feat(mcp): persist login audit for OAuth and API key

- Add audit::log_login in secrets-core (audit_log detail: user_id, provider, client_ip, user_agent)
- Log web Google OAuth success after session established
- Log MCP Bearer API key auth success in middleware
- Bump secrets-mcp to 0.1.6 (tag 0.1.5 existed)

Made-with: Cursor

crates/secrets-mcp/src/auth.rs

@@ -9,6 +9,7 @@ use axum::{
 use sqlx::PgPool;
 use uuid::Uuid;
 
+use secrets_core::audit::log_login;
 use secrets_core::service::api_key::validate_api_key;
 
 /// Injected into request extensions after Bearer token validation.
@@ -34,6 +35,15 @@ fn log_client_ip(req: &Request) -> Option<String> {
         .map(|c| c.ip().to_string())
 }
 
+fn log_user_agent(req: &Request) -> Option<String> {
+    req.headers()
+        .get(axum::http::header::USER_AGENT)
+        .and_then(|v| v.to_str().ok())
+        .map(str::trim)
+        .filter(|value| !value.is_empty())
+        .map(ToOwned::to_owned)
+}
+
 /// Axum middleware that validates Bearer API keys for the /mcp route.
 /// Passes all non-MCP paths through without authentication.
 pub async fn bearer_auth_middleware(
@@ -44,6 +54,7 @@ pub async fn bearer_auth_middleware(
     let path = req.uri().path();
     let method = req.method().as_str();
     let client_ip = log_client_ip(&req);
+    let user_agent = log_user_agent(&req);
 
     // Only authenticate /mcp paths
     if !path.starts_with("/mcp") {
@@ -84,6 +95,15 @@ pub async fn bearer_auth_middleware(
 
     match validate_api_key(&pool, raw_key).await {
         Ok(Some(user_id)) => {
+            log_login(
+                &pool,
+                "api_key",
+                "bearer",
+                user_id,
+                client_ip.as_deref(),
+                user_agent.as_deref(),
+            )
+            .await;
             tracing::debug!(?user_id, "api key authenticated");
             let mut req = req;
             req.extensions_mut().insert(AuthUser { user_id });