapse</h3> <p>Agents can fire tools in parallel. Without limits you’ll blow up:</p> <ul> <li>API quotas</li> <li>DB connections</li> <li>CPU/memory</li> <li>downstream latency</li> </ul> <p><strong>Mitigation:</strong> per-tenant rate limiting, concurrency caps, queues, and backpressure.</p> <h3 id="5-helpful-logs--data-leak">5) “Helpful logs” → data leak</h3> <p>Tool arguments and tool responses often contain secrets, tokens, or private data. If you log everything, you’ve built an involuntary data lake.</p> <p><strong>Mitigation:</strong> structured + redacted logging, security logging guidelines, and minimal retention. [11][12]</p> <hr> <h2 id="hardening-layer-1-identity-and-authorization">Hardening layer 1: identity and authorization</h2> <p>If you run <strong>Streamable HTTP</strong>, assume:</p> <ul> <li>multiple clients</li> <li>untrusted networks</li> <li>tokens will leak eventually</li> </ul> <p>MCP’s architecture guidance recommends standard HTTP authentication methods and mentions OAuth as a recommended way to obtain tokens for remote servers. [2][3]</p> <h3 id="practical-rules">Practical rules</h3> <ul> <li><strong>Authenticate every request.</strong><br> Use bearer tokens or mTLS depending on environment.</li> <li><strong>Authorize per tool.</strong><br> “Authenticated” ≠ “allowed to run <code>delete_everything</code>”.</li> <li><strong>Prefer short-lived tokens</strong> and rotate them. [12]</li> <li><strong>Multi-tenant?</strong> Put the tenant identity into: <ul> <li>auth token claims, or</li> <li>an explicit, validated tenant header (signed), then</li> <li>enforce it everywhere.</li> </ul> </li> </ul> <h3 id="go-pattern-a-minimal-auth-middleware-skeleton-http-transport">Go pattern: a minimal auth middleware skeleton (HTTP transport)</h3> <blockquote class="border-l-4 border-neutral-300 dark:border-neutral-600 pl-4 italic text-neutral-600 dark:text-neutral-400 my-6"> <p>This is <em>not</em> a full MCP implementation, just the hardening pattern you’ll wrap around your MCP handler.</p> </blockquote> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="c1">// Pseudocode-ish middleware skeleton. Replace verifyToken with your auth logic.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">func</span><span class="w"> </span><span class="nf">authMiddleware</span><span class="p">(</span><span class="nx">next</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">Handler</span><span class="p">)</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">Handler</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nf">HandlerFunc</span><span class="p">(</span><span class="kd">func</span><span class="p">(</span><span class="nx">w</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">ResponseWriter</span><span class="p">,</span><span class="w"> </span><span class="nx">r</span><span class="w"> </span><span class="o">*</span><span class="nx">http</span><span class="p">.</span><span class="nx">Request</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">token</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">strings</span><span class="p">.</span><span class="nf">TrimPrefix</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nx">Header</span><span class="p">.</span><span class="nf">Get</span><span class="p">(</span><span class="s">&#34;Authorization&#34;</span><span class="p">),</span><span class="w"> </span><span class="s">&#34;Bearer &#34;</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">token</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="s">&#34;&#34;</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nf">Error</span><span class="p">(</span><span class="nx">w</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;missing auth&#34;</span><span class="p">,</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">StatusUnauthorized</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ident</span><span class="p">,</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nf">verifyToken</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nf">Context</span><span class="p">(),</span><span class="w"> </span><span class="nx">token</span><span class="p">)</span><span class="w"> </span><span class="c1">// includes tenant + scopes</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">err</span><span class="w"> </span><span class="o">!=</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nf">Error</span><span class="p">(</span><span class="nx">w</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;invalid auth&#34;</span><span class="p">,</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">StatusUnauthorized</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ctx</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">context</span><span class="p">.</span><span class="nf">WithValue</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nf">Context</span><span class="p">(),</span><span class="w"> </span><span class="nx">ctxKeyIdentity</span><span class="p">{},</span><span class="w"> </span><span class="nx">ident</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">next</span><span class="p">.</span><span class="nf">ServeHTTP</span><span class="p">(</span><span class="nx">w</span><span class="p">,</span><span class="w"> </span><span class="nx">r</span><span class="p">.</span><span class="nf">WithContext</span><span class="p">(</span><span class="nx">ctx</span><span class="p">))</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">})</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span></code></pre></div><p><strong>Key point:</strong> authorization should happen <em>after</em> you parse the requested tool name, but <em>before</em> you execute anything.</p> <hr> <h2 id="hardening-layer-2-tool-contracts-that-resist-ambiguity">Hardening layer 2: tool contracts that resist ambiguity</h2> <p>Most MCP tool failures are self-inflicted: tool interfaces are too vague.</p> <h3 id="design-tools-like-production-apis">Design tools like production APIs</h3> <p><strong>Bad tool signature:</strong></p> <ul> <li><code>run(command: string)</code></li> </ul> <p><strong>Better:</strong></p> <ul> <li><code>run_command(program: enum, args: string[], cwd: string, timeout_ms: int, dry_run: bool)</code></li> </ul> <p>Why it’s better:</p> <ul> <li>forces structure</li> <li>allows you to enforce allowlists</li> <li>gives you timeouts and safe defaults</li> </ul> <h3 id="add-a-preview--apply-flow-for-risky-tools">Add a “preview → apply” flow for risky tools</h3> <p>For any tool that writes data or triggers side effects, do a two-step approach:</p> <ol> <li><code>plan_*</code> returns a machine-readable plan + a <code>plan_id</code></li> <li><code>apply_*</code> requires <code>plan_id</code> and optional user confirmation token</li> </ol> <p>This mirrors how we run infra changes (plan/apply) and dramatically reduces accidental blast radius.</p> <hr> <h2 id="hardening-layer-3-budgets-and-backpressure">Hardening layer 3: budgets and backpressure</h2> <p>Production systems are budget systems.</p> <p>If you don’t set explicit budgets, your MCP server will eventually allocate them for you via outages.</p> <h3 id="budget-checklist">Budget checklist</h3> <ul> <li><strong>Server timeouts</strong> (header read, request read, write, idle)</li> <li><strong>Request body caps</strong></li> <li><strong>Outbound timeouts</strong> to dependencies</li> <li><strong>Concurrency caps</strong> per tool and per tenant</li> <li><strong>Rate limits</strong> per tenant and per identity</li> <li><strong>Queue limits</strong> (bounded channels) to avoid memory blowups</li> <li><strong>Circuit breaking</strong> for flaky downstream dependencies</li> </ul> <h3 id="go-server-timeouts-are-not-optional">Go: server timeouts are not optional</h3> <p>Go’s <code>net/http</code> provides explicit server timeouts; leaving them at zero is a common footgun. [6][7]</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">srv</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="o">&amp;</span><span class="nx">http</span><span class="p">.</span><span class="nx">Server</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Addr</span><span class="p">:</span><span class="w"> </span><span class="s">&#34;:8080&#34;</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Handler</span><span class="p">:</span><span class="w"> </span><span class="nx">handler</span><span class="p">,</span><span class="w"> </span><span class="c1">// your MCP handler + middleware</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ReadHeaderTimeout</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ReadTimeout</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">WriteTimeout</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">IdleTimeout</span><span class="p">:</span><span class="w"> </span><span class="mi">60</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="nx">log</span><span class="p">.</span><span class="nf">Fatal</span><span class="p">(</span><span class="nx">srv</span><span class="p">.</span><span class="nf">ListenAndServe</span><span class="p">())</span><span class="w"> </span></span></span></code></pre></div><h3 id="go-propagate-cancellation-everywhere-with-context">Go: propagate cancellation everywhere with <code>context</code></h3> <p><code>context.Context</code> is the backbone of “structured concurrency” in Go: deadlines and cancellation signals flow through your call stack. [8][9]</p> <p>Rule: <strong>every tool execution must accept a <code>context.Context</code></strong>, and every outbound call must honor it.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">func</span><span class="w"> </span><span class="p">(</span><span class="nx">s</span><span class="w"> </span><span class="o">*</span><span class="nx">Server</span><span class="p">)</span><span class="w"> </span><span class="nf">toolCall</span><span class="p">(</span><span class="nx">ctx</span><span class="w"> </span><span class="nx">context</span><span class="p">.</span><span class="nx">Context</span><span class="p">,</span><span class="w"> </span><span class="nx">req</span><span class="w"> </span><span class="nx">ToolRequest</span><span class="p">)</span><span class="w"> </span><span class="p">(</span><span class="nx">ToolResponse</span><span class="p">,</span><span class="w"> </span><span class="kt">error</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ctx</span><span class="p">,</span><span class="w"> </span><span class="nx">cancel</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">context</span><span class="p">.</span><span class="nf">WithTimeout</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span><span class="w"> </span><span class="mi">15</span><span class="o">*</span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">defer</span><span class="w"> </span><span class="nf">cancel</span><span class="p">()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// ... outbound calls use ctx</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">s</span><span class="p">.</span><span class="nx">integration</span><span class="p">.</span><span class="nf">Do</span><span class="p">(</span><span class="nx">ctx</span><span class="p">,</span><span class="w"> </span><span class="nx">req</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span></code></pre></div><h3 id="go-per-tenant-rate-limiting-with-xtimerate">Go: per-tenant rate limiting with <code>x/time/rate</code></h3> <p><code>golang.org/x/time/rate</code> implements a token bucket limiter. [9]</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="kd">type</span><span class="w"> </span><span class="nx">limiters</span><span class="w"> </span><span class="kd">struct</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">mu</span><span class="w"> </span><span class="nx">sync</span><span class="p">.</span><span class="nx">Mutex</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">m</span><span class="w"> </span><span class="kd">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="o">*</span><span class="nx">rate</span><span class="p">.</span><span class="nx">Limiter</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">func</span><span class="w"> </span><span class="p">(</span><span class="nx">l</span><span class="w"> </span><span class="o">*</span><span class="nx">limiters</span><span class="p">)</span><span class="w"> </span><span class="nf">get</span><span class="p">(</span><span class="nx">key</span><span class="w"> </span><span class="kt">string</span><span class="p">)</span><span class="w"> </span><span class="o">*</span><span class="nx">rate</span><span class="p">.</span><span class="nx">Limiter</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">l</span><span class="p">.</span><span class="nx">mu</span><span class="p">.</span><span class="nf">Lock</span><span class="p">()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">defer</span><span class="w"> </span><span class="nx">l</span><span class="p">.</span><span class="nx">mu</span><span class="p">.</span><span class="nf">Unlock</span><span class="p">()</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">l</span><span class="p">.</span><span class="nx">m</span><span class="w"> </span><span class="o">==</span><span class="w"> </span><span class="kc">nil</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nx">l</span><span class="p">.</span><span class="nx">m</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="kd">map</span><span class="p">[</span><span class="kt">string</span><span class="p">]</span><span class="o">*</span><span class="nx">rate</span><span class="p">.</span><span class="nx">Limiter</span><span class="p">{}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">lim</span><span class="p">,</span><span class="w"> </span><span class="nx">ok</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">l</span><span class="p">.</span><span class="nx">m</span><span class="p">[</span><span class="nx">key</span><span class="p">];</span><span class="w"> </span><span class="nx">ok</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">lim</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c1">// Example: 5 req/sec with bursts up to 10</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">lim</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nx">rate</span><span class="p">.</span><span class="nf">NewLimiter</span><span class="p">(</span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="mi">10</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">l</span><span class="p">.</span><span class="nx">m</span><span class="p">[</span><span class="nx">key</span><span class="p">]</span><span class="w"> </span><span class="p">=</span><span class="w"> </span><span class="nx">lim</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">lim</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="kd">func</span><span class="w"> </span><span class="nf">rateLimitMiddleware</span><span class="p">(</span><span class="nx">lims</span><span class="w"> </span><span class="o">*</span><span class="nx">limiters</span><span class="p">,</span><span class="w"> </span><span class="nx">next</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">Handler</span><span class="p">)</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">Handler</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nf">HandlerFunc</span><span class="p">(</span><span class="kd">func</span><span class="p">(</span><span class="nx">w</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">ResponseWriter</span><span class="p">,</span><span class="w"> </span><span class="nx">r</span><span class="w"> </span><span class="o">*</span><span class="nx">http</span><span class="p">.</span><span class="nx">Request</span><span class="p">)</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ident</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="nf">mustIdentity</span><span class="p">(</span><span class="nx">r</span><span class="p">.</span><span class="nf">Context</span><span class="p">())</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="p">!</span><span class="nx">lims</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">ident</span><span class="p">.</span><span class="nx">TenantID</span><span class="p">).</span><span class="nf">Allow</span><span class="p">()</span><span class="w"> </span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nf">Error</span><span class="p">(</span><span class="nx">w</span><span class="p">,</span><span class="w"> </span><span class="s">&#34;rate limited&#34;</span><span class="p">,</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">StatusTooManyRequests</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="k">return</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">next</span><span class="p">.</span><span class="nf">ServeHTTP</span><span class="p">(</span><span class="nx">w</span><span class="p">,</span><span class="w"> </span><span class="nx">r</span><span class="p">)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">})</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span></code></pre></div><h3 id="backpressure-choose-a-policy">Backpressure: choose a policy</h3> <p>When you’re overloaded, you need a policy. Pick one explicitly:</p> <ul> <li><strong>Fail fast</strong> with 429 / “busy” (simplest, safest)</li> <li><strong>Queue</strong> with bounded depth (more complex; must cap memory)</li> <li><strong>Degrade</strong> by disabling expensive tools first</li> </ul> <p>The “fail fast” approach is often correct for tool gateways.</p> <hr> <h2 id="hardening-layer-4-safe-networking-and-ssrf-containment">Hardening layer 4: safe networking and SSRF containment</h2> <p>If any tool can fetch a user-provided URL or call a user-influenced endpoint, SSRF is on the table. [10]</p> <h3 id="ssrf-containment-strategies-that-actually-work">SSRF containment strategies that actually work</h3> <p>OWASP’s SSRF guidance boils down to a few themes: don’t trust user-controlled URLs, use allowlists, and enforce network controls. [10]</p> <p>In practice, for MCP servers:</p> <ol> <li> <p><strong>Prefer allowlists over blocklists.</strong><br> “Only these domains” beats “block internal IPs.” Attackers are creative.</p> </li> <li> <p><strong>Resolve and validate IPs before dialing.</strong><br> DNS can be weaponized. Validate the final destination IP (and re-validate on redirects).</p> </li> <li> <p><strong>Disable redirects or re-validate each hop.</strong><br> Redirect chains are SSRF’s favorite tool.</p> </li> <li> <p><strong>Enforce egress policy at the network layer too.</strong><br> Kubernetes NetworkPolicies / firewall rules are your last line of defense.</p> </li> </ol> <h3 id="go-pattern-an-outbound-http-client-with-strict-timeouts">Go pattern: an outbound HTTP client with strict timeouts</h3> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">client</span><span class="w"> </span><span class="o">:=</span><span class="w"> </span><span class="o">&amp;</span><span class="nx">http</span><span class="p">.</span><span class="nx">Client</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Timeout</span><span class="p">:</span><span class="w"> </span><span class="mi">10</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span><span class="c1">// whole request budget</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Transport</span><span class="p">:</span><span class="w"> </span><span class="o">&amp;</span><span class="nx">http</span><span class="p">.</span><span class="nx">Transport</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Proxy</span><span class="p">:</span><span class="w"> </span><span class="nx">http</span><span class="p">.</span><span class="nx">ProxyFromEnvironment</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">DialContext</span><span class="p">:</span><span class="w"> </span><span class="p">(</span><span class="o">&amp;</span><span class="nx">net</span><span class="p">.</span><span class="nx">Dialer</span><span class="p">{</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">Timeout</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">KeepAlive</span><span class="p">:</span><span class="w"> </span><span class="mi">30</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">}).</span><span class="nx">DialContext</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">TLSHandshakeTimeout</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ResponseHeaderTimeout</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">ExpectContinueTimeout</span><span class="p">:</span><span class="w"> </span><span class="mi">1</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">MaxIdleConns</span><span class="p">:</span><span class="w"> </span><span class="mi">100</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nx">IdleConnTimeout</span><span class="p">:</span><span class="w"> </span><span class="mi">90</span><span class="w"> </span><span class="o">*</span><span class="w"> </span><span class="nx">time</span><span class="p">.</span><span class="nx">Second</span><span class="p">,</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="p">},</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="p">}</span><span class="w"> </span></span></span></code></pre></div><p>Then wrap URL validation around any request creation. Keep it boring and strict.</p> <hr> <h2 id="hardening-layer-5-observability-without-leaking-secrets">Hardening layer 5: observability without leaking secrets</h2> <p>Telemetry is how you prove:</p> <ul> <li>you’re within budgets</li> <li>tools behave as expected</li> <li>failures are localized</li> <li>incidents can be diagnosed without “ssh and guess”</li> </ul> <p>But logging is also where teams accidentally leak sensitive data.</p> <p>OWASP’s logging guidance emphasizes logging that supports detection/response while avoiding sensitive data exposure. [11] Pair that with secrets management discipline. [12]</p> <h3 id="what-to-measure-minimum-viable-mcp-telemetry">What to measure (minimum viable MCP telemetry)</h3> <p><strong>Counters</strong></p> <ul> <li>tool_calls_total{tool, tenant, status}</li> <li>auth_failures_total{reason}</li> <li>rate_limited_total{tenant}</li> </ul> <p><strong>Histograms</strong></p> <ul> <li>tool_latency_seconds{tool}</li> <li>outbound_latency_seconds{dependency}</li> </ul> <p><strong>Gauges</strong></p> <ul> <li>in_flight_tool_calls{tool}</li> <li>queue_depth{tool}</li> </ul> <h3 id="trace-boundaries">Trace boundaries</h3> <p>Instrument:</p> <ul> <li>request → tool routing</li> <li>tool execution span</li> <li>downstream calls span</li> </ul> <p>OpenTelemetry’s Go docs show how to add instrumentation and emit traces/metrics. [13]</p> <h3 id="logging-rules-that-save-you-later">Logging rules that save you later</h3> <ul> <li>Use structured logging (JSON).</li> <li>Add correlation IDs (trace IDs) to logs.</li> <li>Redact: <ul> <li>Authorization headers</li> <li>tokens</li> <li>cookies</li> <li>tool payload fields known to contain secrets</li> </ul> </li> <li>Log <em>events</em>, not raw payloads: <ul> <li>“tool X called”</li> <li>“resource Y read”</li> <li>“write operation requested (dry_run=true)”</li> </ul> </li> </ul> <p><strong>Audit logs</strong></p> <ul> <li>For high-impact tools, write an append-only audit record: <ul> <li>who (identity)</li> <li>what (tool + parameters summary)</li> <li>when</li> <li>result (success/failure)</li> <li>plan_id / idempotency_key</li> </ul> </li> </ul> <p>Audit logs should be treated as security data.</p> <hr> <h2 id="hardening-layer-6-versioning-and-rollout-discipline">Hardening layer 6: versioning and rollout discipline</h2> <p>MCP uses string-based version identifiers like <code>YYYY-MM-DD</code> to represent the last date of backwards-incompatible changes. [4]</p> <p>That’s helpful, but it doesn’t solve the operational problem:</p> <ul> <li>clients upgrade at different times</li> <li>schema changes drift</li> <li>hosts differ in which capabilities they support</li> </ul> <h3 id="practical-compatibility-rules">Practical compatibility rules</h3> <ul> <li><strong>Pin your server’s supported protocol version</strong> and expose it in <code>health</code> or diagnostics.</li> <li><strong>Add contract tests</strong> that run against: <ul> <li>one “current” client</li> <li>one “previous” client version</li> </ul> </li> <li><strong>Support additive changes</strong> first: <ul> <li>new tools</li> <li>new optional fields</li> </ul> </li> <li>Use feature flags for risky tools.</li> </ul> <h3 id="rollout-like-a-platform-team">Rollout like a platform team</h3> <ul> <li>Canaries for remote servers</li> <li>“Shadow mode” for new tools (log what would happen)</li> <li>Slow ramp with budget monitoring</li> </ul> <hr> <h2 id="a-production-checklist">A production checklist</h2> <p>If you’re building (or inheriting) an MCP server, run this checklist:</p> <h3 id="safety">Safety</h3> <ul> <li><input disabled="" type="checkbox"> Tool contracts are structured (no free-form “do anything” strings).</li> <li><input disabled="" type="checkbox"> Every tool has a safe default (<code>dry_run=true</code>, <code>limit</code> required, etc.).</li> <li><input disabled="" type="checkbox"> Destructive tools require a plan/apply step (or explicit confirmation gates).</li> <li><input disabled="" type="checkbox"> Tool inputs are validated and bounded (length, ranges, enums).</li> </ul> <h3 id="identity--access">Identity &amp; access</h3> <ul> <li><input disabled="" type="checkbox"> Remote transport requires authentication and per-tool authorization.</li> <li><input disabled="" type="checkbox"> Tokens are short-lived and rotated; secrets are not in source control. [12]</li> <li><input disabled="" type="checkbox"> Tenant identity is enforced at every access point (not “best effort”).</li> </ul> <h3 id="budgets--resilience">Budgets &amp; resilience</h3> <ul> <li><input disabled="" type="checkbox"> HTTP server timeouts are configured. [6][7]</li> <li><input disabled="" type="checkbox"> Outbound clients have timeouts and connection limits.</li> <li><input disabled="" type="checkbox"> Rate limiting exists per tenant/identity. [9]</li> <li><input disabled="" type="checkbox"> Concurrency caps exist per tool; overload behavior is explicit (fail fast / queue).</li> <li><input disabled="" type="checkbox"> Retries are bounded and idempotent where side effects exist.</li> </ul> <h3 id="networking">Networking</h3> <ul> <li><input disabled="" type="checkbox"> URL fetch tools have allowlists and SSRF protections. [10]</li> <li><input disabled="" type="checkbox"> Redirect policies are explicit (disabled or re-validated).</li> <li><input disabled="" type="checkbox"> Egress is constrained at the network layer (not only in code).</li> </ul> <h3 id="observability">Observability</h3> <ul> <li><input disabled="" type="checkbox"> Metrics cover tool calls, latency, errors, and rate limiting.</li> <li><input disabled="" type="checkbox"> Tracing exists across tool execution and downstream calls. [13]</li> <li><input disabled="" type="checkbox"> Logs are structured, correlated, and redacted. [11]</li> <li><input disabled="" type="checkbox"> Audit logging exists for high-impact tools.</li> </ul> <h3 id="operations">Operations</h3> <ul> <li><input disabled="" type="checkbox"> Health checks and readiness checks exist.</li> <li><input disabled="" type="checkbox"> Configuration is explicit and validated on startup.</li> <li><input disabled="" type="checkbox"> Versioning strategy is documented and tested. [4]</li> </ul> <hr> <h2 id="references">References</h2> <ol> <li>Model Context Protocol (MCP) Specification (version 2025-11-25): <a href="https://modelcontextprotocol.io/specification/2025-11-25" target="_blank" rel="noopener noreferrer">https://modelcontextprotocol.io/specification/2025-11-25</a> </li> <li>MCP Architecture Overview (participants, transports, concepts): <a href="https://modelcontextprotocol.io/docs/learn/architecture" target="_blank" rel="noopener noreferrer">https://modelcontextprotocol.io/docs/learn/architecture</a> </li> <li>MCP Transport details (Streamable HTTP transport overview): <a href="https://modelcontextprotocol.io/specification/2025-03-26/basic/transports" target="_blank" rel="noopener noreferrer">https://modelcontextprotocol.io/specification/2025-03-26/basic/transports</a> </li> <li>MCP Versioning: <a href="https://modelcontextprotocol.io/specification/versioning" target="_blank" rel="noopener noreferrer">https://modelcontextprotocol.io/specification/versioning</a> </li> <li>JSON-RPC 2.0 Specification: <a href="https://www.jsonrpc.org/specification" target="_blank" rel="noopener noreferrer">https://www.jsonrpc.org/specification</a> </li> <li>Go <code>net/http</code> package documentation: <a href="https://pkg.go.dev/net/http" target="_blank" rel="noopener noreferrer">https://pkg.go.dev/net/http</a> </li> <li>Cloudflare: “The complete guide to Go net/http timeouts”: <a href="https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/" target="_blank" rel="noopener noreferrer">https://blog.cloudflare.com/the-complete-guide-to-golang-net-http-timeouts/</a> </li> <li>Go <code>context</code> package documentation: <a href="https://pkg.go.dev/context" target="_blank" rel="noopener noreferrer">https://pkg.go.dev/context</a> </li> <li>Go <code>x/time/rate</code> documentation: <a href="https://pkg.go.dev/golang.org/x/time/rate" target="_blank" rel="noopener noreferrer">https://pkg.go.dev/golang.org/x/time/rate</a> </li> <li>OWASP SSRF Prevention Cheat Sheet / SSRF category references:</li> </ol> <ul> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html" target="_blank" rel="noopener noreferrer">https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html</a> </li> <li><a href="https://owasp.org/Top10/2021/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/" target="_blank" rel="noopener noreferrer">https://owasp.org/Top10/2021/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/</a> </li> </ul> <ol start="11"> <li>OWASP Logging Cheat Sheet (security-focused logging guidance): <a href="https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html" target="_blank" rel="noopener noreferrer">https://cheatsheetseries.owasp.org/cheatsheets/Logging_Cheat_Sheet.html</a> </li> <li>Secrets management guidance:</li> </ol> <ul> <li>OWASP Secrets Management Cheat Sheet: <a href="https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html" target="_blank" rel="noopener noreferrer">https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html</a> </li> <li>Kubernetes “Good practices for Kubernetes Secrets”: <a href="https://kubernetes.io/docs/concepts/security/secrets-good-practices/" target="_blank" rel="noopener noreferrer">https://kubernetes.io/docs/concepts/security/secrets-good-practices/</a> </li> </ul> <ol start="13"> <li>OpenTelemetry Go instrumentation docs: <a href="https://opentelemetry.io/docs/languages/go/instrumentation/" target="_blank" rel="noopener noreferrer">https://opentelemetry.io/docs/languages/go/instrumentation/</a> </li> </ol>Agent Observability That Doesn't Liehttps://roygabriel.dev/blog/agent-observability-that-doesnt-lie/Sat, 20 Dec 2025 12:00:00 -0500https://roygabriel.dev/blog/agent-observability-that-doesnt-lie/<h2 id="why-this-matters">Why this matters</h2> <p>Most &ldquo;agent observability&rdquo; is either:</p> <ul> <li><strong>too shallow</strong> (a chat transcript and a couple logs), or</li> <li><strong>too noisy</strong> (every token logged, every tool payload stored, no signal)</li> </ul> <p>Neither works in production.</p> <p>If you&rsquo;re serious about operating agents, you need observability that answers three questions quickly:</p> <ol> <li><strong>What happened?</strong> (forensics)</li> <li><strong>Why did it happen?</strong> (debuggability)</li> <li><strong>How often does it happen?</strong> (reliability)</li> </ol> <p>OpenTelemetry exists to standardize how you instrument, generate, and export telemetry across traces, metrics, and logs. [1] W3C Trace Context defines how trace context propagates across service boundaries. [2]</p><h2 id="why-this-matters">Why this matters</h2> <p>Most &ldquo;agent observability&rdquo; is either:</p> <ul> <li><strong>too shallow</strong> (a chat transcript and a couple logs), or</li> <li><strong>too noisy</strong> (every token logged, every tool payload stored, no signal)</li> </ul> <p>Neither works in production.</p> <p>If you&rsquo;re serious about operating agents, you need observability that answers three questions quickly:</p> <ol> <li><strong>What happened?</strong> (forensics)</li> <li><strong>Why did it happen?</strong> (debuggability)</li> <li><strong>How often does it happen?</strong> (reliability)</li> </ol> <p>OpenTelemetry exists to standardize how you instrument, generate, and export telemetry across traces, metrics, and logs. [1] W3C Trace Context defines how trace context propagates across service boundaries. [2]</p> <p>Agents add two new requirements:</p> <ul> <li>tool calls are part of your &ldquo;distributed trace&rdquo;</li> <li>&ldquo;decisioning&rdquo; is a first-class component (not just business logic)</li> </ul> <p>This article is a practical blueprint.</p> <hr> <h2 id="tldr">TL;DR</h2> <ul> <li>Instrument agents like distributed systems:</li> <li><strong>traces</strong> for causality (what triggered what)</li> <li><strong>metrics</strong> for health (p95 latency, error rates)</li> <li><strong>logs</strong> for human context (but redacted)</li> <li>Propagate a single trace across:</li> <li>agent runtime -&gt; MCP gateway -&gt; MCP tool servers -&gt; upstream APIs</li> <li>Capture <strong>decision summaries</strong>, not chain-of-thought.</li> <li>Treat cost as a production signal: emit per-run and per-tool cost metrics.</li> <li>Use semantic conventions where possible to keep telemetry queryable. [3]</li> <li>Don&rsquo;t turn observability into a data breach: OWASP highlights sensitive info disclosure and prompt injection as key risks. [7]</li> </ul> <hr> <h2 id="contents">Contents</h2> <ul> <li><a href="#what-to-observe-in-an-agent-system">What to observe in an agent system</a> </li> <li><a href="#a-trace-model-for-agents">A trace model for agents</a> </li> <li><a href="#metrics-that-matter">Metrics that matter</a> </li> <li><a href="#logs-and-redaction">Logs and redaction</a> </li> <li><a href="#audit-events-vs-debug-logs">Audit events vs debug logs</a> </li> <li><a href="#dashboards-and-alerts">Dashboards and alerts</a> </li> <li><a href="#a-production-checklist">A production checklist</a> </li> <li><a href="#references">References</a> </li> </ul> <hr> <h2 id="what-to-observe-in-an-agent-system">What to observe in an agent system</h2> <p>Agents have four observable subsystems:</p> <ol> <li><strong>Planner/Reasoner</strong> (creates the plan, chooses tools)</li> <li><strong>Tool execution</strong> (calls MCP tools and interprets results)</li> <li><strong>Memory/state</strong> (what was stored or retrieved)</li> <li><strong>Policy/budget</strong> (what was allowed or blocked)</li> </ol> <p>If you only observe #2, you&rsquo;ll miss why the agent chose the wrong tool. If you only observe #1, you&rsquo;ll miss production failures.</p> <p>You need the full chain.</p> <hr> <h2 id="a-trace-model-for-agents">A trace model for agents</h2> <h3 id="the-core-idea">The core idea</h3> <p>A single &ldquo;agent run&rdquo; is a distributed trace:</p> <ul> <li>it spans model calls</li> <li>tool calls</li> <li>downstream system calls</li> </ul> <p>Use W3C Trace Context (<code>traceparent</code>, <code>tracestate</code>) to propagate the trace across boundaries. [2]</p> <h3 id="suggested-spans-minimum-viable">Suggested spans (minimum viable)</h3> <p><strong>Root span</strong></p> <ul> <li><code>agent.run</code></li> <li>attributes: <code>agent.name</code>, <code>tenant</code>, <code>user</code>, <code>session</code>, <code>goal_hash</code></li> </ul> <p><strong>Planner</strong></p> <ul> <li><code>agent.plan</code></li> <li>attributes: <code>planner.model</code>, <code>plan.step_count</code></li> </ul> <p><strong>Model calls</strong></p> <ul> <li><code>llm.call</code></li> <li>attributes: <code>model</code>, <code>prompt_tokens</code>, <code>completion_tokens</code>, <code>latency_ms</code></li> </ul> <p><strong>Tool selection</strong></p> <ul> <li><code>agent.tool_select</code></li> <li>attributes: <code>selector.version</code>, <code>candidate_count</code>, <code>selected_count</code></li> </ul> <p><strong>Tool call</strong></p> <ul> <li><code>tool.call</code></li> <li>attributes: <code>tool.name</code>, <code>tool.class</code> (read/write/danger), <code>tool.server</code>, <code>status</code></li> </ul> <p><strong>Policy</strong></p> <ul> <li><code>policy.check</code></li> <li>attributes: <code>policy.rule_id</code>, <code>decision</code> (allow/deny), <code>reason_code</code></li> </ul> <p><strong>Memory</strong></p> <ul> <li><code>memory.read</code> / <code>memory.write</code></li> <li>attributes: <code>store</code>, <code>keys</code>, <code>bytes</code></li> </ul> <h3 id="why-spans--logs">Why spans &gt; logs</h3> <p>Spans give you causality:</p> <ul> <li>which tool call caused a failure</li> <li>which step blew the budget</li> <li>which upstream dependency was slow</li> </ul> <p>With OpenTelemetry, you can emit traces and metrics using the same SDK approach. [1][4]</p> <hr> <h2 id="metrics-that-matter">Metrics that matter</h2> <h3 id="tool-health-metrics">Tool health metrics</h3> <ul> <li><code>tool_calls_total{tool,status}</code></li> <li><code>tool_latency_ms_bucket{tool}</code></li> <li><code>tool_timeouts_total{tool}</code></li> <li><code>tool_retries_total{tool}</code></li> </ul> <h3 id="agent-run-health-metrics">Agent run health metrics</h3> <ul> <li><code>agent_runs_total{status}</code></li> <li><code>agent_run_latency_ms_bucket{agent}</code></li> <li><code>agent_steps_total_bucket{agent}</code></li> </ul> <h3 id="cost-metrics-treat-cost-like-reliability">Cost metrics (treat cost like reliability)</h3> <ul> <li><code>llm_tokens_total{model,type=prompt|completion}</code></li> <li><code>llm_cost_usd_total{model}</code></li> <li><code>run_cost_usd_bucket{agent}</code></li> </ul> <h3 id="policy-metrics">Policy metrics</h3> <ul> <li><code>policy_denied_total{rule_id}</code></li> <li><code>danger_tool_attempt_total{tool}</code></li> </ul> <p>Semantic conventions help your metrics stay queryable and consistent across systems. OpenTelemetry documents semantic conventions for HTTP spans/metrics, for example. [3][5]</p> <hr> <h2 id="logs-and-redaction">Logs and redaction</h2> <p>Logs should add human context, not become a data lake of secrets.</p> <p>Rules I like:</p> <ul> <li><strong>Do not log prompts by default.</strong></li> <li><strong>Do not log tool payloads by default.</strong></li> <li>Log summaries and hashes:</li> <li><code>goal_hash</code>, <code>plan_hash</code>, <code>tool_args_hash</code></li> <li>Log <strong>structured error reasons</strong>:</li> <li><code>validation_error</code>, <code>upstream_rate_limited</code>, <code>auth_failed</code>, <code>policy_denied</code></li> </ul> <p>For agent systems, OWASP highlights sensitive information disclosure and insecure output handling. Logging is one of the easiest ways to accidentally create both. [7]</p> <h3 id="debug-mode-that-isnt-dangerous">&ldquo;Debug mode&rdquo; that isn&rsquo;t dangerous</h3> <p>If you must support deeper logs:</p> <ul> <li>only enable per tenant/user for a limited window</li> <li>auto-expire</li> <li>redact aggressively</li> <li>never store raw secrets</li> </ul> <hr> <h2 id="audit-events-vs-debug-logs">Audit events vs debug logs</h2> <p>Treat them as different products:</p> <h3 id="audit-events-for-governance">Audit events (for governance)</h3> <ul> <li>immutable-ish records of side effects</li> <li>minimal sensitive data</li> <li>always on</li> <li>long retention</li> </ul> <p>Example audit fields:</p> <ul> <li>who: tenant/user/client</li> <li>what: tool + action class (create/update/delete)</li> <li>when: timestamp</li> <li>where: environment</li> <li>result: success/failure</li> <li>resource IDs (safe identifiers)</li> <li>idempotency keys / plan IDs</li> </ul> <h3 id="debug-logs-for-engineers">Debug logs (for engineers)</h3> <ul> <li>short retention</li> <li>more context</li> <li>highly controlled access</li> </ul> <p>Mixing these two is how you end up with &ldquo;SharePoint logs full of PII&rdquo; and no one wants to touch them.</p> <hr> <h2 id="dashboards-and-alerts">Dashboards and alerts</h2> <h3 id="dashboards-start-simple">Dashboards (start simple)</h3> <ol> <li><strong>Tool reliability</strong></li> </ol> <ul> <li>top tools by error rate</li> <li>top tools by p95 latency</li> <li>timeouts per tool</li> </ul> <ol start="2"> <li><strong>Agent success</strong></li> </ol> <ul> <li>success rate by agent type</li> <li>&ldquo;stuck runs&rdquo; (runs exceeding max duration)</li> <li>average steps per run</li> </ul> <ol start="3"> <li><strong>Cost</strong></li> </ol> <ul> <li>cost per run</li> <li>cost per tenant</li> <li>top drivers (which tools/model calls)</li> </ul> <h3 id="alerts-avoid-noise">Alerts (avoid noise)</h3> <p>Alert on what is actionable:</p> <ul> <li>tool error rate spikes for critical tools</li> <li>tool latency p95 spikes beyond SLO</li> <li>budget exceeded spike (runaway behavior)</li> <li>policy denied spike (possible prompt injection attempt)</li> </ul> <p>If you use SLOs and error budgets, Google&rsquo;s SRE material is a practical reference for turning SLOs into alerting strategies. [6]</p> <hr> <h2 id="a-production-checklist">A production checklist</h2> <h3 id="tracing">Tracing</h3> <ul> <li><input disabled="" type="checkbox"> Every agent run has a trace ID.</li> <li><input disabled="" type="checkbox"> Trace context propagates across MCP boundaries (W3C Trace Context). [2]</li> <li><input disabled="" type="checkbox"> Tool calls are spans with stable tool identifiers.</li> </ul> <h3 id="metrics">Metrics</h3> <ul> <li><input disabled="" type="checkbox"> Tool success/error/latency metrics exist.</li> <li><input disabled="" type="checkbox"> Agent run success/latency/steps metrics exist.</li> <li><input disabled="" type="checkbox"> Cost metrics exist and are monitored.</li> </ul> <h3 id="logging">Logging</h3> <ul> <li><input disabled="" type="checkbox"> Default logs are redacted summaries, not raw payloads.</li> <li><input disabled="" type="checkbox"> Debug logging is time-bounded and access-controlled.</li> </ul> <h3 id="audit">Audit</h3> <ul> <li><input disabled="" type="checkbox"> Audit events exist for all side-effecting tools.</li> <li><input disabled="" type="checkbox"> Audit records include &ldquo;who/what/when/result&rdquo; without leaking secrets.</li> </ul> <h3 id="security">Security</h3> <ul> <li><input disabled="" type="checkbox"> Observability does not become a secret exfil path (OWASP risks considered). [7]</li> </ul> <hr> <h2 id="references">References</h2> <p>[1] OpenTelemetry - Documentation (overview): <a href="https://opentelemetry.io/docs/" target="_blank" rel="noopener noreferrer">https://opentelemetry.io/docs/</a> [2] W3C - Trace Context: <a href="https://www.w3.org/TR/trace-context/" target="_blank" rel="noopener noreferrer">https://www.w3.org/TR/trace-context/</a> [3] OpenTelemetry - Semantic conventions for HTTP (spans/metrics/logs): <a href="https://opentelemetry.io/docs/specs/semconv/http/" target="_blank" rel="noopener noreferrer">https://opentelemetry.io/docs/specs/semconv/http/</a> [4] OpenTelemetry Go - Instrumentation docs: <a href="https://opentelemetry.io/docs/languages/go/instrumentation/" target="_blank" rel="noopener noreferrer">https://opentelemetry.io/docs/languages/go/instrumentation/</a> [5] OpenTelemetry - Semantic conventions for HTTP metrics: <a href="https://opentelemetry.io/docs/specs/semconv/http/http-metrics/" target="_blank" rel="noopener noreferrer">https://opentelemetry.io/docs/specs/semconv/http/http-metrics/</a> [6] Google SRE Workbook - Alerting on SLOs: <a href="https://sre.google/workbook/alerting-on-slos/" target="_blank" rel="noopener noreferrer">https://sre.google/workbook/alerting-on-slos/</a> [7] OWASP - Top 10 for Large Language Model Applications: <a href="https://owasp.org/www-project-top-10-for-large-language-model-applications/" target="_blank" rel="noopener noreferrer">https://owasp.org/www-project-top-10-for-large-language-model-applications/</a> </p>