fix(mcp): user headers override SDK defaults & expand redaction list

Address Greptile P1/P2 review feedback: - Fix header spread order so user-configured auth headers take precedence over SDK-internal headers in SSE eventSourceInit.fetch - Add password, pass, auth, client_secret, refresh_token to the sensitive query-param redaction set in describeSseMcpServerLaunchConfig - Add tests for redaction of all sensitive params and embedded credentials Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-01 04:11:03 +00:00 · 2026-03-21 16:35:47 +05:30
parent 32b7c00f90
commit 62d0e12155
3 changed files with 39 additions and 2 deletions
--- a/src/agents/mcp-sse.test.ts
+++ b/src/agents/mcp-sse.test.ts
@@ -122,4 +122,36 @@ describe("describeSseMcpServerLaunchConfig", () => {
      "https://mcp.example.com/sse",
    );
  });
+
+  it("redacts embedded credentials", () => {
+    const result = describeSseMcpServerLaunchConfig({
+      url: "https://user:pass@mcp.example.com/sse",
+    });
+    expect(result).toContain("***:***@");
+    expect(result).not.toContain("user");
+    expect(result).not.toContain("pass@");
+  });
+
+  it("redacts all sensitive query params", () => {
+    const sensitiveParams = [
+      "token",
+      "key",
+      "api_key",
+      "apikey",
+      "secret",
+      "access_token",
+      "password",
+      "pass",
+      "auth",
+      "client_secret",
+      "refresh_token",
+    ];
+    for (const param of sensitiveParams) {
+      const result = describeSseMcpServerLaunchConfig({
+        url: `https://mcp.example.com/sse?${param}=supersecret`,
+      });
+      expect(result).toContain(`${param}=***`);
+      expect(result).not.toContain("supersecret");
+    }
+  });
 });
--- a/src/agents/mcp-sse.ts
+++ b/src/agents/mcp-sse.ts
@@ -93,7 +93,12 @@ export function describeSseMcpServerLaunchConfig(config: SseMcpServerLaunchConfi
        lower === "api_key" ||
        lower === "apikey" ||
        lower === "secret" ||
-        lower === "access_token"
+        lower === "access_token" ||
+        lower === "password" ||
+        lower === "pass" ||
+        lower === "auth" ||
+        lower === "client_secret" ||
+        lower === "refresh_token"
      ) {
        parsed.searchParams.set(key, "***");
      }
--- a/src/agents/pi-bundle-mcp-tools.ts
+++ b/src/agents/pi-bundle-mcp-tools.ts
@@ -175,7 +175,7 @@ function resolveTransport(
            fetch: (url, init) =>
              fetch(url, {
                ...init,
-                headers: { ...headers, ...(init?.headers as Record<string, string>) },
+                headers: { ...(init?.headers as Record<string, string>), ...headers },
              }),
          }
        : undefined,