opencode-synced 0.4.2 → 0.5.0

package/README.md

@@ -78,6 +78,7 @@ Create `~/.config/opencode/opencode-synced.jsonc`:
     "branch": "main",
   },
   "includeSecrets": false,
+  "includeMcpSecrets": false,
   "includeSessions": false,
   "includePromptStash": false,
   "extraSecretPaths": [],
@@ -100,6 +101,9 @@ Enable secrets with `/sync-enable-secrets` or set `"includeSecrets": true`:
 - `~/.local/share/opencode/mcp-auth.json`
 - Any extra paths in `extraSecretPaths` (allowlist)
 
+MCP API keys stored inside `opencode.json(c)` are **not** committed by default. To allow them
+in a private repo, set `"includeMcpSecrets": true` (requires `includeSecrets`).
+
 ### Sessions (private repos only)
 
 Sync your OpenCode sessions (conversation history from `/sessions`) across machines by setting `"includeSessions": true`. This requires `includeSecrets` to also be enabled since sessions may contain sensitive data.
@@ -146,6 +150,22 @@ Create a local-only overrides file at:
 
 Overrides are merged into the runtime config and re-applied to `opencode.json(c)` after pull.
 
+### MCP secret scrubbing
+
+If your `opencode.json(c)` contains MCP secrets (for example `mcp.*.headers` or `mcp.*.oauth.clientSecret`), opencode-synced will automatically:
+
+1. Move the secret values into `opencode-synced.overrides.jsonc` (local-only).
+2. Replace the values in the synced config with `{env:...}` placeholders.
+
+This keeps secrets out of the repo while preserving local behavior. On other machines, set the matching environment variables (or add local overrides).
+If you want MCP secrets committed (private repos only), set `"includeMcpSecrets": true` alongside `"includeSecrets": true`.
+
+Env var naming rules:
+
+- If the header name already looks like an env var (e.g. `CONTEXT7_API_KEY`), it is used directly.
+- Otherwise: `OPENCODE_MCP_<SERVER>_<HEADER>` (uppercase, non-alphanumerics become `_`).
+- OAuth client secrets use `OPENCODE_MCP_<SERVER>_OAUTH_CLIENT_SECRET`.
+
 ## Usage
 
 | Command | Description |

package/dist/command/sync-enable-secrets.md

@@ -4,3 +4,4 @@ description: Enable secrets sync (private repo required)
 
 Use the opencode_sync tool with command "enable-secrets".
 If the user supplies extra secret paths, pass them via extraSecretPaths.
+If they want MCP secrets committed in a private repo, pass includeMcpSecrets: true.

package/dist/command/sync-init.md

@@ -9,3 +9,4 @@ If the user wants a custom repo name, pass name="custom-name".
 If the user wants an org-owned repo, pass owner="org-name".
 If the user wants a public repo, pass private=false.
 Include includeSecrets if the user explicitly opts in.
+Include includeMcpSecrets only if they want MCP secrets committed to a private repo.

package/dist/index.js

@@ -100,6 +100,10 @@ export const OpencodeConfigSync = async (ctx) => {
             url: tool.schema.string().optional().describe('Repo URL'),
             branch: tool.schema.string().optional().describe('Repo branch'),
             includeSecrets: tool.schema.boolean().optional().describe('Enable secrets sync'),
+            includeMcpSecrets: tool.schema
+                .boolean()
+                .optional()
+                .describe('Allow MCP secrets to be committed (requires includeSecrets)'),
             includeSessions: tool.schema
                 .boolean()
                 .optional()
@@ -126,6 +130,7 @@ export const OpencodeConfigSync = async (ctx) => {
                         url: args.url,
                         branch: args.branch,
                         includeSecrets: args.includeSecrets,
+                        includeMcpSecrets: args.includeMcpSecrets,
                         includeSessions: args.includeSessions,
                         includePromptStash: args.includePromptStash,
                         create: args.create,
@@ -146,7 +151,10 @@ export const OpencodeConfigSync = async (ctx) => {
                     return await service.push();
                 }
                 if (args.command === 'enable-secrets') {
-                    return await service.enableSecrets(args.extraSecretPaths);
+                    return await service.enableSecrets({
+                        extraSecretPaths: args.extraSecretPaths,
+                        includeMcpSecrets: args.includeMcpSecrets,
+                    });
                 }
                 if (args.command === 'resolve') {
                     return await service.resolve();

package/dist/sync/apply.d.ts

@@ -1,3 +1,6 @@
 import type { SyncPlan } from './paths.js';
 export declare function syncRepoToLocal(plan: SyncPlan, overrides: Record<string, unknown> | null): Promise<void>;
-export declare function syncLocalToRepo(plan: SyncPlan, overrides: Record<string, unknown> | null): Promise<void>;
+export declare function syncLocalToRepo(plan: SyncPlan, overrides: Record<string, unknown> | null, options?: {
+    overridesPath?: string;
+    allowMcpSecrets?: boolean;
+}): Promise<void>;

package/dist/sync/apply.js

@@ -1,6 +1,7 @@
 import { promises as fs } from 'node:fs';
 import path from 'node:path';
 import { deepMerge, parseJsonc, pathExists, stripOverrides, writeJsonFile } from './config.js';
+import { extractMcpSecrets, hasOverrides, mergeOverrides, stripOverrideKeys, } from './mcp-secrets.js';
 import { normalizePath } from './paths.js';
 export async function syncRepoToLocal(plan, overrides) {
     for (const item of plan.items) {
@@ -11,10 +12,39 @@ export async function syncRepoToLocal(plan, overrides) {
         await applyOverridesToLocalConfig(plan, overrides);
     }
 }
-export async function syncLocalToRepo(plan, overrides) {
+export async function syncLocalToRepo(plan, overrides, options = {}) {
+    const configItems = plan.items.filter((item) => item.isConfigFile);
+    const sanitizedConfigs = new Map();
+    let secretOverrides = {};
+    const allowMcpSecrets = Boolean(options.allowMcpSecrets);
+    for (const item of configItems) {
+        if (!(await pathExists(item.localPath)))
+            continue;
+        const content = await fs.readFile(item.localPath, 'utf8');
+        const parsed = parseJsonc(content);
+        const { sanitizedConfig, secretOverrides: extracted } = extractMcpSecrets(parsed);
+        if (!allowMcpSecrets) {
+            sanitizedConfigs.set(item.localPath, sanitizedConfig);
+        }
+        if (hasOverrides(extracted)) {
+            secretOverrides = mergeOverrides(secretOverrides, extracted);
+        }
+    }
+    let overridesForStrip = overrides;
+    if (hasOverrides(secretOverrides)) {
+        if (!allowMcpSecrets) {
+            const baseOverrides = overrides ?? {};
+            const mergedOverrides = mergeOverrides(baseOverrides, secretOverrides);
+            if (options.overridesPath && !isDeepEqual(baseOverrides, mergedOverrides)) {
+                await writeJsonFile(options.overridesPath, mergedOverrides, { jsonc: true });
+            }
+        }
+        overridesForStrip = overrides ? stripOverrideKeys(overrides, secretOverrides) : overrides;
+    }
     for (const item of plan.items) {
-        if (item.isConfigFile && overrides && Object.keys(overrides).length > 0) {
-            await copyConfigForRepo(item, overrides, plan.repoRoot);
+        if (item.isConfigFile) {
+            const sanitized = sanitizedConfigs.get(item.localPath);
+            await copyConfigForRepo(item, overridesForStrip, plan.repoRoot, sanitized);
             continue;
         }
         await copyItem(item.localPath, item.repoPath, item.type, true);
@@ -35,21 +65,22 @@ async function copyItem(sourcePath, destinationPath, type, removeWhenMissing = f
     await removePath(destinationPath);
     await copyDirRecursive(sourcePath, destinationPath);
 }
-async function copyConfigForRepo(item, overrides, repoRoot) {
+async function copyConfigForRepo(item, overrides, repoRoot, configOverride) {
     if (!(await pathExists(item.localPath))) {
         await removePath(item.repoPath);
         return;
     }
-    const localContent = await fs.readFile(item.localPath, 'utf8');
-    const localConfig = parseJsonc(localContent);
+    const localConfig = configOverride ??
+        parseJsonc(await fs.readFile(item.localPath, 'utf8'));
     const baseConfig = await readRepoConfig(item, repoRoot);
+    const effectiveOverrides = overrides ?? {};
     if (baseConfig) {
-        const expectedLocal = deepMerge(baseConfig, overrides);
+        const expectedLocal = deepMerge(baseConfig, effectiveOverrides);
         if (isDeepEqual(localConfig, expectedLocal)) {
             return;
         }
     }
-    const stripped = stripOverrides(localConfig, overrides, baseConfig);
+    const stripped = stripOverrides(localConfig, effectiveOverrides, baseConfig);
     const stat = await fs.stat(item.localPath);
     await fs.mkdir(path.dirname(item.repoPath), { recursive: true });
     await writeJsonFile(item.repoPath, stripped, {

package/dist/sync/config.d.ts

@@ -9,6 +9,7 @@ export interface SyncConfig {
     repo?: SyncRepoConfig;
     localRepoPath?: string;
     includeSecrets?: boolean;
+    includeMcpSecrets?: boolean;
     includeSessions?: boolean;
     includePromptStash?: boolean;
     extraSecretPaths?: string[];
@@ -20,6 +21,7 @@ export interface SyncState {
 }
 export declare function pathExists(filePath: string): Promise<boolean>;
 export declare function normalizeSyncConfig(config: SyncConfig): SyncConfig;
+export declare function canCommitMcpSecrets(config: SyncConfig): boolean;
 export declare function loadSyncConfig(locations: SyncLocations): Promise<SyncConfig | null>;
 export declare function writeSyncConfig(locations: SyncLocations, config: SyncConfig): Promise<void>;
 export declare function loadOverrides(locations: SyncLocations): Promise<Record<string, unknown> | null>;

package/dist/sync/config.js

@@ -10,8 +10,10 @@ export async function pathExists(filePath) {
     }
 }
 export function normalizeSyncConfig(config) {
+    const includeSecrets = Boolean(config.includeSecrets);
     return {
-        includeSecrets: Boolean(config.includeSecrets),
+        includeSecrets,
+        includeMcpSecrets: includeSecrets ? Boolean(config.includeMcpSecrets) : false,
         includeSessions: Boolean(config.includeSessions),
         includePromptStash: Boolean(config.includePromptStash),
         extraSecretPaths: Array.isArray(config.extraSecretPaths) ? config.extraSecretPaths : [],
@@ -19,6 +21,9 @@ export function normalizeSyncConfig(config) {
         repo: config.repo,
     };
 }
+export function canCommitMcpSecrets(config) {
+    return Boolean(config.includeSecrets) && Boolean(config.includeMcpSecrets);
+}
 export async function loadSyncConfig(locations) {
     if (!(await pathExists(locations.syncConfigPath))) {
         return null;

package/dist/sync/mcp-secrets.d.ts

@@ -0,0 +1,8 @@
+export interface McpSecretExtraction {
+    sanitizedConfig: Record<string, unknown>;
+    secretOverrides: Record<string, unknown>;
+}
+export declare function extractMcpSecrets(config: Record<string, unknown>): McpSecretExtraction;
+export declare function mergeOverrides(base: Record<string, unknown>, extra: Record<string, unknown>): Record<string, unknown>;
+export declare function stripOverrideKeys(base: Record<string, unknown>, toRemove: Record<string, unknown>): Record<string, unknown>;
+export declare function hasOverrides(value: Record<string, unknown>): boolean;

package/dist/sync/mcp-secrets.js

@@ -0,0 +1,130 @@
+import { deepMerge } from './config.js';
+const ENV_PLACEHOLDER_PATTERN = /\{env:[^}]+\}/i;
+export function extractMcpSecrets(config) {
+    const sanitizedConfig = cloneConfig(config);
+    const secretOverrides = {};
+    const mcp = getPlainObject(sanitizedConfig.mcp);
+    if (!mcp) {
+        return { sanitizedConfig, secretOverrides };
+    }
+    for (const [serverName, serverConfigValue] of Object.entries(mcp)) {
+        const serverConfig = getPlainObject(serverConfigValue);
+        if (!serverConfig)
+            continue;
+        const headers = getPlainObject(serverConfig.headers);
+        if (headers) {
+            for (const [headerName, headerValue] of Object.entries(headers)) {
+                if (!isSecretString(headerValue))
+                    continue;
+                const envVar = buildHeaderEnvVar(serverName, headerName);
+                const placeholder = buildHeaderPlaceholder(String(headerValue), envVar, headerName);
+                headers[headerName] = placeholder;
+                setNestedValue(secretOverrides, ['mcp', serverName, 'headers', headerName], headerValue);
+            }
+        }
+        const oauth = getPlainObject(serverConfig.oauth);
+        if (oauth) {
+            const clientSecret = oauth.clientSecret;
+            if (isSecretString(clientSecret)) {
+                const envVar = buildEnvVar(serverName, 'OAUTH_CLIENT_SECRET');
+                oauth.clientSecret = `{env:${envVar}}`;
+                setNestedValue(secretOverrides, ['mcp', serverName, 'oauth', 'clientSecret'], clientSecret);
+            }
+        }
+    }
+    return { sanitizedConfig, secretOverrides };
+}
+function isSecretString(value) {
+    return typeof value === 'string' && value.length > 0 && !ENV_PLACEHOLDER_PATTERN.test(value);
+}
+function buildHeaderEnvVar(serverName, headerName) {
+    if (/^[A-Z0-9_]+$/.test(headerName)) {
+        return headerName;
+    }
+    return buildEnvVar(serverName, headerName);
+}
+function buildEnvVar(serverName, key) {
+    const serverToken = toEnvToken(serverName, 'SERVER');
+    const keyToken = toEnvToken(key, 'VALUE');
+    return `OPENCODE_MCP_${serverToken}_${keyToken}`;
+}
+function toEnvToken(input, fallback) {
+    const cleaned = String(input)
+        .trim()
+        .replace(/[^a-zA-Z0-9]+/g, '_')
+        .replace(/^_+|_+$/g, '');
+    if (!cleaned)
+        return fallback;
+    return cleaned.toUpperCase();
+}
+function buildHeaderPlaceholder(value, envVar, headerName) {
+    if (!isAuthorizationHeader(headerName)) {
+        return `{env:${envVar}}`;
+    }
+    const schemeMatch = value.match(/^([A-Za-z][A-Za-z0-9+.-]*)\s+/);
+    if (schemeMatch) {
+        return `${schemeMatch[0]}{env:${envVar}}`;
+    }
+    return `{env:${envVar}}`;
+}
+function isAuthorizationHeader(headerName) {
+    if (!headerName)
+        return false;
+    const normalized = headerName.toLowerCase();
+    return normalized === 'authorization' || normalized === 'proxy-authorization';
+}
+function setNestedValue(target, path, value) {
+    let current = target;
+    for (let i = 0; i < path.length - 1; i += 1) {
+        const key = path[i];
+        const next = current[key];
+        if (!isPlainObject(next)) {
+            current[key] = {};
+        }
+        current = current[key];
+    }
+    current[path[path.length - 1]] = value;
+}
+function getPlainObject(value) {
+    return isPlainObject(value) ? value : null;
+}
+function isPlainObject(value) {
+    if (!value || typeof value !== 'object')
+        return false;
+    return Object.getPrototypeOf(value) === Object.prototype;
+}
+function cloneConfig(config) {
+    if (typeof structuredClone === 'function') {
+        return structuredClone(config);
+    }
+    return JSON.parse(JSON.stringify(config));
+}
+export function mergeOverrides(base, extra) {
+    return deepMerge(base, extra);
+}
+export function stripOverrideKeys(base, toRemove) {
+    if (!isPlainObject(base) || !isPlainObject(toRemove)) {
+        return base;
+    }
+    const result = { ...base };
+    for (const [key, removeValue] of Object.entries(toRemove)) {
+        if (!Object.hasOwn(result, key))
+            continue;
+        const currentValue = result[key];
+        if (isPlainObject(removeValue) && isPlainObject(currentValue)) {
+            const stripped = stripOverrideKeys(currentValue, removeValue);
+            if (Object.keys(stripped).length === 0) {
+                delete result[key];
+            }
+            else {
+                result[key] = stripped;
+            }
+            continue;
+        }
+        delete result[key];
+    }
+    return result;
+}
+export function hasOverrides(value) {
+    return Object.keys(value).length > 0;
+}

package/dist/sync/service.d.ts

@@ -7,6 +7,7 @@ interface InitOptions {
     url?: string;
     branch?: string;
     includeSecrets?: boolean;
+    includeMcpSecrets?: boolean;
     includeSessions?: boolean;
     includePromptStash?: boolean;
     create?: boolean;
@@ -24,7 +25,10 @@ export interface SyncService {
     link: (_options: LinkOptions) => Promise<string>;
     pull: () => Promise<string>;
     push: () => Promise<string>;
-    enableSecrets: (_extraSecretPaths?: string[]) => Promise<string>;
+    enableSecrets: (_options?: {
+        extraSecretPaths?: string[];
+        includeMcpSecrets?: boolean;
+    }) => Promise<string>;
     resolve: () => Promise<string>;
 }
 export declare function createSyncService(ctx: SyncServiceContext): SyncService;

package/dist/sync/service.js

@@ -1,6 +1,6 @@
 import { syncLocalToRepo, syncRepoToLocal } from './apply.js';
 import { generateCommitMessage } from './commit.js';
-import { loadOverrides, loadState, loadSyncConfig, normalizeSyncConfig, writeState, writeSyncConfig, } from './config.js';
+import { canCommitMcpSecrets, loadOverrides, loadState, loadSyncConfig, normalizeSyncConfig, writeState, writeSyncConfig, } from './config.js';
 import { SyncCommandError, SyncConfigMissingError } from './errors.js';
 import { buildSyncPlan, resolveRepoRoot, resolveSyncLocations } from './paths.js';
 import { commitAll, ensureRepoCloned, ensureRepoPrivate, fetchAndFastForward, findSyncRepo, getAuthenticatedUser, getRepoStatus, hasLocalChanges, isRepoCloned, pushBranch, repoExists, resolveRepoBranch, resolveRepoIdentifier, } from './repo.js';
@@ -12,7 +12,7 @@ export function createSyncService(ctx) {
         startupSync: async () => {
             const config = await loadSyncConfig(locations);
             if (!config) {
-                await showToast(ctx.client, 'Configure opencode-synced with /sync-init.', 'info');
+                await showToast(ctx.client, 'Configure opencode-synced with /sync-init or link to an existing repo with /sync-link', 'info');
                 return;
             }
             try {
@@ -48,6 +48,7 @@ export function createSyncService(ctx) {
             }
             const repoIdentifier = resolveRepoIdentifier(config);
             const includeSecrets = config.includeSecrets ? 'enabled' : 'disabled';
+            const includeMcpSecrets = config.includeMcpSecrets ? 'enabled' : 'disabled';
             const includeSessions = config.includeSessions ? 'enabled' : 'disabled';
             const includePromptStash = config.includePromptStash ? 'enabled' : 'disabled';
             const lastPull = state.lastPull ?? 'never';
@@ -68,6 +69,7 @@ export function createSyncService(ctx) {
                 `Repo: ${repoIdentifier}`,
                 `Branch: ${branch}`,
                 `Secrets: ${includeSecrets}`,
+                `MCP secrets: ${includeMcpSecrets}`,
                 `Sessions: ${includeSessions}`,
                 `Prompt stash: ${includePromptStash}`,
                 `Last pull: ${lastPull}`,
@@ -93,7 +95,10 @@ export function createSyncService(ctx) {
             if (created) {
                 const overrides = await loadOverrides(locations);
                 const plan = buildSyncPlan(config, locations, repoRoot);
-                await syncLocalToRepo(plan, overrides);
+                await syncLocalToRepo(plan, overrides, {
+                    overridesPath: locations.overridesPath,
+                    allowMcpSecrets: canCommitMcpSecrets(config),
+                });
                 const dirty = await hasLocalChanges(ctx.$, repoRoot);
                 if (dirty) {
                     const branch = resolveRepoBranch(config);
@@ -130,6 +135,7 @@ export function createSyncService(ctx) {
             const config = normalizeSyncConfig({
                 repo: { owner: found.owner, name: found.name },
                 includeSecrets: false,
+                includeMcpSecrets: false,
                 includeSessions: false,
                 includePromptStash: false,
                 extraSecretPaths: [],
@@ -197,7 +203,10 @@ export function createSyncService(ctx) {
             }
             const overrides = await loadOverrides(locations);
             const plan = buildSyncPlan(config, locations, repoRoot);
-            await syncLocalToRepo(plan, overrides);
+            await syncLocalToRepo(plan, overrides, {
+                overridesPath: locations.overridesPath,
+                allowMcpSecrets: canCommitMcpSecrets(config),
+            });
             const dirty = await hasLocalChanges(ctx.$, repoRoot);
             if (!dirty) {
                 return 'No local changes to push.';
@@ -210,11 +219,14 @@ export function createSyncService(ctx) {
             });
             return `Pushed changes: ${message}`;
         },
-        enableSecrets: async (extraSecretPaths) => {
+        enableSecrets: async (options) => {
             const config = await getConfigOrThrow(locations);
             config.includeSecrets = true;
-            if (extraSecretPaths) {
-                config.extraSecretPaths = extraSecretPaths;
+            if (options?.extraSecretPaths) {
+                config.extraSecretPaths = options.extraSecretPaths;
+            }
+            if (options?.includeMcpSecrets !== undefined) {
+                config.includeMcpSecrets = options.includeMcpSecrets;
             }
             await ensureRepoPrivate(ctx.$, config);
             await writeSyncConfig(locations, config);
@@ -277,7 +289,10 @@ async function runStartup(ctx, locations, config, log) {
     }
     const overrides = await loadOverrides(locations);
     const plan = buildSyncPlan(config, locations, repoRoot);
-    await syncLocalToRepo(plan, overrides);
+    await syncLocalToRepo(plan, overrides, {
+        overridesPath: locations.overridesPath,
+        allowMcpSecrets: canCommitMcpSecrets(config),
+    });
     const changes = await hasLocalChanges(ctx.$, repoRoot);
     if (!changes) {
         log.debug('No local changes to push');
@@ -318,6 +333,7 @@ async function buildConfigFromInit($, options) {
     return normalizeSyncConfig({
         repo,
         includeSecrets: options.includeSecrets ?? false,
+        includeMcpSecrets: options.includeMcpSecrets ?? false,
         includeSessions: options.includeSessions ?? false,
         includePromptStash: options.includePromptStash ?? false,
         extraSecretPaths: options.extraSecretPaths ?? [],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-synced",
-  "version": "0.4.2",
+  "version": "0.5.0",
   "description": "Sync global OpenCode config across machines via GitHub.",
   "author": {
     "name": "Ian Hildebrand"
@@ -22,7 +22,9 @@
   "publishConfig": {
     "access": "public"
   },
-  "files": ["dist"],
+  "files": [
+    "dist"
+  ],
   "dependencies": {
     "@opencode-ai/plugin": "1.0.85"
   },
@@ -49,6 +51,8 @@
     "prepare": "husky"
   },
   "lint-staged": {
-    "*.{js,ts,json}": ["biome check --write --no-errors-on-unmatched"]
+    "*.{js,ts,json}": [
+      "biome check --write --no-errors-on-unmatched"
+    ]
   }
 }