Summary
Live MCP scans launch subprocesses from .mcp.json, but ScanConfig has no --env-file option to inject secrets (SSO tokens, API keys) into the child process environment. In multi-server MCP repositories, the bridge exits before the MCP handshake when credentials exist locally in .env but aren't passed to MCTS, producing a generic startup failure (E8) with no --env-file workaround.
Problem
MCP client configs reference env vars:
    {
      "mcpServers": {
        "ifd-bridge": {
          "command": "python",
          "args": ["-m", "ifd_backend.bridge", "--sso-env", "prod"],
          "env": {"SSO_PROFILE": "prod"}
        }
      }
    }
The bridge also reads ADMIN_API_TOKEN, SSO_SECRET, etc. from the process environment; these are not committed to the repo.
| Secret location | Available to subprocess today |
|---|---|
| Shell export before mcts scan | ✅ If user exports manually |
| .env file in repo | ❌ Not loaded by MCTS |
| .mcp.json env block | ✅ Static keys only (no secrets in VCS) |
| CI secret store | ❌ No --env-file bridge |
Proposed solution
Add --env-file / --secret-file for subprocess launch.
Acceptance Criteria
--env-file .env injects vars into live subprocess
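One way the proposed --env-file could build the child environment, as an added example that is not MCTS code. The names parse_env_file, build_child_env and launch are hypothetical, and the precedence (parent environment, then env file, then the static .mcp.json env block) is an assumption.

```python
import os
import subprocess


def parse_env_file(text):
    """Parse KEY=VALUE lines; skip blanks and comments, accept 'export ' and quotes."""
    env = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):].lstrip()
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if not sep or not key.isidentifier():
            # Report only the line number so a malformed secret never reaches logs.
            raise ValueError(f"env file line {n}: expected KEY=VALUE")
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key] = value
    return env


def build_child_env(server_cfg, env_file_vars, base_env=None):
    """Assumed precedence: parent env < env file < static .mcp.json env block."""
    child = dict(os.environ if base_env is None else base_env)
    child.update(env_file_vars)
    child.update(server_cfg.get("env", {}))
    return child


def launch(server_cfg, env_file_path):
    """Run one mcpServers entry with secrets in the child's environment only, not argv."""
    with open(env_file_path, encoding="utf-8") as fh:
        secrets = parse_env_file(fh.read())
    return subprocess.run(
        [server_cfg["command"], *server_cfg.get("args", [])],
        env=build_child_env(server_cfg, secrets),
        capture_output=True, text=True, timeout=30,
    )


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = "export ADMIN_API_TOKEN='tok-123'\nSSO_PROFILE=dev\n"
    cfg = {"env": {"SSO_PROFILE": "prod"}}
    merged = build_child_env(cfg, parse_env_file(sample), base_env={})
    print(sorted(merged), merged["SSO_PROFILE"])  # variable names and the non-secret profile only
```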