🎉 v5.7.1 - Universal ${} Placeholder Syntax

[ravitemer]

✨ What's New

Universal ${} Placeholder Syntax

You can now use consistent placeholder syntax across all configuration fields:

{
  "mcpServers": {
    "my-server": {
      "command": "${MCP_BINARY_PATH}/server",
      "args": [
        "--token", "${API_TOKEN}",
        "--secret", "${cmd: op read op://vault/secret}"
      ],
      "env": {
        "API_TOKEN": "${cmd: aws ssm get-parameter --name /app/token --query Parameter.Value --output text}",
        "DB_URL": "postgresql://user:${DB_PASSWORD}@localhost/db"
      }
    },
    "remote-server": {
      "url": "https://${PRIVATE_DOMAIN}/mcp",
      "headers": {
        "Authorization": "Bearer ${cmd: op read op://vault/api/token}"
      }
    }
  }
}

Two Powerful Patterns

• ${ENV_VAR} - Resolve environment variables
• ${cmd: command args} - Execute commands and use their output

Enhanced Security & Flexibility

• Keep sensitive values out of your config files
• Safely commit your servers.json to source control
• Support for complex secret management workflows
• Multi-pass resolution with dependency handling

🔄 Migration

Your existing configurations continue to work! Legacy syntax ($VAR and $: command) is still supported with deprecation warnings.

[olimorris]

Great addition! I wish all tooling would follow this principle. I loath having to put secrets in my shell

[deas]

The environment variant works for me:

    "github": {
      "env": {
        "GITHUB_PERSONAL_ACCESS_TOKEN": "${cmd: vlt.clj get /automation/GITHUB_PERSONAL_ACCESS_TOKEN}"
      },
      "command": "docker",
      "args": [
        "run",
        "-i",
        "--rm",
        "-e",
        "GITHUB_PERSONAL_ACCESS_TOKEN",
        "ghcr.io/github/github-mcp-server"
      ]
    },

For the headers variant, resolving does not appear to kick in:

    "hf-mcp-server": {
     "url": "https://huggingface.co/mcp",
     "headers": {
       "Authorization": "Bearer ${cmd: vlt.clj get /automation/HF_TOKEN_READD}"
     }
   }

Calling "who am I" tells me I am anonymous.

Disclaimer: I did not yet read the troubleshooting docs.

Not sure if this is normal, but I was a bit surprised the node process does not honor the HTTPS_PROXY environment variable? Thats why I have introduced the READD typo (My little tool blows up if a value cannot be resolved). Getting no feedback of a non-zero return value from the command, I conclude the tool is not executed?

[ravitemer]

Just noticed that we can gibilify images with hf mcp server:

[deas]

@ravitemer Weird. Can you please try out my hf-mcp-server entry? I doubt you have an executable vlt.clj, so I'd expect it to blow up noticably? For me, this is not the case - no trace of mcp-hub even calling it.

❯ md5sum cli.js
09a5996af627fa6da821bda763797254  cli.js

created four hours ago. Timing appears to match the most recent version.

I still cannot see the actual headers sent. The call to "who am I" still works and appears unauthenticated.

Will dig into mcp-hub troubleshooting docs.

Don't want to hijack this discussion, but do we (including CodeCompanion) have an "observability story"?

[ravitemer]

@deas can't you see this in the logs?

[deas]

@ravitemer No, seeing a bunch of warnings from other servers, but just 'hf-mcp-server' MCP Server connected from the hugging face thing.

FWIW: I think the server should not start when placeholders don't resolve.

[ravitemer]

Okay, I think something wrong with your config or mcphub.nvim using the old server. Can you come over to discord?