AOI-2: MCP env-merge at instance scope #731

New issue

Closed

opened 2026-05-02 11:01:46 +00:00 by claude-desktop · 1 comment

claude-desktop commented 2026-05-02 11:01:46 +00:00

Collaborator

Copy link

As an operator running multiple instances of an agent type that need different MCP credentials (e.g. per-instance Penpot tokens or per-instance secrets paths), I want instance-scope mcp_server rows to merge their env map into the inherited row, so that I can tweak per-instance secrets without redefining command / args / transport / url — while forge MCP auth stays bound to type identity by construction.

Acceptance criteria

Resolver

• resolveMcpServers (apps/server/src/domain/agent-config/resolver.ts) detects when an instance-scope row's name matches an inherited row from agent_type / global / builtin and produces a merged record:
  • env: instance keys override parent keys per-key; absent keys inherit
  • command / args / transport / url: inherited from parent; instance row's values for these MUST be null OR identical to parent (validation rejects divergence)
• Net-new instance-scope MCP (no inherited row by name) keeps current full-row behavior.
• AOI-1's enabled=false invariant still holds at instance scope.

Forge MCP identity guardrail (option C)

• Forge MCP (name = "forge", formerly "forgejo") is special-cased: the resolver synthesizes its auth env from the agent's type-level identity (ResolvedAgent.token_file / forgejo_user) at render time, ignoring any env override at any scope for the auth keys (FORGEJO_ACCESS_TOKEN, FORGE_TOKEN_FILE, or whichever keys the binary reads).
• List of locked env keys lives next to mcp-builtin-defs.json (e.g. mcp-builtin-locks.json mapping MCP name → array of locked env keys). Builtin layer is the source of truth; operator cannot edit at runtime.
• Validation rejects writes to mcp_server.env (any scope ≥ global) that touch a locked key, with: "<env_key> on <mcp_name> is bound to type identity; remove from override".
• Resolver merge skips locked keys from instance/agent_type/global env maps even if they slipped past validation; locked keys come exclusively from the type identity at render time.
• Pattern is generic: when forge-mcp ships multi-forge (FM-3 — github, gitlab MCP names), they get the same lock treatment automatically by appearing in mcp-builtin-locks.json.

Validation

• Instance-scope MCP row whose name matches an inherited row AND whose command, args, transport, or url differs from inherited → reject with: "instance scope can only override env on inherited MCP; differing <field> rejected".
• Instance-scope MCP row with no inherited match → treated as additive net-new MCP, full record required (transport + command at minimum, validated by existing schema).
• Any-scope MCP row that includes a locked env key (per mcp-builtin-locks.json) → rejected per forge-identity guardrail above.

Render path

• agent-env-sync.renderForInstance (apps/server/src/infrastructure/agent-env-sync/render-for-instance.ts) writes the merged env into the materialized .mcp.json (or the MCP config file the agent reads).
• For locked-key MCPs (forge, future github/gitlab), the render path injects auth env from ResolvedAgent.token_file / forgejo_user. Locked keys never come from the resolver's merged env.
• No double-write: instance row's env is not written separately; the resolver's merged output (minus locked keys) is the single source for non-locked env.

Tests

• Resolver: instance row with partial env (e.g. {LOG_LEVEL: "debug"}) merges with parent env (e.g. {LOG_LEVEL: "info", X: "y"}) → result {LOG_LEVEL: "debug", X: "y"}.
• Resolver: instance row attempting to override command rejected at validation.
• Render: materialized config on disk reflects merged env after renderForInstance(agent).
• Forge identity guardrail: instance-scope row for forge with env.FORGEJO_ACCESS_TOKEN set → validation rejects.
• Forge identity guardrail: even if a locked env key sneaks into the DB (e.g. via direct SQL), renderForInstance writes the type-derived value, not the row's value.
• Forge identity guardrail: setting non-locked env keys on forge (e.g. LOG_LEVEL) still works as expected.

Out of scope

• Env merge at agent_type or global scope (those still replace today). Revisit if a use case appears; out of this story.
• Plugin-level config overrides (plugins don't carry env today).
• Per-instance Forgejo identity / token rotation across the rest of the stack — git commit author, ForgePort host-side calls, PR creator. Those stay type-level until session key moves off type.
• Multi-forge MCP rename / FM-3 work — separate milestone; this story only ensures the lock mechanism is generic enough for FM-3 to drop in github / gitlab names without code changes.

References

• apps/server/src/infrastructure/agent-env-sync/render-for-instance.ts
• apps/server/src/domain/agent-config/resolver.ts resolveMcpServers
• config/mcp-builtin.json / config/mcp-builtin-defs.json (sibling: new mcp-builtin-locks.json)
• Discussion 2026-05-02 — option (c) chosen: forge auth bound to type identity by construction, no operator footgun.
• Depends on AOI-1 invariant (no enabled=false at instance scope).

As an operator running multiple instances of an agent type that need different MCP credentials (e.g. per-instance Penpot tokens or per-instance secrets paths), I want instance-scope `mcp_server` rows to merge their `env` map into the inherited row, so that I can tweak per-instance secrets without redefining `command` / `args` / `transport` / `url` — while forge MCP auth stays bound to type identity by construction. ## Acceptance criteria ### Resolver - [ ] `resolveMcpServers` (`apps/server/src/domain/agent-config/resolver.ts`) detects when an instance-scope row's `name` matches an inherited row from `agent_type` / `global` / `builtin` and produces a merged record: - `env`: instance keys override parent keys per-key; absent keys inherit - `command` / `args` / `transport` / `url`: inherited from parent; instance row's values for these MUST be null OR identical to parent (validation rejects divergence) - [ ] Net-new instance-scope MCP (no inherited row by `name`) keeps current full-row behavior. - [ ] AOI-1's `enabled=false` invariant still holds at instance scope. ### Forge MCP identity guardrail (option C) - [ ] Forge MCP (`name = "forge"`, formerly `"forgejo"`) is special-cased: the resolver synthesizes its auth env from the agent's type-level identity (`ResolvedAgent.token_file` / `forgejo_user`) at render time, **ignoring any `env` override at any scope** for the auth keys (`FORGEJO_ACCESS_TOKEN`, `FORGE_TOKEN_FILE`, or whichever keys the binary reads). - [ ] List of locked env keys lives next to `mcp-builtin-defs.json` (e.g. `mcp-builtin-locks.json` mapping MCP name → array of locked env keys). Builtin layer is the source of truth; operator cannot edit at runtime. - [ ] Validation rejects writes to `mcp_server.env` (any scope ≥ global) that touch a locked key, with: `"<env_key> on <mcp_name> is bound to type identity; remove from override"`. - [ ] Resolver merge skips locked keys from instance/agent_type/global env maps even if they slipped past validation; locked keys come exclusively from the type identity at render time. - [ ] Pattern is generic: when forge-mcp ships multi-forge (FM-3 — `github`, `gitlab` MCP names), they get the same lock treatment automatically by appearing in `mcp-builtin-locks.json`. ### Validation - [ ] Instance-scope MCP row whose `name` matches an inherited row AND whose `command`, `args`, `transport`, or `url` differs from inherited → reject with: `"instance scope can only override env on inherited MCP; differing <field> rejected"`. - [ ] Instance-scope MCP row with no inherited match → treated as additive net-new MCP, full record required (transport + command at minimum, validated by existing schema). - [ ] Any-scope MCP row that includes a locked env key (per `mcp-builtin-locks.json`) → rejected per forge-identity guardrail above. ### Render path - [ ] `agent-env-sync.renderForInstance` (`apps/server/src/infrastructure/agent-env-sync/render-for-instance.ts`) writes the merged env into the materialized `.mcp.json` (or the MCP config file the agent reads). - [ ] For locked-key MCPs (forge, future github/gitlab), the render path injects auth env from `ResolvedAgent.token_file` / `forgejo_user`. Locked keys never come from the resolver's merged env. - [ ] No double-write: instance row's `env` is not written separately; the resolver's merged output (minus locked keys) is the single source for non-locked env. ### Tests - [ ] Resolver: instance row with partial env (e.g. `{LOG_LEVEL: "debug"}`) merges with parent env (e.g. `{LOG_LEVEL: "info", X: "y"}`) → result `{LOG_LEVEL: "debug", X: "y"}`. - [ ] Resolver: instance row attempting to override `command` rejected at validation. - [ ] Render: materialized config on disk reflects merged env after `renderForInstance(agent)`. - [ ] Forge identity guardrail: instance-scope row for `forge` with `env.FORGEJO_ACCESS_TOKEN` set → validation rejects. - [ ] Forge identity guardrail: even if a locked env key sneaks into the DB (e.g. via direct SQL), `renderForInstance` writes the type-derived value, not the row's value. - [ ] Forge identity guardrail: setting non-locked env keys on `forge` (e.g. `LOG_LEVEL`) still works as expected. ## Out of scope - Env merge at `agent_type` or `global` scope (those still replace today). Revisit if a use case appears; out of this story. - Plugin-level config overrides (plugins don't carry env today). - Per-instance Forgejo identity / token rotation across the rest of the stack — git commit author, ForgePort host-side calls, PR creator. Those stay type-level until session key moves off type. - Multi-forge MCP rename / FM-3 work — separate milestone; this story only ensures the lock mechanism is generic enough for FM-3 to drop in `github` / `gitlab` names without code changes. ## References - `apps/server/src/infrastructure/agent-env-sync/render-for-instance.ts` - `apps/server/src/domain/agent-config/resolver.ts` `resolveMcpServers` - `config/mcp-builtin.json` / `config/mcp-builtin-defs.json` (sibling: new `mcp-builtin-locks.json`) - Discussion 2026-05-02 — option (c) chosen: forge auth bound to type identity by construction, no operator footgun. - Depends on AOI-1 invariant (no `enabled=false` at instance scope).

claude-desktop added this to the add-only-inheritance milestone 2026-05-02 11:01:46 +00:00

claude-desktop added the

area:agents

type:user-story

labels 2026-05-02 11:01:46 +00:00

code-lead was assigned by claude-desktop 2026-05-02 11:12:48 +00:00

code-lead was unassigned by claude-desktop 2026-05-02 11:39:27 +00:00

code-lead was assigned by claude-desktop 2026-05-02 11:39:37 +00:00

claude-desktop referenced this issue 2026-05-02 11:45:43 +00:00

bug: agent-type rename migration (#670) misses secret table + token file paths #741

code-lead was unassigned by claude-desktop 2026-05-02 11:48:08 +00:00

code-lead was assigned by claude-desktop 2026-05-02 11:48:11 +00:00

code-lead commented 2026-05-02 18:11:36 +00:00

Collaborator

Copy link

🦵 @charles kicked the queue — re-running implement on @code-lead.

🦵 @charles kicked the queue — re-running implement on @code-lead.

code-lead referenced this issue from a commit 2026-05-02 18:26:12 +00:00

feat(agent-config): AOI-2 MCP env-merge + forge-identity guardrail

code-lead referenced this issue from a pull request that will close it, 2026-05-02 18:26:36 +00:00

feat(agent-config): AOI-2 MCP env-merge + forge-identity guardrail #763

charles closed this issue 2026-05-02 18:51:34 +00:00

charles referenced this issue from a commit 2026-05-02 18:51:35 +00:00

feat(agent-config): AOI-2 MCP env-merge + forge-identity guardrail (#763)

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

chore/sync-pre-push-from-forge-base

fix/flows-yaml-dispatch-identity

feat/board-tap-to-assign

dev/1107

code-lead/1106

code-lead/1108

dev/1104

code-lead/1103

code-lead/1080

dev/1087

feat/flows-yaml-ci-events

chore/board-drop-stalled-and-density-controls

fix/flows-yaml-routes-always-register

flows-yaml/api-defaults

dev/1023

fix/event-log-history-bleed

fix/janitor-fix-ci-logs-and-cap

dev/1022

fix/board-card-provider

code-lead/1036

dev/1025

code-lead/1020

dev/1017

code-lead/1026

feat/web-shortcut-registry-1018

dev/1015

code-lead/1009

code-lead/1008

dev/975

dev/969

dev/973

dev/967

code-lead/968

code-lead/953

dev/970

dev/976

code-lead/966

code-lead/956

code-lead/951

dev/962

dev/963

dev/977

dev/955

dev/983

dev/961

dev/974

code-lead/950

code-lead/939

dev/941

dev/940

dev/937

dev/938

dev/936

dev/935

feat/web-i18n-fr-locale

feat/spec-editor-ui-polish

chore/drop-legacy-compat

fix/skills-drop-preview-pane

fix/882-skills-safety-rail

dev/911

dev/909

dev/923

dev/917

dev/915

feat/879-sr11-m2-drop-legacy-skill

code-lead/873

dev/881

code-lead/869

dev/867

code-lead/845

code-lead/843

code-lead/844

dev/837

dev/861

dev/849

code-lead/837

code-lead/842

fix/dedup-rebase-inflight

dev/838

code-lead/847

dev/833

code-lead/848

pr/838

code-lead/841

feat/settings-save-bar/836

code-lead/840

dev/846

code-lead/839

dev/832

fix/board-sse-stale-cache

dev/834

dev/835

feat/settings-breadcrumbs

feat/forge-oauth-credentials

refactor/service-config-consolidation

feat/agent-tokens-to-secrets

feat/gitlab-oauth-to-db

feat/authelia-rip-and-voice-fixes

fix/rebase-storm-and-dead-letter

code-lead/797

code-lead/796

dev/811

code-lead/798

dev/810

code-lead/795

dev/808

code-lead/794

dev/805

dev/802

dev/803

feat/avatar-menu-settings-entry

feat/per-agent-token-tracking

dev/793

dev/747

dev/752

code-lead/790

code-lead/759

dev/756

dev/760

dev/741

dev/767

dev/740

dev/709

dev/644

dev/637

boss/614

dev/600

dev/611

dev/585

fix/login-bonus-fixes

boss/544

dev/542

refactor/api-prefix-and-session-gate

dev/489

boss/531

boss/518

dev/499

boss/516

dev/530

dev/517

dev/519

dev/515

dev/522

dev/503

dev/471

boss/329

dev/417

dev/418

dev/402

boss/327

dev/334

dev/332

boss/326

boss/325

dev/331

boss/324

boss/323

boss/322

dev/294

test/s11-task-analytics

dev/262

boss/270

dev/268

foreman/ui-consolidation-spec

dev/234

boss/196

boss/176

boss/164

fix/124-session-persist-bind

boss/52

dev/87

boss/73

dev/77

dev/81

dev/82

boss/79

dev/42

dev/35

boss/7

No results found.

Labels

Clear labels   

area:agents

Agent types, pool scheduling, per-instance config

  

area:dashboard

Dashboard UI and observability surfaces

  

area:database

DB layer — schema, migrations, ORM, raw SQL

  

area:design

UI/UX mockup work — routes to designer agent

  

area:design-review

Design review dispatch — routes to design-reviewer agent

  

area:flows

Flow runner — YAML loader, executor, op registry, expression eval

  

area:infra

Deployment, isolation, containers, systemd units

  

area:meta

Tracking, scaffolding, project setup

  

area:security

Security — routes to reviewer-security (opus)

  

area:sessions

Session-id store, Claude SDK resume logic

  

area:webhook

Forgejo webhook routing and handlers

  

area:workdir

Clone cache, worktrees, git identity

  

security

Security-sensitive issue

  

type:bug

Bug

  

type:chore

Chore

  

type:meta

Tracking or decisions, not implementation work

  

type:user-story

User story

No labels

area:agents

area:dashboard

area:database

area:design

area:design-review

area:flows

area:infra

area:meta

area:security

area:sessions

area:webhook

area:workdir

security

type:bug

type:chore

type:meta

type:user-story

Milestone

Clear milestone

No items

No milestone

add-only-inheritance

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

code-lead

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

charles/claude-hooks#731

No description provided.