Skip to content

fix secret checks#29

Merged
j4ys0n merged 1 commit intomainfrom
bugfix-secret-deletion
Feb 24, 2026
Merged

fix secret checks#29
j4ys0n merged 1 commit intomainfrom
bugfix-secret-deletion

Conversation

@j4ys0n
Copy link
Contributor

@j4ys0n j4ys0n commented Feb 24, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 24, 2026 08:18
@j4ys0n
Copy link
Contributor Author

j4ys0n commented Feb 24, 2026

Automated review 🤖

Summary of Changes
Bumps version to 1.10.2 and fixes secret scoping logic in src/services/mcp.ts to support both bare secret names and serverName.secretName prefixed variants during injection into server arguments. Ensures backward compatibility while enabling explicit prefixed secret resolution.

Key Changes & Positives

  • Adds fallback logic to resolve secrets using serverName.secretName prefix when bare name lookup fails (src/services/mcp.ts, lines 890–894).
  • Maintains existing behavior for bare-name secrets, ensuring non-breaking change. 🟢

Potential Issues & Recommendations

  • Issue / Risk: If both bare and prefixed versions of a secret exist with different values, the prefixed variant takes precedence only when the bare name is absent—this may cause unexpected secret resolution order depending on caller setup.
  • Impact: Could lead to inconsistent secret injection if callers rely on ambiguous naming conventions across environments.
  • Recommendation: Clarify expected secret naming convention in documentation or enforce strict precedence (e.g., always prefer prefixed) to avoid ambiguity.
  • Status: 🟡 Needs review

Language/Framework Checks

  • TypeScript usage remains consistent; no type changes required as prefixedName is inferred as string.
  • Logic correctly handles undefined checks using !== undefined, preserving strict equality semantics.

Security & Privacy

  • Secret resolution now includes an additional namespace-aware lookup, reducing risk of accidental cross-server secret leakage if servers use distinct prefixes. 🟢

Approval Recommendation
Approve with caveats

  • Document expected secret naming convention (bare vs. prefixed) in API or deployment guide.
  • Consider adding unit test covering conflict scenario (same secret name bare and prefixed) to validate precedence.

Copilot AI reviewed Feb 24, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes secret handling in the MCP service by adding support for prefixed secret names. The service can now look up secrets using both unprefixed (e.g., api_key) and prefixed (e.g., serverName.api_key) formats, with unprefixed names taking precedence when both exist.

Changes:

  • Added fallback logic to check for server-prefixed secret names when unprefixed secrets are not found
  • Bumped version from 1.10.1 to 1.10.2

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
src/services/mcp.ts Added prefixed secret name lookup as fallback when unprefixed secret is not found
package.json Version bump to 1.10.2 for patch release

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/services/mcp.ts
Comment on lines +890 to +894
const prefixedName = `${serverName}.${name}`
if (allSecrets[name] !== undefined) {
scopedSecrets[name] = allSecrets[name]
} else if (allSecrets[prefixedName] !== undefined) {
scopedSecrets[name] = allSecrets[prefixedName]
Copy link

Copilot AI Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new prefixed secret name fallback logic lacks test coverage. Consider adding tests to verify:

  1. Secrets can be retrieved using the unprefixed name (e.g., "api_key")
  2. Secrets can be retrieved using the prefixed name (e.g., "serverName.api_key") when unprefixed doesn't exist
  3. Unprefixed secrets take precedence when both prefixed and unprefixed versions exist
  4. The correct secret value is passed to the tool in each scenario

Copilot uses AI. Check for mistakes.
@j4ys0n j4ys0n merged commit 87af6ef into main Feb 24, 2026
5 checks passed
@j4ys0n j4ys0n deleted the bugfix-secret-deletion branch February 24, 2026 08:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@j4ys0n