feat: add Mercury MCP Integration Security & Architecture Guide#203
Conversation
- Introduced a comprehensive guide detailing the architecture and security measures for Mercury MCP integration. - Included structural diagrams, end-to-end architecture, OAuth flow, permission enforcement, and data handling protocols. - Documented key architectural invariants and tool naming conventions for clarity in implementation.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
There was a problem hiding this comment.
Your trial has ended. Reactivate Greptile to resume code reviews.
WalkthroughAdded a 260-line security and architecture guide for Mercury integration through Composio and MergeDev, covering authorization, permissions, read-only capabilities, data handling, auditing, revocation, and known security gaps. ChangesMercury MCP Integration Guide
Estimated code review effort: 2 (Simple) | ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 5
🧹 Nitpick comments (1)
supercode-mercury.md (1)
9-9: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winAdd language identifiers to fenced code blocks.
The four diagram/flow fences trigger markdownlint MD040. Use
text(or another appropriate language) after each opening fence.Also applies to: 50-50, 76-76, 120-120
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@supercode-mercury.md` at line 9, Update the four diagram/flow fenced code blocks in supercode-mercury.md, including the referenced locations, by adding a language identifier such as text to each opening fence. Preserve the existing diagram contents and formatting.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@supercode-mercury.md`:
- Around line 224-228: Correct the Mercury disconnect documentation around
resetSession() so it describes only clearing the local Composio session, not
revoking access. Document the actual remote account/session teardown path, and
update the disconnect flow to perform remote teardown when disconnect is
intended to revoke access, while preserving local reset behavior.
- Around line 161-167: Update the connected-account retrieval in the server flow
around connectedAccounts.list to pass the authenticated user’s identifier as
Composio’s user filter, and retain only that user’s ACTIVE accounts when
building the session. Ensure the documentation’s per-user isolation claim
matches the filtered runtime behavior.
- Around line 157-160: Update the “What Supercode Persists (Mercury-Related)”
section to replace “Nothing” with the actual Mercury-derived data retained in
conversation/message rows and MergeDev audit logs. Identify the retained fields,
storage locations, and applicable retention or redaction rules, while preserving
the statement that no Mercury-specific PostgreSQL tables store balances,
transactions, vendor information, or OAuth tokens.
- Around line 247-250: Update the /api/composio/session response and
ComposioSessionManager handling so the server COMPOSIO_API_KEY is never returned
to or stored by the client. Return only session metadata; if client
authentication requires a credential, provide a separate short-lived, narrowly
scoped token and document it independently from Mercury OAuth data.
- Around line 16-21: Update the supercode-mercury.md flow and invariants to
accurately describe that McpManager exposes separate mcp_composio_* and
mcp_mergedev_* tools, while the CLI execution path prefers only mcp_composio_*
without enforcing both gateways. Do not claim every Mercury call is
dual-authorized; alternatively, add an explicit wrapper enforcing both gateways
if that is the intended contract.
---
Nitpick comments:
In `@supercode-mercury.md`:
- Line 9: Update the four diagram/flow fenced code blocks in
supercode-mercury.md, including the referenced locations, by adding a language
identifier such as text to each opening fence. Preserve the existing diagram
contents and formatting.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f4f74416-30fd-4fa9-8fb1-1a1ea89dbafa
📒 Files selected for processing (1)
supercode-mercury.md
| ┌─────────────────────────────────────────────────────────────────────┐ | ||
| │ MCP MANAGER (McpManager) │ | ||
| │ • HTTP/SSE transport to Composio MCP gateway │ | ||
| │ • HTTP/SSE transport to MergeDev connector gateway │ | ||
| │ • Prefixes tools as mcp_composio_* and mcp_mergedev_* │ | ||
| │ • All tool invocations gated by PermissionManager.check() │ |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the documented sections and the implementation paths they refer to.
printf '\n## supercode-mercury.md (selected ranges)\n'
nl -ba supercode-mercury.md | sed -n '1,220p'
printf '\n## candidate implementation files\n'
git ls-files 'apps/supercode-cli/server/src/**' | sed -n '1,200p'
printf '\n## relevant symbols in mcp-manager.ts and index.ts\n'
for f in apps/supercode-cli/server/src/mcp/mcp-manager.ts apps/supercode-cli/server/src/index.ts; do
if [ -f "$f" ]; then
printf '\n### %s\n' "$f"
ast-grep outline "$f" --view expanded || true
fi
done
printf '\n## textual search for relevant terms\n'
rg -n "mcp_composio_|mcp_mergedev_|PermissionManager|ACTIVE connected accounts|connected accounts|resetSession|MergeDev|Composio|gateway" apps/supercode-cli/server/src supercode-mercury.mdRepository: yashdev9274/supercli
Length of output: 241
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Read the relevant code slices with line numbers after locating them.
for f in apps/supercode-cli/server/src/mcp/mcp-manager.ts apps/supercode-cli/server/src/index.ts; do
if [ -f "$f" ]; then
printf '\n## %s\n' "$f"
wc -l "$f"
fi
done
printf '\n## mcp-manager.ts excerpt\n'
nl -ba apps/supercode-cli/server/src/mcp/mcp-manager.ts | sed -n '1,260p'
printf '\n## index.ts excerpt\n'
nl -ba apps/supercode-cli/server/src/index.ts | sed -n '1,260p'Repository: yashdev9274/supercli
Length of output: 419
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Read only the relevant slices around the cited logic.
for f in supercode-mercury.md apps/supercode-cli/server/src/mcp/mcp-manager.ts apps/supercode-cli/server/src/index.ts; do
if [ -f "$f" ]; then
echo "===== $f ====="
wc -l "$f"
fi
done
echo
echo "===== supercode-mercury.md:1-170 ====="
nl -ba supercode-mercury.md | sed -n '1,170p'
echo
echo "===== mcp-manager.ts:1-260 ====="
nl -ba apps/supercode-cli/server/src/mcp/mcp-manager.ts | sed -n '1,260p'
echo
echo "===== index.ts:1-260 ====="
nl -ba apps/supercode-cli/server/src/index.ts | sed -n '1,260p'Repository: yashdev9274/supercli
Length of output: 506
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
files = [
("supercode-mercury.md", 1, 170),
("apps/supercode-cli/server/src/mcp/mcp-manager.ts", 1, 260),
("apps/supercode-cli/server/src/index.ts", 1, 260),
]
for path, start, end in files:
p = Path(path)
print(f"\n===== {path}:{start}-{end} =====")
for i, line in enumerate(p.read_text().splitlines(), 1):
if start <= i <= end:
print(f"{i:4d}: {line}")
PYRepository: yashdev9274/supercli
Length of output: 26901
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## mercury doc hits\n'
rg -n -A3 -B3 "MCP MANAGER|mcp_composio_|mcp_mergedev_|PermissionManager|resetSession|ACTIVE connected accounts|chat-history|raw model output|Mercury" supercode-mercury.md
printf '\n## implementation hits\n'
rg -n -A4 -B4 "mcp_composio_|mcp_mergedev_|PermissionManager|resetSession|ACTIVE connected accounts|connected accounts|Composio|MergeDev|gateway|pref" apps/supercode-cli/server/src/index.ts apps/supercode-cli/server/src/mcp/mcp-manager.tsRepository: yashdev9274/supercli
Length of output: 16163
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## PermissionManager references\n'
rg -n "class PermissionManager|function PermissionManager|PermissionManager\.check|PermissionManager" .
printf '\n## MCP manager usage\n'
rg -n "getMcpManager\(|resetMcpManager\(|getAllTools\(|reconnectServer\(|mcp_composio_|mcp_mergedev_" apps/supercode-cli/server/srcRepository: yashdev9274/supercli
Length of output: 5520
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
from pathlib import Path
path = Path("apps/supercode-cli/server/src/index.ts")
start, end = 520, 640
for i, line in enumerate(path.read_text().splitlines(), 1):
if start <= i <= end:
print(f"{i:4d}: {line}")
PYRepository: yashdev9274/supercli
Length of output: 6633
Document the real gating path supercode-mercury.md:16-21, 48-63, 118-135 — McpManager exposes separate mcp_composio_* and mcp_mergedev_* tools, and the CLI only prefers mcp_composio_* for execution; there is no wrapper that forces both gateways on every Mercury call. Update the flow/invariants to match that behavior, or add the missing enforcement if dual authorization is required.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@supercode-mercury.md` around lines 16 - 21, Update the supercode-mercury.md
flow and invariants to accurately describe that McpManager exposes separate
mcp_composio_* and mcp_mergedev_* tools, while the CLI execution path prefers
only mcp_composio_* without enforcing both gateways. Do not claim every Mercury
call is dual-authorized; alternatively, add an explicit wrapper enforcing both
gateways if that is the intended contract.
| ### What Supercode Persists (Mercury-Related) | ||
|
|
||
| **Nothing.** The Supercode PostgreSQL schema contains no Mercury-specific tables. No balances, transactions, vendor info, or OAuth tokens are stored in Supercode's database. | ||
|
|
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate the document and related mentions of Mercury retention/persistence.
git ls-files | rg 'supercode-mercury\.md|mercury|chat history|provider payload|trace|log|retention|redact|response'
# Show the relevant section of the target file with line numbers.
if git ls-files | rg -q '^supercode-mercury\.md$'; then
nl -ba supercode-mercury.md | sed -n '140,280p'
fi
# Search for persistence/retention language across the repo.
rg -n --hidden --glob '!**/.git/**' \
-e 'persist(ed|s|ence)|stored|storage|retention|redact|redaction|trace|traces|log(s|ged|ging)?|chat history|conversation message|provider payload|Mercury' .Repository: yashdev9274/supercli
Length of output: 934
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Read the target document section with portable line numbering.
sed -n '140,280p' supercode-mercury.md | cat -n
printf '\n--- MATCHES ---\n'
# Search for Mercury-related persistence/retention wording in the repository.
rg -n --hidden --glob '!**/.git/**' \
-e 'persist(ed|s|ence)|stored|storage|retention|redact|redaction|trace|traces|log(s|ged|ging)?|chat history|conversation message|provider payload|Mercury' supercode-mercury.md .Repository: yashdev9274/supercli
Length of output: 50377
Clarify the Mercury retention boundary. Supercode does persist Mercury-derived data in conversation/message rows (tool arguments) and MergeDev audit logs; replace “Nothing” with the actual retained fields, locations, and retention/redaction rules.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@supercode-mercury.md` around lines 157 - 160, Update the “What Supercode
Persists (Mercury-Related)” section to replace “Nothing” with the actual
Mercury-derived data retained in conversation/message rows and MergeDev audit
logs. Identify the retained fields, storage locations, and applicable retention
or redaction rules, while preserving the statement that no Mercury-specific
PostgreSQL tables store balances, transactions, vendor information, or OAuth
tokens.
| ### What Composio Persists | ||
|
|
||
| | Data | Location | Retention | | ||
| |------|----------|-----------| | ||
| | Mercury OAuth tokens (access + refresh, read-only scoped) | Composio infrastructure | Until user revokes or token expires | | ||
| | Connected account metadata (account ID, status, provider) | Composio infrastructure | Until disconnected | | ||
| | Active MCP session state | Composio infrastructure | Per session lifecycle | |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Locate the relevant code paths and map their structure first.
git ls-files | rg '^(apps/supercode-cli/server/src/index\.ts|.*connectedAccounts.*|.*mcp.*|.*account.*)$'
echo
echo "== Outline of apps/supercode-cli/server/src/index.ts =="
ast-grep outline apps/supercode-cli/server/src/index.ts --view expanded || true
echo
echo "== Search for connectedAccounts usage =="
rg -n "connectedAccounts\.list|connectedAccounts|ACTIVE account|Mercury" apps/supercode-cli/server/src/index.ts apps/supercode-cli/server/src || true
echo
echo "== Search for user/tenant scoping around connected accounts =="
rg -n "tenant|userId|accountId|workspace|project|session" apps/supercode-cli/server/src || true
echo
echo "== Search for tests or helpers around connected accounts =="
rg -n "connectedAccounts|Mercury|ACTIVE" . --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' || trueRepository: yashdev9274/supercli
Length of output: 39526
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "== apps/supercode-cli/server/src/index.ts (around Composio session proxy) =="
sed -n '1080,1155p' apps/supercode-cli/server/src/index.ts | cat -n
echo
echo "== apps/supercode-cli/server/src/mcp/composio.ts (session/account handling) =="
sed -n '1,280p' apps/supercode-cli/server/src/mcp/composio.ts | cat -n
echo
echo "== Search for any user-scoped filtering passed to connectedAccounts.list() =="
rg -n "connectedAccounts\.list\(\{[^}]*user|connectedAccounts\.list\(\{[^}]*account|connectedAccounts\.list\(\{[^}]*tenant|connectedAccounts\.list\(" apps/supercode-cli/server/srcRepository: yashdev9274/supercli
Length of output: 11851
🌐 Web query:
Composio connectedAccounts.list userId filter docs sessions.create connectedAccounts project-wide
💡 Result:
In Composio, connected accounts and sessions are managed within the scope of a specific project, as projects serve as the primary isolation boundary for all resources, including connected accounts, authentication configurations, and API keys [1][2]. Connected Accounts To retrieve connected accounts, use the connectedAccounts.list method [3]. This method supports filtering by various criteria, including user IDs, via an optional query object [3][4][5]. Example (TypeScript): // List all accounts for a specific user const userAccounts = await composio.connectedAccounts.list({ userIds: ['user_123'] }); Example (Python): # List all accounts for a user accounts = composio.connected_accounts.list( user_ids=['user_123']) The available filter parameters for connectedAccounts.list include user_ids, toolkit_slugs, statuses, auth_config_ids, and connected_account_ids [4]. Sessions To initialize a session, use the composio.create(user_id) method, which acts as the entry point for all integrations [6][7]. While the documentation refers to sessions.create (often associated with the underlying API or internal session management), the recommended implementation for users is invoking create on the Composio SDK instance to establish a context for a specific user [6][7]. Once a session is created, it can access toolkits and connected accounts authorized for that project [8]. Project-wide access is implicitly handled by the API key associated with the project; resources in one project are strictly isolated from others [1].
Citations:
- 1: https://docs.composio.dev/docs/projects
- 2: https://docs.composio.dev/reference/api-reference/projects
- 3: https://docs.composio.dev/reference/sdk-reference/typescript/connected-accounts
- 4: https://docs.composio.dev/reference/api-reference/connected-accounts/getConnectedAccounts
- 5: https://github.com/ComposioHQ/composio/blob/next/docs/content/docs/auth-configuration/connected-accounts.mdx
- 6: https://docs.composio.dev/reference/sdk-reference/typescript/composio
- 7: https://docs.composio.dev/reference/sdk-reference/typescript/session-context-impl
- 8: https://docs.composio.dev/docs/configuring-sessions
Scope Composio connected accounts to the authenticated user
apps/supercode-cli/server/src/index.ts still calls connectedAccounts.list({}) and forwards every ACTIVE account in the project into the session. Composio supports user filters on this API, so this should be narrowed to the authenticated user before documenting the storage as per-user isolated.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@supercode-mercury.md` around lines 161 - 167, Update the connected-account
retrieval in the server flow around connectedAccounts.list to pass the
authenticated user’s identifier as Composio’s user filter, and retain only that
user’s ACTIVE accounts when building the session. Ensure the documentation’s
per-user isolation claim matches the filtered runtime behavior.
| **From Supercode:** | ||
| 1. User opens `/mcp` TUI → views connected apps and connector status | ||
| 2. Disconnects Mercury → `composioSessionManager.resetSession()` | ||
| 3. Future Mercury tool calls fail at the Composio session layer | ||
| 4. Since access is read-only, revocation risk is limited to loss of balance visibility |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | 🏗️ Heavy lift
Do not describe resetSession() as revocation.
apps/supercode-cli/server/src/mcp/composio.ts:200-205 shows that resetSession() only sets the local session to null; it does not disconnect the connected account, revoke OAuth, invalidate the remote session, or stop an existing MCP connection.
Document the real revocation path and implement remote account/session teardown if local disconnect is intended to revoke access.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@supercode-mercury.md` around lines 224 - 228, Correct the Mercury disconnect
documentation around resetSession() so it describes only clearing the local
Composio session, not revoking access. Document the actual remote
account/session teardown path, and update the disconnect flow to perform remote
teardown when disconnect is intended to revoke access, while preserving local
reset behavior.
| 1. OAuth tokens never touch Supercode — stored and managed entirely by Composio | ||
| 2. No Mercury data persisted in Supercode's database or local files | ||
| 3. Dual-gate authorization — both Composio (auth/session) and MergeDev (policy/audit) must pass | ||
| 4. Read-only by design — Mercury enforces at OAuth scope level, MergeDev enforces at policy level |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n## Files mentioning createSessionFromServer / composio session\n'
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/.git/**' 'createSessionFromServer|/api/composio/session|apiKey|Composio\(' .
printf '\n## Candidate files in repository root related to supercode-mercury\n'
git ls-files | rg 'supercode-mercury\.md|composio|mercury'Repository: yashdev9274/supercli
Length of output: 15374
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# If the files are found, inspect the relevant ranges with line numbers.
for f in $(git ls-files | rg 'supercode-mercury\.md|composio|mercury'); do
echo "## $f"
wc -l "$f"
doneRepository: yashdev9274/supercli
Length of output: 306
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Show the relevant document section around the cited lines.
f=$(git ls-files | rg '^supercode-mercury\.md$')
echo "## $f"
cat -n "$f" | sed -n '230,265p'Repository: yashdev9274/supercli
Length of output: 1839
🌐 Web query:
Composio createSessionFromServer apiKey client-side session endpoint returns apiKey
💡 Result:
In Composio, the session creation process (via composio.create(user_id) or the underlying /api/v3.1/tool_router/session endpoint) is designed to return session-specific metadata, such as a session_id and MCP server information (like mcp.url and mcp.headers) [1][2][3]. It does not return your sensitive API key. Your API key is used to authenticate the request that creates the session [4]. Key security points: 1. Authentication: The Composio API requires an API key (passed in the x-api-key header) to verify your project or organization access [4][5]. 2. Client-side Usage: While you can interact with Composio from client-side environments (e.g., in a browser or mobile app), it is considered a security risk to expose your project-level API key directly in client-side code [4]. 3. Recommended Practice: For client-side or frontend applications, you should handle session creation on your own backend server. The backend should authenticate with Composio using the API key, create the session, and then securely provide the necessary session context (such as the session_id or MCP configuration) to your client-side application [1][3]. If you are observing your API key being returned by an endpoint or client-side session, ensure that you are not inadvertently echoing back the request headers or configuration object in your application code [6]. Always verify that your API key is kept in environment variables or a secure secret manager on the server side [6][4].
Citations:
- 1: https://docs.composio.dev/reference/api-reference/tool-router/postToolRouterSession.md
- 2: https://docs.composio.dev/reference/sdk-reference/typescript/session
- 3: https://docs.composio.dev/docs/how-composio-works.md
- 4: https://docs.composio.dev/reference/v3/authentication
- 5: https://docs.composio.dev/reference
- 6: https://composiohq-composio-79.mintlify.app/typescript/api/composio
🌐 Web query:
site:docs.composio.dev Composio apiKey createSessionFromServer session apiKey
💡 Result:
To create a Composio session from your server, you initialize the Composio client with your API key and then create a session scoped to a specific user ID [1][2][3]. Steps to create a session: 1. Initialize the Composio client using your API key. 2. Call the create method to establish a session for a user. TypeScript Example: import { Composio } from '@composio/core'; // Initialize the client with your API key const composio = new Composio({ apiKey: 'YOUR_COMPOSIO_API_KEY' }); // Create a session for a specific user const session = await composio.create("user_123"); // Retrieve tools for this session const tools = await session.tools; Python Example: from composio import Composio # Initialize the client (ensure COMPOSIO_API_KEY is set in your environment) composio = Composio(api_key="YOUR_COMPOSIO_API_KEY") # Create a session for a specific user session = composio.create(user_id="user_123") # Retrieve tools for this session tools = session.tools Key Concepts: - API Keys: You can use a project API key (passed via headers or client initialization) to authenticate requests [4]. - Sessions: A session represents the runtime context for an agent [2]. It ties together user-specific authentication, connected accounts, and available toolkits [2][3]. - Multi-turn Support: For ongoing conversations, you can store the session ID and resume the session later using composio.use("session_id") instead of creating a new one [2].
Citations:
- 1: https://docs.composio.dev/docs/configuring-sessions
- 2: https://docs.composio.dev/docs/how-composio-works
- 3: https://docs.composio.dev/docs/sessions-vs-direct-execution
- 4: https://docs.composio.dev/reference/v3/authentication
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "## apps/supercode-cli/server/src/mcp/composio.ts"
cat -n apps/supercode-cli/server/src/mcp/composio.ts | sed -n '1,180p'
echo
echo "## apps/supercode-cli/server/src/index.ts around /api/composio/session"
cat -n apps/supercode-cli/server/src/index.ts | sed -n '1070,1125p'Repository: yashdev9274/supercli
Length of output: 8628
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the changelog / docs references around the session flow.
echo "## CHANGELOG.md around the session entry"
cat -n CHANGELOG.md | sed -n '1,30p'
echo
echo "## apps/web/app/(pages)/changelog/page.tsx around the session entry"
cat -n 'apps/web/app/(pages)/changelog/page.tsx' | sed -n '30,55p'Repository: yashdev9274/supercli
Length of output: 4152
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "## apps/supercode-cli/server/src/mcp/composio.ts"
cat -n apps/supercode-cli/server/src/mcp/composio.ts | sed -n '1,180p'
echo
echo "## apps/supercode-cli/server/src/index.ts around /api/composio/session"
cat -n apps/supercode-cli/server/src/index.ts | sed -n '1080,1120p'Repository: yashdev9274/supercli
Length of output: 8038
Do not return apiKey from /api/composio/session. The route echoes the server’s COMPOSIO_API_KEY back to the client, and ComposioSessionManager stores it locally. Return only session metadata; if a client credential is needed, expose a separate short-lived token and document its scope separately from Mercury OAuth data.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@supercode-mercury.md` around lines 247 - 250, Update the
/api/composio/session response and ComposioSessionManager handling so the server
COMPOSIO_API_KEY is never returned to or stored by the client. Return only
session metadata; if client authentication requires a credential, provide a
separate short-lived, narrowly scoped token and document it independently from
Mercury OAuth data.
Description
Type of change
How Has This Been Tested?
Please describe the tests that you ran to verify your changes.
bun testpassesbun run typecheckpassesbun run lintpasses (if applicable)Checklist:
Summary by CodeRabbit