fix(mcp): filter credentials per-server in _embed_credentials#43

Merged: windsornguyen merged 4 commits into next from fix/mcp-credential-filtering, Feb 28, 2026
@aryanma (Collaborator) commented Feb 5, 2026

_embed_credentials() was attaching all encrypted credentials to every server spec. Each server now receives only its own credentials, matched by connection name (slug.replace("/", "-")). API-side workaround removed in dedalus-labs/dedalus#9.

cursor bot commented Feb 5, 2026

PR Summary

Medium Risk
Changes request payload shaping for encrypted MCP credentials; if connection-name derivation or server naming differs, servers may receive None creds and fail auth. Covered by new sync+async unit tests but impacts client/server integration.

Overview
Fixes MCP request preparation so _embed_credentials no longer attaches all encrypted credentials to every server; it now embeds only the credential matching that server’s connection name.

Adds wire.slug_to_connection_name() (slash-to-dash) plus request-side filtering logic and updates payloads so servers without a matching credential get credentials: None. Includes new tests validating both prepare_mcp_request and prepare_mcp_request_sync embed per-server credentials and remove the top-level credentials field.

Written by Cursor Bugbot for commit 375e62e. This will update automatically on new commits. Configure here.
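
A sketch of the behaviour change discussed in this PR, added here as an illustration and not taken from the dedalus_labs code base. Only the slash-to-dash mapping and the `is not None` check come from the page; the payload shape (`name`/`credentials` keys), the sample slugs and the `embed_all`, `embed_per_server`, `overexposed` and `colliding_slugs` helpers are assumptions.

```python
# Added illustration; names other than slug_to_connection_name are hypothetical.

def slug_to_connection_name(slug):
    """Slash-to-dash mapping described in the PR ("org/server" -> "org-server")."""
    return slug.replace("/", "-")


def embed_all(servers, creds):
    """Pre-fix behaviour: every server spec carries every encrypted credential."""
    return [{"name": s, "credentials": dict(creds)} for s in servers]


def embed_per_server(servers, creds):
    """Post-fix behaviour: each spec carries only its own connection's credential."""
    specs = []
    for s in servers:
        conn = slug_to_connection_name(s)
        blob = creds.get(conn)
        # "is not None" keeps a falsy-but-present value instead of dropping it.
        specs.append({"name": s,
                      "credentials": {conn: blob} if blob is not None else None})
    return specs


def overexposed(specs):
    """Audit helper: credentials each server received that are not its own."""
    report = {}
    for spec in specs:
        own = slug_to_connection_name(spec["name"])
        extra = sorted(k for k in (spec["credentials"] or {}) if k != own)
        if extra:
            report[spec["name"]] = extra
    return report


def colliding_slugs(servers):
    """Distinct slugs that map to one connection name and would share a credential."""
    by_conn = {}
    for s in servers:
        by_conn.setdefault(slug_to_connection_name(s), set()).add(s)
    return {c: sorted(v) for c, v in by_conn.items() if len(v) > 1}


# Constructed sample data: slugs and ciphertext placeholders are made up.
SERVERS = ["acme/github", "acme/slack", "acme/public-docs"]
CREDS = {"acme-github": "enc:AAAA", "acme-slack": "enc:BBBB"}

if __name__ == "__main__":
    print(overexposed(embed_all(SERVERS, CREDS)))         # every server over-receives
    print(overexposed(embed_per_server(SERVERS, CREDS)))  # nothing over-shared
```
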

@windsornguyen force-pushed the fix/mcp-credential-filtering branch from 1cb797e to aff8b1c on February 28, 2026 18:56

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

  • ✅ Fixed: Truthiness check silently drops falsy credential values
    • Changed the credential presence check to blob is not None so falsy-but-present values are preserved instead of treated as missing.

Create PR

Or push these changes by commenting:

@cursor push f55259a6a3
Preview (f55259a6a3)
diff --git a/src/dedalus_labs/lib/mcp/request.py b/src/dedalus_labs/lib/mcp/request.py
--- a/src/dedalus_labs/lib/mcp/request.py
+++ b/src/dedalus_labs/lib/mcp/request.py
@@ -172,7 +172,7 @@
     """Return the subset of *all_creds* that belongs to *name*, or None."""
     conn = slug_to_connection_name(name)
     blob = all_creds.get(conn)
-    return {conn: blob} if blob else None
+    return {conn: blob} if blob is not None else None
 
 
 def _embed_credentials(
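
Review bot: The docstring above the changed `return` line still says only "or None", so it does not record that a present-but-empty blob (`""`, `{}`) now counts as a credential and is embedded as `{conn: blob}`. State in the docstring which values mean "no credential", and add a test that pins the falsy-but-present case; if an empty value can never be a valid encrypted credential, rejecting it explicitly here is safer than forwarding it to the server. Separately, `all_creds.get(conn)` relies on `slug_to_connection_name(name)` being unique per server, so two slugs that map to the same connection name would both receive the same blob; that deserves a check or at least a comment.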

@windsornguyen windsornguyen changed the base branch from main to next February 28, 2026 21:13
Merge latest next into fix/mcp-credential-filtering and resolve request.py/wire.py conflicts while preserving per-server credential embedding behavior.
@windsornguyen windsornguyen merged commit baa0239 into next Feb 28, 2026
6 of 7 checks passed
@stainless-app stainless-app bot mentioned this pull request Feb 28, 2026