Checked for duplicates?
What are the steps to reproduce this bug?
MCP validation builds authenticated clone URLs when GIT_CLONE_TOKEN is configured.
If the Git clone operation fails, the validation path stores the raw clone exception in McpValidationResult.details.
Some Git clone errors can include the authenticated URL, which may contain the configured token.
Expected behaviour
Validation errors should never persist secret material.
Clone failure details should redact the configured GIT_CLONE_TOKEN before saving the error, and should also pass through the existing secret redaction helper for defense in depth.
Support bundle
Not applicable. This is a static backend hardening issue.
(Optional) Anything else you want to share?
This is related to MCP validation error handling and can be covered with a focused regression test.
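A sketch of the redaction and the focused regression test the report asks for, as an added example that is not the project's code. `redact_clone_error`, `validate_clone`, the `git:` URL user and the sample token are hypothetical, and the URL-userinfo pattern only stands in for the project's existing secret redaction helper, whose name is not given here.

```python
import re
from urllib.parse import quote

REDACTED = "***REDACTED***"

# Fallback pass: credentials in the userinfo part of any URL (scheme://user:pass@host).
_URL_USERINFO = re.compile(r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.-]*://)[^/\s@]+@")


def redact_clone_error(error, token):
    """Return a string form of a clone failure that is safe to persist."""
    text = str(error)
    if token:
        # Git may echo the token verbatim or percent-encoded, so remove both forms.
        for variant in {token, quote(token, safe="")}:
            text = text.replace(variant, REDACTED)
    # Defense in depth: also strip URL userinfo, which catches credentials
    # that are not the configured token (for example after a rotation).
    return _URL_USERINFO.sub(lambda m: m.group("scheme") + REDACTED + "@", text)


def validate_clone(clone_fn, repo_url, token):
    """Hypothetical validation step; returns the details string that would be stored."""
    # Assumed URL shape: the token is placed in the userinfo of an https URL.
    auth_url = repo_url.replace("https://", f"https://git:{token}@", 1)
    try:
        clone_fn(auth_url)
    except Exception as exc:
        # Redact before the message reaches any stored result or log line.
        return redact_clone_error(exc, token)
    return "ok"


# Constructed sample values. The "/" in the token defeats the userinfo pattern
# on its own, which is why the configured token is replaced explicitly first.
SAMPLE_TOKEN = "constructed-token-a/b+c"


def failing_clone(url):
    """Constructed stand-in for a Git client whose error message echoes the URL."""
    raise RuntimeError(f"fatal: unable to access '{url}/': The requested URL returned error: 403")


if __name__ == "__main__":
    print(validate_clone(failing_clone, "https://git.example.com/org/repo.git", SAMPLE_TOKEN))
```
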