diff --git a/src/agents/mcp-sse.test.ts b/src/agents/mcp-sse.test.ts
index 10c79876a69..567ad04b785 100644
--- a/src/agents/mcp-sse.test.ts
+++ b/src/agents/mcp-sse.test.ts
@@ -122,4 +122,36 @@ describe("describeSseMcpServerLaunchConfig", () => {
 "https://mcp.example.com/sse",
 );
 });
+
+ it("redacts embedded credentials", () => {
+ const result = describeSseMcpServerLaunchConfig({
+ url: "https://user:pass@mcp.example.com/sse",
+ });
+ expect(result).toContain("***:***@");
+ expect(result).not.toContain("user");
+ expect(result).not.toContain("pass@");
+ });
+
+ it("redacts all sensitive query params", () => {
+ const sensitiveParams = [
+ "token",
+ "key",
+ "api_key",
+ "apikey",
+ "secret",
+ "access_token",
+ "password",
+ "pass",
+ "auth",
+ "client_secret",
+ "refresh_token",
+ ];
+ for (const param of sensitiveParams) {
+ const result = describeSseMcpServerLaunchConfig({
+ url: `https://mcp.example.com/sse?${param}=supersecret`,
+ });
+ expect(result).toContain(`${param}=***`);
+ expect(result).not.toContain("supersecret");
+ }
+ });
 });
diff --git a/src/agents/mcp-sse.ts b/src/agents/mcp-sse.ts
index ec8936dcffa..30fd4a73a91 100644
--- a/src/agents/mcp-sse.ts
+++ b/src/agents/mcp-sse.ts
@@ -93,7 +93,12 @@ export function describeSseMcpServerLaunchConfig(config: SseMcpServerLaunchConfi
 lower === "api_key" ||
 lower === "apikey" ||
 lower === "secret" ||
- lower === "access_token"
+ lower === "access_token" ||
+ lower === "password" ||
+ lower === "pass" ||
+ lower === "auth" ||
+ lower === "client_secret" ||
+ lower === "refresh_token"
 ) {
 parsed.searchParams.set(key, "***");
 }
diff --git a/src/agents/pi-bundle-mcp-tools.ts b/src/agents/pi-bundle-mcp-tools.ts
index bae9160fcbc..ef164da49bd 100644
--- a/src/agents/pi-bundle-mcp-tools.ts
+++ b/src/agents/pi-bundle-mcp-tools.ts
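Review bot: The "redacts all sensitive query params" test only feeds lower-case names, so the case folding the redaction depends on (`lower === ...` in the companion mcp-sse.ts hunk) is never exercised; a `Token=supersecret` or `API_KEY=supersecret` input would pin that behaviour. It also never asserts that a non-sensitive parameter survives unredacted, so an over-broad rule would pass this suite silently. Consider adding `const result = describeSseMcpServerLaunchConfig({ url: "https://mcp.example.com/sse?Token=supersecret&transport=sse" });` followed by `expect(result).toContain("Token=***");` and `expect(result).toContain("transport=sse");`. The enclosing describe block starts outside the hunk.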
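Review bot: The exact-match chain in the added `||` lines still lets near-identical names through — `authorization`, `api-key` (hyphenated), `id_token`, `sas_token`, `signature` — and the list must be kept in sync by hand with the copy in the test file. Because this value is only a human-readable description, over-redaction is the safe failure mode, so a substring test is the better rule: replace the whole chain with `if (["token", "secret", "key", "pass", "auth", "sig"].some((fragment) => lower.includes(fragment))) {`. If exact matching is intentional, at least hoist the names into one module-level `Set` (`SENSITIVE_QUERY_PARAMS.has(lower)`) that the test can import instead of duplicating. The `if (` and the first comparisons of this chain, like the rest of describeSseMcpServerLaunchConfig, lie outside the hunk.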
@@ -175,7 +175,7 @@ function resolveTransport(
 fetch: (url, init) =>
 fetch(url, {
 ...init,
- headers: { ...headers, ...(init?.headers as Record) },
+ headers: { ...(init?.headers as Record), ...headers },
 }),
 }
 : undefined,
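Review bot: Spreading `init?.headers` on the new line assumes a plain object, but the `HeadersInit` a caller may pass can also be a `Headers` instance or an array of `[name, value]` pairs; spreading either yields no string keys, so caller headers would be silently dropped (the `as Record` cast only hides the mismatch, and its type arguments appear to have been lost in rendering). A plain-object spread also merges by exact key, so a caller's `authorization` and a configured `Authorization` both survive as separate entries instead of the configured one winning as the reorder intends. Normalising through the `Headers` API handles both shapes and gives case-insensitive override; `resolveTransport` starts outside the hunk, and `headers` is assumed here to be a string record — guard with `headers ?? {}` if it can be undefined.
```typescript
fetch: (url, init) => {
  const merged = new Headers(init?.headers);
  for (const [name, value] of Object.entries(headers)) {
    merged.set(name, value);
  }
  return fetch(url, { ...init, headers: merged });
},
// … unchanged: closing of the transport object and the `: undefined,` fallback …
```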