Skip to content

fix(stacks): update_stack_env defaults to merge-semantic to prevent variable data loss#82

Open
strausmann wants to merge 1 commit into
mainfrom
fix/update-stack-env-merge-semantic
Open

fix(stacks): update_stack_env defaults to merge-semantic to prevent variable data loss#82
strausmann wants to merge 1 commit into
mainfrom
fix/update-stack-env-merge-semantic

Conversation

@strausmann

@strausmann strausmann commented Jun 1, 2026

Copy link
Copy Markdown
Owner

Problem

The Dockhand REST endpoint PUT /api/stacks/{name}/env has replace-semantics: submitting a partial variable list silently deletes all other variables. The update_stack_env MCP tool was passing the payload 1:1 to the API, making every partial update a potential wipe.

Production incident (2026-06-01): Stack hangar-print-hub had 8 variables (tokens for Hangar, Hub, Spoolman, Grocy, Snipe-IT, Webhook API keys). A single-key update_stack_env([{key: "PRINTER_HUB_SSO_TRUST_TOKEN", ...}]) call deleted all other 7 variables → Hangar Admin login 401, all service integrations broken.

Solution

Add a mode parameter to update_stack_env with default "merge":

Mode Behaviour
"merge" (default) GET existing vars → merge by key (new value wins on collision) → PUT full combined list
"replace" PUT only the provided variables — all others are deleted (original behaviour, opt-in only) 
// Safe partial update — only this key changes, all others preserved
update_stack_env(environmentId=1, name="my-stack", variables=[{key: "MY_VAR", value: "new"}])

// Explicit full replacement (opt-in)
update_stack_env(environmentId=1, name="my-stack", variables=[...], mode="replace")

Changes

  • src/tools/stacks.ts — add mode parameter; implement GET→merge→PUT logic in merge path; import StackEnv and EnvVariable types for typed response
  • tests/stack-env-merge.test.ts — 20 new static-analysis tests covering mode parameter, merge path (GET + Map merge + Array.from), replace path, PUT body, description, and type safety
  • tests/stack-env-tools.test.ts — update one existing test that asserted the old direct { variables } PUT body (now correctly checks { variables: finalVariables })
  • README.md — add dedicated section documenting merge vs replace semantics; update stack tool table row

Test results

Tests  266 passed (266)   ← was 265 before this PR (+20 new, -1 updated old)
TypeScript  0 errors
Build  clean

Backwards compatibility

  • Existing callers that omit mode get the new safe merge behaviour automatically.
  • Callers that need the old replace behaviour must explicitly pass mode="replace".
  • The JSON key sent to the Dockhand API remains "variables" — no API contract change.

@strausmann
fix(stacks): update_stack_env defaults to merge-semantic to prevent v…
15d7549 
…ariable data loss

The Dockhand REST endpoint PUT /api/stacks/{name}/env has replace-semantics:
a partial variable list silently deletes all other variables. This caused a
production incident where a single-key update wiped 7 of 8 variables from
the hangar-print-hub stack (2026-06-01).

Changes:
- Add `mode` parameter (enum: "merge" | "replace", default: "merge")
- In merge mode: GET existing vars → merge by key (new wins) → PUT full list
- In replace mode: PUT only the provided variables (original behaviour)
- Import StackEnv and EnvVariable types for typed GET response
- Update tool description to document the replace-semantics risk and opt-in
- Update README with a dedicated section explaining merge vs replace
- Add 20 new static-analysis tests in tests/stack-env-merge.test.ts
- Update existing test in stack-env-tools.test.ts that asserted the old
  direct-pass { variables } body (now correctly asserts { variables: finalVariables })
Copilot AI review requested due to automatic review settings June 1, 2026 15:13
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 1, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces merge-by-default semantics to the update_stack_env tool to prevent accidental data loss during partial environment variable updates, while adding an optional mode parameter to allow explicit replacements. It also documents these changes in the README and adds static analysis tests. The review feedback highlights a critical security risk where the isSecret flag could be unintentionally overwritten and lost during a merge, as well as a potential runtime error if the API returns malformed data. Additionally, the reviewer suggests updating the static analysis tests to accommodate the security fix and recommends implementing real functional tests to replace the fragile regex-based static analysis.

Comment thread src/tools/stacks.ts
Comment on lines +152 to +169
let finalVariables: EnvVariable[];

if (mode === 'merge') {
const existing = await client.get<StackEnv>(
`/api/stacks/${encodePath(name)}/env`,
{ env: environmentId },
);
const existingVars: EnvVariable[] = existing?.variables ?? [];
const mergedByKey = new Map<string, EnvVariable>(
existingVars.map((v) => [v.key, v]),
);
for (const v of variables) {
mergedByKey.set(v.key, v);
}
finalVariables = Array.from(mergedByKey.values());
} else {
finalVariables = variables;
}

@gemini-code-assist gemini-code-assist Bot Jun 1, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

There are two key issues with the current merge implementation:

  1. Security / Secret Exposure Risk (High Severity): If an existing variable is flagged as a secret (isSecret: true), and a partial update is performed on it without explicitly passing isSecret: true (since it is optional in the schema), the existing isSecret flag will be overwritten with undefined. This causes the variable to lose its secret status and potentially be written to the .env file in plain text. Preserving the existing isSecret flag unless explicitly overridden is a crucial security safeguard.
  2. Defensive Programming (Medium Severity): If the API returns an unexpected response or if variables is not an array (e.g., null), existingVars.map will throw a runtime TypeError. Checking Array.isArray(existingVars) and filtering out any malformed entries prevents potential crashes.
      let finalVariables: EnvVariable[];

      if (mode === 'merge') {
        const existing = await client.get<StackEnv>(
          `/api/stacks/${encodePath(name)}/env`,
          { env: environmentId },
        );
        const existingVars = existing?.variables;
        const mergedByKey = new Map<string, EnvVariable>();

        if (Array.isArray(existingVars)) {
          for (const v of existingVars) {
            if (v && typeof v.key === 'string') {
              mergedByKey.set(v.key, v);
            }
          }
        }

        for (const v of variables) {
          const existingVar = mergedByKey.get(v.key);
          mergedByKey.set(v.key, {
            ...v,
            isSecret: v.isSecret !== undefined ? v.isSecret : existingVar?.isSecret,
          });
        }
        finalVariables = Array.from(mergedByKey.values());
      } else {
        finalVariables = variables;
      }

Comment thread tests/stack-env-merge.test.ts
Comment on lines +84 to +87
it('iterates over incoming variables and sets them in the Map', () => {
// mergedByKey.set(v.key, v) pattern
expect(block).toMatch(/mergedByKey\.set\s*\(\s*v\.key\s*,\s*v\s*\)/);
});

@gemini-code-assist gemini-code-assist Bot Jun 1, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Since we updated the merge implementation to safely preserve the isSecret flag, the regex in this test needs to be updated to be more flexible (matching just the key setting rather than expecting exactly v as the second argument).

Additionally, please note that static analysis tests (reading the source file and matching regexes) are highly fragile to refactoring, formatting, and variable name changes, and they do not verify actual runtime behavior (such as correct merging of properties or handling of edge cases). It is highly recommended to add real functional/unit tests using a mocked client to verify the actual runtime behavior of the tool.

Suggested change
it('iterates over incoming variables and sets them in the Map', () => {
// mergedByKey.set(v.key, v) pattern
expect(block).toMatch(/mergedByKey\.set\s*\(\s*v\.key\s*,\s*v\s*\)/);
});
it('iterates over incoming variables and sets them in the Map', () => {
// mergedByKey.set(v.key, ...) pattern
expect(block).toMatch(/mergedByKey\.set\s*\(\s*v\.key\s*,/);
});

Copilot AI reviewed Jun 1, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR makes update_stack_env safe for partial updates by defaulting to merge semantics (GET existing env vars → merge by key → PUT full list), with an explicit mode="replace" opt-in for the old replace behavior. This change reduces the risk of accidentally deleting unrelated stack environment variables when updating only a subset.

Changes:

  • Added mode parameter to update_stack_env (default "merge") and implemented GET→merge→PUT behavior in src/tools/stacks.ts.
  • Added static-analysis tests covering merge/replace behavior and updated an existing test to reflect the new PUT body shape.
  • Documented merge vs replace semantics in the README and updated the stacks tool table entry.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File Description
src/tools/stacks.ts Adds mode param and implements merge-default logic for update_stack_env.
tests/stack-env-merge.test.ts New static-analysis tests to verify merge/replace implementation and type usage.
tests/stack-env-tools.test.ts Updates assertion to expect { variables: finalVariables } in the PUT body.
README.md Documents merge-default behavior and adds usage examples for merge vs replace.

Comment thread src/tools/stacks.ts
Comment on lines +163 to +165
for (const v of variables) {
mergedByKey.set(v.key, v);
}
Comment thread tests/stack-env-merge.test.ts
Comment on lines +8 to +12
*
* See: https://github.com/strausmann/mcp-dockhand/issues/<issue>
* Incident: hangar-print-hub stack (2026-06-01), 7 of 8 variables deleted by
* a single-key update_stack_env call.
*/
Comment thread README.md
Comment on lines +379 to +380
# Safe partial update — only PRINTER_HUB_SSO_TRUST_TOKEN changes, all others preserved
update_stack_env(environmentId=1, name="my-stack", variables=[{key: "MY_VAR", value: "new"}])
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@strausmann