mcp: redact stdio server spec debug

2026-06-20 16:54:48 +09:00 · 2026-06-20 16:54:48 +09:00 · f396e1a253
commit f396e1a253
parent a114fa9d0a
2 changed files with 47 additions and 1 deletions
--- a/crates/mcp/src/stdio.rs
+++ b/crates/mcp/src/stdio.rs
@ -52,7 +52,7 @@ impl Default for McpStdioLimits {
 }

 /// A resolved, explicit local stdio MCP server process specification.
-#[derive(Debug, Clone)]
+#[derive(Clone)]
 pub struct McpStdioServerSpec {
    pub name: String,
    pub command: String,
@ -107,6 +107,24 @@ impl McpStdioServerSpec {
    }
 }

+impl fmt::Debug for McpStdioServerSpec {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        let env: BTreeMap<&str, &str> = self
+            .env
+            .keys()
+            .map(|name| (name.as_str(), "[redacted]"))
+            .collect();
+        f.debug_struct("McpStdioServerSpec")
+            .field("name", &self.name)
+            .field("command", &self.command)
+            .field("args", &self.args)
+            .field("cwd", &self.cwd)
+            .field("env", &env)
+            .field("redaction_count", &self.redactions.len())
+            .finish()
+    }
+}
+
 /// Resolve one explicitly named stdio server from typed MCP config.
 pub fn resolve_named_stdio_server(
    config: &McpConfig,
--- a/crates/mcp/tests/stdio_lifecycle.rs
+++ b/crates/mcp/tests/stdio_lifecycle.rs
@ -19,6 +19,34 @@ fn tight_limits() -> McpStdioLimits {
    }
 }

+#[test]
+fn stdio_server_spec_debug_redacts_resolved_env_values() {
+    let spec = McpStdioServerSpec::new("debug-mock", "/bin/mock-mcp")
+        .arg("--stdio")
+        .cwd("/tmp/mock-mcp")
+        .env("LITERAL_VALUE", "literal-plaintext")
+        .env("INHERITED_VALUE", "inherited-plaintext")
+        .env("ENV_REF_VALUE", "env-ref-plaintext")
+        .env("SECRET_REF_VALUE", "secret-ref-plaintext");
+
+    let debug = format!("{spec:?}");
+
+    assert!(debug.contains("debug-mock"));
+    assert!(debug.contains("/bin/mock-mcp"));
+    assert!(debug.contains("--stdio"));
+    assert!(debug.contains("/tmp/mock-mcp"));
+    assert!(debug.contains("LITERAL_VALUE"));
+    assert!(debug.contains("INHERITED_VALUE"));
+    assert!(debug.contains("ENV_REF_VALUE"));
+    assert!(debug.contains("SECRET_REF_VALUE"));
+    assert!(debug.contains("[redacted]"));
+
+    assert!(!debug.contains("literal-plaintext"));
+    assert!(!debug.contains("inherited-plaintext"));
+    assert!(!debug.contains("env-ref-plaintext"));
+    assert!(!debug.contains("secret-ref-plaintext"));
+}
+
 #[tokio::test]
 async fn initializes_mock_stdio_server() {
    let mut client = McpStdioClient::connect(mock_server("success"), tight_limits())