From f7c122515ffca87e6e319bbdf578baca8a5c2cdc Mon Sep 17 00:00:00 2001
From: SysAdmin Agent
Date: Sat, 21 Mar 2026 22:05:21 +0000
Subject: [PATCH] Fix MCP config: replace hardcoded token with env-var wrapper script
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

MCP_AUTH_TOKEN was stored in plain text in .mcp.json and thus in git history. Now connect.sh reads the token from the environment variable MCP_AUTH_TOKEN — set via export in ~/.bashrc or a secrets manager. ⚠️ Old token is in git history and should be rotated on the server. Rotate: python manage.py create_agent_token
Co-Authored-By: Claude Sonnet 4.6
---
 .mcp.json | 6 ++----
 app/mcp_server/connect.sh | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 4 deletions(-)
 create mode 100644 app/mcp_server/connect.sh

diff --git a/.mcp.json b/.mcp.json
index 0b14d1f..c5b3833 100644
--- a/.mcp.json
+++ b/.mcp.json
@@ -1,11 +1,9 @@
 {
 "mcpServers": {
 "stiftung": {
- "command": "ssh",
+ "command": "bash",
 "args": [
- "-o", "StrictHostKeyChecking=no",
- "deployment@217.154.84.225",
- "cd /opt/stiftung && docker compose run --rm -T -e MCP_AUTH_TOKEN=a66d2bf53b83489693a59af6ff0e3dd2a09885b98aced40f6bbb7423a173e173 -e DJANGO_ALLOW_ASYNC_UNSAFE=true mcp"
+ "/home/remmer/stiftung/app/mcp_server/connect.sh"
 ]
 }
 }
diff --git a/app/mcp_server/connect.sh b/app/mcp_server/connect.sh
new file mode 100644
index 0000000..4714c2f
--- /dev/null
+++ b/app/mcp_server/connect.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# MCP-Verbindungsskript zum Remote-Server
+# Token wird aus der Umgebungsvariable MCP_AUTH_TOKEN gelesen – nie hardcoden.
+# Einrichten: export MCP_AUTH_TOKEN= in ~/.bashrc oder per Secrets-Manager.
+
+set -euo pipefail
+
+: "${MCP_AUTH_TOKEN:?MCP_AUTH_TOKEN nicht gesetzt. Bitte in ~/.bashrc oder ~/.profile exportieren.}"
+
+exec ssh \
+ -o StrictHostKeyChecking=no \
+ deployment@217.154.84.225 \
+ "cd /opt/stiftung && docker compose run --rm -T \
+ -e MCP_AUTH_TOKEN=${MCP_AUTH_TOKEN} \
+ -e DJANGO_ALLOW_ASYNC_UNSAFE=true \
+ mcp"
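Review bot: `-o StrictHostKeyChecking=no` is carried over unchanged into the new connect.sh, so ssh accepts any host key for 217.154.84.225 and the token is handed to whichever machine answers on that address. Pin the server's key in known_hosts and use `-o StrictHostKeyChecking=yes \` instead. The token is also expanded locally into the remote command string (`-e MCP_AUTH_TOKEN=${MCP_AUTH_TOKEN}`), so it appears in the ssh argument list locally and in the remote command line, and the remote shell will interpret any metacharacters in the value. Escaping it, e.g. `-e MCP_AUTH_TOKEN=$(printf '%q' "$MCP_AUTH_TOKEN") \` (assuming the remote login shell is bash), closes the injection path. Keeping the token in a server-side env file read by compose would avoid the argv exposure entirely, if the deployment allows it.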