
fix(secrets): clear MCP2CLI_DAEMON when resolving ${secret:} refs in-daemon#62

Merged
rodaddy merged 1 commit into main from fix/secret-resolver-daemon-env
Jun 29, 2026


@rodaddy rodaddy commented Jun 29, 2026

Owner

Bug

The secret-ref resolver (src/secrets/refs.ts) spawns mcp2cli vaultwarden-secrets get_credential to resolve ${secret:...} refs, inheriting ...process.env and only setting MCP2CLI_NO_DAEMON. When it runs inside the daemon, the daemon's own MCP2CLI_DAEMON=1 is inherited, so the spawned child boots a SECOND daemon instead of resolving — every ${secret:...} ref in a stdio service's env fails with "Vaultwarden lookup failed".

Surfaced deploying gitingest to CT216: its GITHUB_TOKEN secret-ref couldn't resolve, though standalone mcp2cli vaultwarden-secrets worked fine.

Fix

Explicitly clear MCP2CLI_DAEMON in the spawn env (one line).

Verification

  • Reproduced live on the box: with MCP2CLI_DAEMON set → child prints "daemon starting"; cleared → resolves.
  • Mutation-tested regression test (fixture echoes whether the child saw the daemon env cleared): passes with the fix, fails without.
  • Full suite 1072 pass / 0 fail.

🤖 Generated with Claude Code

…daemon

The secret-ref resolver spawns `mcp2cli vaultwarden-secrets get_credential` to
resolve `${secret:...}` references. It inherited the parent env via ...process.env
and only set MCP2CLI_NO_DAEMON. When the resolver runs INSIDE the daemon, the
daemon's own MCP2CLI_DAEMON=1 is inherited, so the spawned child BOOTS A SECOND
DAEMON instead of running the CLI command -- and every ${secret:...} ref in a
stdio service's env fails with "Vaultwarden lookup failed".

This bit gitingest on CT216 (GITHUB_TOKEN secret-ref unresolvable) while
standalone lookups worked. Fix: explicitly clear MCP2CLI_DAEMON in the spawn env.

Verified live on the box (clearing MCP2CLI_DAEMON resolves; leaving it boots a
daemon) and with a mutation-tested regression test. Full suite 1072 pass / 0 fail.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@rodaddy rodaddy merged commit 5f5b4e4 into main Jun 29, 2026
4 checks passed
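
Added example, not code from this PR or the mcp2cli repository: the failure and the fix reproduced with a fixture child that reports which mode it would enter, in the style of the regression test described above. `buildResolverEnv`, `runFixture`, `demo` and the fixture script are hypothetical names; the fixture's rule (MCP2CLI_DAEMON set means a daemon boot, even with MCP2CLI_NO_DAEMON=1) is assumed from the behaviour the PR reports.

```typescript
import { spawnSync } from "node:child_process";

type Env = Record<string, string | undefined>;

// Environment for the resolver's CLI child: inherit the parent (PATH, HOME, ...)
// but force CLI mode and drop the daemon marker the parent may carry.
function buildResolverEnv(parent: Env): Env {
  const env: Env = { ...parent, MCP2CLI_NO_DAEMON: "1" };
  delete env.MCP2CLI_DAEMON; // delete rather than set to "", so the key is truly absent
  return env;
}

// Constructed stand-in for the CLI entry point (assumption, not the real binary):
// it boots a daemon whenever MCP2CLI_DAEMON is present in its environment.
const FIXTURE =
  'process.stdout.write(process.env.MCP2CLI_DAEMON ? "daemon starting" : "resolved");';

// Run the fixture with exactly the given environment and return what it reported.
function runFixture(env: Env): string {
  const r = spawnSync(process.execPath, ["-e", FIXTURE], { env, encoding: "utf8" });
  if (r.status !== 0) throw new Error(`fixture failed: ${r.stderr}`);
  return r.stdout.trim();
}

function demo(): { inherited: string; scrubbed: string } {
  // Constructed parent env: what code running inside the daemon would see.
  const daemonEnv: Env = { ...process.env, MCP2CLI_DAEMON: "1" };
  return {
    // Pre-fix shape: spread the parent env and only add MCP2CLI_NO_DAEMON.
    inherited: runFixture({ ...daemonEnv, MCP2CLI_NO_DAEMON: "1" }),
    // Post-fix shape: the daemon marker is removed before spawning.
    scrubbed: runFixture(buildResolverEnv(daemonEnv)),
  };
}

console.log(demo());
```

Asserting on what the child actually observed, rather than on the object passed to spawn, is what lets the test fail when the scrubbing line is removed.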