@delega-dev/mcp 1.0.6 → 1.0.7

package/README.md

@@ -34,9 +34,16 @@ Add to your MCP client config (e.g. Claude Desktop `claude_desktop_config.json`)
 |----------|---------|-------------|
 | `DELEGA_API_URL` | `http://127.0.0.1:18890` | Delega API endpoint |
 | `DELEGA_AGENT_KEY` | (none) | Agent API key for authenticated requests |
+| `DELEGA_REVEAL_AGENT_KEYS` | `0` | Set to `1` only if you want MCP tool output to print full agent API keys |
 
 For the hosted tier, use `https://api.delega.dev` as the URL.
 
+## Security Notes
+
+- Non-local `DELEGA_API_URL` values must use `https://`.
+- Agent keys are passed through environment variables rather than command-line arguments, which avoids process-list leakage.
+- MCP tool output redacts full agent API keys by default. Set `DELEGA_REVEAL_AGENT_KEYS=1` only when you explicitly want them printed back to the client.
+
 ## Tools
 
 | Tool | Description |

package/dist/index.js

@@ -7,14 +7,22 @@ import { z } from "zod";
 
 // src/delega-client.ts
 var DEFAULT_BASE_URL = "http://127.0.0.1:18890";
+var LOCAL_API_HOSTS = /* @__PURE__ */ new Set(["localhost", "127.0.0.1"]);
+function normalizeBaseUrl(rawUrl) {
+  const parsed = new URL(rawUrl);
+  if (parsed.protocol !== "https:" && !LOCAL_API_HOSTS.has(parsed.hostname)) {
+    throw new Error("Delega API URL must use HTTPS unless it points to localhost");
+  }
+  return rawUrl.replace(/\/+$/, "");
+}
 var DelegaClient = class {
   baseUrl;
   agentKey;
   pathPrefix;
   constructor(baseUrl, agentKey) {
-    this.baseUrl = (baseUrl || DEFAULT_BASE_URL).replace(/\/+$/, "");
+    this.baseUrl = normalizeBaseUrl(baseUrl || DEFAULT_BASE_URL);
     this.agentKey = agentKey;
-    this.pathPrefix = this.baseUrl.includes("api.delega.dev") ? "/v1" : "/api";
+    this.pathPrefix = new URL(this.baseUrl).hostname === "api.delega.dev" ? "/v1" : "/api";
   }
   async request(method, path, body, query) {
     const url = new URL(path, this.baseUrl);
@@ -130,11 +138,21 @@ function formatTask(t) {
 function formatProject(p) {
   return `[#${p.id}] ${p.name}`;
 }
+function maskApiKey(key) {
+  if (key.length <= 12) return key;
+  return `${key.slice(0, 8)}...${key.slice(-4)}`;
+}
 function formatAgent(a) {
   const lines = [];
   lines.push(`[#${a.id}] ${a.name}${a.display_name ? ` (${a.display_name})` : ""}`);
   if (a.description) lines.push(`  Description: ${a.description}`);
-  if (a.api_key) lines.push(`  API Key: ${a.api_key}`);
+  if (a.api_key) {
+    if (process.env.DELEGA_REVEAL_AGENT_KEYS === "1") {
+      lines.push(`  API Key: ${a.api_key}`);
+    } else {
+      lines.push(`  API Key Preview: ${maskApiKey(a.api_key)}`);
+    }
+  }
   if (a.permissions?.length) lines.push(`  Permissions: ${a.permissions.join(", ")}`);
   if (a.active !== void 0) lines.push(`  Active: ${a.active ? "yes" : "no"}`);
   return lines.join("\n");
@@ -361,12 +379,11 @@ server.tool(
   async (params) => {
     try {
       const agent = await client.registerAgent(params);
+      const warning = process.env.DELEGA_REVEAL_AGENT_KEYS === "1" ? "\n\n\u26A0\uFE0F Save the API key \u2014 it won't be shown again." : "\n\nAPI keys are redacted by default in MCP output. Set DELEGA_REVEAL_AGENT_KEYS=1 to reveal them.";
       return {
         content: [{ type: "text", text: `Agent registered:
 
-${formatAgent(agent)}
-
-\u26A0\uFE0F Save the API key \u2014 it won't be shown again.` }]
+${formatAgent(agent)}${warning}` }]
       };
     } catch (e) {
       return { content: [{ type: "text", text: `Error: ${e.message}` }], isError: true };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@delega-dev/mcp",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "mcpName": "io.github.delega-dev/delega",
   "description": "MCP server for Delega — task infrastructure for AI agents",
   "type": "module",