Correlation ID for Unified Request Tracking

.env.example

@@ -537,7 +537,7 @@ SECURITY_HEADERS_ENABLED=true
 # null or none: Completely removes iframe restrictions (no headers sent)
 # ALLOW-FROM uri: Allows specific domain (deprecated, use CSP instead)
 # ALLOW-ALL uri: Allows all (*, http, https)
-# 
+#
 # Both X-Frame-Options header and CSP frame-ancestors directive are automatically synced.
 # Modern browsers prioritize CSP frame-ancestors over X-Frame-Options.
 X_FRAME_OPTIONS=DENY
@@ -659,6 +659,17 @@ LOG_MAX_SIZE_MB=1
 LOG_BACKUP_COUNT=5
 LOG_BUFFER_SIZE_MB=1.0
 
+# Correlation ID / Request Tracking
+# Enable automatic correlation ID tracking for unified request tracing
+# Options: true (default), false
+CORRELATION_ID_ENABLED=true
+# HTTP header name for correlation ID (default: X-Correlation-ID)
+CORRELATION_ID_HEADER=X-Correlation-ID
+# Preserve incoming correlation IDs from clients (default: true)
+CORRELATION_ID_PRESERVE=true
+# Include correlation ID in HTTP response headers (default: true)
+CORRELATION_ID_RESPONSE_HEADER=true
+
 # Transport Protocol Configuration
 # Options: all (default), sse, streamablehttp, http
 # - all: Enable all transport protocols
@@ -1193,6 +1204,16 @@ PAGINATION_INCLUDE_LINKS=true
 # Enable TLS for gRPC connections by default
 # MCPGATEWAY_GRPC_TLS_ENABLED=false
 
+#####################################
+# Security Event Logging
+#####################################
+
+# Enable security event logging (authentication attempts, authorization failures, etc.)
+# Options: true (default), false
+# When enabled, the AuthContextMiddleware will log all authentication attempts to the database
+# This is INDEPENDENT of observability settings - security logging is critical for audit trails
+# SECURITY_LOGGING_ENABLED=true
+
 #####################################
 # Observability Settings
 #####################################

README.md

@@ -1619,7 +1619,7 @@ ContextForge implements **OAuth 2.0 Dynamic Client Registration (RFC 7591)** and
 >
 > **iframe Embedding**: The gateway controls iframe embedding through both `X-Frame-Options` header and CSP `frame-ancestors` directive (both are automatically synced). Options:
 > - `X_FRAME_OPTIONS=DENY` (default): Blocks all iframe embedding
-> - `X_FRAME_OPTIONS=SAMEORIGIN`: Allows embedding from same domain only  
+> - `X_FRAME_OPTIONS=SAMEORIGIN`: Allows embedding from same domain only
 > - `X_FRAME_OPTIONS="ALLOW-ALL"`: Allows embedding from all sources (sets `frame-ancestors * file: http: https:`)
 > - `X_FRAME_OPTIONS=null` or `none`: Completely removes iframe restrictions (no headers sent)
 >

docs/docs/deployment/container.md

@@ -31,12 +31,12 @@ docker logs mcpgateway
 You can now access the UI at [http://localhost:4444/admin](http://localhost:4444/admin)
 
 ### Multi-architecture containers
-Note: the container build process creates container images for 'amd64', 'arm64' and 's390x' architectures. The version `ghcr.io/ibm/mcp-context-forge:VERSION` 
+Note: the container build process creates container images for 'amd64', 'arm64' and 's390x' architectures. The version `ghcr.io/ibm/mcp-context-forge:VERSION`
 not points to a manifest so that if all commands will pull the correct image for the architecture being used (whether that be locally or on Kubernetes or OpenShift).
 
 If the specific image is needed for one architecture on a different architecture use the appropriate arguments for your given container execution tool:
 
-With docker run: 
+With docker run:
 ```
 docker run [... all your options...] --platform linux/arm64 ghcr.io/ibm/mcp-context-forge:VERSION
 ```

gunicorn.config.py

@@ -65,37 +65,37 @@
 
 def on_starting(server):
     """Called just before the master process is initialized.
-    
+
     This is where we handle passphrase-protected SSL keys by decrypting
     them to a temporary file before Gunicorn workers start.
     """
     global _prepared_key_file
-    
+
     # Check if SSL is enabled via environment variable (set by run-gunicorn.sh)
     # and a passphrase is provided
     ssl_enabled = os.environ.get("SSL", "false").lower() == "true"
     ssl_key_password = os.environ.get("SSL_KEY_PASSWORD")
-    
+
     if ssl_enabled and ssl_key_password:
         try:
             from mcpgateway.utils.ssl_key_manager import prepare_ssl_key
-            
+
             # Get the key file path from environment (set by run-gunicorn.sh)
             key_file = os.environ.get("KEY_FILE", "certs/key.pem")
-            
+
             server.log.info(f"Preparing passphrase-protected SSL key: {key_file}")
-            
+
             # Decrypt the key and get the temporary file path
             _prepared_key_file = prepare_ssl_key(key_file, ssl_key_password)
-            
+
             server.log.info(f"SSL key prepared successfully: {_prepared_key_file}")
-            
+
             # Update the keyfile setting to use the decrypted temporary file
             # This is a bit of a hack, but Gunicorn doesn't provide a better way
             # to modify the keyfile after it's been set via command line
             if hasattr(server, 'cfg'):
                 server.cfg.set('keyfile', _prepared_key_file)
-            
+
         except Exception as e:
             server.log.error(f"Failed to prepare SSL key: {e}")
             raise
@@ -127,4 +127,3 @@ def worker_exit(server, worker):
 
 def child_exit(server, worker):
     server.log.info("Worker child exit (pid: %s)", worker.pid)
-