Log tool-call environment variable names instead of values#277
Merged
Conversation
Debug logging in mcp_client_params printed the full tool-call environment, which includes resolved credentials such as GH_TOKEN. Log only the variable names so secrets are never written to logs, while keeping the names for debuggability. The environment passed to the MCP server is unchanged. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens MCP toolbox debug logging by ensuring tool-call environment variables are logged safely (names only), preventing accidental secret leakage when environment values are resolved from {{ env('...') }} templates.
Changes:
- Add
_env_names()helper to log only environment variable keys (never values) inmcp_client_params. - Update debug log statements for stdio and streamable toolbox initialization/environment logging to use
_env_names(). - Add a regression test asserting secret values do not appear in debug logs while env names still do and resolved env is still passed through.
Show a summary per file
| File | Description |
|---|---|
src/seclab_taskflow_agent/mcp_utils.py |
Replace env-value debug logging with env-name logging via _env_names() to avoid leaking credentials. |
tests/test_mcp_utils.py |
Add test coverage to ensure secrets are not emitted in debug logs while functionality remains unchanged. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 2/2 changed files
- Comments generated: 1
- Review effort level: Low
p-
previously approved these changes
Jul 10, 2026
Check `env is None` so an empty dict yields `[]` rather than the dict, honoring the list[str] | None return contract. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
p-
approved these changes
Jul 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Debug logging in
mcp_client_paramsprinted the full tool-call environment dict, including values resolved from{{ env('...') }}. That environment routinely carries credentials such asGH_TOKEN, so at DEBUG level the secret values were written to the logs.Reported at
seclab-taskflow-agent/src/seclab_taskflow_agent/mcp_utils.py
Lines 220 to 221 in 8de19ce
Fix
Log only the environment variable names, never the values. A small
_env_nameshelper returns the sorted keys, applied at all three env log sites (stdio pre-swap, stdio post-swap, and streamable). The names are kept so debug output still shows which variables are configured.This is log-only: the environment passed through to the MCP server is unchanged.
Scope
Env values only, as discussed. Command
argslogging is left as-is.Validation
test_mcp_client_params_logs_env_names_not_secret_valuesasserts a resolved secret value never appears in the logs, the variable names still do, and the real env is still handed to the server. Verified it fails without the fix.