Skip to content

MCP server API #744

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

MCP server API #744

wants to merge 2 commits into from

Conversation

@fadeev
Copy link
Member

@fadeev fadeev commented Oct 2, 2025

No description provided.

@vercel
Copy link

vercel bot commented Oct 2, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Updated (UTC)
docs-v2 Ready Ready Preview Oct 2, 2025 0:39am

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 2, 2025

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches
🧪 Generate unit tests
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch mcp-server

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

github-advanced-security[bot]
github-advanced-security bot found potential problems Oct 2, 2025
View reviewed changes
app/api/mcp/route.ts
};

const json = (status: number, data: unknown, extra?: HeadersInit) => {
return new Response(JSON.stringify(data), {

Check warning

Code scanning / CodeQL

Information exposure through a stack trace Medium

This information exposed to the user depends on
stack trace information
Loading
.
This information exposed to the user depends on
stack trace information
Loading
.
This information exposed to the user depends on
stack trace information
Loading
.

Copilot Autofix

AI 30 days ago

To fix the problem, sensitive error details (such as stack traces, error messages, and internal error structures) should never be sent to the client. Only generic, non-specific error messages should be sent in the HTTP response, while the details (including stack traces) should be logged server-side for debugging.

Best fix approach:

  • In each place where a JSON response is sent with an error and detail property, remove the inclusion of detail: String(e) from the response sent to the client.
  • Instead, log the error (message, stack, etc.) on the server using console.error to preserve the debugging utility.
  • Only send generic error messages to the client, e.g. { error: "Failed to connect MCP server" } and { error: "MCP tool execution failed" }.
  • Direct edits should be made to lines 248 and 357 where currently the error detail is returned to the client.

No new imports are required; only the error response objects and the surrounding catch blocks need to be adjusted.

Suggested changeset 1
app/api/mcp/route.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/api/mcp/route.ts b/app/api/mcp/route.ts
--- a/app/api/mcp/route.ts
+++ b/app/api/mcp/route.ts
@@ -245,7 +245,9 @@
     }
     client = await connectMcp(baseUrl, apiKey, profile || undefined);
   } catch (e) {
-    return json(502, { error: "Failed to connect MCP server", detail: String(e) }, headers);
+    // eslint-disable-next-line no-console
+    console.error("[mcp] connect MCP server failed", e);
+    return json(502, { error: "Failed to connect MCP server" }, headers);
   }
 
   try {
@@ -353,8 +355,8 @@
     return json(200, result, headers);
   } catch (e) {
     // eslint-disable-next-line no-console
-    console.error("[mcp] execution failed", String(e));
-    return json(500, { error: "MCP tool execution failed", detail: String(e) }, headers);
+    console.error("[mcp] execution failed", e);
+    return json(500, { error: "MCP tool execution failed" }, headers);
   } finally {
     await Promise.resolve(client?.close?.());
   }
EOF
@@ -245,7 +245,9 @@
}
client = await connectMcp(baseUrl, apiKey, profile || undefined);
} catch (e) {
return json(502, { error: "Failed to connect MCP server", detail: String(e) }, headers);
// eslint-disable-next-line no-console
console.error("[mcp] connect MCP server failed", e);
return json(502, { error: "Failed to connect MCP server" }, headers);
}

try {
@@ -353,8 +355,8 @@
return json(200, result, headers);
} catch (e) {
// eslint-disable-next-line no-console
console.error("[mcp] execution failed", String(e));
return json(500, { error: "MCP tool execution failed", detail: String(e) }, headers);
console.error("[mcp] execution failed", e);
return json(500, { error: "MCP tool execution failed" }, headers);
} finally {
await Promise.resolve(client?.close?.());
}
Copilot is powered by AI and may make mistakes. Always verify output.
app/api/mcp/route.ts
Comment on lines +206 to +211
console.log("[mcp] POST /api/mcp", {
serverUrlEnv: Boolean(smitheryServerUrlEnv),
hasApiKey: Boolean(smitheryApiKeyEnv),
profile: smitheryProfileEnv || undefined,
hasOpenAIKey: Boolean(openaiApiKey),
});

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This logs sensitive data returned by
an access to hasApiKey
Loading
as clear text.

Copilot Autofix

AI 30 days ago

To fix the logging of sensitive information, remove or redact any output that could reveal (even indirectly) the existence, value, or configuration of secrets like API keys or sensitive profiles. In this specific case:

  • Remove all references to smitheryServerUrlEnv, smitheryApiKeyEnv, smitheryProfileEnv, and openaiApiKey from the log statement.
  • If operational status must be logged (e.g., to check system health), make sure it is generic and does not depend on secret values.
  • Only log fixed text or non-sensitive values.
  • Adjust the code in app/api/mcp/route.ts, specifically lines 204–209, so that the log statement does not include any information derived from environment variables that are potentially sensitive.

No additional imports or packages are needed. Only edit the logging line(s).

Suggested changeset 1
app/api/mcp/route.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/app/api/mcp/route.ts b/app/api/mcp/route.ts
--- a/app/api/mcp/route.ts
+++ b/app/api/mcp/route.ts
@@ -201,12 +201,7 @@
   const openaiApiKey = process.env.OPENAI_API_KEY;
 
   // eslint-disable-next-line no-console
-  console.log("[mcp] POST /api/mcp", {
-    serverUrlEnv: Boolean(smitheryServerUrlEnv),
-    hasApiKey: Boolean(smitheryApiKeyEnv),
-    profile: smitheryProfileEnv || undefined,
-    hasOpenAIKey: Boolean(openaiApiKey),
-  });
+  console.log("[mcp] POST /api/mcp request received");
 
   // Parse body
   let body: unknown;
EOF
@@ -201,12 +201,7 @@
const openaiApiKey = process.env.OPENAI_API_KEY;

// eslint-disable-next-line no-console
console.log("[mcp] POST /api/mcp", {
serverUrlEnv: Boolean(smitheryServerUrlEnv),
hasApiKey: Boolean(smitheryApiKeyEnv),
profile: smitheryProfileEnv || undefined,
hasOpenAIKey: Boolean(openaiApiKey),
});
console.log("[mcp] POST /api/mcp request received");

// Parse body
let body: unknown;
Copilot is powered by AI and may make mistakes. Always verify output.
@fadeev fadeev mentioned this pull request Oct 2, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fadeev