fix(secrets): clear MCP2CLI_DAEMON when resolving ${secret:} refs in-daemon#62
Merged
Conversation
…daemon
The secret-ref resolver spawns `mcp2cli vaultwarden-secrets get_credential` to
resolve `${secret:...}` references. It inherited the parent env via ...process.env
and only set MCP2CLI_NO_DAEMON. When the resolver runs INSIDE the daemon, the
daemon's own MCP2CLI_DAEMON=1 is inherited, so the spawned child BOOTS A SECOND
DAEMON instead of running the CLI command -- and every ${secret:...} ref in a
stdio service's env fails with "Vaultwarden lookup failed".
This bit gitingest on CT216 (GITHUB_TOKEN secret-ref unresolvable) while
standalone lookups worked. Fix: explicitly clear MCP2CLI_DAEMON in the spawn env.
Verified live on the box (clearing MCP2CLI_DAEMON resolves; leaving it boots a
daemon) and with a mutation-tested regression test. Full suite 1072 pass / 0 fail.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bug
The secret-ref resolver (
src/secrets/refs.ts) spawnsmcp2cli vaultwarden-secrets get_credentialto resolve${secret:...}refs, inheriting...process.envand only settingMCP2CLI_NO_DAEMON. When it runs inside the daemon, the daemon's ownMCP2CLI_DAEMON=1is inherited, so the spawned child boots a SECOND daemon instead of resolving — every${secret:...}ref in a stdio service's env fails with "Vaultwarden lookup failed".Surfaced deploying gitingest to CT216: its
GITHUB_TOKENsecret-ref couldn't resolve, though standalonemcp2cli vaultwarden-secretsworked fine.Fix
Explicitly clear
MCP2CLI_DAEMONin the spawn env (one line).Verification
MCP2CLI_DAEMONset → child prints "daemon starting"; cleared → resolves.🤖 Generated with Claude Code