Skip to content

Use collision-resistant request/operation IDs for tool invocations #2099

@davidahmann

Description

@davidahmann

Problem

Tool invocation request/operation IDs can collide under concurrent load, making audit trails ambiguous and impairing incident analysis.

Why now

GitHub MCP server is increasingly used for operational automation where deterministic, unique correlation IDs are required for governance and debugging.

Evidence Packet

  • Version/commit under test: origin/main at b222072346e3
  • Runtime environment: macOS 26.3 (arm64), Go 1.25.7
  • Minimal repro:
    1. Execute many concurrent tool invocations with similar request shapes.
    2. Inspect logged/requested operation identifiers.
    3. Detect ambiguous or reused IDs.
  • Expected behavior: collision-resistant unique request/operation IDs per invocation.
  • Actual behavior: current ID strategy is not explicit about collision resistance across all paths.

Why code change (not docs)

ID generation and propagation are runtime behavior contracts.

Scope / Codepaths

  • internal/ghmcp
  • pkg/context
  • pkg/log

Acceptance Criteria

  • Request/operation IDs include collision-resistant component.
  • IDs are propagated consistently through tool execution and logs.
  • Tests prove uniqueness under concurrent invocation.

Validation Plan

  • Add focused concurrent ID-generation tests.
  • Verify deterministic schema/fields for audit extraction.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions