refactor(mcp-server,daemon): migrate worker-URL env to canonical AGENTKEYS_WORKER_{MEMORY,AUDIT}_URL #310
Open
hanwencheng wants to merge 2 commits into
…TKEYS_WORKER_{MEMORY,AUDIT}_URL
Clean re-land of #202 off current main. The #202 branch's lineage carried
the secret-exfil workflows removed in the June incident (PR #235), so it is
not merged; this redoes the same refactor fresh with none of that history.
- mcp-server config.rs + daemon main.rs: clap env -> canonical
AGENTKEYS_WORKER_{MEMORY,AUDIT}_URL (daemon now matches its adjacent
AGENTKEYS_WORKER_CONFIG_URL). MCP from_cli accepts the legacy bare names
as a fallback so a deployed host's mcp.env keeps working until its next
setup-mcp-host.sh rewrite; the daemon hard-renames (dev.sh passes
--memory-url explicitly and operator-workstation.env only defines the
canonical name, so the bare fallback was already dead).
- README + setup-mcp-host.sh (both mcp.env heredocs): canonical names.
- arch.md §5: canonical-names row for the AGENTKEYS_WORKER_<svc>_URL family.
cargo check -p agentkeys-mcp-server -p agentkeys-daemon: clean, 0 warnings.
cargo fmt --check only; no logic change. (CI rust-checks fmt step flagged the hand-formatted closure.)
What & why
Canonical-names cleanup (arch.md §5 / terminology-source-of-truth). The MCP server and daemon read their worker base-URLs from the bare AGENTKEYS_MEMORY_URL / AGENTKEYS_AUDIT_URL, diverging from the canonical AGENTKEYS_WORKER_<svc>_URL family that scripts/operator-workstation.env, the CLI, the fleet tooling, and the daemon's own --config-url (AGENTKEYS_WORKER_CONFIG_URL) already use. This renames the MCP server + daemon to the canonical spelling.

AGENTKEYS_BROKER_URL is intentionally untouched — the broker is not a worker, so the bare name is already canonical.

Clean re-land of #202 (do not merge that branch)
This supersedes #202. While triaging #202 I found its branch lineage carries the malicious secret-exfiltration GitHub workflows removed from main in the June incident (PR #235) — its commit 2 is "security: remove malicious exfil workflows from branch." Rather than merge a branch with that history, this redoes the identical refactor fresh off current main (cdea265) with none of the contaminated lineage. main is already clean; this PR touches only the 5 intended files.

Zero-downtime (accept-both fallback)
A deployed remote MCP host still carries the old bare names in /etc/agentkeys/mcp.env until its next setup-mcp-host.sh run. To avoid a window between the binary upgrade and that rewrite, config.rs::from_cli reads the canonical AGENTKEYS_WORKER_* var first (clap env, or --memory-url / --audit-url), then falls back to the legacy bare name via std::env::var(...) only when unset. The fallback drops out naturally once the next deploy rewrites mcp.env.

The daemon hard-renames (no fallback): dev.sh passes --memory-url explicitly and operator-workstation.env only defines the canonical name, so the bare env= fallback was already dead code — the rename also fixes that latent inconsistency.

Files
- crates/agentkeys-mcp-server/src/config.rs — clap env (memory/audit) → canonical + the from_cli accept-both fallback.
- crates/agentkeys-daemon/src/main.rs — memory_url env → canonical (matches the adjacent config_url).
- crates/agentkeys-mcp-server/README.md — Docker -e flags.
- scripts/setup-mcp-host.sh — both mcp.env heredocs (xiaozhi + self-hosted).
- docs/arch.md — §5 canonical-names row for the AGENTKEYS_WORKER_<svc>_URL family (records the legacy aliases + the fallback).

Verification
- cargo check -p agentkeys-mcp-server -p agentkeys-daemon → exit 0, 0 warnings.
- bash -n scripts/setup-mcp-host.sh → OK.
- config.rs.

To test this — deploy surfaces
- agentkeys-mcp-server + agentkeys-daemon + setup-mcp-host.sh): bash scripts/setup-broker-host.sh --ref claude/mcp-worker-url-env — rebuilds the binaries and rewrites mcp.env with the canonical names in the same idempotent run.
- dev.sh rebuild (already canonical via operator-workstation.env).
- setup-cloud.sh) run needed.

🤖 Generated with Claude Code
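
The accept-both precedence described under "Zero-downtime", sketched as an added example (not code from this PR or the agentkeys repository). It resolves from a parsed env-file body instead of the process environment, and the names parse_env, resolve, Resolved, Source, the shadowed_legacy flag and the sample URLs are assumptions; the flag goes beyond what the PR describes, to show how a host carrying both spellings with different values could be surfaced.

```rust
use std::collections::HashMap;

/// Which variable supplied the effective URL.
#[derive(Debug, PartialEq)]
enum Source { Canonical, LegacyFallback }

#[derive(Debug, PartialEq)]
struct Resolved { url: String, source: Source, shadowed_legacy: bool }

/// Parse KEY=VALUE lines from an env-file body; blanks and '#' comments are skipped.
fn parse_env(body: &str) -> HashMap<String, String> {
    body.lines()
        .map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .filter_map(|l| l.split_once('=')) // split at the first '=' only
        .map(|(k, v)| (k.trim().to_string(), v.trim().to_string()))
        .collect()
}

/// Canonical AGENTKEYS_WORKER_<svc>_URL wins; the bare AGENTKEYS_<svc>_URL
/// is consulted only when the canonical name is unset.
fn resolve(env: &HashMap<String, String>, svc: &str) -> Option<Resolved> {
    let canonical = env.get(&format!("AGENTKEYS_WORKER_{svc}_URL"));
    let legacy = env.get(&format!("AGENTKEYS_{svc}_URL"));
    match (canonical, legacy) {
        (Some(c), l) => Some(Resolved {
            url: c.clone(),
            source: Source::Canonical,
            // A differing legacy value is ignored, but worth reporting.
            shadowed_legacy: l.map_or(false, |l| l != c),
        }),
        (None, Some(l)) => Some(Resolved {
            url: l.clone(),
            source: Source::LegacyFallback,
            shadowed_legacy: false,
        }),
        (None, None) => None,
    }
}

fn main() {
    // Constructed sample: MEMORY still on the legacy name, AUDIT carries both.
    let env = parse_env(
        "# constructed sample\nAGENTKEYS_MEMORY_URL=https://memory.example.invalid\n\
         AGENTKEYS_WORKER_AUDIT_URL=https://audit.example.invalid\n\
         AGENTKEYS_AUDIT_URL=https://old-audit.example.invalid\n",
    );
    for svc in ["MEMORY", "AUDIT"] {
        println!("{svc}: {:?}", resolve(&env, svc));
    }
}
```

A LegacyFallback result marks a host whose env file has not yet been rewritten with the canonical names.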