feat(mcp): add MCP server for secret-gated AI agent access

[jdx]

Summary

• Adds fnox mcp command that starts an MCP server over stdio, acting as a session-scoped secret broker for AI agents
• Two tools: get_secret (retrieve a secret by name) and exec (run a command with secrets as env vars)
• Secrets are batch-resolved on first access (amortizes yubikey/SSO cost), cached in memory, never persisted to disk
• Tools can be selectively enabled via [mcp] tools config in fnox.toml

Config

[mcp]
tools = ["get_secret", "exec"]  # default: both enabled

Claude Code integration (.claude/settings.json):

{
  "mcpServers": {
    "fnox": {
      "command": "fnox",
      "args": ["mcp"]
    }
  }
}

Test plan

• cargo build compiles without errors
• cargo test — all 118 tests pass
• CLI ordering test passes (new Mcp variant is alphabetically placed)
• Manual: pipe JSON-RPC tools/list to fnox mcp stdin → returns enabled tools
• Manual: tools/call get_secret with an age-encrypted secret → returns value
• Manual: tools/call exec with a command → output contains secrets without exposing them in the MCP stream
• Manual: configure tools = ["exec"] only → get_secret not listed, calls rejected
• Integration: configure in .claude/settings.json as MCP server

🤖 Generated with Claude Code

---

Note

High Risk
Adds a new secrets- and command-execution server surface area (fnox mcp) where bugs could leak secret material or allow unintended subprocess behavior. Although opt-in and with some safeguards (tool allowlist, non-interactive mode, output limits/timeouts), it touches security-critical handling of secrets and process execution.

Overview
Adds a new fnox mcp CLI subcommand that starts a Model Context Protocol (MCP) server over stdio, intended for session-scoped secret access by AI agents.

Introduces src/mcp_server.rs implementing two MCP tools—get_secret (on-demand secret retrieval, rejecting as_file=true) and exec (run a subprocess with env=true secrets injected, optional as_file temp-file injection, bounded output capture, and configurable timeout). Secrets are batch-resolved on first tool use and cached in-memory for the session.

Extends config/schema to support [mcp] settings (tools allowlist and exec_timeout_secs) with careful merge semantics to avoid overlays unintentionally re-enabling tools; updates docs/CLI reference and adds the rmcp dependency.

^{Written by Cursor Bugbot for commit 4ead676. This will update automatically on new commits. Configure here.}

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant security enhancement by integrating a Model Context Protocol (MCP) server into fnox. This server provides a secure, session-scoped mechanism for AI agents to access secrets without directly exposing them, addressing a critical security concern. By enabling controlled access through defined tools and temporary in-memory caching, it ensures that sensitive credentials are handled safely and efficiently, thereby improving the overall security posture when using AI agents with fnox.

Highlights

• New MCP Server Command: Introduced fnox mcp to launch a Model Context Protocol (MCP) server.
• Secure Secret Brokering: The server acts as a session-scoped secret broker for AI agents, preventing direct exposure of sensitive information.
• Tooling for AI Agents: Provides get_secret to retrieve secrets by name and exec to run commands with secrets injected as environment variables.
• Configurable Tool Access: Allows selective enabling/disabling of get_secret and exec tools via [mcp] tools in fnox.toml.
• Efficient Secret Management: Secrets are batch-resolved on first access to amortize costs (e.g., YubiKey/SSO prompts), cached in memory for the session, and never persisted to disk.
• Comprehensive Documentation: Added a new guide docs/guide/mcp.md explaining the MCP server's purpose, setup, usage, and security considerations.

Changelog

• Cargo.lock
  • Added rmcp dependency.
  • Added pastey dependency.
• Cargo.toml
  • Added rmcp dependency with server, transport-io, and macros features.
• docs/guide/mcp.md
  • Added new documentation for the MCP server, detailing its purpose, setup, available tools (get_secret, exec), operational flow, and security considerations.
• src/commands/mcp.rs
  • Created a new command module for fnox mcp, responsible for initializing and running the MCP server.
  • Implemented logic to enforce non-interactive mode for the MCP server.
  • Added validation for configured MCP tool names.
• src/commands/mod.rs
  • Imported the new mcp command module.
  • Integrated McpCommand into the main Commands enum for CLI access.
  • Updated the run method to dispatch to McpCommand::run.
• src/config.rs
  • Defined a new McpConfig struct to manage MCP server-specific settings, such as enabled tools.
  • Integrated McpConfig as an optional field within the main Config struct.
  • Implemented merging logic for McpConfig in the Config::merge method.
  • Initialized mcp field to None in Config::default.
• src/lib.rs
  • Declared the new mcp_server module.
• src/main.rs
  • Declared the new mcp_server module.
• src/mcp_server.rs
  • Implemented the FnoxMcpServer struct, which acts as the core MCP server handler.
  • Developed the ensure_resolved method for batch-resolving and caching secrets.
  • Implemented the get_secret tool to retrieve individual secret values.
  • Implemented the exec tool to execute commands with secrets injected as environment variables.
  • Defined the ServerHandler implementation for FnoxMcpServer, providing server capabilities and instructions.

Activity

• No specific activity (comments, reviews, progress) was provided in the context.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[greptile-apps]

Greptile Summary

This PR adds a fnox mcp subcommand that starts a Model Context Protocol server over stdio, acting as a session-scoped secret broker for AI agents such as Claude Code. It introduces two tools — get_secret and exec — backed by batch-resolved, in-memory cached secrets, with a configurable allowlist via [mcp] tools in fnox.toml.

The implementation is well-structured and addresses a comprehensive list of security concerns:

• OnceCell-based resolution tracking correctly handles the edge case where all secrets resolve to None
• collect_bounded reads stdout/stderr concurrently with per-stream byte limits, preventing both OOM and pipe deadlock
• kill_on_drop(true) ensures child processes are killed when the timeout fires
• as_file=true secrets are rejected in get_secret and converted to temp-file paths only at exec time
• CallToolResult::error is correctly used for non-zero exit codes
• Field-by-field McpConfig merge prevents a restrictive tools list from being silently re-enabled by an overlay that only sets exec_timeout_secs
• exec_timeout_secs = 0 is rejected at startup with a clear config error
• tools/list is filtered by the enabled set via a manual ServerHandler implementation
• get_info instructions are built dynamically and handle all four combinations of enabled tools, including tools = []
• Docs accurately reflect the security model, including the as_file disk-write exception and the audit-visibility-only nature of exec

The one minor remaining issue is the _exec_temp_files variable name, which uses a leading underscore (conventionally "unused") for a value that must stay alive through the subprocess call.

Confidence Score: 4/5

• This PR is safe to merge; all previously identified security issues have been addressed with only one minor naming nit remaining.
• Every critical issue from the prior review round has been resolved — OnceCell sentinel, bounded I/O, kill_on_drop, as_file handling, exec error propagation, tool-list filtering, config merge semantics, and documentation accuracy. The single remaining item (underscore-prefixed temp-file variable) is a style concern that carries no correctness risk in current Rust. Score of 4 rather than 5 reflects the inherently high-risk surface area of a new secrets-and-subprocess execution server, which warrants manual integration testing before production use.
• No files require special attention; src/mcp_server.rs is the only file with any open concern and it is minor.

Important Files Changed

Filename	Overview
src/mcp_server.rs	Core MCP server implementation. Addresses all previously-noted issues: OnceCell for resolution tracking, bounded I/O with concurrent reads, kill_on_drop, per-stream truncation detection, as_file rejection in get_secret, exec error propagation, and correct is_some_and filter. Minor: _exec_temp_files naming is misleading.
src/commands/mcp.rs	Clean command entry point. Correctly sets non-interactive mode, validates exec_timeout_secs != 0 at startup, and wires up the MCP server over stdio.
src/config.rs	McpConfig added with field-by-field overlay merge semantics to prevent tools being accidentally re-enabled when only exec_timeout_secs is overridden. Schema annotation correctly sets minimum: 1 for exec_timeout_secs.
docs/guide/mcp.md	Documentation accurately describes the security model, correctly qualifies the "memory-only" claim with the as_file exception, and clearly explains that exec provides audit visibility rather than strict isolation.
docs/public/schema.json	McpConfig and McpTool schema entries added. exec_timeout_secs minimum is correctly set to 1, matching the runtime startup validation.

Sequence Diagram

sequenceDiagram
    participant Agent as AI Agent
    participant MCP as fnox MCP Server
    participant Cache as Secret Cache (RwLock)
    participant Once as OnceCell (resolved)
    participant Resolver as resolve_secrets_batch
    participant Child as Subprocess

    Note over Agent,Child: First tool call (e.g. get_secret or exec)

    Agent->>MCP: tools/call get_secret {name}
    MCP->>Once: get_or_try_init()
    Once->>Resolver: batch resolve env=true secrets
    Resolver-->>Once: HashMap<name, Option<value>>
    Once->>Cache: write all env=true results
    Once-->>MCP: () (cell populated)
    MCP->>Cache: read — cache hit?
    Cache-->>MCP: Some(value)
    MCP-->>Agent: CallToolResult::success(value)

    Note over Agent,Child: env=false secret (on-demand)

    Agent->>MCP: tools/call get_secret {name: env_false_key}
    MCP->>Once: get_or_try_init() — no-op (already populated)
    MCP->>Cache: read — cache miss (env=false not in batch)
    MCP->>Resolver: resolve_single(env_false_key)
    Resolver-->>MCP: Option<value>
    MCP->>Cache: write (including None for absent)
    MCP-->>Agent: CallToolResult::success / invalid_request

    Note over Agent,Child: exec tool call

    Agent->>MCP: tools/call exec {command}
    MCP->>Once: get_or_try_init() — no-op
    MCP->>Cache: snapshot env=true secrets (releases lock)
    MCP->>Child: spawn with env vars injected (as_file → temp path)
    MCP->>Child: concurrent bounded read stdout+stderr (PER_STREAM_LIMIT)
    Child-->>MCP: stdout_buf, stderr_buf, exit status
    MCP-->>Agent: CallToolResult::success/error (truncated if needed)

Loading

_{Last reviewed commit: 498ee19}

[gemini-code-assist]

Code Review

This pull request introduces a new fnox mcp command, running a Model Context Protocol (MCP) server to provide AI agents with controlled access to secrets via get_secret and exec tools. While the implementation is generally well-structured, a significant security flaw exists in the exec tool: it allows arbitrary command execution and returns output, enabling agents to easily exfiltrate injected secrets, bypassing intended security boundaries. Additionally, suggestions for improvement include using an enum for MCP tool names, refactoring exec tool's output formatting, clarifying tool configuration documentation, and using a more specific error type for MCP server errors.

[gemini-code-assist]

The exec tool presents a significant security risk: it allows AI agents to execute arbitrary commands and retrieve stdout, enabling easy exfiltration of all secrets injected into the environment, contrary to documentation. Beyond this critical vulnerability, the current output formatting logic is also complex and contains a minor bug where a failing command with no output can produce a leading newline. It is recommended to refactor this logic to be more straightforward and correct by building a vector of output parts and then joining them, which improves readability and handles all cases cleanly.

        let mut parts = Vec::new();
        if !stdout.is_empty() {
            parts.push(stdout.to_string());
        }
        if !stderr.is_empty() {
            parts.push(format!("[stderr]\n{}", stderr));
        }

        let exit_code = output.status.code().unwrap_or(-1);
        if !output.status.success() || parts.is_empty() {
            parts.push(format!("[exit code: {exit_code}]"));
        }

        let text = parts.join("\n");

[gemini-code-assist]

This sentence could be slightly ambiguous. It might imply that setting one tool disables the other, which is only true if you provide a list with a single element. A clearer phrasing would explicitly mention that tools is a list of enabled tools.

Suggested change

	Set `tools = ["exec"]` to only allow running commands (agent never sees raw secrets). Set `tools = ["get_secret"]` to only allow reading secrets directly.
	You can limit which tools are available by listing them in the `tools` array. For example, to only allow executing commands without exposing raw secrets, set `tools = ["exec"]`. To only allow retrieving secrets directly, set `tools = ["get_secret"]`.

[gemini-code-assist]

Using FnoxError::Config for MCP server errors (both at startup and during runtime) might be a bit misleading. Consider adding a more specific error variant for MCP-related issues, like FnoxError::McpServerError, to improve error diagnostics and handling. This would make it clearer where the error originated.

[gemini-code-assist]

Using a Vec<String> for the tools is a bit fragile as it relies on string matching. Consider using an enum for McpTool to make this more robust and leverage the type system for validation. This would also allow serde to validate the tool names at deserialization time.

For example:

#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema, PartialEq, Eq)]
#[serde(rename_all = "snake_case")]
pub enum McpTool {
    GetSecret,
    Exec,
}

#[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
#[serde(deny_unknown_fields)]
pub struct McpConfig {
    /// Which MCP tools to expose (default: ["get_secret", "exec"])
    #[serde(default = "McpConfig::default_tools")]
    pub tools: Vec<McpTool>,
}

impl McpConfig {
    fn default_tools() -> Vec<McpTool> {
        vec![McpTool::GetSecret, McpTool::Exec]
    }
}

This change would make the manual validation in src/commands/mcp.rs unnecessary and simplify the checks in src/mcp_server.rs (e.g., self.mcp_config.tools.contains(&McpTool::GetSecret)).

[jdx]

bugbot run

[jdx]

bugbot run

[jdx]

bugbot run

[cursor]

Output truncation doesn't prevent unbounded memory during collection

Medium Severity

The exec tool calls child.wait_with_output() which buffers ALL stdout/stderr into process memory before the MAX_OUTPUT_BYTES truncation logic runs. The documentation claims output is "capped at 1 MiB to prevent unbounded memory usage," but the cap only applies to the JSON-RPC response — the full output is already loaded into memory by wait_with_output. A command producing large output (e.g., streaming binary data) during the timeout window (default 5 minutes) could cause OOM in the long-lived MCP server process.

 

[jdx]

bugbot run

[cursor]

Sequential stdout/stderr reading causes subprocess deadlock

Medium Severity

The exec tool reads stdout to completion (waiting for EOF) before starting to read stderr. If the child process writes more than the OS pipe buffer size (~64KB on Linux) to stderr without writing to stdout, the child blocks on the stderr write while the MCP server blocks waiting for stdout EOF — a classic deadlock. The timeout will eventually kill the child, but legitimate commands that write heavily to stderr (e.g., verbose builds, programs that log to stderr) will fail with a confusing "timed out" error. Both pipes need to be drained concurrently, e.g., via tokio::join!.

 

[cursor]

Disabled tools still reachable via call_tool routing

Low Severity

The call_tool handler delegates directly to self.tool_router.call(tcc) without checking whether the requested tool is enabled in mcp_config. While list_tools and get_tool correctly filter disabled tools, call_tool bypasses this filtering, allowing a client to invoke a disabled tool's handler. The handler itself checks enablement and rejects the call, but this inconsistency means the tool router processes disabled tool requests rather than rejecting them at the dispatch level.

 

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​rmcp@​1.1.0

View full report

[jdx]

bugbot run

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Documentation falsely claims exec prevents secret exposure

Medium Severity

The documentation states "The agent never sees the raw secret values" for the exec tool and recommends tools = ["exec"] to "prevent agents from reading raw secret values." Both claims are incorrect — the exec tool captures stdout/stderr and returns it to the agent, so running ["printenv"], ["env"], or ["sh", "-c", "echo $SECRET"] through exec reveals all env=true secret values. This gives users a false sense of security when configuring tools = ["exec"].

Additional Locations (1)

• docs/guide/mcp.md#L82-L83

 

[greptile-apps]

Underscore-prefix implies "intentionally unused" but variable must be kept alive

_exec_temp_files uses a leading underscore, which Rust developers conventionally read as "I know this is unused/discardable". However, this Vec<NamedTempFile> must not be discarded early — the NamedTempFile handles must stay alive until the subprocess finishes, otherwise the temp files are deleted before the child process can open them.

While Rust only immediately drops bare _ (not _foo), the naming convention will confuse future readers and the compiler may emit a dead-code warning for the variable. Rename it to make the keeping-alive intent explicit:

Suggested change

	let mut _exec_temp_files = Vec::new();
	let mut exec_temp_files = Vec::new();

Then update the reference at line 315:

let path = Self::create_secret_file(key, value, &mut exec_temp_files)?;