zhengchen.tao/obsidian-mcp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2aefdbeef5ef07568194f71d17ccc0e034a8c524
obsidian-mcp/Services/AuditLogger.cs
T
zhengchen.tao 28f9a54ba9
Build Docker Image / build (push) Failing after 9m21s
Details
Build Docker Image / deploy (push) Has been skipped
Details
obsidian-mcp: 初次落地 Obsidian Vault MCP Server (.NET 10, read+write) 
把 Obsidian vault 通过 MCP 暴露给 Claude.ai,OAuth 走 nas-auth。
设计文档见 vault Coding/obsidian-mcp/obsidian-mcp 设计.md。
代码层落地参考 vault Coding/obsidian-mcp/MCP 实现指南.md。

V1+V2 同时实现(用户要求跳过分阶段直接全部):

读 Tools(需 scope=read:obsidian):
- list_vault_tree(一次性 vault 地图,限制深度)
- list_files / read_file(含 offset/limit 大文件分页)
- search(子串匹配 + glob 过滤,最多 50 hits)
- get_metadata(size / modified_at / has_frontmatter)

写 Tools(需 scope=write:obsidian):
- write_file / append_file
- 多重门禁:scope 校验 + 路径黑名单 + 写入白名单 + 永禁文件
  - 永禁写:任意目录的 AGENTS.md / PROFILE.md / README.md / CLAUDE.md / 01-Secret/**
  - 白名单:02-ShengquGames/logs/ + Coding/ + NAS/NAS 待办清单.md
- 写入审计日志按天 rotate(JSON line)

安全:
- VaultPathResolver chroot:path traversal + symlink 双拒绝
- JwtBearer (HS256, Current+Previous fallback, MapInboundClaims=false)
- aud=obsidian, iss=https://auth.zhengchentao.win
- 黑名单:01-Secret / .obsidian / .trash / .git

技术栈:
- .NET 10 + ModelContextProtocol SDK 1.0
- Streamable HTTP transport (POST /mcp)
- JwtBearer 10.0 + IdentityModel.Tokens 8.x

部署:
- Dockerfile multi-stage,runtime 装 ripgrep(V3 备用),non-root user
- .gitea/workflows/build-image.yml:build + deploy 双 job,buildkit v0.13.2
- 容器内 :8080,宿主端口 9090
- 子域名 obs.zhengchentao.win
- vault 挂载 /volume1/docker/webdav/data/Zhengchen:/vault:rw(V2 写入需要 rw)

测试:35/35 单测过(VaultPathResolver path traversal/blacklist/symlink + VaultWriteGuard whitelist/forbidden)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-06 01:32:11 +08:00

56 lines
1.4 KiB
C#
Raw Blame History

using System.Text.Json;
namespace ObsidianMcp.Services;
/// <summary>
/// 写操作审计日志(JSON lines 格式,按天 rotate)。
/// 输出到 /app/logs/audit-YYYY-MM-DD.log。
/// 注册为 Singleton,内部用 lock 保证多线程写入安全。
/// </summary>
public class AuditLogger
{
private readonly string _logDir;
private readonly object _lock = new();
public AuditLogger(IConfiguration config)
{
// 允许通过配置覆盖日志目录,默认 /app/logs
_logDir = config["AuditLog:Directory"] ?? "/app/logs";
Directory.CreateDirectory(_logDir);
}
/// <summary>
/// 记录一次写操作审计条目。
/// </summary>
public void LogWrite(
string user,
string clientId,
string tool,
string path,
long bytes,
bool ok,
string? error = null)
{
var entry = new
{
timestamp = DateTime.UtcNow.ToString("O"),
user,
tool,
path,
bytes,
client_id = clientId,
ok,
error,
};
var line = JsonSerializer.Serialize(entry);
var fileName = $"audit-{DateTime.UtcNow:yyyy-MM-dd}.log";
var filePath = Path.Combine(_logDir, fileName);
lock (_lock)
{
File.AppendAllText(filePath, line + Environment.NewLine);
}
}
}
Reference in New Issue View Git Blame Copy Permalink