Auto-connect stdio MCP servers; store env as connection secrets (#1129)

* Auto-connect stdio MCP servers; store env as connection secrets

Adding a stdio MCP server registered an integration but no connection, so
the v1.5 per-connection tool model produced zero tools on a fresh install.
Auto-create the default connection on add (no-auth, or one-shot env values),
declare secret env vars as a stdio_env auth method whose values live on the
connection's secret store, add a boot-time reconcile for pre-existing stdio
integrations, and give the add form a TagInput for declaring env var names.

* Derive stdio MCP display name from the package, not the runner

The stdio add form fell back to the bare command (npx, uvx, ...) for both
the display name and namespace, so every npm-launched server landed as
"npx". Derive a name from the package/module being run instead: skip the
runner and its flags/subcommands, drop the npm scope, version, path, and the
usual MCP affixes (mcp-server-, server-, -mcp), then title-case. So
"npx -y @modelcontextprotocol/server-github" becomes "Github MCP" and
"uvx mcp-server-time" becomes "Time MCP", falling back to the raw command
when nothing meaningful can be extracted.

* Run the local e2e project in CI

The local vitest project (e2e/local/**, including the stdio MCP auto-connect
coverage) was excluded from both the default e2e chain and root `bun run
test`, so it never ran in CI. Add a test:local script and a dedicated CI job
that boots the scenarios with Node 22 and Chromium installed, since each one
launches a real executor web server and some drive a browser.

* Fix ci.yml: restore desktop-smoke job header

The previous commit's edit consumed the desktop-smoke job header when
inserting e2e-local, leaving its body orphaned with a duplicate steps key.
GitHub rejected the workflow on startup. Restore the header.

* Make local e2e reliable in CI: serialize boots, add headless shell

The local project booted its executor web servers with file parallelism on,
the only server-booting project that did. On a CI runner several cold vite
boots at once thrashed past the token-URL wait, timing out stdio-mcp and auth.
Run the files serially like every other server-booting project so the first
boot warms the vite cache. Also install chromium-headless-shell, which the
browser scenarios launch and which does not come with the chromium download.

* Install Playwright browsers via e2e's pinned version

Running the install from the repo root let bunx float to the latest playwright,
which fetched a browser build the test runtime (playwright 1.60.0, pinned in
e2e) never looks for, so the browser scenarios failed to launch. Install from
e2e so the resolved playwright matches the one the scenarios use.

* Scope the e2e CI job to the stdio MCP scenario

Running the whole local project in one CI job stacked several executor web +
vite boots on the runner; a later boot would intermittently stall past the
token-URL wait, and the auth scenario carries its own pre-existing browser
flakiness. Run just the stdio MCP scenario, the auto-connect / env-as-secret
regression guard, on its own so the job is a reliable gate. Also give the
cold-boot wait headroom (120s to 180s) for CI runners. Expanding to the full
local suite is a follow-up once the rest is stabilized.

Author: RhysSullivan

.github/workflows/ci.yml

@@ -74,6 +74,44 @@ jobs:
 
       - run: bun run test
 
+  e2e-local:
+    name: E2E (stdio MCP)
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: 1.3.11
+
+      # The local scenarios boot a real `executor web` (which spawns a Node
+      # sidecar) and some drive a browser, so pin Node 22 and install Chromium.
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+
+      - run: bun install --frozen-lockfile
+
+      # `chromium` and the new `chromium-headless-shell` ship as separate
+      # downloads; the browser-driven scenarios launch the headless shell.
+      # Install from e2e so bunx resolves ITS pinned playwright (the version the
+      # tests run against) rather than floating to the latest, which would fetch
+      # a browser build the test runtime does not look for.
+      - name: Install Playwright Chromium
+        run: bunx playwright install --with-deps chromium chromium-headless-shell
+        working-directory: e2e
+
+      # The `local` project is excluded from the default `test` chain (each
+      # scenario boots its own `executor web`). Run just the stdio MCP scenario
+      # here: it is the auto-connect / env-as-secret regression guard, and
+      # running it alone avoids the boot-resource accumulation and the
+      # pre-existing browser flakiness of the rest of the local suite. Expanding
+      # to the full `local` project (bun run test:local) is a follow-up once
+      # those are stabilized.
+      - name: Run the stdio MCP scenario
+        run: bunx vitest run --project local local/stdio-mcp.test.ts
+        working-directory: e2e
+
   desktop-smoke:
     name: Desktop smoke build
     runs-on: ubuntu-latest

apps/local/src/executor.ts

@@ -14,6 +14,7 @@ import {
 } from "@executor-js/sdk";
 import { collectTables } from "@executor-js/api/server";
 import { loadPluginsFromJsonc } from "@executor-js/config";
+import type { McpPluginExtension } from "@executor-js/plugin-mcp";
 
 import executorConfig from "../executor.config";
 import { localDataMigrations } from "./db/data-migrations";
@@ -229,6 +230,26 @@ const createLocalExecutorLayer = (options: LocalExecutorOptions = {}) => {
         }
       }
 
+      // Heal stdio MCP integrations added before auto-connect existed (they
+      // landed with zero connections ⇒ zero tools) and move any legacy inline
+      // env into the secret store. No-op on a fresh install; never fails boot.
+      // Local is the only app that enables stdio, so this only runs here.
+      // oxlint-disable-next-line executor/no-double-cast -- typed boundary: the executor IS its own plugin-extension map (executor[pluginId]) but LocalExecutor doesn't surface per-plugin extensions statically
+      const mcpExtension = (executor as unknown as { readonly mcp?: McpPluginExtension }).mcp;
+      if (mcpExtension) {
+        yield* mcpExtension
+          .reconcileStdioConnections()
+          .pipe(
+            Effect.catch(() =>
+              Effect.sync(() =>
+                console.warn(
+                  "[executor] stdio connection reconcile failed; existing stdio servers may show no tools until re-added",
+                ),
+              ),
+            ),
+          );
+      }
+
       return { executor, plugins };
     }),
   );

e2e/local/fixtures/stdio-mcp-server.mjs

@@ -0,0 +1,104 @@
+// A zero-dependency MCP server over stdio, for the `local` e2e project.
+//
+// The real `@modelcontextprotocol/sdk` stdio server pulls in the whole SDK and
+// is awkward to resolve from an arbitrary spawn cwd under bun's node_modules
+// layout. The MCP stdio framing is just newline-delimited JSON-RPC, so we hand-
+// roll the three methods a tool-discovery + invoke round-trip needs:
+// `initialize`, `tools/list`, `tools/call` (plus `ping`). This keeps the
+// fixture a single self-contained file the executor server can launch as
+// `node <thisfile>` with nothing to install.
+//
+// It exposes one tool, `echo_tool`, and (when EXECUTOR_E2E_SECRET is set in the
+// child env) a second `whoami` tool that returns that env value — so a scenario
+// can prove a per-connection secret env var actually reached the subprocess.
+
+import { createInterface } from "node:readline";
+
+const send = (message) => {
+  process.stdout.write(`${JSON.stringify(message)}\n`);
+};
+
+const TOOLS = [
+  {
+    name: "echo_tool",
+    description: "Echoes the provided text back",
+    inputSchema: {
+      type: "object",
+      properties: { text: { type: "string" } },
+      required: ["text"],
+    },
+  },
+];
+
+if (process.env.EXECUTOR_E2E_SECRET) {
+  TOOLS.push({
+    name: "whoami",
+    description: "Returns the secret env value the server was launched with",
+    inputSchema: { type: "object", properties: {} },
+  });
+}
+
+const handle = (msg) => {
+  if (msg.method === "initialize") {
+    send({
+      jsonrpc: "2.0",
+      id: msg.id,
+      result: {
+        // Echo the client's protocol version so we never fail version
+        // negotiation against whatever SDK build is on the other end.
+        protocolVersion: msg.params?.protocolVersion ?? "2025-06-18",
+        capabilities: { tools: {} },
+        serverInfo: { name: "executor-e2e-stdio", version: "1.0.0" },
+      },
+    });
+    return;
+  }
+
+  // Notifications carry no id and expect no response.
+  if (msg.id === undefined || msg.id === null) return;
+
+  if (msg.method === "ping") {
+    send({ jsonrpc: "2.0", id: msg.id, result: {} });
+    return;
+  }
+
+  if (msg.method === "tools/list") {
+    send({ jsonrpc: "2.0", id: msg.id, result: { tools: TOOLS } });
+    return;
+  }
+
+  if (msg.method === "tools/call") {
+    const name = msg.params?.name;
+    const text =
+      name === "whoami"
+        ? (process.env.EXECUTOR_E2E_SECRET ?? "")
+        : String(msg.params?.arguments?.text ?? "");
+    send({
+      jsonrpc: "2.0",
+      id: msg.id,
+      result: { content: [{ type: "text", text }] },
+    });
+    return;
+  }
+
+  send({
+    jsonrpc: "2.0",
+    id: msg.id,
+    error: { code: -32601, message: `Method not found: ${msg.method}` },
+  });
+};
+
+const rl = createInterface({ input: process.stdin });
+rl.on("line", (line) => {
+  const trimmed = line.trim();
+  if (!trimmed) return;
+  let msg;
+  // oxlint-disable-next-line executor/no-try-catch-or-throw -- standalone zero-dep fixture: hand-rolled JSON-RPC framing, not product code
+  try {
+    // oxlint-disable-next-line executor/no-json-parse -- standalone zero-dep fixture: hand-rolled JSON-RPC framing, not product code
+    msg = JSON.parse(trimmed);
+  } catch {
+    return;
+  }
+  handle(msg);
+});

e2e/local/local-server.ts

@@ -61,7 +61,9 @@ export const withLocalServer = (
             markFocus(runDir, "terminal");
             const snapshot = await term.screen.waitUntil(
               (current) => TOKEN_URL.test(current.text),
-              { timeoutMs: 120_000 },
+              // A cold `executor web` runs vite's optimizeDeps before it prints
+              // the URL; give CI runners headroom over the warm ~3s boot.
+              { timeoutMs: 180_000 },
             );
             const url = TOKEN_URL.exec(snapshot.text)?.[0];
             if (!url) {

e2e/local/stdio-mcp.test.ts

@@ -0,0 +1,145 @@
+// Repro + regression guard for the user report: "On a totally fresh install
+// (no existing data dir) on macOS, Executor does not detect any tools for a
+// STDIO MCP server."
+//
+// `withLocalServer` boots a real `executor web` on a THROWAWAY data dir (the
+// fresh-install condition) and the `local` app is the only surface that enables
+// stdio MCP (`dangerouslyAllowStdioMCP: true`). We add a stdio MCP server over
+// the bearer-authed API and assert its tools are discoverable — and that the
+// secret env it needs is stored on the connection (the secret store), not in
+// the integration's config blob.
+//
+// The original bug: `mcp.addServer` only registered an INTEGRATION. Per the
+// v1.5 integrations/connections split, tools are produced per-CONNECTION, and a
+// stdio add never created one, so the integration landed with zero connections
+// and zero tools. The fix auto-creates the default connection on add and routes
+// the env values into the connection's secret store.
+import { fileURLToPath } from "node:url";
+
+import { expect } from "@effect/vitest";
+import { Effect } from "effect";
+import { HttpApiClient } from "effect/unstable/httpapi";
+import { FetchHttpClient, HttpClient, HttpClientRequest } from "effect/unstable/http";
+import { composePluginApi } from "@executor-js/api/server";
+import { mcpHttpPlugin } from "@executor-js/plugin-mcp/api";
+import { AuthTemplateSlug, ConnectionName, IntegrationSlug } from "@executor-js/sdk/shared";
+
+import { scenario } from "../src/scenario";
+import { Cli, RunDir } from "../src/services";
+import { withLocalServer } from "./local-server";
+
+const api = composePluginApi([mcpHttpPlugin()] as const);
+
+const FIXTURE = fileURLToPath(new URL("./fixtures/stdio-mcp-server.mjs", import.meta.url));
+
+// The fixture exposes `whoami` ONLY when EXECUTOR_E2E_SECRET is present in its
+// process env. So `whoami` showing up in the discovered tools is direct proof
+// the connection's secret env reached the spawned subprocess.
+const SECRET = "s3cr3t-from-the-vault";
+
+scenario(
+  "Local · a stdio MCP server's tools are detected on a fresh install, with env stored as a secret",
+  { timeout: 180_000 },
+  Effect.gen(function* () {
+    const cli = yield* Cli;
+    const runDir = yield* RunDir;
+
+    yield* withLocalServer(cli, runDir, (server) =>
+      Effect.gen(function* () {
+        const client = yield* HttpApiClient.make(api, {
+          baseUrl: new URL("/api", server.origin).toString(),
+          transformClient: HttpClient.mapRequest((request) =>
+            HttpClientRequest.setHeader(request, "authorization", `Bearer ${server.token}`),
+          ),
+        }).pipe(Effect.provide(FetchHttpClient.layer));
+
+        const slug = "e2e-stdio";
+
+        // Add the stdio server exactly as the desktop/local "Add MCP" flow does,
+        // including a secret env var the server needs.
+        yield* client.mcp.addServer({
+          payload: {
+            transport: "stdio",
+            name: "E2E Stdio",
+            command: "node",
+            args: [FIXTURE],
+            env: { EXECUTOR_E2E_SECRET: SECRET },
+            slug,
+          },
+        });
+
+        // The integration lands in the catalog — the add itself works.
+        const integrations = yield* client.integrations.list();
+        expect(
+          integrations.map((i) => String(i.slug)),
+          "the stdio MCP integration is registered",
+        ).toContain(slug);
+
+        // The add auto-creates the default connection (the v1.5 split makes this
+        // the thing that drives tool discovery). Pre-fix there were zero.
+        const connections = yield* client.connections.list({ query: { integration: slug } });
+        expect(
+          connections.map((c) => String(c.name)),
+          "a default connection was auto-created for the stdio server",
+        ).toContain("default");
+
+        // THE SYMPTOM, fixed: the stdio server's tools are detected. `whoami`
+        // appearing proves the connection's secret env reached the subprocess.
+        const tools = yield* client.tools.list({ query: { integration: slug } });
+        const names = tools.map((t) => t.name);
+        expect(names, "the stdio server's base tool is detected").toContain("echo_tool");
+        expect(
+          names,
+          "the secret env var reached the spawned subprocess (whoami is gated on it)",
+        ).toContain("whoami");
+
+        // "Properly store auth": the secret value is NOT in the integration's
+        // config blob — only the var NAME is declared there; the value lives on
+        // the connection (the secret store).
+        const stored = yield* client.mcp.getServer({ params: { slug } });
+        expect(
+          JSON.stringify(stored?.config ?? {}),
+          "the secret value is not persisted in the integration config",
+        ).not.toContain(SECRET);
+
+        // --- The UI path: DECLARE env var names, then provide the secret value
+        // as a connection credential (what the add form now does). ---
+        const declSlug = "e2e-stdio-decl";
+        yield* client.mcp.addServer({
+          payload: {
+            transport: "stdio",
+            name: "E2E Stdio Declared",
+            command: "node",
+            args: [FIXTURE],
+            envVars: ["EXECUTOR_E2E_SECRET"],
+            slug: declSlug,
+          },
+        });
+
+        // Declaring a secret env var (no value) does NOT auto-connect: the
+        // secret is still missing, so there are no tools until you connect.
+        const beforeConns = yield* client.connections.list({ query: { integration: declSlug } });
+        expect(beforeConns, "no connection until the secret is provided").toHaveLength(0);
+        const beforeTools = yield* client.tools.list({ query: { integration: declSlug } });
+        expect(beforeTools, "no tools until the secret is provided").toHaveLength(0);
+
+        // Provide the secret as the connection credential (the connect step).
+        yield* client.connections.create({
+          payload: {
+            owner: "org",
+            name: ConnectionName.make("default"),
+            integration: IntegrationSlug.make(declSlug),
+            template: AuthTemplateSlug.make("env"),
+            values: { EXECUTOR_E2E_SECRET: SECRET },
+          },
+        });
+
+        const declTools = yield* client.tools.list({ query: { integration: declSlug } });
+        expect(
+          declTools.map((t) => t.name),
+          "connecting with the secret discovers the env-gated tool",
+        ).toContain("whoami");
+      }),
+    );
+  }),
+);

e2e/package.json

@@ -10,6 +10,7 @@
     "test:selfhost": "vitest run --project selfhost",
     "test:selfhost-docker": "vitest run --project selfhost-docker",
     "test:cloudflare": "vitest run --project cloudflare",
+    "test:local": "vitest run --project local",
     "test:watch": "vitest",
     "ports": "bun scripts/ports.ts",
     "summary": "bun scripts/summary.ts",

e2e/vitest.config.ts

@@ -79,15 +79,18 @@ export default defineConfig({
       }),
       // The single-user local app. Each scenario launches its OWN `executor
       // web` via the CLI on a throwaway data dir + an OS-assigned port, so
-      // there is no shared instance and scenarios are independent — file
-      // parallelism is ON. No globalSetup (nothing shared to boot). Only
-      // local/** scenarios. Not part of the default `npm run test` chain; run
-      // with `vitest run --project local`.
+      // there is no shared instance and scenarios are independent. Files run
+      // SERIALLY (like every other server-booting project): a cold `executor
+      // web` boot runs vite's optimizeDeps, and several booting at once on a
+      // CI runner thrash hard enough to blow the token-URL wait. Serial lets
+      // the first boot warm the shared vite cache so the rest come up fast. No
+      // globalSetup (nothing shared to boot). Only local/** scenarios. Not part
+      // of the default `npm run test` chain; run with `vitest run --project local`.
       project("local", {
         include: ["local/**/*.test.ts"],
         globalSetup: [],
-        fileParallelism: true,
-        testTimeout: 180_000,
+        fileParallelism: false,
+        testTimeout: 240_000,
       }),
       // The supervised CLI daemon inside a guest VM, one project per OS. The
       // globalsetup provisions a VM, `executor service install`s the daemon, and

packages/core/api/src/integrations/api.ts

@@ -31,7 +31,7 @@ const IntegrationParams = { slug: IntegrationSlug };
 /** Where a credential value is carried — mirrors the SDK's
  *  `AuthPlacementDescriptor`. */
 const PlacementDescriptor = Schema.Struct({
-  carrier: Schema.Literals(["header", "query"]),
+  carrier: Schema.Literals(["header", "query", "env"]),
   name: Schema.String,
   prefix: Schema.String,
   /** Input variable this placement renders from (absent ⇒ `token`). Without

packages/core/sdk/src/integration.ts

@@ -24,10 +24,11 @@ export interface IntegrationDisplayDescriptor {
   readonly url?: string;
 }
 
-/** Where a credential value is carried on the outbound request. Mirrors the
- *  client's `Placement`. */
+/** Where a credential value is carried. `header`/`query` place it on an
+ *  outbound HTTP request (mirrors the client's `Placement`); `env` injects it
+ *  as an environment variable for a stdio (subprocess) integration. */
 export interface AuthPlacementDescriptor {
-  readonly carrier: "header" | "query";
+  readonly carrier: "header" | "query" | "env";
   readonly name: string;
   /** Literal prepended to the value (e.g. `"Bearer "`). Empty when bare. */
   readonly prefix: string;