feat(mcp): add JSON structured logging emitter and JWT sub claim (#373 stack 1/3)#375
Open
adriannoes wants to merge 4 commits into
Open
feat(mcp): add JSON structured logging emitter and JWT sub claim (#373 stack 1/3)#375adriannoes wants to merge 4 commits into
adriannoes wants to merge 4 commits into
Conversation
This was referenced Jul 8, 2026
Introduce allowlisted JSON event builders and a dedicated stdout logger with propagate=False so hosted observability coexists with FastMCP's RichHandler. Add PIPEFY_MCP_LOG_LEVEL to McpSettings and wire it through run_server and FastMCP construction.
Extend the resource-server token mapping with an optional sub field so hosted HTTP request logs can emit caller subject alongside client_id without re-decoding the bearer.
normalize_log_level resolved names via getattr(logging, ...), which returns non-level module attributes (BASIC_FORMAT) and accepts aliases the settings Literal rejects (WARN, FATAL); an explicit map fails loudly on both. The observability package now re-exports its stdlib-only emitter surface per the package convention, and a suite-wide autouse fixture drops leftover stdout handlers so a test that configures the process-global logger cannot leak a closed-stream handler into later tests.
…he token PipefyAccessToken.sub is str | None, so a validly-signed token carrying a numeric sub raised ValidationError inside _to_access_token and verify_token turned it into a 401, a token dev accepted before the field existed. sub feeds request logging only; a malformed value must not gate authentication. RFC 7519 requires StringOrURI, so only non-compliant IdPs ever hit this.
651dec7 to
932c9f2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Part of #373 (stack 1/3).
Summary
propagate=False) for hosted observability.PIPEFY_MCP_LOG_LEVELtoMcpSettingsand wires it throughFastMCP(log_level=...).PipefyAccessTokenwith optionalsubfrom JWT claims for caller subject in request logs (D16).subtonullinstead of rejecting the token.What does not land yet
No structured lines are emitted until stack 2/3 (#376) and 3/3 (#377) merge. This PR only lays the emitter and identity groundwork.
Stack status
devafter refactor: reshape the Pipefy client into an engine/session split #348 merged (8adea173).Test plan
uv run pytest packages/mcp/tests/observability/test_json_logging.py -quv run pytest packages/mcp/tests/auth/test_resource_server.py -quv run ruff check packages/mcp && uv run ruff format --check packages/mcp