Add fallback mechanism for MCP configuration updates in VS Code (AST-129350)

[cx-rahul-pidde]

By submitting a PR to this repository, you agree to the terms within the Checkmarx Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

1. Added Fallback Mechanism
   • Wrapped config.update() in try-catch blocks for both install and uninstall operations
   • Falls back to direct file write (updateMcpJsonFile() / removeMcpFromJsonFile()) on failure
   • Added user-friendly warn logging with specific error messages
2. Code Refactoring
   • Created removeMcpFromJsonFile() helper function to eliminate code duplication
   • Handles both mcpServers (Cursor, Windsurf, Kiro) and servers (VS Code) properties

References

AST-129350 - Spike | VS Code | Handling MCP Installation Failure Due to Policy (Windows and Mac)

Testing

Note -

• Test all cases with Checkmarx and Checkmarx Developer Assist plugin both

Test Case 1: VS Code - Successful Configuration Update
Scenario: Install MCP server in VS Code when settings API works correctly
Steps:

• Open VS Code
• Login with Oauth\Api key \ click on MCP install
• Verify authentication is successful

Expected Result:

• MCP configuration is saved via config.update()
• No fallback mechanism is triggered
• Success message: "MCP configuration saved successfully."
• No warning messages in console

Test Case 2: VS Code - Fallback Mechanism on Installation
Scenario: Install MCP server when VS Code settings API fails

Steps:

• Open VS Code
• Simulate config.update() failure (or trigger actual failure)
• Login with Oauth\Api key \ click on MCP install

Expected Result:

• Warning message logged: "Failed to update MCP server details. Using fallback mechanism to configure mcp server details. Error: {error message}"
• MCP configuration is written to mcp.json file at platform-specific path:
  Windows: %APPDATA%\Code\User\mcp.json
  macOS: ~/Library/Application Support/Code/User/mcp.json
  Linux: ~/.config/Code/User/mcp.json
• Success message: "MCP configuration saved successfully."

Test Case 3: VS Code - Fallback Mechanism on Uninstallation
Scenario: Uninstall MCP server when VS Code settings API fails

Steps:

• Install MCP server first
• Simulate config.update() failure during uninstall
• Logout

Expected Result:

• Warning message logged: "Failed to update MCP server details. Using fallback mechanism to configure mcp server details. Error: {error message}"
• No errors displayed to user

Test Case 5: Cursor - Direct File Write (No Fallback)
Scenario: Install MCP server in Cursor IDE

Steps:

• Open Cursor IDE
• Login with Oauth\Api key \ click on MCP install

Expected Result:

• Configuration is written directly to ~/.cursor/mcp.json
• No config.update() is called
• mcp.json contains mcpServers object (not servers)

Test Case 6: Windsurf - Direct File Write
Scenario: Install MCP server in Windsurf IDE

Steps:

• Open Windsurf IDE
• Login with Oauth\Api key \ click on MCP install

Expected Result:

• Configuration is written to ~/.codeium/windsurf/mcp_config.json
• Uses serverUrl instead of url
• mcp.json contains mcpServers object

Test Case 7: Kiro - Direct File Write with Special Configuration
Scenario: Install MCP server in Kiro IDE

Steps:

• Open Kiro IDE
• Login with Oauth\Api key \ click on MCP install

Expected Result:

• Configuration is written to ~/.kiro/settings/mcp.json
• Uses KiroMcpServer format with command, args, disabled, autoApprove
• mcp.json contains mcpServers object

Test Case 8: Uninstall from Non-VS Code IDE
Scenario: Uninstall MCP server from Cursor/Windsurf/Kiro

Steps:

• Install MCP server in Cursor/Windsurf/Kiro
• Verify mcp.json file exists with configuration
• Run uninstall command

Expected Result:

• removeMcpFromJsonFile() is called directly
• Checkmarx server entry is removed from mcpServers object
  File is updated successfully

Checklist

• I have added documentation for new/changed functionality in this PR (if applicable).
• All active GitHub checks for tests, formatting, and security are passing
• The correct base branch is being used

[github-actions]

Checkmarx One – Scan Summary & Details – 4afd5d9f-2c7d-4456-9226-0b807d148d90

New Issues (1)

Checkmarx found the following issues in this Pull Request

#	Severity	Issue	Source File / Package	Checkmarx Insight
1		CVE-2026-25639	Npm-axios-1.12.2	details Recommended version: 1.13.5 Description: Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.5, the mergeConfig function in axios crashes with a TypeError when ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package