feat: add safe application env upsert tool #56

Open
agentHits wants to merge 1 commit into Dokploy:main from agentHits:feat/application-env-upsert

agentHits commented Jul 2, 2026

Summary

Status: ready for review, blocked for merge.

Please review the MCP implementation now, but do not merge until
Dokploy/dokploy#4581 lands or maintainers confirm the final
/application.env.upsert API/OpenAPI shape.

Adds dependent MCP support for the safe application environment variable upsert API from Dokploy core.

This PR exposes application-env-upsert for POST /application.env.upsert so MCP clients can send only the variables they need to add or update, without reading or reconstructing the full current application env block.

Closes #55.
Refs Dokploy/dokploy#4525.
Depends on Dokploy/dokploy#4581.

Dependency / Merge Gate

/application.env.upsert is not present in the published Dokploy OpenAPI yet. This PR is ready for review, but should not merge until Dokploy/dokploy#4581 lands or maintainers confirm the final API/OpenAPI shape.

The core issue and implementation were opened by @agentHits. Review from Dokploy maintainers, including @Siumauricio if this API surface is in scope, would help confirm when the MCP side can be safely promoted.

What Changed

  • Added /application.env.upsert to src/generated/openapi.json.
  • Regenerated src/generated/tools.ts and TOOLS.md, increasing the tool count from 524 to 525.
  • Updated the tool generator to preserve OpenAPI propertyNames.pattern + minProperties for string record schemas.
  • Added a handler redaction guard so submitted env variable values are redacted in logs for this tool even when global env redaction is disabled.
  • Added regression tests for tool exposure, schema constraints, call routing, no full env replacement fallback, and no raw submitted value in MCP output/logs.

Safety Notes

  • No client-side full env read/replace is introduced.
  • No fallback to application.saveEnvironment is used.
  • The MCP response remains metadata-only in tests.
  • Submitted env values are still forwarded to Dokploy, but are redacted from MCP logs for this tool.

Checks

  • corepack pnpm exec vitest run src/server.test.ts --reporter=verbose
  • corepack pnpm run lint (passes with existing src/utils/responseFormatter.ts warning)
  • corepack pnpm run type-check
  • corepack pnpm run test
  • corepack pnpm run build
  • git diff --check

Independent Agent Flow QA also re-ran targeted Vitest, type-check, and diff check with no blockers.

Not Verified

  • Live Dokploy backend call was not exercised.
  • Final published OpenAPI sync is blocked until the core PR is merged or the API is confirmed stable.

What:
- Added the generated MCP `application-env-upsert` tool for `POST /application.env.upsert`.
- Added OpenAPI pattern-record support to the generator so MCP validates env variable names and non-empty `variables`.
- Added handler log redaction for submitted env values on the new tool and regression tests for safe routing.
Why:
- MCP clients can send only the requested application env variables without client-side full env read/replace.
- This reduces the risk of deleting or exposing existing secrets during MCP automation.
Risks:
- The endpoint still depends on Dokploy core PR #4581 and is not present in the published OpenAPI yet.
- Live Dokploy backend was not exercised.
Checks:
- Commands and results: `corepack pnpm exec vitest run src/server.test.ts --reporter=verbose` passed, 1 file / 6 tests; `corepack pnpm run lint` passed with existing `src/utils/responseFormatter.ts` warning; `corepack pnpm run type-check` passed; `corepack pnpm run test` passed, 3 files / 27 tests; `corepack pnpm run build` passed; `git diff --check` passed.
- Limitations: live Dokploy backend and final core OpenAPI sync were not verified because core PR #4581 is still open.
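
A sketch of the two behaviours the description lists, record validation derived from `propertyNames.pattern` + `minProperties` and per-tool log redaction that applies even when global redaction is off. It is an added example, not code from this PR; the name pattern, the `applicationId` field, the `[REDACTED]` marker and all function names are assumptions.

```typescript
// Added illustration; not code from the PR. Schema values below are assumptions.
type RecordSchema = { propertyNamesPattern: string; minProperties: number };
type UpsertArgs = { applicationId: string; variables: Record<string, string> };

// Assumed constraint: POSIX-style env names, at least one entry.
const ENV_SCHEMA: RecordSchema = {
  propertyNamesPattern: "^[A-Za-z_][A-Za-z0-9_]*$",
  minProperties: 1,
};

// Tools whose submitted values are always redacted, whatever the global flag says.
const ALWAYS_REDACT = new Set<string>(["application-env-upsert"]);

// Returns a list of violations; an empty list means the record is acceptable.
function validateRecord(rec: Record<string, string>, schema: RecordSchema): string[] {
  const errors: string[] = [];
  const names = Object.keys(rec);
  if (names.length < schema.minProperties) {
    errors.push(`variables needs at least ${schema.minProperties} entry`);
  }
  const pattern = new RegExp(schema.propertyNamesPattern);
  for (const name of names) {
    // JSON.stringify escapes control characters so a bad name cannot forge log lines.
    if (!pattern.test(name)) errors.push(`invalid variable name: ${JSON.stringify(name)}`);
  }
  return errors;
}

// Builds the object that may be logged: names kept, values replaced.
// The original args object is left untouched so it can still be forwarded upstream.
function redactForLog(tool: string, args: UpsertArgs, globalRedaction: boolean): UpsertArgs {
  if (!globalRedaction && !ALWAYS_REDACT.has(tool)) return args;
  const variables: Record<string, string> = {};
  for (const name of Object.keys(args.variables)) variables[name] = "[REDACTED]";
  return { ...args, variables };
}

// Constructed sample call; the values are made up for this example.
const sample: UpsertArgs = {
  applicationId: "app-123",
  variables: { DATABASE_URL: "postgres://u:s3cret@db/app", API_KEY: "k-constructed" },
};
```
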