@@ -156,6 +156,19 @@ memories = true
156156
157157[profiles."rldyour-safe".features]
158158terminal_resize_reflow = false
159+ EOF
160+ ;;
161+ mcp_secret_placeholder_upgrade)
162+ cat > " $config_path " << 'EOF '
163+ [mcp_servers.github]
164+ command = "github-mcp-server"
165+ args = ["stdio", "--toolsets", "context,repos"]
166+
167+ [mcp_servers.github.env]
168+ GITHUB_PERSONAL_ACCESS_TOKEN = "${GITHUB_PERSONAL_ACCESS_TOKEN}"
169+
170+ [mcp_servers.github.tools.old]
171+ approval_mode = "approve"
159172EOF
160173 ;;
161174 * )
@@ -255,6 +268,17 @@ if case_name == "memories_legacy":
255268 raise SystemExit(f"{case_name}: memories legacy alias was not migrated: {memories!r}")
256269 if "no_memories_if_mcp_or_web_search" in memories:
257270 raise SystemExit(f"{case_name}: memories legacy alias was not removed: {memories!r}")
271+ if case_name == "mcp_secret_placeholder_upgrade":
272+ github = (data.get("mcp_servers") or {}).get("github") or {}
273+ if "env" in github:
274+ raise SystemExit(f"{case_name}: stale github env table was not removed: {github!r}")
275+ if github.get("env_vars") != ["GITHUB_PERSONAL_ACCESS_TOKEN"]:
276+ raise SystemExit(f"{case_name}: github token was not forwarded through env_vars: {github!r}")
277+ if "${GITHUB_PERSONAL_ACCESS_TOKEN}" in text:
278+ raise SystemExit(f"{case_name}: literal GitHub token placeholder remains in config")
279+ tools = github.get("tools") or {}
280+ if "old" in tools:
281+ raise SystemExit(f"{case_name}: stale managed github tool approval remains: {tools!r}")
258282PY
259283
260284 printf ' ok %s\n' " $case_name "
@@ -283,6 +307,7 @@ cases=(
283307 memories_legacy
284308 features_legacy_landlock
285309 profiles_nested_legacy
310+ mcp_secret_placeholder_upgrade
286311)
287312
288313for case_name in " ${cases[@]} " ; do
0 commit comments