security: Neon MCP leak fix + Codex MCP config + docs by shadowdevcode · Pull Request #15 · shadowdevcode/ai-product-os

shadowdevcode · 2026-04-04T10:31:07Z

Summary

Security: Remove committed Neon API key from .mcp.json; gitignore local .mcp.json; add .mcp.json.example (see CHANGELOG).
Codex: Add project-scoped .codex/config.toml with Neon HTTP MCP via NEON_API_KEY env var (no secrets in repo).
Docs: CHANGELOG entries for security + Codex; project-state + Linear sync map updated for review.

Linear

VIJ-11 (root issue-009): Done in Linear (verified 2026-04-04).
Last Linear sync in experiments/linear-sync/issue-009.json remains phase-1-rollout-closeout (2026-04-04). These commits are repo/dev-env hygiene and do not change MoneyMirror delivery milestones—no separate Linear issue required unless you want a chore ticket.

Reviewer checklist

Revoke leaked Neon key in Neon Console if not already done; use new key only in env / gitignored files.
Confirm export NEON_API_KEY=... for Codex; copy .mcp.json.example → .mcp.json for Cursor/Claude if needed.

Made with Cursor

- Replace tracked .mcp.json with .mcp.json.example (placeholder only) - Ignore .mcp.json locally; document Neon revoke + safe Cursor setup in CHANGELOG Made-with: Cursor

- Add .codex/config.toml with streamable HTTP Neon MCP (bearer from env) - Document setup and Cursor/Claude vs Codex in CHANGELOG Made-with: Cursor

vercel · 2026-04-04T10:31:12Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
ai-product-os-493e	Ready	Preview, Comment	Apr 4, 2026 10:32am

- Point open_pr_link to PR #15; last_commit dced451 - Decisions log: MCP/Codex repo hygiene; Linear unchanged for milestone - CHANGELOG: PR prep + Linear verification note - issue-009.json: pr_link -> PR 15 Made-with: Cursor

Made-with: Cursor

github-actions · 2026-04-04T10:32:05Z

PR Risk Assessment

Risk level: Low

Reason: Changes are scoped to developer tooling config (.codex/config.toml using env var, not hardcoded secret), .gitignore update, .mcp.json key rotation to placeholder, and CHANGELOG docs. No production code, auth logic, shared services, or schema changes touched.

Action taken: Auto-approve warranted (low risk) — blocked by GitHub Actions permission restriction; manual approval recommended.

github-actions · 2026-04-04T10:33:51Z

PR Risk Assessment

Risk level: Very Low

Reason: All changes are security remediation (leaked Neon key removed from .mcp.json, replaced with placeholder in renamed .mcp.json.example, .gitignore hardened), dev tooling config (.codex/config.toml using bearer_token_env_var, no secrets committed), and docs/state metadata updates (CHANGELOG.md, project-state.md, experiments/linear-sync/issue-009.json). No production code, auth logic, API routes, schemas, or shared libraries modified.

Action taken: Approved (auto-approval blocked by GitHub Actions restriction — manual approval required from a human reviewer)

github-actions · 2026-04-04T10:34:25Z

PR Risk Assessment

Risk level: Low

Reason: No production application code changed. Changes are a security fix (leaked Neon key redacted in .mcp.json.example + gitignored), a new dev tooling config (.codex/config.toml using bearer_token_env_var, no secrets), and docs/metadata housekeeping in CHANGELOG.md, project-state.md, and experiments/linear-sync/issue-009.json.

Action taken: Auto-approve attempted — blocked by GitHub Actions platform restriction (Actions cannot approve PRs). Manual approval recommended: low risk, no reviewer required.

shadowdevcode added 2 commits April 4, 2026 14:02

security: remove Neon MCP key from repo, gitignore .mcp.json

9f483ed

- Replace tracked .mcp.json with .mcp.json.example (placeholder only) - Ignore .mcp.json locally; document Neon revoke + safe Cursor setup in CHANGELOG Made-with: Cursor

chore(codex): add project MCP config for Neon via NEON_API_KEY

dced451

- Add .codex/config.toml with streamable HTTP Neon MCP (bearer from env) - Document setup and Cursor/Claude vs Codex in CHANGELOG Made-with: Cursor

vercel bot deployed to Preview April 4, 2026 10:31 View deployment

shadowdevcode added 2 commits April 4, 2026 16:01

docs: PR #15, project-state, Linear map for MCP hygiene

44eb797

- Point open_pr_link to PR #15; last_commit dced451 - Decisions log: MCP/Codex repo hygiene; Linear unchanged for milestone - CHANGELOG: PR prep + Linear verification note - issue-009.json: pr_link -> PR 15 Made-with: Cursor

docs(project-state): last_commit 44eb797

5076a58

Made-with: Cursor

vercel bot deployed to Preview April 4, 2026 10:32 View deployment

shadowdevcode merged commit a49e731 into main Apr 4, 2026
3 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

security: Neon MCP leak fix + Codex MCP config + docs#15

security: Neon MCP leak fix + Codex MCP config + docs#15
shadowdevcode merged 4 commits intomainfrom
feat/linear-workflow-sync

shadowdevcode commented Apr 4, 2026

Uh oh!

vercel bot commented Apr 4, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 4, 2026

Uh oh!

github-actions bot commented Apr 4, 2026

Uh oh!

github-actions bot commented Apr 4, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

shadowdevcode commented Apr 4, 2026

Summary

Linear

Reviewer checklist

Uh oh!

vercel bot commented Apr 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Apr 4, 2026

Uh oh!

github-actions bot commented Apr 4, 2026

Uh oh!

github-actions bot commented Apr 4, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

vercel bot commented Apr 4, 2026 •

edited

Loading