Skip to content

fix: warnings and errors for unresolved MCP secrets #8656

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

fix: warnings and errors for unresolved MCP secrets #8656

wants to merge 3 commits into from
+37 −17

Conversation

@RomneyDa
Copy link
Collaborator

@RomneyDa RomneyDa commented Nov 10, 2025
edited by cubic-dev-ai bot
Loading

  • For CLI, add warnings for unresolved secrets, or throw error if in headless
  • For extensions, make warnings more explanatory/up-to-date and move to mcp connection class

Summary by cubic

Detect unresolved MCP secrets and surface clear warnings in extensions; in headless CLI, throw an error to prevent misconfigured runs. Secret checks are now done at connection time for more accurate feedback.

  • Bug Fixes

    • Warn when MCP server config has unresolved secrets and list their names.
    • In headless CLI, treat unresolved secrets as errors and mark MCP status as error.
    • Add guidance links for personal/org secrets and “Include in Env”.

  • Refactors

    • Move secret validation from YAML load to MCPConnection and CLI service.
    • Use getTemplateVariables and decodeSecretLocation to extract secret names from server config.

Written for commit 86ed8e9. Summary will update automatically on new commits.

@RomneyDa RomneyDa requested a review from a team as a code owner November 10, 2025 03:56
@RomneyDa RomneyDa requested review from sestinj and removed request for a team November 10, 2025 03:56
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Nov 10, 2025
@github-actions
Copy link

github-actions bot commented Nov 10, 2025
edited
Loading

✅ Review Complete

Code Review Summary

⚠️ Continue configuration error. Please verify that the assistant exists in Continue Hub.

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Nov 10, 2025
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

2 issues found across 3 files

Prompt for AI agents (all 2 issues) 

Understand the root cause of the following 2 issues and fix them.


<file name="core/context/mcp/MCPConnection.ts">

<violation number="1" location="core/context/mcp/MCPConnection.ts:172">
decodeSecretLocation expects a colon-delimited secret location (e.g. &quot;user:slug/secret&quot;), but this passes plain secret keys like &quot;OPENAI_API_KEY&quot;. When unresolved secrets are present, decodeSecretLocation throws and connectClient crashes instead of collecting the warning.</violation>
</file>

<file name="extensions/cli/src/services/MCPService.ts">

<violation number="1" location="extensions/cli/src/services/MCPService.ts:257">
decodeSecretLocation is being invoked on every template variable, so any non-secret placeholder (e.g. ${{ inputs.* }}) makes rest undefined inside decodeSecretLocation and causes connectServer to throw before establishing the connection.</violation>
</file>

React with 👍 or 👎 to teach cubic. Mention @cubic-dev-ai to give feedback, ask questions, or re-run the review.

core/context/mcp/MCPConnection.ts

const vars = getTemplateVariables(JSON.stringify(this.options));
const unrendered = vars.map((v) => {
return decodeSecretLocation(v.replace("secrets.", "")).secretName;
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Nov 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

decodeSecretLocation expects a colon-delimited secret location (e.g. "user:slug/secret"), but this passes plain secret keys like "OPENAI_API_KEY". When unresolved secrets are present, decodeSecretLocation throws and connectClient crashes instead of collecting the warning.

Prompt for AI agents 
Address the following comment on core/context/mcp/MCPConnection.ts at line 172:

<comment>decodeSecretLocation expects a colon-delimited secret location (e.g. &quot;user:slug/secret&quot;), but this passes plain secret keys like &quot;OPENAI_API_KEY&quot;. When unresolved secrets are present, decodeSecretLocation throws and connectClient crashes instead of collecting the warning.</comment>

<file context>
@@ -163,6 +167,19 @@ class MCPConnection {
 
+    const vars = getTemplateVariables(JSON.stringify(this.options));
+    const unrendered = vars.map((v) =&gt; {
+      return decodeSecretLocation(v.replace(&quot;secrets.&quot;, &quot;&quot;)).secretName;
+    });
+
</file context>
Suggested change
return decodeSecretLocation(v.replace("secrets.", "")).secretName;
return v.replace("secrets.", "");
Fix with Cubic

extensions/cli/src/services/MCPService.ts

const vars = getTemplateVariables(JSON.stringify(serverConfig));
const unrendered = vars.map((v) => {
return decodeSecretLocation(v.replace("secrets.", "")).secretName;
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot Nov 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

decodeSecretLocation is being invoked on every template variable, so any non-secret placeholder (e.g. ${{ inputs.* }}) makes rest undefined inside decodeSecretLocation and causes connectServer to throw before establishing the connection.

Prompt for AI agents 
Address the following comment on extensions/cli/src/services/MCPService.ts at line 257:

<comment>decodeSecretLocation is being invoked on every template variable, so any non-secret placeholder (e.g. ${{ inputs.* }}) makes rest undefined inside decodeSecretLocation and causes connectServer to throw before establishing the connection.</comment>

<file context>
@@ -248,7 +252,23 @@ export class MCPService
 
+    const vars = getTemplateVariables(JSON.stringify(serverConfig));
+    const unrendered = vars.map((v) =&gt; {
+      return decodeSecretLocation(v.replace(&quot;secrets.&quot;, &quot;&quot;)).secretName;
+    });
+
</file context>
Fix with Cubic

RomneyDa
RomneyDa commented Nov 11, 2025
View reviewed changes
core/config/yaml/loadYaml.ts
sourceFile: doc.sourceFile,
}));

config.mcpServers?.forEach((mcpServer) => {
Copy link
Collaborator Author

@RomneyDa RomneyDa Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed this since it only applied to args. Moved to mcp loading

extensions/cli/src/services/MCPService.ts

try {
if (unrendered.length > 0) {
const message = `${serverConfig.name} MCP Server has unresolved secrets: ${unrendered.join(", ")}
Copy link
Collaborator Author

@RomneyDa RomneyDa Nov 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems duplicate but the message is different enough for CLI since process.env is supported that I decided to leave them separate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@sestinj sestinj Awaiting requested review from sestinj sestinj is a code owner automatically assigned from continuedev/continue-code-reviewers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

size:M This PR changes 30-99 lines, ignoring generated files.

Projects

Issues and PRs
Status: Todo

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RomneyDa