Harden environment isolation and error handling #2
Open
pandysp wants to merge 2 commits into androidStern-personal:main from
- Stop spreading process.env into MCP subprocesses; the SDK's
StdioClientTransport already merges a safe base environment
(HOME, PATH, SHELL, etc.) before user-provided env vars.
**Breaking:** servers that relied on inherited env vars must now
declare them explicitly in their env config block.
- Warn when ${VAR} interpolation references an undefined env var
instead of silently substituting an empty string.
- Log transport errors, disconnects, and reconnect attempts so
failures are observable instead of swallowed silently.
- Expand reconnectable error set with ETIMEDOUT, ECONNRESET,
ENOTFOUND, and EHOSTUNREACH.
- Delete stale client map entry before reconnect and guard against
missing entry after reconnect to prevent TypeError on failed
reconnection.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This was referenced Feb 9, 2026
- Block HTTP transport URLs pointing to private/reserved addresses
(127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
169.254.0.0/16, localhost, .local, IPv6 loopback/ULA). Opt out
per-server with allowPrivateUrls: true.
- Validate tool arguments against inputSchema before forwarding to
MCP servers: warn on missing required fields and type mismatches.
Warn-only (does not block calls) to avoid breaking tools with loose
schemas.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
Security hardening PR addressing environment leakage, silent failures, and reconnection bugs:
- `process.env` to MCP subprocesses — the `StdioClientTransport` was receiving the gateway's entire environment (Claude setup tokens, Tailscale keys, etc.). The MCP SDK already merges a safe base env (`HOME`, `PATH`, `SHELL`, `USER`, `TERM`, `LOGNAME`) via `getDefaultEnvironment()` before user-provided `env`, so we just stop passing `process.env`.
- `${VAR}` interpolation — typos like `${MY_API_KYE}` now log a warning instead of silently sending empty auth headers.
- `onerror`, `onclose`, and `reconnect()` were silent; failures are now observable in logs.
- `ETIMEDOUT`, `ECONNRESET`, `ENOTFOUND`, `EHOSTUNREACH` to the set that triggers automatic reconnection.
- `undefined` after, preventing a `TypeError` crash on the non-null assertion.
Breaking change
MCP servers that silently relied on inherited environment variables (e.g., `NODE_OPTIONS`, `ANTHROPIC_API_KEY`, custom `LD_LIBRARY_PATH`) will need those vars added explicitly to their `env` config block. This is intentional — the gateway's full environment should never leak into subprocess sandboxes.
What's NOT in this PR
Filed separately as issues to keep this PR focused:
Test plan
- `npm install` succeeds
- `npx tsc --noEmit` — the pre-existing `index.ts:37` `.map` type error is unchanged)
- `getDefaultEnvironment()` merge
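An added example (not code from this PR, the gateway or the MCP SDK) of the environment handling the summary describes: the child environment is built from the listed safe base variables plus the declared `env` block only, and undefined `${VAR}` references are reported instead of silently becoming empty strings. The function names, the sample variables and the choice to resolve `${VAR}` against the parent environment are assumptions.

```javascript
// Added illustration; not the gateway's or the MCP SDK's own code.
// Base variables the PR description says getDefaultEnvironment() merges.
const SAFE_BASE = ["HOME", "PATH", "SHELL", "USER", "TERM", "LOGNAME"];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Expand ${VAR} against `source`; record undefined names rather than
// silently substituting an empty string.
function interpolate(value, source, missing) {
  return value.replace(/\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g, (_m, name) => {
    if (has(source, name)) return source[name];
    missing.add(name);
    return "";
  });
}

// Safe base first, then only what the server's env block declares.
// The parent environment is never spread into the result.
function buildChildEnv(declaredEnv, parentEnv) {
  const missing = new Set();
  const env = {};
  for (const name of SAFE_BASE) {
    if (has(parentEnv, name)) env[name] = parentEnv[name];
  }
  for (const [key, raw] of Object.entries(declaredEnv || {})) {
    env[key] = interpolate(String(raw), parentEnv, missing);
  }
  const warnings = [...missing].map(
    (name) => "env config references undefined variable " + name
  );
  return { env, warnings };
}

// Constructed sample data (hypothetical names and values).
const parentEnv = {
  HOME: "/home/gw",
  PATH: "/usr/bin",
  GATEWAY_SECRET: "constructed-secret", // must not reach the child
  MY_API_KEY: "constructed-key",
};
const serverEnv = {
  API_KEY: "${MY_API_KEY}",
  AUTH_HEADER: "Bearer ${MY_API_KYE}", // typo, as in the PR description
};

function demo() {
  return buildChildEnv(serverEnv, parentEnv);
}
console.log(demo());
```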