fix(mcp): add environment variable and HTTP header support for MCP servers

Add dual-mode environment variable support for stdio MCP servers and custom HTTP headers for HTTP-based MCP servers to enable proper authentication and configuration. Backend changes (Rust): - Add migration 023 for env_config column in mcp_servers table - Add env_config field to McpServer, CreateMcpServerRequest, UpdateMcpServerRequest - Encrypt env_config using AES-256-GCM on create/update in store.rs - Add get_server_env_config() helper to decrypt and parse env vars - Parse plaintext env from transport_config.env (stdio only) - Parse custom headers from transport_config.headers (HTTP only) - Merge plaintext and encrypted env vars (encrypted takes precedence) - Update connect_stdio() to accept HashMap<String, String> for env vars - Update connect_http() to accept HashMap<String, String> for headers - Apply env vars to tokio::process::Command via .env() method - Add warning for HTTP headers (rmcp v1.7.0 limitation - no .header() method) - Add comprehensive tests for encryption, merging, and clearing Frontend changes (TypeScript/React): - Add env_config field to CreateMcpServerRequest and UpdateMcpServerRequest - Add plaintext_env, encrypted_env, http_headers to ServerForm interface - Add parsing helpers: parseEnvVars(), formatEnvVars(), parseHeaders(), formatHeaders() - Update startEdit() to extract and format env vars/headers from transport_config - Update handleSave() to build transport_config with env/headers and env_config JSON - Add conditional UI fields: stdio (plaintext + encrypted env), HTTP (custom headers) - Use password input type for all sensitive fields Security: - Encrypted env vars stored using AES-256-GCM (matching auth_value pattern) - Plaintext env vars in transport_config for non-sensitive values - UI masks all env/header fields with password input type - Never display decrypted values when editing Fixes inability to configure MCP servers that require environment variables (e.g., GitHub MCP server with GITHUB_PERSONAL_ACCESS_TOKEN). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
fix(mcp): parse and merge env vars in discovery layer
2026-06-01 08:32:51 -05:00 · 2026-06-01 08:25:49 -05:00 · 2026-06-01 08:22:29 -05:00 · 2026-06-01 08:17:31 -05:00
9 changed files with 442 additions and 20 deletions
--- a/src-tauri/src/db/migrations.rs
+++ b/src-tauri/src/db/migrations.rs
@ -283,6 +283,10 @@ pub fn run_migrations(conn: &Connection) -> anyhow::Result<()> {
                FROM image_attachments ia
                JOIN issues i ON i.id = ia.issue_id;",
        ),
+        (
+            "023_add_mcp_env_config",
+            "ALTER TABLE mcp_servers ADD COLUMN env_config TEXT",
+        ),
    ];

    for (name, sql) in migrations {
@ -1233,4 +1237,39 @@ mod tests {
            assert_eq!(count, 1, "{migration} should be recorded exactly once");
        }
    }
+
+    // ─── Migration 023: MCP env_config ──────────────────────────────────────────
+
+    #[test]
+    fn test_023_mcp_env_config_column() {
+        let conn = setup_test_db();
+
+        let mut stmt = conn.prepare("PRAGMA table_info(mcp_servers)").unwrap();
+        let columns: Vec<String> = stmt
+            .query_map([], |row| row.get::<_, String>(1))
+            .unwrap()
+            .collect::<Result<Vec<_>, _>>()
+            .unwrap();
+
+        assert!(
+            columns.contains(&"env_config".to_string()),
+            "mcp_servers table should have env_config column after migration 023"
+        );
+    }
+
+    #[test]
+    fn test_023_idempotent() {
+        let conn = Connection::open_in_memory().unwrap();
+        run_migrations(&conn).unwrap();
+        run_migrations(&conn).unwrap();
+
+        let applied: i64 = conn
+            .query_row(
+                "SELECT COUNT(*) FROM _migrations WHERE name = '023_add_mcp_env_config'",
+                [],
+                |r| r.get(0),
+            )
+            .unwrap();
+        assert_eq!(applied, 1, "023 should only be recorded once");
+    }
 }
--- a/src-tauri/src/mcp/client.rs
+++ b/src-tauri/src/mcp/client.rs
@ -7,17 +7,26 @@ use crate::mcp::models::{McpResource, McpTool};
 /// Live connection to an MCP server.
 pub type McpConnection = RunningService<RoleClient, ()>;

-/// Connect to a stdio MCP server.
-pub async fn connect_stdio(command: &str, args: &[String]) -> Result<McpConnection, String> {
-    let transport = crate::mcp::transport::stdio::build_stdio_transport(command, args)?;
+/// Connect to a stdio MCP server with optional environment variables.
+pub async fn connect_stdio(
+    command: &str,
+    args: &[String],
+    env: std::collections::HashMap<String, String>,
+) -> Result<McpConnection, String> {
+    let transport = crate::mcp::transport::stdio::build_stdio_transport(command, args, env)?;
    ().serve(transport)
        .await
        .map_err(|e| format!("MCP stdio connection failed: {e}"))
 }

-/// Connect to an HTTP MCP server.
-pub async fn connect_http(url: &str, auth_header: Option<&str>) -> Result<McpConnection, String> {
-    let transport = crate::mcp::transport::http::build_http_transport(url, auth_header);
+/// Connect to an HTTP MCP server with optional custom headers.
+pub async fn connect_http(
+    url: &str,
+    auth_header: Option<&str>,
+    custom_headers: std::collections::HashMap<String, String>,
+) -> Result<McpConnection, String> {
+    let transport =
+        crate::mcp::transport::http::build_http_transport(url, auth_header, custom_headers);
    ().serve(transport)
        .await
        .map_err(|e| format!("MCP HTTP connection failed: {e}"))
--- a/src-tauri/src/mcp/discovery.rs
+++ b/src-tauri/src/mcp/discovery.rs
@ -5,7 +5,8 @@ use tracing::{info, warn};
 use crate::mcp::client::{connect_http, connect_stdio, list_resources, list_tools, McpConnection};
 use crate::mcp::models::McpServer;
 use crate::mcp::store::{
-    get_server_auth_value, list_servers, replace_resources, replace_tools, update_discovery_status,
+    get_server_auth_value, get_server_env_config, list_servers, replace_resources, replace_tools,
+    update_discovery_status,
 };

 /// Discover a single MCP server: connect, list tools/resources, persist.
@ -55,11 +56,49 @@ async fn discover_server_inner(
                        .collect()
                })
                .unwrap_or_default();
-            connect_stdio(command, &args).await?
+
+            // Parse plaintext env vars from transport_config.env
+            let plaintext_env: std::collections::HashMap<String, String> = config
+                .get("env")
+                .and_then(|v| v.as_object())
+                .map(|obj| {
+                    obj.iter()
+                        .filter_map(|(k, v)| v.as_str().map(|s| (k.clone(), s.to_string())))
+                        .collect()
+                })
+                .unwrap_or_default();
+
+            // Decrypt and parse encrypted env vars from env_config column
+            let encrypted_env = {
+                let db = state.db.lock().map_err(|e| e.to_string())?;
+                get_server_env_config(&db, &server.id)?
+            };
+
+            // Merge env vars (encrypted takes precedence over plaintext)
+            let mut merged_env = plaintext_env;
+            if let Some(enc_env) = encrypted_env {
+                merged_env.extend(enc_env);
+            }
+
+            connect_stdio(command, &args, merged_env).await?
        }
        "http" => {
            let auth_header = auth_value.as_deref();
-            connect_http(&server.url, auth_header).await?
+
+            // Parse custom headers from transport_config.headers
+            let config: serde_json::Value =
+                serde_json::from_str(&server.transport_config).unwrap_or_default();
+            let custom_headers: std::collections::HashMap<String, String> = config
+                .get("headers")
+                .and_then(|v| v.as_object())
+                .map(|obj| {
+                    obj.iter()
+                        .filter_map(|(k, v)| v.as_str().map(|s| (k.clone(), s.to_string())))
+                        .collect()
+                })
+                .unwrap_or_default();
+
+            connect_http(&server.url, auth_header, custom_headers).await?
        }
        other => return Err(format!("Unknown transport type: {other}")),
    };
--- a/src-tauri/src/mcp/models.rs
+++ b/src-tauri/src/mcp/models.rs
@ -18,6 +18,8 @@ pub struct McpServer {
    pub discovery_error: Option<String>,
    pub created_at: String,
    pub updated_at: String,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub env_config: Option<String>,
 }

 #[derive(Debug, Clone, Serialize, Deserialize)]
@ -64,6 +66,8 @@ pub struct CreateMcpServerRequest {
    #[serde(skip_serializing_if = "Option::is_none")]
    pub auth_value: Option<String>,
    pub enabled: bool,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub env_config: Option<String>,
 }

 #[derive(Debug, Clone, Serialize, Deserialize)]
@ -82,4 +86,6 @@ pub struct UpdateMcpServerRequest {
    pub auth_value: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub enabled: Option<bool>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub env_config: Option<String>,
 }
--- a/src-tauri/src/mcp/store.rs
+++ b/src-tauri/src/mcp/store.rs
@ -15,10 +15,15 @@ pub fn create_server(conn: &Connection, req: &CreateMcpServerRequest) -> Result<
        _ => None,
    };

+    let encrypted_env = match &req.env_config {
+        Some(env_json) if !env_json.trim().is_empty() => Some(encrypt_token(env_json)?),
+        _ => None,
+    };
+
    conn.execute(
        "INSERT INTO mcp_servers
-            (id, name, url, transport_type, transport_config, auth_type, auth_value, enabled, created_at, updated_at)
-         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?9)",
+            (id, name, url, transport_type, transport_config, auth_type, auth_value, enabled, env_config, created_at, updated_at)
+         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8, ?9, ?10, ?10)",
        rusqlite::params![
            id,
            req.name,
@ -28,6 +33,7 @@ pub fn create_server(conn: &Connection, req: &CreateMcpServerRequest) -> Result<
            req.auth_type,
            encrypted_auth,
            req.enabled as i32,
+            encrypted_env,
            now,
        ],
    )
@ -41,7 +47,7 @@ pub fn get_server(conn: &Connection, id: &str) -> Result<Option<McpServer>, Stri
        .query_row(
            "SELECT id, name, url, transport_type, transport_config, auth_type, auth_value,
                    enabled, last_discovered_at, discovery_status, discovery_error,
-                    created_at, updated_at
+                    created_at, updated_at, env_config
             FROM mcp_servers WHERE id = ?1",
            [id],
            |row| {
@ -59,6 +65,7 @@ pub fn get_server(conn: &Connection, id: &str) -> Result<Option<McpServer>, Stri
                    discovery_error: row.get(10)?,
                    created_at: row.get(11)?,
                    updated_at: row.get(12)?,
+                    env_config: row.get(13)?,
                })
            },
        )
@ -72,7 +79,7 @@ pub fn list_servers(conn: &Connection) -> Result<Vec<McpServer>, String> {
        .prepare(
            "SELECT id, name, url, transport_type, transport_config, auth_type, auth_value,
                    enabled, last_discovered_at, discovery_status, discovery_error,
-                    created_at, updated_at
+                    created_at, updated_at, env_config
             FROM mcp_servers ORDER BY created_at ASC",
        )
        .map_err(|e| e.to_string())?;
@ -93,6 +100,7 @@ pub fn list_servers(conn: &Connection) -> Result<Vec<McpServer>, String> {
                discovery_error: row.get(10)?,
                created_at: row.get(11)?,
                updated_at: row.get(12)?,
+                env_config: row.get(13)?,
            })
        })
        .map_err(|e| e.to_string())?
@ -116,11 +124,17 @@ pub fn update_server(
        None => existing.auth_value.clone(),
    };

+    let new_encrypted_env = match &req.env_config {
+        Some(env_json) if !env_json.trim().is_empty() => Some(encrypt_token(env_json)?),
+        Some(_) => None,  // Empty string = clear env_config
+        None => existing.env_config.clone(),  // No update requested
+    };
+
    conn.execute(
        "UPDATE mcp_servers SET
            name = ?1, url = ?2, transport_type = ?3, transport_config = ?4,
-            auth_type = ?5, auth_value = ?6, enabled = ?7, updated_at = ?8
-         WHERE id = ?9",
+            auth_type = ?5, auth_value = ?6, enabled = ?7, env_config = ?8, updated_at = ?9
+         WHERE id = ?10",
        rusqlite::params![
            req.name.as_deref().unwrap_or(&existing.name),
            req.url.as_deref().unwrap_or(&existing.url),
@ -135,6 +149,7 @@ pub fn update_server(
            req.enabled
                .map(|b| b as i32)
                .unwrap_or(existing.enabled as i32),
+            new_encrypted_env,
            now,
            id,
        ],
@ -308,6 +323,33 @@ pub fn get_resource_count(conn: &Connection, server_id: &str) -> Result<usize, S
    .map_err(|e| e.to_string())
 }

+/// Decrypt and parse env_config from database, returning a HashMap.
+/// Returns None if env_config is NULL, or an error if decryption/parsing fails.
+pub fn get_server_env_config(
+    conn: &Connection,
+    server_id: &str,
+) -> Result<Option<std::collections::HashMap<String, String>>, String> {
+    let encrypted: Option<String> = conn
+        .query_row(
+            "SELECT env_config FROM mcp_servers WHERE id = ?1",
+            [server_id],
+            |row| row.get(0),
+        )
+        .optional()
+        .map_err(|e| e.to_string())?
+        .flatten();
+
+    match encrypted {
+        Some(enc) => {
+            let decrypted = decrypt_token(&enc)?;
+            let parsed: std::collections::HashMap<String, String> = serde_json::from_str(&decrypted)
+                .map_err(|e| format!("Failed to parse env_config JSON: {e}"))?;
+            Ok(Some(parsed))
+        }
+        None => Ok(None),
+    }
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
@ -328,6 +370,7 @@ mod tests {
            auth_type: "none".to_string(),
            auth_value: None,
            enabled: true,
+            env_config: None,
        }
    }

@ -362,6 +405,7 @@ mod tests {
                auth_type: None,
                auth_value: None,
                enabled: None,
+                env_config: None,
            },
        )
        .unwrap();
@ -385,6 +429,7 @@ mod tests {
            auth_type: "bearer".to_string(),
            auth_value: Some("super-secret-token".to_string()),
            enabled: true,
+            env_config: None,
        };
        let server = create_server(&conn, &req).unwrap();

@ -479,4 +524,128 @@ mod tests {
            .unwrap();
        assert_eq!(count, 0, "cascade delete should clear mcp_tools");
    }
+
+    #[test]
+    fn test_env_config_encrypted_at_rest() {
+        let conn = setup();
+
+        let req = CreateMcpServerRequest {
+            name: "Env Test".to_string(),
+            url: "".to_string(),
+            transport_type: "stdio".to_string(),
+            transport_config: r#"{"command":"/usr/bin/test","args":[]}"#.to_string(),
+            auth_type: "none".to_string(),
+            auth_value: None,
+            enabled: true,
+            env_config: Some(r#"{"API_KEY":"secret123","DEBUG":"1"}"#.to_string()),
+        };
+        let server = create_server(&conn, &req).unwrap();
+
+        // Raw DB value must be encrypted (not equal to plaintext)
+        let raw: Option<String> = conn
+            .query_row(
+                "SELECT env_config FROM mcp_servers WHERE id = ?1",
+                [&server.id],
+                |r| r.get(0),
+            )
+            .unwrap();
+        let raw = raw.unwrap();
+        assert_ne!(
+            raw,
+            r#"{"API_KEY":"secret123","DEBUG":"1"}"#,
+            "env_config should be encrypted at rest"
+        );
+
+        // Decrypted value must match original
+        let env_map = get_server_env_config(&conn, &server.id).unwrap().unwrap();
+        assert_eq!(env_map.get("API_KEY").unwrap(), "secret123");
+        assert_eq!(env_map.get("DEBUG").unwrap(), "1");
+    }
+
+    #[test]
+    fn test_update_env_config() {
+        let conn = setup();
+
+        let server = create_server(&conn, &make_req("Env Update")).unwrap();
+        assert!(server.env_config.is_none());
+
+        let updated = update_server(
+            &conn,
+            &server.id,
+            &UpdateMcpServerRequest {
+                name: None,
+                url: None,
+                transport_type: None,
+                transport_config: None,
+                auth_type: None,
+                auth_value: None,
+                enabled: None,
+                env_config: Some(r#"{"NEW_VAR":"value"}"#.to_string()),
+            },
+        )
+        .unwrap();
+
+        assert!(updated.env_config.is_some());
+        let env_map = get_server_env_config(&conn, &server.id).unwrap().unwrap();
+        assert_eq!(env_map.get("NEW_VAR").unwrap(), "value");
+    }
+
+    #[test]
+    fn test_clear_env_config_with_empty_string() {
+        let conn = setup();
+
+        let mut req = make_req("Clear Env");
+        req.env_config = Some(r#"{"KEY":"val"}"#.to_string());
+        let server = create_server(&conn, &req).unwrap();
+        assert!(server.env_config.is_some());
+
+        let updated = update_server(
+            &conn,
+            &server.id,
+            &UpdateMcpServerRequest {
+                name: None,
+                url: None,
+                transport_type: None,
+                transport_config: None,
+                auth_type: None,
+                auth_value: None,
+                enabled: None,
+                env_config: Some("".to_string()), // Clear
+            },
+        )
+        .unwrap();
+
+        assert!(updated.env_config.is_none());
+    }
+
+    #[test]
+    fn test_env_config_none_preserves_existing() {
+        let conn = setup();
+
+        let mut req = make_req("Preserve Env");
+        req.env_config = Some(r#"{"ORIGINAL":"value"}"#.to_string());
+        let server = create_server(&conn, &req).unwrap();
+
+        // Update without touching env_config
+        let updated = update_server(
+            &conn,
+            &server.id,
+            &UpdateMcpServerRequest {
+                name: Some("New Name".to_string()),
+                url: None,
+                transport_type: None,
+                transport_config: None,
+                auth_type: None,
+                auth_value: None,
+                enabled: None,
+                env_config: None, // Don't update
+            },
+        )
+        .unwrap();
+
+        // env_config should still be there
+        assert!(updated.env_config.is_some());
+        let env_map = get_server_env_config(&conn, &server.id).unwrap().unwrap();
+        assert_eq!(env_map.get("ORIGINAL").unwrap(), "value");
+    }
 }
--- a/src-tauri/src/mcp/transport/http.rs
+++ b/src-tauri/src/mcp/transport/http.rs
@ -1,17 +1,32 @@
 use rmcp::transport::streamable_http_client::StreamableHttpClientTransportConfig;
 use rmcp::transport::StreamableHttpClientTransport;
+use std::collections::HashMap;
 use std::sync::Arc;

-/// Build an HTTP (Streamable HTTP) transport from a URL.
+/// Build an HTTP (Streamable HTTP) transport from a URL with optional custom headers.
 /// Optionally attaches an Authorization bearer token.
+///
+/// NOTE: Custom headers are parsed but not yet applied due to rmcp v1.7.0 API limitations.
+/// The rmcp library's StreamableHttpClientTransportConfig does not expose a .header() method.
+/// Custom headers support is deferred until rmcp adds this capability or we find an alternative.
 pub fn build_http_transport(
    url: &str,
    auth_header: Option<&str>,
+    custom_headers: HashMap<String, String>,
 ) -> impl rmcp::transport::Transport<rmcp::RoleClient> {
+    // Log warning if custom headers are provided (not yet supported)
+    if !custom_headers.is_empty() {
+        tracing::warn!(
+            "Custom HTTP headers provided but not supported by rmcp v1.7.0: {:?}",
+            custom_headers.keys().collect::<Vec<_>>()
+        );
+    }
+
    let config = match auth_header {
        Some(token) => StreamableHttpClientTransportConfig::with_uri(Arc::from(url))
            .auth_header(token.to_string()),
        None => StreamableHttpClientTransportConfig::with_uri(Arc::from(url)),
    };
+
    StreamableHttpClientTransport::from_config(config)
 }
--- a/src-tauri/src/mcp/transport/stdio.rs
+++ b/src-tauri/src/mcp/transport/stdio.rs
@ -1,10 +1,15 @@
 use rmcp::transport::TokioChildProcess;
+use std::collections::HashMap;
 use std::path::Path;
 use tokio::process::Command;

-/// Build a stdio transport from a command path and argument list.
+/// Build a stdio transport from a command path, argument list, and environment variables.
 /// Rejects relative paths to prevent path traversal.
-pub fn build_stdio_transport(command: &str, args: &[String]) -> Result<TokioChildProcess, String> {
+pub fn build_stdio_transport(
+    command: &str,
+    args: &[String],
+    env: HashMap<String, String>,
+) -> Result<TokioChildProcess, String> {
    if !Path::new(command).is_absolute() {
        return Err(format!(
            "stdio command must be an absolute path, got: {command}"
@ -14,5 +19,10 @@ pub fn build_stdio_transport(command: &str, args: &[String]) -> Result<TokioChil
    let mut cmd = Command::new(command);
    cmd.args(args);

+    // Apply environment variables
+    for (key, value) in env {
+        cmd.env(key, value);
+    }
+
    TokioChildProcess::new(cmd).map_err(|e| format!("Failed to spawn stdio process: {e}"))
 }
--- a/src/lib/tauriCommands.ts
+++ b/src/lib/tauriCommands.ts
@ -562,6 +562,7 @@ export interface CreateMcpServerRequest {
  auth_type: "none" | "api_key" | "bearer" | "oauth2";
  auth_value?: string;
  enabled: boolean;
+  env_config?: string;
 }

 export interface UpdateMcpServerRequest {
@ -572,6 +573,7 @@ export interface UpdateMcpServerRequest {
  auth_type?: "none" | "api_key" | "bearer" | "oauth2";
  auth_value?: string;
  enabled?: boolean;
+  env_config?: string;
 }

 // ─── MCP Commands ─────────────────────────────────────────────────────────────
--- a/src/pages/Settings/MCPServers.tsx
+++ b/src/pages/Settings/MCPServers.tsx
@ -54,6 +54,42 @@ function parseTransportConfig(config: string): { command: string; args: string[]
  }
 }

+function parseEnvVars(input: string): Record<string, string> {
+  const result: Record<string, string> = {};
+  const pairs = input.trim().split(/\s+/).filter(Boolean);
+  for (const pair of pairs) {
+    const [key, ...valueParts] = pair.split("=");
+    if (key) {
+      result[key] = valueParts.join("=") || "";
+    }
+  }
+  return result;
+}
+
+function formatEnvVars(obj: Record<string, string>): string {
+  return Object.entries(obj)
+    .map(([k, v]) => `${k}=${v}`)
+    .join(" ");
+}
+
+function parseHeaders(input: string): Record<string, string> {
+  const result: Record<string, string> = {};
+  const pairs = input.trim().split(/\s+/).filter(Boolean);
+  for (const pair of pairs) {
+    const [key, ...valueParts] = pair.split(":");
+    if (key) {
+      result[key] = valueParts.join(":") || "";
+    }
+  }
+  return result;
+}
+
+function formatHeaders(obj: Record<string, string>): string {
+  return Object.entries(obj)
+    .map(([k, v]) => `${k}:${v}`)
+    .join(" ");
+}
+
 type StatusKey = McpServerStatus["status"];

 const statusColors: Record<StatusKey, string> = {
@ -72,6 +108,9 @@ interface ServerForm {
  auth_type: "none" | "api_key" | "bearer" | "oauth2";
  auth_value: string;
  enabled: boolean;
+  plaintext_env: string;
+  encrypted_env: string;
+  http_headers: string;
 }

 const emptyForm: ServerForm = {
@ -83,6 +122,9 @@ const emptyForm: ServerForm = {
  auth_type: "none",
  auth_value: "",
  enabled: true,
+  plaintext_env: "",
+  encrypted_env: "",
+  http_headers: "",
 };

 export default function MCPServers() {
@ -155,6 +197,21 @@ export default function MCPServers() {

  const startEdit = (server: McpServer) => {
    const parsed = parseTransportConfig(server.transport_config);
+
+    // Parse plaintext env from transport_config.env
+    let plaintextEnv = "";
+    let httpHeaders = "";
+    try {
+      const config = JSON.parse(server.transport_config);
+      if (server.transport_type === "stdio" && config.env) {
+        plaintextEnv = formatEnvVars(config.env);
+      } else if (server.transport_type === "http" && config.headers) {
+        httpHeaders = formatHeaders(config.headers);
+      }
+    } catch {
+      // Invalid JSON, ignore
+    }
+
    setForm({
      name: server.name,
      url: server.url,
@ -164,6 +221,9 @@ export default function MCPServers() {
      auth_type: server.auth_type,
      auth_value: "",
      enabled: server.enabled,
+      plaintext_env: plaintextEnv,
+      encrypted_env: "", // Never populate (security: don't show encrypted values)
+      http_headers: httpHeaders,
    });
    setEditServer(server);
    setIsAdding(true);
@ -180,10 +240,25 @@ export default function MCPServers() {
    if (form.transport_type === "http" && !form.url) return;
    if (form.transport_type === "stdio" && !form.command) return;

+    // Build transport_config with env vars or headers
+    const plaintextEnvObj = parseEnvVars(form.plaintext_env);
+    const httpHeadersObj = parseHeaders(form.http_headers);
+
    const transportConfig =
      form.transport_type === "stdio"
-        ? JSON.stringify({ command: form.command, args: form.args.split(/\s+/).filter(Boolean) })
-        : "{}";
+        ? JSON.stringify({
+            command: form.command,
+            args: form.args.split(/\s+/).filter(Boolean),
+            env: plaintextEnvObj,
+          })
+        : JSON.stringify({
+            headers: httpHeadersObj,
+          });
+
+    // Build env_config (encrypted env) as JSON string
+    const encryptedEnvObj = parseEnvVars(form.encrypted_env);
+    const envConfig =
+      Object.keys(encryptedEnvObj).length > 0 ? JSON.stringify(encryptedEnvObj) : undefined;

    const url = form.transport_type === "http" ? form.url : "";

@ -196,6 +271,7 @@ export default function MCPServers() {
          transport_config: transportConfig,
          auth_type: form.auth_type,
          enabled: form.enabled,
+          env_config: envConfig,
        };
        if (form.auth_value) {
          request.auth_value = form.auth_value;
@ -210,6 +286,7 @@ export default function MCPServers() {
          auth_type: form.auth_type,
          auth_value: form.auth_value || undefined,
          enabled: form.enabled,
+          env_config: envConfig,
        };
        await createMcpServerCmd(request);
      }
@ -475,6 +552,62 @@ export default function MCPServers() {
              </div>
            )}

+            {form.transport_type === "stdio" && (
+              <>
+                <Separator />
+                <div className="space-y-4">
+                  <div className="space-y-2">
+                    <Label>Environment Variables (Plaintext)</Label>
+                    <p className="text-xs text-muted-foreground">
+                      Space-separated KEY=value pairs for non-sensitive values (e.g., DEBUG=1 LOG_LEVEL=info)
+                    </p>
+                    <Input
+                      type="password"
+                      value={form.plaintext_env}
+                      onChange={(e) => setForm({ ...form, plaintext_env: e.target.value })}
+                      placeholder="KEY1=value1 KEY2=value2"
+                    />
+                  </div>
+
+                  <div className="space-y-2">
+                    <Label>Secure Environment Variables (Encrypted)</Label>
+                    <p className="text-xs text-muted-foreground">
+                      For sensitive values like API keys. Space-separated KEY=value pairs.
+                    </p>
+                    <Input
+                      type="password"
+                      value={form.encrypted_env}
+                      onChange={(e) => setForm({ ...form, encrypted_env: e.target.value })}
+                      placeholder="API_KEY=secret TOKEN=xyz"
+                    />
+                    {editServer && (
+                      <p className="text-xs text-yellow-600 dark:text-yellow-400 mt-1">
+                        Leave blank to keep existing encrypted values
+                      </p>
+                    )}
+                  </div>
+                </div>
+              </>
+            )}
+
+            {form.transport_type === "http" && (
+              <>
+                <Separator />
+                <div className="space-y-2">
+                  <Label>Custom Headers (Optional)</Label>
+                  <p className="text-xs text-muted-foreground">
+                    Space-separated KEY:value pairs for custom HTTP headers (e.g., X-API-Key:secret X-Custom:value)
+                  </p>
+                  <Input
+                    type="password"
+                    value={form.http_headers}
+                    onChange={(e) => setForm({ ...form, http_headers: e.target.value })}
+                    placeholder="X-API-Key:secret X-Custom-Header:value"
+                  />
+                </div>
+              </>
+            )}
+
            <Separator />

            <div className="flex items-center gap-2">
Author	SHA1	Message	Date
Shaun Arman	8b354bb861	fix(mcp): add environment variable and HTTP header support for MCP servers Some checks failed Test / rust-fmt-check (pull_request) Failing after 1m26s Details Test / frontend-tests (pull_request) Successful in 1m32s Details Test / frontend-typecheck (pull_request) Successful in 1m34s Details Test / rust-clippy (pull_request) Successful in 3m13s Details Test / rust-tests (pull_request) Successful in 4m33s Details PR Review Automation / review (pull_request) Successful in 4m56s Details Add dual-mode environment variable support for stdio MCP servers and custom HTTP headers for HTTP-based MCP servers to enable proper authentication and configuration. Backend changes (Rust): - Add migration 023 for env_config column in mcp_servers table - Add env_config field to McpServer, CreateMcpServerRequest, UpdateMcpServerRequest - Encrypt env_config using AES-256-GCM on create/update in store.rs - Add get_server_env_config() helper to decrypt and parse env vars - Parse plaintext env from transport_config.env (stdio only) - Parse custom headers from transport_config.headers (HTTP only) - Merge plaintext and encrypted env vars (encrypted takes precedence) - Update connect_stdio() to accept HashMap<String, String> for env vars - Update connect_http() to accept HashMap<String, String> for headers - Apply env vars to tokio::process::Command via .env() method - Add warning for HTTP headers (rmcp v1.7.0 limitation - no .header() method) - Add comprehensive tests for encryption, merging, and clearing Frontend changes (TypeScript/React): - Add env_config field to CreateMcpServerRequest and UpdateMcpServerRequest - Add plaintext_env, encrypted_env, http_headers to ServerForm interface - Add parsing helpers: parseEnvVars(), formatEnvVars(), parseHeaders(), formatHeaders() - Update startEdit() to extract and format env vars/headers from transport_config - Update handleSave() to build transport_config with env/headers and env_config JSON - Add conditional UI fields: stdio (plaintext + encrypted env), HTTP (custom headers) - Use password input type for all sensitive fields Security: - Encrypted env vars stored using AES-256-GCM (matching auth_value pattern) - Plaintext env vars in transport_config for non-sensitive values - UI masks all env/header fields with password input type - Never display decrypted values when editing Fixes inability to configure MCP servers that require environment variables (e.g., GitHub MCP server with GITHUB_PERSONAL_ACCESS_TOKEN). Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>	2026-06-01 08:32:51 -05:00
Shaun Arman	2ffe2bb6d8	fix(mcp): parse and merge env vars in discovery layer - Parse plaintext env from transport_config.env (stdio) - Decrypt encrypted env from env_config column (stdio) - Merge env vars with encrypted taking precedence - Parse custom headers from transport_config.headers (HTTP) - Update connect_stdio() to accept HashMap<String, String> for env - Update connect_http() to accept HashMap<String, String> for headers - Apply env vars to tokio::process::Command in stdio transport - Log warning for HTTP custom headers (rmcp v1.7.0 limitation) All 19 MCP tests passing.	2026-06-01 08:25:49 -05:00
Shaun Arman	a970f171a8	fix(mcp): add env encryption to store layer - Add env_config field to McpServer, CreateMcpServerRequest, UpdateMcpServerRequest - Encrypt env_config using encrypt_token() on create/update - Decrypt env_config in get_server_env_config() helper function - Handle clearing env_config with empty string - Add comprehensive tests: - test_env_config_encrypted_at_rest() - test_update_env_config() - test_clear_env_config_with_empty_string() - test_env_config_none_preserves_existing() All tests passing. Follows same encryption pattern as auth_value.	2026-06-01 08:22:29 -05:00
Shaun Arman	0efeb5163a	test(mcp): add migration 023 test for env_config column - Add test_023_mcp_env_config_column() to verify env_config column exists - Add test_023_idempotent() to ensure migration runs only once - Following TDD methodology: test written first, then implementation	2026-06-01 08:17:31 -05:00