feat: Add structured audit logging for MCP feature server

[SIDDHESH1564]

What this PR does / why we need it:

This PR adds structured audit logging in JSONL format for the Python MCP feature server.

Previously, the MCP integration only logged startup events and errors. Operators did not have a unified audit trail for MCP tool calls, internal REST requests, authentication results, authorization decisions, or request correlation.

This change introduces an audit_logging configuration section under feature_server and adds structured audit events for:

• MCP tool invocations
• MCP JSON-RPC requests
• REST endpoint requests
• Authentication outcomes
• Authorization decisions
• Request correlation through X-Request-Id
• Client IP address and transport metadata

Each audit event follows a stable schema and includes:

• event_type
• UTC timestamp
• request_id
• principal (username, roles, and auth_type)
• source (ip and transport)
• action (MCP tool name and/or HTTP path)
• resource (type, name, and permitted actions)
• outcome
• duration_ms

Sensitive data is intentionally excluded from audit logs. Tokens, entity rows, feature values, and request payloads are not logged.

Audit logging layers

Layer	Scope	Event types
McpAuditMiddleware	/mcp JSON-RPC requests	mcp.tools.call, mcp.request
AuditLoggingMiddleware	REST endpoints such as /get-online-features and /push	http.request
AuditLogger helpers	Authentication and authorization hooks	authn.success, authn.failure, authz.decision

New files

• sdk/python/feast/audit/audit_logger.py

  • Adds the AuditEvent model.
  • Adds sink abstractions: StdoutAuditSink, FileAuditSink, and LoggerAuditSink.
  • Adds AuditLogger helper methods for MCP, HTTP, authentication, and authorization events.

• sdk/python/feast/audit/audit_middleware.py

  • Adds AuditLoggingMiddleware for REST endpoint auditing.
  • Adds McpAuditMiddleware for MCP JSON-RPC request auditing.

Modified files

• sdk/python/feast/infra/feature_servers/base_config.py

  • Adds AuditLoggingConfig to BaseFeatureServerConfig.

• sdk/python/feast/feature_server.py

  • Initializes the audit logger lifecycle.
  • Wires the audit middleware into get_app().

Example configuration

feature_server:
  type: mcp
  mcp_enabled: true
  audit_logging:
    enabled: true
    sink: stdout          # stdout | file | logger
    # file_path: /var/log/feast_audit.jsonl
    log_successful_reads: true

Example JSONL event

{
  "event_type": "mcp.tools.call",
  "timestamp": "2026-05-28T12:00:00.000Z",
  "request_id": "...",
  "principal": {
    "username": "jane@co.com",
    "roles": ["reader"],
    "auth_type": "oidc"
  },
  "source": {
    "ip": "10.0.0.1",
    "transport": "mcp-http"
  },
  "action": {
    "mcp_tool": "get_online_features",
    "path": "/mcp"
  },
  "outcome": "success",
  "duration_ms": 42.0
}

Which issue(s) this PR fixes:

Fixes #6452

Checks

• I've made sure the tests are passing.
• My commits are signed off (git commit -s)
• My PR title follows conventional commits format

Testing Strategy

• Unit tests
• Integration tests
• Manual tests
• Testing is not required for this change

Added 37 unit tests covering:

• AuditEvent serialization in JSONL format, including exclusion of None values

• AuditLogger helpers:

  • log_mcp_call
  • log_http_request
  • log_authn
  • log_authz

• Suppression of successful read events when log_successful_reads: false

• All supported sinks:

  • StdoutAuditSink
  • FileAuditSink
  • LoggerAuditSink

• create_audit_logger_from_config factory behavior and fallback handling

• AuditLoggingConfig validation and inheritance through McpFeatureServerConfig

• AuditLoggingMiddleware behavior:

  • HTTP request logging
  • Health and MCP route skipping
  • Error outcomes
  • X-Request-Id propagation
  • Resource mapping

• McpAuditMiddleware behavior:

  • MCP tool-call extraction from JSON-RPC request bodies
  • Generic MCP request logging
  • Non-JSON request-body handling

Misc

• audit_logging is defined on BaseFeatureServerConfig, making it available to both local and MCP feature server types.
• Principal metadata is extracted from the existing SecurityManager context and supports no_auth, oidc, and kubernetes authentication modes.
• Registry MCP parity and an OpenTelemetry sink are intentionally left as follow-up improvements, as noted in the linked issue.

[ntkathole]

@SIDDHESH1564

Registry MCP parity and an OpenTelemetry sink are intentionally left as follow-up improvements, as noted in the linked issue.

OTel is a follow-up is fine, but the core schema and sink abstraction feel like reinventing what opentelemetry-sdk already provides. Also, AuditEvent should carry a trace_id/span_id if OpenTelemetry is active.

Also, the fundamental problem with this is that it intercepts at the HTTP transport layer rather than at the MCP protocol layer. It should implement bidirectional correlation - linking a request to its response.

[SIDDHESH1564]

Thanks for the review, @ntkathole. Both points have been addressed.

• Added trace_id and span_id to AuditEvent, populated from the active OTel span when available.
• Added MCP request-response correlation using the JSON-RPC id.
• Added response-body inspection for JSON-RPC errors and a separate mcp_error outcome.

[ntkathole]

This audit hook is at the wrong layer. Instead of parsing raw HTTP bodies, wrap mcp.server.request_handlers[CallToolRequest] inside add_mcp_support_to_app() after FastApiMCP.setup_server(). That gives you typed tool_name, arguments, CallToolResult.isError

[SIDDHESH1564]

Thanks for the detailed review @ntkathole. I’ll study the suggested MCP protocol-layer approach and make the required changes. Will also address the thread-safety comment for the logger. Thanks!

[SIDDHESH1564]

@ntkathole, I’ll remove the raw HTTP body parsing from McpAuditMiddleware and wrap the MCP server’s CallToolRequest handler after FastApiMCP.setup_server(). This will provide the typed tool name, arguments, and CallToolResult.isError directly, without json.loads() or response-body replay.

[ntkathole]

MPC server don't use get_security_manager - again this is HTTP layer, will always return an empty principal for MCP

[SIDDHESH1564]

@ntkathole, Since get_security_manager() does not apply to MCP requests, I’ll derive the authentication metadata from mcp.server.request_context.request.headers.

[ntkathole]

Add a threading.Lock around emit(), when multiple tasks or workers emit the logs, it should handle

[SIDDHESH1564]

@ntkathole, I’ll add a threading.Lock around sink.emit() in the audit logging path.

[SIDDHESH1564]

Will update the tests accordingly and push the revised commit once the changes are complete. Thanks!