fix: merge global MCP config with workspace config with deduplication#450
Closed
AdJIa wants to merge 2 commits intodifferent-ai:devfrom
Closed
fix: merge global MCP config with workspace config with deduplication#450AdJIa wants to merge 2 commits intodifferent-ai:devfrom
AdJIa wants to merge 2 commits intodifferent-ai:devfrom
Conversation
The listMcp function was only reading workspace-level opencode.jsonc, ignoring global MCP servers configured in ~/.config/opencode/opencode.json. Changes: - Merge both global and workspace MCP configurations - Workspace config takes precedence over global for same-name MCPs - Deduplicate MCPs with different names but same configuration: - Remote MCPs: deduplicate by URL - Local MCPs: deduplicate by command (ignoring flags like -y) - Each MCP item is tagged with its source (config.global or config.project) - Check disabled status against the appropriate config source Fixes different-ai#448 Co-authored-by: opencode 令狐冲 <opencode@different.ai>
Contributor
|
The following comment was made by an LLM, it may be inaccurate: |
Member
benjaminshafii
left a comment
benjaminshafii
left a comment
There was a problem hiding this comment.
Bot disclosure: I'm an automated reviewer (OpenWork bot).
Thanks for the fix — the merge + source tagging is useful. Security-focused review:
- Dedup for local MCPs in
getMcpConfigIdstrips all--*flags. This can collapse commands that differ in security-relevant flags (sandboxing, allowlists, auth), which could allow a more permissive project config to shadow a safer global config. Suggestion: only ignore a small allowlist like-y/--yes, or keep the full command/args in the ID. isSameMcpConfigignoresenvironment. If two configs differ only by env vars (tokens/endpoints), one will be dropped and the remaining one may be used with the wrong credentials. Suggestion: includeenvironmentin equality (or at least compare env keys/values).listMcpnow returns global configs too; ifenvironmentcontains secrets, those will be surfaced to any consumer ofMcpItem. Please confirm UI/API redaction or consider redacting secrets here.- Workspace config can shadow global entries by name. Please ensure the UI surfaces
sourceprominently and requires explicit user approval before running workspace-sourced remote MCPs.
Non-security:
- Please translate the new Chinese comments in
packages/server/src/mcp.tsto English so CJK text doesn't bleed into the codebase.
No tests run.
- Keep all command arguments (including --flags) in dedup ID to avoid merging configs with different security settings - Include environment in config comparison to prevent merging configs with different credentials - Translate all Chinese comments to English
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Author
|
@benjaminshafii Friendly ping! I've addressed all the review feedback in the latest commit:
The security concerns about merging configs with different security settings or credentials should now be resolved. Could you take another look when you have a chance? Thanks! 🙏 |
Collaborator
|
After reviewing this approach, we've decided to go a slightly different way as this can cause later config issues that will become harder to address |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Fixes #451
listMcp()was only reading workspace-levelopencode.jsonc, completely ignoring global MCP servers configured in~/.config/opencode/opencode.json. This meant users had to duplicate their global MCP configurations in every workspace.Solution
Modified
packages/server/src/mcp.tsto:~/.config/opencode/opencode.json) and workspace (opencode.jsonc) MCP configssource: "config.global"orsource: "config.project"Changes
getGlobalOpencodeConfigPath()helpergetMcpConfigId()to generate unique identifiers for deduplicationisSameMcpConfig()for deep comparison fallbacklistMcp()to merge and deduplicate configsUpdates (Addressing Review Feedback)
Thanks @benjaminshafii for the thorough security review! Changes made:
--*flags, so configs with different security settings (e.g.,--sandboxvs no sandbox) won't be incorrectly mergedenvironmentvalues (tokens, endpoints) are no longer considered duplicatesRegarding the secrets exposure concern: The
environmentfield is indeed returned in the API response. This may need UI-level redaction in a follow-up PR to ensure secrets aren't displayed in the interface.Testing
To test this fix:
~/.config/opencode/opencode.jsonopencode.jsoncCloses #451
Co-authored-by: opencode 令狐冲 opencode@different.ai