feat(THU-618): support editing MCP servers in settings#1008
Conversation
Semgrep Security ScanNo security issues found. |
|
Preview environment destroyed 🧹 Stack |
PR Metrics
Updated Wed, 08 Jul 2026 11:33:03 GMT · run #2235 |
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 437a5db. Configure here.
437a5db to
df0a6dd
Compare
There was a problem hiding this comment.
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: df0a6dda88da · mode: deep · deferred 7 item(s) already reported by other bots (best-effort dedup)
There was a problem hiding this comment.
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: f15675233d52 · mode: deep · deferred 7 item(s) already reported by other bots (best-effort dedup)
There was a problem hiding this comment.
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: a9d67b4b54aa · mode: deep · deferred 7 item(s) already reported by other bots (best-effort dedup)
| // the OAuth credential is preserved by the mutation — the | ||
| // card's needs-auth flow handles a re-authorize at the new | ||
| // endpoint post-save). | ||
| (form.hasConnectionEdits && |
There was a problem hiding this comment.
🔧 Nit — Save-eligibility logic is duplicated (and inverted) across the button and the Enter handler
The rule for "is this edit saveable?" now lives in two places written in opposite polarity: the Save button's disabled expression here (enabled when hasConnectionEdits is false OR isClearingBearerOnly OR isOAuthEdit OR testResult is success), and the Enter branch in handleUrlKeyDown at line 535 (!form.hasConnectionEdits || form.isClearingBearerOnly || form.isOAuthEdit, notably missing the success case, which then relies on a separate branch below). Keeping two hand-inverted copies of the same gate in sync is exactly the kind of thing that drifts — the missing success arm in the keydown path is a symptom. Could we hoist a single derived const canSaveEdit = ... and have both the button and Enter read it? That collapses the logic to one source of truth and makes the intent obvious.
There was a problem hiding this comment.
🔭 thunder-deep-review (advisory)
Complements the other bots — surfaces only what they did not flag. Never approves, never requests changes, never gates merge.
head: 1f1cf2a16ce8 · mode: deep · deferred 7 item(s) already reported by other bots (best-effort dedup)
Additional notes (couldn't anchor to a diff line)
src/hooks/use-add-server-form.ts— 🚫 Blocking — Blurring the URL field on an OAuth edit bypasses the OAuth-skip guard

Adds an Edit action to the MCP servers settings page so users can update an existing server's config (name, URL, headers, credentials) without deleting and re-adding it.
updateMcpServerDAL helper + tests.useAddServerFormreused for both add and edit; the dialog opens prefilled when editing.Fixes THU-618.
Note
Medium Risk
Touches MCP connection lifecycle (reconnect, in-flight connect coalescing, credential writes) and local secret handling; well-covered by new tests but mis-sync could leave stale clients or wrong auth.
Overview
Users can edit existing MCP servers from settings (pencil on each card) instead of delete-and-re-add. The shared add dialog runs in Edit mode with prefilled name, URL, transport, and bearer token; JSON bulk-import is hidden while editing.
Persistence: New DAL helpers
updateMcpServer/updateMcpServerWithCredentialspatch server rows and optionally replace, delete, or leavemcp_secretscredentials unchanged (so OAuth tokens aren’t wiped on rename-only saves).Save UX:
useAddServerFormtrackshasConnectionEditsso metadata-only changes (e.g. rename) can save without a new successful probe; renames no longer clear a passing test result. Connection field changes still require test success before save.Live connections:
updateServerStatusis replaced byupdateServer, which patches in-memory config and reconnects when enabled (URL/transport/credential changes). Settings calls it withforceRedialafter save so credential-only updates apply even if an initial connect is still in flight.useMcpSyncnow diffs name/url/type/enabled and callsupdateServer, not just enable toggles.Reviewed by Cursor Bugbot for commit 437a5db. Bugbot is set up for automated code reviews on this repo. Configure here.