fix: critical security and stability improvements#1

Merged
dusterbloom merged 4 commits into main from security-fixes
Aug 8, 2025
Conversation

@dusterbloom
Owner

Security Fixes

  • Replace hardcoded "slowcat-secret" token with MCPO_API_KEY env var
  • Remove "." from default file_tools allowed_dirs (no repo root access)
  • Fix truncation detection bug that could cause incorrect file read results

Stability Fixes

  • Replace global monkey-patching with dependency injection in config_minimal.py
  • Make HuggingFace offline mode conditional instead of forced
  • Add proper cleanup and context management for minimal config

Breaking Changes

  • MCPO_API_KEY environment variable now required for MCP tool discovery
  • File tools no longer access current directory by default
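As an added illustration (not the repository's own code) of the two defaults this PR changes: MCP discovery driven only by the MCPO_API_KEY environment variable, returning an empty config when it is absent, and a file_tools allowed_dirs default without ".". The function names, the Bearer header shape and the sample directories are assumptions.

```python
"""Constructed example: env-keyed MCP discovery and allowed_dirs containment.
Not the project's code; names and header format are assumed."""
import os
from pathlib import Path
from typing import Mapping, Optional

ENV_VAR = "MCPO_API_KEY"


def mcp_discovery_config(env: Optional[Mapping[str, str]] = None) -> dict:
    """Before the fix a hardcoded token was used as a fallback.
    After: the key comes only from the environment; if it is missing,
    return {} so no discovery request is ever sent with a guessable secret."""
    env = os.environ if env is None else env
    api_key = env.get(ENV_VAR)
    if not api_key:
        return {}
    # Header shape is an assumption for illustration.
    return {"headers": {"Authorization": f"Bearer {api_key}"}}


# Weak default from before the fix, kept only for contrast (constructed).
OLD_ALLOWED_DIRS = [".", "/tmp/slowcat-files"]
# Hardened default: explicit directories only, never the working directory.
NEW_ALLOWED_DIRS = ["/tmp/slowcat-files"]


def is_path_allowed(requested: str, allowed_dirs: list, cwd: str) -> bool:
    """True if `requested` resolves inside one of allowed_dirs.
    Relative entries such as "." resolve against cwd, which is exactly why
    "." granted the tools access to the whole repository root."""
    target = (Path(cwd) / requested).resolve()
    for d in allowed_dirs:
        base = (Path(cwd) / d).resolve()
        try:
            target.relative_to(base)  # raises ValueError if outside base
            return True
        except ValueError:
            continue
    return False
```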

dusterbloom and others added 4 commits August 8, 2025 11:41
## Security Fixes
- Replace hardcoded "slowcat-secret" token with MCPO_API_KEY env var
- Remove "." from default file_tools allowed_dirs (no repo root access)
- Fix truncation detection bug that could cause incorrect file read results

## Stability Fixes
- Replace global monkey-patching with dependency injection in config_minimal.py
- Make HuggingFace offline mode conditional instead of forced
- Add proper cleanup and context management for minimal config

## Breaking Changes
- MCPO_API_KEY environment variable now required for MCP tool discovery
- File tools no longer access current directory by default

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

This commit triggers security-tests.yml workflow to validate:
- Hardcoded secret elimination
- File access restrictions
- Component isolation
- Environment variable requirements

Expected: All tests PASS ✅

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

The security fix correctly returns {} when MCPO_API_KEY is missing.
Updated test to match the actual (correct) behavior.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
@dusterbloom dusterbloom merged commit 9c345bb into main Aug 8, 2025
1 check passed
@dusterbloom dusterbloom deleted the security-fixes branch August 8, 2025 10:03
dusterbloom added a commit that referenced this pull request Aug 9, 2025
fix: critical security and stability improvements