fix(core): ignore project MCP server settings

BunsDev · web-flow · commit de881b7b9f5b · 2026-06-02T18:54:40.000-05:00
Ignore project-local MCP server definitions before hierarchical settings merge while preserving trusted global MCP server settings, including per-project MCP servers, during field-wise project settings merges.
diff --git a/src-rust/crates/core/src/lib.rs b/src-rust/crates/core/src/lib.rs
@@ -1606,13 +1606,14 @@ pub mod config {
         }
 
         /// Load settings from all config levels and merge them.
-        /// Priority: project > global.
+        /// Priority: project > global, except project-local executable MCP
+        /// server definitions are ignored before merging.
         pub async fn load_hierarchical(cwd: &std::path::Path) -> Self {
             // 1. Load global settings.
             let mut merged = Self::load().await.unwrap_or_default();
-            // 2. Find and merge project settings (project wins).
+            // 2. Find and merge project settings (safe project fields win).
             if let Some(project_settings) = Self::find_project_settings(cwd).await {
-                merged = Self::merge(merged, project_settings);
+                merged = Self::merge(merged, Self::sanitize_project_settings(project_settings));
             }
             merged
         }
@@ -1645,6 +1646,21 @@ pub mod config {
             None
         }
 
+        /// Remove project-local settings that can execute commands during startup.
+        ///
+        /// Repository settings are untrusted until the user explicitly chooses to
+        /// trust a project. Keep non-executable project preferences, but never let a
+        /// repository contribute MCP server definitions that are auto-connected at
+        /// startup.
+        fn sanitize_project_settings(mut settings: Self) -> Self {
+            settings.config.mcp_servers.clear();
+            settings.config.enable_all_mcp_servers = false;
+            for project in settings.projects.values_mut() {
+                project.mcp_servers.clear();
+            }
+            settings
+        }
+
         /// Merge two settings with `override_settings` taking priority.
         /// Simple strategy: override wins for all scalar fields; Vecs are
         /// concatenated (deduped); HashMaps are merged (override wins on collision).
@@ -1657,6 +1673,28 @@ pub mod config {
                 for (k, v) in over { base.insert(k, v); }
                 base
             }
+            fn merge_project_settings(
+                mut base: HashMap<String, ProjectSettings>,
+                over: HashMap<String, ProjectSettings>,
+            ) -> HashMap<String, ProjectSettings> {
+                for (key, project) in over {
+                    match base.get_mut(&key) {
+                        Some(existing) => {
+                            existing.allowed_tools.extend(project.allowed_tools);
+                            existing.allowed_tools.dedup();
+                            existing.custom_system_prompt =
+                                project.custom_system_prompt.or(existing.custom_system_prompt.take());
+                            // Keep trusted global per-project MCP servers. Project settings are
+                            // sanitized before this merge, so repo-provided MCP servers are empty
+                            // and must not erase trusted global entries.
+                        }
+                        None => {
+                            base.insert(key, project);
+                        }
+                    }
+                }
+                base
+            }
             // Merge the embedded Config structs.
             let merged_config = Config {
                 api_key: over.config.api_key.or(base.config.api_key),
@@ -1710,7 +1748,7 @@ pub mod config {
             Self {
                 config: merged_config,
                 version: over.version.or(base.version),
-                projects: merge_map(base.projects, over.projects),
+                projects: merge_project_settings(base.projects, over.projects),
                 remote_control_at_startup: over.remote_control_at_startup || base.remote_control_at_startup,
                 permission_rules: { let mut v = base.permission_rules; v.extend(over.permission_rules); v },
                 enabled_plugins: { let mut s = base.enabled_plugins; s.extend(over.enabled_plugins); s },
@@ -1818,6 +1856,86 @@ pub mod config {
         }
         result
     }
+
+    #[cfg(test)]
+    mod tests {
+        use super::*;
+
+        #[test]
+        fn project_settings_do_not_merge_mcp_servers() {
+            let global = Settings {
+                config: Config {
+                    mcp_servers: vec![McpServerConfig {
+                        name: "global".to_string(),
+                        command: Some("trusted-command".to_string()),
+                        args: vec!["--global".to_string()],
+                        env: HashMap::new(),
+                        url: None,
+                        server_type: "stdio".to_string(),
+                    }],
+                    enable_all_mcp_servers: true,
+                    ..Default::default()
+                },
+                projects: HashMap::from([(
+                    "repo".to_string(),
+                    ProjectSettings {
+                        allowed_tools: Vec::new(),
+                        mcp_servers: vec![McpServerConfig {
+                            name: "trusted-project".to_string(),
+                            command: Some("trusted-project-command".to_string()),
+                            args: Vec::new(),
+                            env: HashMap::new(),
+                            url: None,
+                            server_type: "stdio".to_string(),
+                        }],
+                        custom_system_prompt: None,
+                    },
+                )]),
+                ..Default::default()
+            };
+
+            let project = Settings {
+                config: Config {
+                    model: Some("project-model".to_string()),
+                    mcp_servers: vec![McpServerConfig {
+                        name: "project".to_string(),
+                        command: Some("sh".to_string()),
+                        args: vec!["-c".to_string(), "payload".to_string()],
+                        env: HashMap::from([("STEAL_ME".to_string(), "secret".to_string())]),
+                        url: None,
+                        server_type: "stdio".to_string(),
+                    }],
+                    enable_all_mcp_servers: true,
+                    ..Default::default()
+                },
+                projects: HashMap::from([(
+                    "repo".to_string(),
+                    ProjectSettings {
+                        allowed_tools: Vec::new(),
+                        mcp_servers: vec![McpServerConfig {
+                            name: "legacy-project".to_string(),
+                            command: Some("sh".to_string()),
+                            args: vec!["-c".to_string(), "payload".to_string()],
+                            env: HashMap::new(),
+                            url: None,
+                            server_type: "stdio".to_string(),
+                        }],
+                        custom_system_prompt: None,
+                    },
+                )]),
+                ..Default::default()
+            };
+
+            let merged = Settings::merge(global, Settings::sanitize_project_settings(project));
+
+            assert_eq!(merged.config.model.as_deref(), Some("project-model"));
+            assert_eq!(merged.config.mcp_servers.len(), 1);
+            assert_eq!(merged.config.mcp_servers[0].name, "global");
+            assert!(merged.config.enable_all_mcp_servers);
+            assert_eq!(merged.projects["repo"].mcp_servers.len(), 1);
+            assert_eq!(merged.projects["repo"].mcp_servers[0].name, "trusted-project");
+        }
+    }
 }
 
 // ---------------------------------------------------------------------------
