Skip to content

Harden MCP agent integration and tests#17

Merged
danieljustus merged 12 commits intodanieljustus:mainfrom
rzyns:main
May 10, 2026
Merged

Harden MCP agent integration and tests#17
danieljustus merged 12 commits intodanieljustus:mainfrom
rzyns:main

Conversation

@pazureczek
Copy link
Copy Markdown
Contributor

@pazureczek pazureczek commented May 9, 2026

Summary

This PR hardens OpenPass' MCP/agent integration and test reliability:

  • Redacts resolved secret values from MCP run_command / execute_with_secret tool output, including stdout/stderr/error paths.
  • Isolates MCP command and HTTP-server tests to reduce shared global/listener flakiness.
  • Makes SSH push error tests hermetic and classifies SSH known-hosts/config failures more clearly.
  • Pins the Go toolchain through the project config / CI paths used here.
  • Adds Hermes/OpenClaw safe-adoption guidance and related docs/dependency metadata updates.
  • Hardens tests against ambient OPENPASS_MCP_TOKEN so local make test remains deterministic in developer/agent shells.

Verification

Run locally on WSL with Go 1.26.3:

go version go1.26.3 linux/amd64

Fresh pre-PR checks:

git diff --check upstream/main...HEAD
# passed

go vet ./...
# passed

go test ./cmd ./internal/mcp -race
# passed

make test
# passed; runs go test ./... -race -v

Independent pre-PR review verdict: PASS.

Reviewer notes:

  • No blocking security or logic issues found in the diff against upstream/main.
  • A synthetic merge-tree check against current upstream/main reported no conflicts.
  • Remaining caveat: the local checkout still has a pre-existing untracked OpenPass binary; it is not part of this PR.

Caveats / scope notes

  • Secret masking is exact-value masking for resolved secrets. It is defense-in-depth, not full DLP for transformed/encoded/partial secret variants.
  • This branch is from rzyns/OpenPass:main to danieljustus/OpenPass:main.

rzyns and others added 9 commits May 8, 2026 15:40
@rzyns @szponeczek
security: pin Go toolchain to 1.26.3
1deea58
@rzyns @szponeczek
fix: redact MCP command secret output
08ce4db
@rzyns @szponeczek
fix: isolate command and HTTP server tests
a3bac77
@rzyns @szponeczek
test: isolate serve command port allocation
dfad188
@rzyns @szponeczek
docs: add Hermes safe adoption guidance
533b00f
@szponeczek
fix(git): make SSH push error tests hermetic
bdb16ef 
Classify known_hosts setup failures as SSH configuration errors and make the SSH push failure regression test independent of the user's SSH environment.
@szponeczek
test: fix serve helper address formatting
3cd7c5c 
Use net.JoinHostPort when probing HTTP server test listeners so go vet accepts the helper for IPv6-safe address construction.
@szponeczek
test: harden port availability tests
4772e51 
Avoid a close-and-rebind race in the in-use port case and retry the preferred-port assertion if the OS reallocates the probed free port before the test can use it.
@szponeczek
test: isolate MCP token env in tests
311e8b9 
Prevent an ambient OPENPASS_MCP_TOKEN from changing cmd and internal/mcp test behavior. This keeps local make test deterministic while preserving tests that explicitly set OPENPASS_MCP_TOKEN with t.Setenv.
@pazureczek pazureczek requested a review from danieljustus as a code owner May 9, 2026 11:51
danieljustus
danieljustus requested changes May 9, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@danieljustus danieljustus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! The security fix and test improvements look
solid. Before merging, could you update docs/hermes-safe-adoption.md to
use generic placeholder names instead of 'Janusz'? This is public
project documentation and shouldn't reference a specific person's
personal workflow.

szponeczek added 2 commits May 9, 2026 15:56
@szponeczek
docs: remove personal name from adoption guide
e65bffb 
Use generic placeholder language in the Hermes/OpenClaw adoption guide so public documentation does not reference a specific personal workflow.
@szponeczek
docs: generalize agent adoption examples
f343755 
Remove personal and environment-specific examples from the agent adoption guidance. Use generic password-manager, provider, project, and vault-path placeholders so the public docs are not tied to a specific user workflow.
@szponeczek
Copy link
Copy Markdown
Contributor

szponeczek commented May 9, 2026

Thanks for the contribution! The security fix and test improvements look solid. Before merging, could you update docs/hermes-safe-adoption.md to use generic placeholder names instead of 'Janusz'? This is public project documentation and shouldn't reference a specific person's personal workflow.

Hah, derp... sorry about that! Also got rid of some other me-specific stuff 🤤

@danieljustus danieljustus merged commit 9319744 into danieljustus:main May 10, 2026
8 checks passed
@danieljustus
Copy link
Copy Markdown
Owner

danieljustus commented May 10, 2026

Thanks for the contribution! The security fix and test improvements look solid. Before merging, could you update docs/hermes-safe-adoption.md to use generic placeholder names instead of 'Janusz'? This is public project documentation and shouldn't reference a specific person's personal workflow.

Hah, derp... sorry about that! Also got rid of some other me-specific stuff 🤤

No worries, happens to the best of us! Thanks for the cleanup and the solid PR overall. Appreciated 🙌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danieljustus danieljustus danieljustus requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@pazureczek @szponeczek @danieljustus @rzyns