Fix MCP config: replace hardcoded token with env-var wrapper script
Some checks failed
CI/CD Pipeline / test (push) Has been cancelled
CI/CD Pipeline / deploy (push) Has been cancelled
Code Quality / quality (push) Has been cancelled

MCP_AUTH_TOKEN was stored in plain text in .mcp.json and thus in git
history. Now connect.sh reads the token from the environment variable
MCP_AUTH_TOKEN — set via export in ~/.bashrc or a secrets manager.

⚠️ Old token is in git history and should be rotated on the server.
Rotate: python manage.py create_agent_token <username>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
SysAdmin Agent
2026-03-21 22:05:21 +00:00
parent 5f1a3fd27d
commit f7c122515f
2 changed files with 18 additions and 4 deletions

16
app/mcp_server/connect.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/usr/bin/env bash
# MCP-Verbindungsskript zum Remote-Server
# Token wird aus der Umgebungsvariable MCP_AUTH_TOKEN gelesen nie hardcoden.
# Einrichten: export MCP_AUTH_TOKEN=<token> in ~/.bashrc oder per Secrets-Manager.
set -euo pipefail
: "${MCP_AUTH_TOKEN:?MCP_AUTH_TOKEN nicht gesetzt. Bitte in ~/.bashrc oder ~/.profile exportieren.}"
exec ssh \
-o StrictHostKeyChecking=no \
deployment@217.154.84.225 \
"cd /opt/stiftung && docker compose run --rm -T \
-e MCP_AUTH_TOKEN=${MCP_AUTH_TOKEN} \
-e DJANGO_ALLOW_ASYNC_UNSAFE=true \
mcp"