fix: show all env vars for basic auth in mcp details and install page

[simplesagar]

Summary

• Fixes the MCP details page to show separate editable entries for each environment variable in a security scheme (e.g., username and password for basic auth)
• Fixes the install page to use per-env-var display names from the headerDisplayNames map

Changes

Frontend (client/dashboard/src/pages/mcp/MCPDetails.tsx)

• The AuthorizationHeadersSection now flattens security variables to create one row per environment variable
• This handles cases like basic auth where one securityVariable has multiple envVariables (username + password)
• Each env var can now have its own custom display name

Backend (server/internal/mcpmetadata/impl.go)

• collectEnvironmentVariables now accepts a headerDisplayNames map parameter
• Display names are looked up per-env-var from the metadata, not from the security variable level
• This ensures the install page shows the correct custom display names for each credential

Test plan

• Create an MCP server with basic auth (username + password)
• Verify the MCP details page shows two separate entries: one for username, one for password
• Edit each display name and verify they save independently
• Verify the install page shows the correct display names for both username and password

🤖 Generated with Claude Code

---

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
gram	Ready	Preview, Comment	Jan 23, 2026 0:15am
gram-docs-redirect	Ready	Preview, Comment	Jan 23, 2026 0:15am

[changeset-bot]

🦋 Changeset detected

Latest commit: d90e6e0

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages

Name	Type
dashboard	Patch
server	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[devin-ai-integration]

Devin Review found 1 potential issue.

View issue and 5 additional flags in Devin Review.

[speakeasybot]

🚀 Preview Environment (PR #1337)

Preview URL: https://pr-1337.test.getgram.ai

Component	Status	Details	Updated (UTC)
✅ Database	Ready	Existing database reused	2026-01-23 00:18:42.
✅ Images	Available	Container images ready	2026-01-23 00:18:25.

_{Gram Preview Bot}

[devin-ai-integration]

Devin Review found 1 new potential issue.

🔴 1 issue in files not directly in the diff

🔴 Key mismatch between frontend saving display names and backend reading them for toolset security variables (server/internal/mv/toolset.go:1011)

There is an inconsistency in how header display names are keyed when saving vs. reading:

1. Frontend saves (MCPDetails.tsx:698, 707): Uses entry.envVar (environment variable name like X_API_KEY) as the securityKey when calling handleEditSave(entry.envVar)

2. Server mcpmetadata/impl.go:656 correctly looks up display names by envVar:

if customName, ok := headerDisplayNames[envVar]; ok && customName != "" {

3. Server mv/toolset.go:1011 incorrectly looks up display names by entry.Name.String (the header name, NOT the env var):

if dn, ok := headerDisplayNames[entry.Name.String]; ok && dn != "" {

The mv/toolset.go code populates securityVariables in the toolset API response, which is used by useMcpConfigs (MCPDetails.tsx:845) to generate MCP config JSON via secVar.displayName. Since the lookup uses the wrong key, custom display names will NOT appear in the generated MCP configuration JSON that users copy to set up their MCP clients.

Impact: Custom display names work correctly on the hosted install page (which uses collectEnvironmentVariables), but fail to appear in the MCP JSON configuration shown in the dashboard and used by useMcpConfigs.

Recommendation: Change line 1011 in mv/toolset.go to look up display names by environment variable names instead of entry.Name.String. Iterate through entry.EnvVariables to find matching display names, similar to how collectEnvironmentVariables in mcpmetadata/impl.go does it.

View issue and 10 additional flags in Devin Review.