Merge pull request #310 from basementstudio/canary

v0.5.3

Author: valebearzotti

packages/cli/src/utils/client-definitions.ts

@@ -87,6 +87,14 @@ function normalizeClientDefinitions(
   return undefined;
 }
 
+function isValidHeader(header: unknown): boolean {
+  if (!header || typeof header !== "object") return false;
+  const h = header as Record<string, unknown>;
+  if (typeof h.name !== "string") return false;
+  // Must have either 'value' (static) or 'env' (environment variable reference)
+  return typeof h.value === "string" || typeof h.env === "string";
+}
+
 function createClientDefinition(
   entry: unknown,
   fallbackName?: string
@@ -112,10 +120,12 @@ function createClientDefinition(
     "url" in entry && typeof (entry as any).url === "string"
       ? (entry as any).url
       : undefined;
-  const headersProp =
-    "headers" in entry && Array.isArray((entry as any).headers)
-      ? (entry as any).headers
-      : undefined;
+
+  let headersProp: CustomHeaders | undefined;
+  if ("headers" in entry && Array.isArray((entry as any).headers)) {
+    const rawHeaders = (entry as any).headers;
+    headersProp = rawHeaders.filter(isValidHeader) as CustomHeaders;
+  }
 
   if (!nameProp || !urlProp) {
     return undefined;

packages/cli/src/utils/templates.ts

@@ -170,6 +170,18 @@ async function ${identifier}(client: HttpClient${
       ? JSON.stringify(headers, null, 2)
       : undefined;
 
+  // Warn if any headers contain literal values (potential secrets)
+  if (headers && headers.length > 0) {
+    const staticHeaders = headers.filter(
+      (h) => "value" in h && h.value && !h.value.startsWith("$")
+    );
+    if (staticHeaders.length > 0) {
+      console.warn(
+        `Warning: Headers with static values detected. Consider using { env: "ENV_VAR_NAME" } for sensitive values like API keys.`
+      );
+    }
+  }
+
   const headersConstant = headersLiteral
     ? `\nconst DEFAULT_HEADERS: CustomHeaders = ${headersLiteral};\n`
     : "";

packages/xmcp/src/client/headers.ts

@@ -1,22 +1,60 @@
-export interface CustomHeader {
+/**
+ * A header with a static value (use only for non-sensitive values)
+ */
+export interface StaticHeader {
   name: string;
   value: string;
 }
 
+/**
+ * A header that reads its value from an environment variable at runtime.
+ * Use this for sensitive values like API keys and authorization tokens.
+ */
+export interface EnvHeader {
+  name: string;
+  /** The name of the environment variable to read at runtime */
+  env: string;
+}
+
+export type CustomHeader = StaticHeader | EnvHeader;
+
 export type CustomHeaders = CustomHeader[];
 
-export const createEmptyHeader = (): CustomHeader => ({
+export const createEmptyHeader = (): StaticHeader => ({
   name: "",
   value: "",
 });
 
+/**
+ * Check if a header uses an environment variable reference
+ */
+export const isEnvHeader = (header: CustomHeader): header is EnvHeader => {
+  return "env" in header && typeof header.env === "string";
+};
+
+/**
+ * Converts CustomHeaders to a Record, resolving environment variables at runtime.
+ * Throws if a required env var is not set.
+ */
 export const headersToRecord = (
   headers: CustomHeaders
 ): Record<string, string> => {
   const record: Record<string, string> = {};
 
   headers.forEach((header) => {
-    record[header.name.trim()] = header.value.trim();
+    const name = header.name.trim();
+
+    if (isEnvHeader(header)) {
+      const envValue = process.env[header.env];
+      if (envValue === undefined) {
+        throw new Error(
+          `Environment variable "${header.env}" is not set (required for header "${name}")`
+        );
+      }
+      record[name] = envValue;
+    } else {
+      record[name] = header.value.trim();
+    }
   });
 
   return record;

packages/xmcp/src/index.ts

@@ -24,4 +24,10 @@ export { completable } from "@modelcontextprotocol/sdk/server/completable";
 
 export { createHTTPClient } from "./client";
 export type { HttpClient } from "./client/types";
-export type { CustomHeaders } from "./client/headers";
+export type {
+  CustomHeaders,
+  CustomHeader,
+  StaticHeader,
+  EnvHeader,
+} from "./client/headers";
+export { isEnvHeader, headersToRecord } from "./client/headers";