MissionSquad · j4ys0n · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026 · Copilot
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@missionsquad/mcp-api",
-  "version": "1.10.2",
+  "version": "1.10.3",
   "description": "MCP Servers exposed via HTTP API",
   "main": "dist/index.js",
   "repository": "missionsquad/mcp-api",

diff --git a/src/services/mcp.ts b/src/services/mcp.ts
@@ -883,15 +883,21 @@ export class MCPService implements Resource {
       // Get server's declared secret names from metadata
       const serverSecretNames = server.secretNames ?? (server.secretName ? [server.secretName] : [])
 
+      // Extract secrets belonging to this server: keys stored as "${serverName}.${secretName}"
+      const prefix = `${serverName}.`
+      const serverSecrets: Record<string, string> = {}
+      for (const [key, value] of Object.entries(allSecrets)) {
+        if (key.startsWith(prefix)) {
+          serverSecrets[key.slice(prefix.length)] = value
+        }
+      }
+
       if (serverSecretNames.length > 0) {
-        // Inject ONLY secrets declared by this server
+        // Inject only the declared secret names
         const scopedSecrets: Record<string, string> = {}
         for (const name of serverSecretNames) {
-          const prefixedName = `${serverName}.${name}`
-          if (allSecrets[name] !== undefined) {
-            scopedSecrets[name] = allSecrets[name]
-          } else if (allSecrets[prefixedName] !== undefined) {
-            scopedSecrets[name] = allSecrets[prefixedName]
+          if (serverSecrets[name] !== undefined) {
+            scopedSecrets[name] = serverSecrets[name]
           }
         }
         args = { ...args, ...scopedSecrets }
@@ -900,17 +906,16 @@ export class MCPService implements Resource {
           msg: `Scoped secrets applied to tool call - ${serverName}:${methodName} - ${Object.keys(scopedSecrets).join(', ')}`
         })
       } else {
-        // Backward compatibility: if server has no declared secretNames,
-        // fall back to injecting all secrets (preserves existing behavior
-        // for servers not yet migrated to secretNames metadata).
-        args = { ...args, ...allSecrets }
+        // No declared secretNames — inject all secrets belonging to this server
+        args = { ...args, ...serverSecrets }
         log({
-          level: 'warn',
-          msg: `Server ${serverName} has no declared secretNames — injecting all secrets (legacy behavior)`
+          level: 'info',
+          msg: `Server secrets applied to tool call - ${serverName}:${methodName} - ${Object.keys(serverSecrets).join(', ')}`
         })
       }
     }
     log({ level: 'info', msg: `Calling tool - ${serverName}:${methodName}` })
+    log({ level: 'debug', msg: `callTool arguments keys: ${Object.keys(args).join(', ')}` })
-    log({ level: 'debug', msg: `callTool arguments keys: ${Object.keys(args).join(', ')}` })
+    const argKeys = Object.keys(args)
+    if (allSecrets != null) {
+      const secretKeys = new Set(Object.keys(allSecrets))
+      const nonSecretKeys = argKeys.filter(key => !secretKeys.has(key))
+      const secretKeyCount = argKeys.length - nonSecretKeys.length
+      log({
+        level: 'debug',
+        msg: `callTool arguments: totalKeys=${argKeys.length}, nonSecretKeys=[${nonSecretKeys.join(
+          ', '
+        )}], secretKeyCount=${secretKeyCount}`
+      })
+    } else {
+      log({
+        level: 'debug',
+        msg: `callTool arguments keys (no secrets injected): ${argKeys.join(', ')}`
+      })
+    }
-    log({ level: 'debug', msg: `callTool arguments keys: ${Object.keys(args).join(', ')}` })
+    const argKeys = Object.keys(args)
+    if (allSecrets != null) {
+      const secretKeys = new Set(Object.keys(allSecrets))
+      const nonSecretKeys = argKeys.filter(key => !secretKeys.has(key))
+      const secretKeyCount = argKeys.length - nonSecretKeys.length
+      log({
+        level: 'debug',
+        msg: `callTool arguments: totalKeys=${argKeys.length}, nonSecretKeys=[${nonSecretKeys.join(
+          ', '
+        )}], secretKeyCount=${secretKeyCount}`
+      })
+    } else {
+      log({
+        level: 'debug',
+        msg: `callTool arguments keys (no secrets injected): ${argKeys.join(', ')}`
+      })
+    }
     const requestOptions: RequestOptions = {}
     if (server.startupTimeout) {
       requestOptions.timeout = server.startupTimeout