fix: clean mcp ui and eng-104 flow

Signed-off-by: betterclever <[email protected]>

Author: betterclever

e2e-tests/eng-104-alert-investigation.test.ts

@@ -111,22 +111,42 @@ async function runWorkflow(workflowId: string, inputs: Record<string, unknown> =
   return runId;
 }
 
-async function createSecret(name: string, value: string) {
-  const res = await fetch(`${API_BASE}/secrets`, {
-    method: 'POST',
-    headers: HEADERS,
-    body: JSON.stringify({ name, value }),
-  });
+async function listSecrets(): Promise<Array<{ id: string; name: string }>> {
+  const res = await fetch(`${API_BASE}/secrets`, { headers: HEADERS });
   if (!res.ok) {
     const text = await res.text();
-    throw new Error(`Failed to create secret: ${res.status} ${text}`);
+    throw new Error(`Failed to list secrets: ${res.status} ${text}`);
   }
-  const secret = await res.json();
-  return secret.id as string;
+  return res.json();
 }
 
-async function deleteSecret(secretId: string) {
-  await fetch(`${API_BASE}/secrets/${secretId}`, { method: 'DELETE', headers: HEADERS });
+async function createOrRotateSecret(name: string, value: string): Promise<string> {
+  const secrets = await listSecrets();
+  const existing = secrets.find((s) => s.name === name);
+  if (!existing) {
+    const res = await fetch(`${API_BASE}/secrets`, {
+      method: 'POST',
+      headers: HEADERS,
+      body: JSON.stringify({ name, value }),
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`Failed to create secret: ${res.status} ${text}`);
+    }
+    const secret = await res.json();
+    return secret.id as string;
+  }
+
+  const res = await fetch(`${API_BASE}/secrets/${existing.id}/rotate`, {
+    method: 'PUT',
+    headers: HEADERS,
+    body: JSON.stringify({ value }),
+  });
+  if (!res.ok) {
+    const text = await res.text();
+    throw new Error(`Failed to rotate secret: ${res.status} ${text}`);
+  }
+  return existing.id;
 }
 
 function loadGuardDutySample() {
@@ -145,18 +165,17 @@ e2eDescribe('ENG-104: End-to-End Alert Investigation Workflow', () => {
   e2eTest('triage workflow runs end-to-end with MCP tools + OpenCode agent', { timeout: 480000 }, async () => {
     const now = Date.now();
 
-    const abuseSecretId = await createSecret(`ENG104_ABUSE_${now}`, ABUSEIPDB_API_KEY!);
-    const vtSecretId = await createSecret(`ENG104_VT_${now}`, VIRUSTOTAL_API_KEY!);
-    const zaiSecretId = await createSecret(`ENG104_ZAI_${now}`, ZAI_API_KEY!);
+    const abuseSecretName = `ENG104_ABUSE_${now}`;
+    const vtSecretName = `ENG104_VT_${now}`;
+    const zaiSecretName = `ENG104_ZAI_${now}`;
+    const awsAccessKeyName = `ENG104_AWS_ACCESS_${now}`;
+    const awsSecretKeyName = `ENG104_AWS_SECRET_${now}`;
 
-    // For AWS MCP components, credentials are contract-based (object, not secret reference)
-    // So we pass the credential object directly instead of a secret ID
-    const awsCredentials = {
-      accessKeyId: AWS_ACCESS_KEY_ID,
-      secretAccessKey: AWS_SECRET_ACCESS_KEY,
-      sessionToken: AWS_SESSION_TOKEN,
-      region: AWS_REGION,
-    };
+    await createOrRotateSecret(abuseSecretName, ABUSEIPDB_API_KEY!);
+    await createOrRotateSecret(vtSecretName, VIRUSTOTAL_API_KEY!);
+    await createOrRotateSecret(zaiSecretName, ZAI_API_KEY!);
+    await createOrRotateSecret(awsAccessKeyName, AWS_ACCESS_KEY_ID!);
+    await createOrRotateSecret(awsSecretKeyName, AWS_SECRET_ACCESS_KEY!);
 
     const guardDutyAlert = loadGuardDutySample();
 
@@ -178,34 +197,6 @@ e2eDescribe('ENG-104: End-to-End Alert Investigation Workflow', () => {
             },
           },
         },
-        {
-          id: 'parse',
-          type: 'core.logic.script',
-          position: { x: 250, y: 0 },
-          data: {
-            label: 'Parse Alert',
-            config: {
-              params: {
-                variables: [
-                  { name: 'alert', type: 'json' },
-                ],
-                returns: [
-                  { name: 'suspiciousIp', type: 'string' },
-                  { name: 'publicIp', type: 'string' },
-                  { name: 'instanceId', type: 'string' },
-                ],
-                code: `export async function script(input: Input): Promise<Output> {
-  const alert = input.alert || {};
-  const portProbe = alert?.service?.action?.portProbeAction?.portProbeDetails || [];
-  const suspiciousIp = portProbe[0]?.remoteIpDetails?.ipAddressV4 || alert?.intel?.ip || '';
-  const publicIp = alert?.resource?.instanceDetails?.publicIp || '';
-  const instanceId = alert?.resource?.instanceDetails?.instanceId || '';
-  return { suspiciousIp, publicIp, instanceId };
-}`,
-              },
-            },
-          },
-        },
         {
           id: 'abuseipdb',
           type: 'security.abuseipdb.check',
@@ -216,7 +207,7 @@ e2eDescribe('ENG-104: End-to-End Alert Investigation Workflow', () => {
               mode: 'tool',
               params: { maxAgeInDays: 90 },
               inputOverrides: {
-                apiKey: abuseSecretId,
+                apiKey: abuseSecretName,
                 ipAddress: '',
               },
             },
@@ -232,12 +223,28 @@ e2eDescribe('ENG-104: End-to-End Alert Investigation Workflow', () => {
               mode: 'tool',
               params: { type: 'ip' },
               inputOverrides: {
-                apiKey: vtSecretId,
+                apiKey: vtSecretName,
                 indicator: '',
               },
             },
           },
         },
+        {
+          id: 'aws-creds',
+          type: 'core.credentials.aws',
+          position: { x: 520, y: 200 },
+          data: {
+            label: 'AWS Credentials Bundle',
+            config: {
+              params: {},
+              inputOverrides: {
+                accessKeyId: awsAccessKeyName,
+                secretAccessKey: awsSecretKeyName,
+                region: AWS_REGION,
+              },
+            },
+          },
+        },
         {
           id: 'cloudtrail',
           type: 'security.aws-cloudtrail-mcp',
@@ -250,9 +257,7 @@ e2eDescribe('ENG-104: End-to-End Alert Investigation Workflow', () => {
                 image: AWS_CLOUDTRAIL_MCP_IMAGE,
                 region: AWS_REGION,
               },
-              inputOverrides: {
-                credentials: awsCredentials,
-              },
+              inputOverrides: {},
             },
           },
         },
@@ -268,9 +273,7 @@ e2eDescribe('ENG-104: End-to-End Alert Investigation Workflow', () => {
                 image: AWS_CLOUDWATCH_MCP_IMAGE,
                 region: AWS_REGION,
               },
-              inputOverrides: {
-                credentials: awsCredentials,
-              },
+              inputOverrides: {},
             },
           },
         },
@@ -302,16 +305,15 @@ e2eDescribe('ENG-104: End-to-End Alert Investigation Workflow', () => {
         },
       ],
       edges: [
-        { id: 'e1', source: 'start', target: 'parse', sourceHandle: 'alert', targetHandle: 'alert' },
         { id: 'e2', source: 'start', target: 'agent' },
 
         { id: 't1', source: 'abuseipdb', target: 'agent', sourceHandle: 'tools', targetHandle: 'tools' },
         { id: 't2', source: 'virustotal', target: 'agent', sourceHandle: 'tools', targetHandle: 'tools' },
         { id: 't3', source: 'cloudtrail', target: 'agent', sourceHandle: 'tools', targetHandle: 'tools' },
         { id: 't4', source: 'cloudwatch', target: 'agent', sourceHandle: 'tools', targetHandle: 'tools' },
 
-        { id: 'd1', source: 'parse', target: 'abuseipdb', sourceHandle: 'suspiciousIp', targetHandle: 'ipAddress' },
-        { id: 'd2', source: 'parse', target: 'virustotal', sourceHandle: 'suspiciousIp', targetHandle: 'indicator' },
+        { id: 'a1', source: 'aws-creds', target: 'cloudtrail', sourceHandle: 'credentials', targetHandle: 'credentials' },
+        { id: 'a2', source: 'aws-creds', target: 'cloudwatch', sourceHandle: 'credentials', targetHandle: 'credentials' },
       ],
     };
 
@@ -340,8 +342,6 @@ e2eDescribe('ENG-104: End-to-End Alert Investigation Workflow', () => {
       }
     }
 
-    await deleteSecret(abuseSecretId);
-    await deleteSecret(vtSecretId);
-    await deleteSecret(zaiSecretId);
+    // Leave secrets for reuse across runs; rotation already updated values.
   });
 });

frontend/src/components/workflow/ConfigPanel.tsx

@@ -1198,12 +1198,34 @@ export function ConfigPanel({
             </CollapsibleSection>
           )}
 
-          {!isToolMode && component.agentTool?.enabled && toolSchemaJson && (
-            <CollapsibleSection title="Tool Schema" defaultOpen={false}>
-              <div className="mt-2">
-                <pre className="text-[11px] font-mono whitespace-pre-wrap bg-muted/20 text-foreground p-3 rounded-md border border-border shadow-sm min-h-[40px] max-h-[300px] overflow-y-auto">
-                  {toolSchemaJson}
-                </pre>
+          {!isToolMode &&
+            component.agentTool?.enabled &&
+            toolSchemaJson &&
+            component.category !== 'mcp' && (
+              <CollapsibleSection title="Tool Schema" defaultOpen={false}>
+                <div className="mt-2">
+                  <pre className="text-[11px] font-mono whitespace-pre-wrap bg-muted/20 text-foreground p-3 rounded-md border border-border shadow-sm min-h-[40px] max-h-[300px] overflow-y-auto">
+                    {toolSchemaJson}
+                  </pre>
+                </div>
+              </CollapsibleSection>
+            )}
+
+          {component.category === 'mcp' && component.agentTool?.toolName && (
+            <CollapsibleSection title="MCP Server" defaultOpen={false}>
+              <div className="mt-2 space-y-2 text-xs text-muted-foreground">
+                <div>
+                  <span className="font-medium text-foreground">Tool name: </span>
+                  <span className="font-mono">{component.agentTool.toolName}</span>
+                </div>
+                {component.agentTool.toolDescription && (
+                  <div className="text-[11px] leading-relaxed">
+                    {component.agentTool.toolDescription}
+                  </div>
+                )}
+                <div className="text-[11px] italic">
+                  Tool list appears after the MCP server starts at runtime.
+                </div>
               </div>
             </CollapsibleSection>
           )}

frontend/src/components/workflow/node/WorkflowNode.tsx

@@ -582,34 +582,31 @@ export const WorkflowNode = ({ data, selected, id }: NodeProps<NodeData>) => {
                 )}
               </div>
               <div className="flex items-center gap-1">
-                {mode === 'design' && !isEntryPoint && component?.agentTool?.enabled && (
-                  <button
-                    type="button"
-                    onClick={toggleToolMode}
-                    disabled={isToolModeOnly}
-                    className={cn(
-                      'flex items-center gap-1.5 px-2 py-1 rounded transition-all border',
-                      isToolModeOnly && 'opacity-70 cursor-not-allowed',
-                      isToolMode
-                        ? 'bg-purple-600 text-white border-purple-500 shadow-sm'
-                        : 'bg-background text-muted-foreground/60 border-border hover:border-purple-400 hover:text-purple-600',
-                    )}
-                    title={
-                      isToolModeOnly
-                        ? 'Tool Mode Only'
-                        : isToolMode
-                          ? 'Disable Tool Mode'
-                          : 'Enable Tool Mode'
-                    }
-                  >
-                    <Hammer
-                      className={cn('h-3.5 w-3.5', isToolMode ? 'text-white' : 'text-current')}
-                    />
-                    <span className="text-[10px] font-bold uppercase tracking-tight">
-                      {isToolMode ? 'Tool' : 'Mode'}
-                    </span>
-                  </button>
-                )}
+                {mode === 'design' &&
+                  !isEntryPoint &&
+                  component?.agentTool?.enabled &&
+                  !isToolModeOnly &&
+                  componentCategory !== 'mcp' && (
+                    <button
+                      type="button"
+                      onClick={toggleToolMode}
+                      disabled={isToolModeOnly}
+                      className={cn(
+                        'flex items-center gap-1.5 px-2 py-1 rounded transition-all border',
+                        isToolMode
+                          ? 'bg-purple-600 text-white border-purple-500 shadow-sm'
+                          : 'bg-background text-muted-foreground/60 border-border hover:border-purple-400 hover:text-purple-600',
+                      )}
+                      title={isToolMode ? 'Disable Tool Mode' : 'Enable Tool Mode'}
+                    >
+                      <Hammer
+                        className={cn('h-3.5 w-3.5', isToolMode ? 'text-white' : 'text-current')}
+                      />
+                      <span className="text-[10px] font-bold uppercase tracking-tight">
+                        {isToolMode ? 'Tool' : 'Mode'}
+                      </span>
+                    </button>
+                  )}
                 {isEntryPoint && (
                   <div style={{ display: 'none' }}>
                     <WebhookDetails

frontend/src/features/workflow-builder/hooks/useDesignWorkflowPersistence.ts

@@ -85,6 +85,17 @@ export function useDesignWorkflowPersistence({
   const [lastSavedMetadata, setLastSavedMetadata] = useState<SavedMetadata | null>(null);
   const [hasGraphChanges, setHasGraphChanges] = useState(false);
   const [hasMetadataChanges, setHasMetadataChanges] = useState(false);
+  const secretsInitialized = useSecretStore((state) => state.initialized);
+  const secretsLoading = useSecretStore((state) => state.loading);
+  const fetchSecrets = useSecretStore((state) => state.fetchSecrets);
+
+  useEffect(() => {
+    if (!secretsInitialized && !secretsLoading) {
+      fetchSecrets().catch((error) => {
+        console.error('Failed to preload secrets:', error);
+      });
+    }
+  }, [fetchSecrets, secretsInitialized, secretsLoading]);
 
   useEffect(() => {
     const currentSignature = computeGraphSignature(designNodes, designEdges);
@@ -150,6 +161,7 @@ export function useDesignWorkflowPersistence({
 
       // --- NEW: VALIDATION CHECK ---
       const getComponent = useComponentStore.getState().getComponent;
+      await useSecretStore.getState().fetchSecrets();
       const secrets = useSecretStore.getState().secrets;
       const allIssues: string[] = [];
 

worker/src/temporal/workflows/index.ts

@@ -973,20 +973,12 @@ export async function shipsecWorkflowRun(
       [{ outputs, error: normalizedError.message }],
     );
   } finally {
-    // Only cleanup MCP tools if workflow failed or was cancelled
-    // For successful completion, tools remain in registry for gateway access
-    if (!workflowCompletedSuccessfully) {
-      console.log(
-        `[Workflow] Workflow did not complete successfully, cleaning up MCP containers for run ${input.runId}`,
-      );
-      await cleanupLocalMcpActivity({ runId: input.runId }).catch((err) => {
-        console.error(`[Workflow] Failed to cleanup MCP containers for run ${input.runId}`, err);
-      });
-    } else {
-      console.log(
-        `[Workflow] Workflow completed successfully, keeping MCP tools available for run ${input.runId}`,
-      );
-    }
+    console.log(
+      `[Workflow] Cleaning up MCP containers for run ${input.runId} (success=${workflowCompletedSuccessfully})`,
+    );
+    await cleanupLocalMcpActivity({ runId: input.runId }).catch((err) => {
+      console.error(`[Workflow] Failed to cleanup MCP containers for run ${input.runId}`, err);
+    });
     await finalizeRunActivity({ runId: input.runId }).catch((err) => {
       console.error(`[Workflow] Failed to finalize run ${input.runId}`, err);
     });