Security
-
No cross-server credential bleed. The gateway loads every PMCP-stored
credential into its ownos.environ, and the subprocess-spawn paths copied
that whole environment — so each downstream MCP server received every other
server's credentials (e.g.@brightdata/mcpgot the OpenAI key). Downstream
subprocesses now inherit the gateway environment minus PMCP-managed secret
keys (the keys in the userpmcp.env+ project.env.pmcpstores), then get
only their own resolved credential re-applied. This covers both the server
spawn (_connect_stdio) and the paths that execute a server's package code
(start_install/install_server, and theupdate_server/verify_installation
--helpprobes). Non-secret ambient vars (PATH/HOME/NODE_*/proxy/locale)
are preserved. (#96)Scope: only PMCP-managed secrets are stripped — not secrets the operator
exported into the shell or a plain.env. Behavior change: a server that
relied on ambient inheritance of a secret it does not declare (no config
envblock, no manifest credential) no longer receives it. Follow-ups tracked
in #96: sanitizing the trusted-CLI probes as defense-in-depth, and the durable
fix of not loading secrets into the globalos.environat all.