feat(all): Add translations for 'secret' data type in mcp-catalog

Author: Lasim

package-lock.json

@@ -1,5 +1,14 @@
 # Changelog
 
+## <small>0.31.3 (2025-08-25)</small>
+
+* chore(backend): release v0.31.2 ([77608e7](https://github.com/deploystackio/deploystack/commit/77608e7))
+* feat(all): implement storage-first architecture in BasicInfoStepEdit component ([c9abb46](https://github.com/deploystackio/deploystack/commit/c9abb46))
+
+## <small>0.31.2 (2025-08-25)</small>
+
+* feat(all): implement storage-first architecture in BasicInfoStepEdit component ([c9abb46](https://github.com/deploystackio/deploystack/commit/c9abb46))
+
 ## <small>0.31.1 (2025-08-24)</small>
 
 * chore(backend): release v0.31.0 ([5f7a5da](https://github.com/deploystackio/deploystack/commit/5f7a5da))

services/backend/CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "@deploystack/backend",
-  "version": "0.31.1",
+  "version": "0.31.3",
   "scripts": {
     "dev": "nodemon",
     "build": "tsc && webpack --mode=production",

services/backend/package.json

@@ -9,8 +9,8 @@ export interface VersionInfo {
 
 // This will be replaced by the build script
 let versionData: VersionInfo = {
-  version: '0.31.0',
-  buildTime: '2025-08-24T21:26:47.922Z',
+  version: '0.31.2',
+  buildTime: '2025-08-25T19:31:55.874Z',
   source: 'release'
 };
 

services/backend/src/config/version.ts

@@ -25,7 +25,7 @@ const templateEnvSchema = z.object({
 
 const teamArgSchema = z.object({
   name: z.string(),
-  type: z.string(),
+  type: z.enum(['string', 'number', 'boolean', 'secret']),
   description: z.string(),
   required: z.boolean(),
   locked: z.boolean(),
@@ -36,7 +36,7 @@ const teamArgSchema = z.object({
 
 const teamEnvSchema = z.object({
   name: z.string(),
-  type: z.string(),
+  type: z.enum(['string', 'number', 'boolean', 'secret']),
   description: z.string(),
   required: z.boolean(),
   locked: z.boolean(),
@@ -46,7 +46,7 @@ const teamEnvSchema = z.object({
 
 const userArgSchema = z.object({
   name: z.string(),
-  type: z.string(),
+  type: z.enum(['string', 'number', 'boolean', 'secret']),
   description: z.string(),
   required: z.boolean(),
   locked: z.boolean(),
@@ -56,7 +56,7 @@ const userArgSchema = z.object({
 
 const userEnvSchema = z.object({
   name: z.string(),
-  type: z.string(),
+  type: z.enum(['string', 'number', 'boolean', 'secret']),
   description: z.string(),
   required: z.boolean(),
   locked: z.boolean()

services/backend/src/routes/mcp/servers/create-global.ts

@@ -28,7 +28,7 @@ const templateEnvSchema = z.object({
 
 const teamArgSchema = z.object({
   name: z.string(),
-  type: z.string(),
+  type: z.enum(['string', 'number', 'boolean', 'secret']),
   description: z.string(),
   required: z.boolean(),
   locked: z.boolean(),
@@ -39,7 +39,7 @@ const teamArgSchema = z.object({
 
 const teamEnvSchema = z.object({
   name: z.string(),
-  type: z.string(),
+  type: z.enum(['string', 'number', 'boolean', 'secret']),
   description: z.string(),
   required: z.boolean(),
   locked: z.boolean(),
@@ -49,7 +49,7 @@ const teamEnvSchema = z.object({
 
 const userArgSchema = z.object({
   name: z.string(),
-  type: z.string(),
+  type: z.enum(['string', 'number', 'boolean', 'secret']),
   description: z.string(),
   required: z.boolean(),
   locked: z.boolean(),
@@ -59,7 +59,7 @@ const userArgSchema = z.object({
 
 const userEnvSchema = z.object({
   name: z.string(),
-  type: z.string(),
+  type: z.enum(['string', 'number', 'boolean', 'secret']),
   description: z.string(),
   required: z.boolean(),
   locked: z.boolean()

services/backend/src/routes/mcp/servers/update-global.ts

@@ -4,7 +4,8 @@ import { mcpServerInstallations, mcpServers } from '../db/schema.sqlite';
 import type { AnyDatabase } from '../db';
 import type { FastifyBaseLogger } from 'fastify';
 import { nanoid } from 'nanoid';
-import { encrypt, decrypt } from '../utils/encryption';
+import { McpArgsStorage } from '../utils/mcpArgsStorage';
+import { McpEnvStorage } from '../utils/mcpEnvStorage';
 
 // Types
 export interface McpInstallation {
@@ -92,35 +93,53 @@ export class McpInstallationService {
       installationsFound: installations.length
     }, 'Retrieved MCP installations for team');
 
-    return installations.map((row: any) => ({
-      ...row.installation,
-      team_args: row.installation.team_args 
-        ? this.parseJsonField(row.installation.team_args, [])
-        : null,
-      team_env: row.installation.team_env 
-        ? this.decryptEnvironmentVariables(row.installation.team_env)
-        : null,
-      server: row.server ? {
-        id: row.server.id,
-        name: row.server.name,
-        description: row.server.description,
-        language: row.server.language,
-        runtime: row.server.runtime,
-        status: row.server.status,
-        author_name: row.server.author_name,
-        homepage_url: row.server.homepage_url,
-        github_url: row.server.github_url,
-        tags: this.parseJsonField(row.server.tags, []),
-        installation_methods: this.parseJsonField(row.server.installation_methods, []),
-        template_args: this.parseJsonField(row.server.template_args, []),
-        template_env: this.parseJsonField(row.server.template_env, {}),
-        team_args_schema: this.parseJsonField(row.server.team_args_schema, []),
-        team_env_schema: this.parseJsonField(row.server.team_env_schema, []),
-        user_args_schema: this.parseJsonField(row.server.user_args_schema, []),
-        user_env_schema: this.parseJsonField(row.server.user_env_schema, []),
-        transport_type: row.server.transport_type
-      } : undefined
-    }));
+    const processedInstallations = [];
+    
+    for (const row of installations) {
+      const teamEnv = row.installation.team_env 
+        ? await this.maskEnvironmentVariables(
+            row.installation.team_env, 
+            this.parseJsonField(row.server?.team_env_schema, [])
+          )
+        : null;
+
+      const teamArgs = row.installation.team_args 
+        ? await McpArgsStorage.retrieveTeamArgs(
+            row.installation.team_args,
+            this.parseJsonField(row.server?.team_args_schema, []),
+            { maskSecrets: true, decryptSecrets: false },
+            this.logger
+          )
+        : null;
+
+      processedInstallations.push({
+        ...row.installation,
+        team_args: teamArgs,
+        team_env: teamEnv,
+        server: row.server ? {
+          id: row.server.id,
+          name: row.server.name,
+          description: row.server.description,
+          language: row.server.language,
+          runtime: row.server.runtime,
+          status: row.server.status,
+          author_name: row.server.author_name,
+          homepage_url: row.server.homepage_url,
+          github_url: row.server.github_url,
+          tags: this.parseJsonField(row.server.tags, []),
+          installation_methods: this.parseJsonField(row.server.installation_methods, []),
+          template_args: this.parseJsonField(row.server.template_args, []),
+          template_env: this.parseJsonField(row.server.template_env, {}),
+          team_args_schema: this.parseJsonField(row.server.team_args_schema, []),
+          team_env_schema: this.parseJsonField(row.server.team_env_schema, []),
+          user_args_schema: this.parseJsonField(row.server.user_args_schema, []),
+          user_env_schema: this.parseJsonField(row.server.user_env_schema, []),
+          transport_type: row.server.transport_type
+        } : undefined
+      });
+    }
+
+    return processedInstallations;
   }
 
   async getInstallationById(installationId: string, teamId: string): Promise<McpInstallation | null> {
@@ -156,13 +175,23 @@ export class McpInstallationService {
 
     const { installation, server } = result[0];
 
+    const teamArgs = installation.team_args 
+      ? await McpArgsStorage.retrieveTeamArgs(
+          installation.team_args,
+          this.parseJsonField(server?.team_args_schema, []),
+          { maskSecrets: true, decryptSecrets: false },
+          this.logger
+        )
+      : null;
+
     return {
       ...installation,
-      team_args: installation.team_args 
-        ? this.parseJsonField(installation.team_args, [])
-        : null,
+      team_args: teamArgs,
       team_env: installation.team_env 
-        ? this.decryptEnvironmentVariables(installation.team_env)
+        ? await this.maskEnvironmentVariables(
+            installation.team_env, 
+            this.parseJsonField(server?.team_env_schema, [])
+          )
         : null,
       server: server ? {
         id: server.id,
@@ -246,10 +275,16 @@ export class McpInstallationService {
       installation_name: data.installation_name,
       installation_type: data.installation_type || 'local',
       team_args: data.team_args 
-        ? JSON.stringify(data.team_args)
+        ? await this.encryptArguments(
+            data.team_args, 
+            this.parseJsonField(server[0].team_args_schema, [])
+          )
         : null,
       team_env: data.team_env 
-        ? this.encryptEnvironmentVariables(data.team_env)
+        ? await this.encryptEnvironmentVariables(
+            data.team_env, 
+            this.parseJsonField(server[0].team_env_schema, [])
+          )
         : null,
       created_at: now,
       updated_at: now,
@@ -328,13 +363,19 @@ export class McpInstallationService {
       }
 
       updateData.team_env = data.team_env
-        ? this.encryptEnvironmentVariables(data.team_env)
+        ? await this.encryptEnvironmentVariables(
+            data.team_env, 
+            existing.server?.team_env_schema || []
+          )
         : null;
     }
 
     if (data.team_args !== undefined) {
       updateData.team_args = data.team_args
-        ? JSON.stringify(data.team_args)
+        ? await this.encryptArguments(
+            data.team_args, 
+            existing.server?.team_args_schema || []
+          )
         : null;
     }
 
@@ -391,30 +432,55 @@ export class McpInstallationService {
       clientType
     }, 'Generating client configuration');
 
-    const installation = await this.getInstallationById(installationId, teamId);
-    if (!installation || !installation.server) {
+    // Get installation data directly from database to access encrypted values
+    const result = await this.db
+      .select({
+        installation: mcpServerInstallations,
+        server: mcpServers
+      })
+      .from(mcpServerInstallations)
+      .leftJoin(mcpServers, eq(mcpServerInstallations.server_id, mcpServers.id))
+      .where(
+        and(
+          eq(mcpServerInstallations.id, installationId),
+          eq(mcpServerInstallations.team_id, teamId)
+        )
+      )
+      .limit(1);
+
+    if (result.length === 0 || !result[0].server) {
       throw new Error('Installation not found');
     }
 
+    const { installation, server } = result[0];
+
     // Update last_used_at
     await this.db
       .update(mcpServerInstallations)
       .set({ last_used_at: new Date() })
       .where(eq(mcpServerInstallations.id, installationId));
 
     // Get Claude Desktop config from server's installation_methods
-    const claudeDesktopMethod = installation.server.installation_methods.find(
+    const claudeDesktopMethod = this.parseJsonField(server.installation_methods, []).find(
       (method: any) => method.client === 'claude-desktop'
     );
 
     if (!claudeDesktopMethod) {
       throw new Error('Server does not support Claude Desktop installation');
     }
 
-    // Merge template with team environment variables
+    // For gateway config generation, we need to decrypt secrets (authorized use case)
+    const decryptedTeamEnv = installation.team_env 
+      ? await this.decryptEnvironmentVariables(
+          installation.team_env, 
+          this.parseJsonField(server.team_env_schema, [])
+        )
+      : null;
+
+    // Merge template with team environment variables (with decrypted secrets)
     const mergedEnv = { ...claudeDesktopMethod.env };
-    if (installation.team_env) {
-      Object.assign(mergedEnv, installation.team_env);
+    if (decryptedTeamEnv) {
+      Object.assign(mergedEnv, decryptedTeamEnv);
     }
 
     const baseConfig = {
@@ -493,21 +559,42 @@ export class McpInstallationService {
     }
   }
 
-  private encryptEnvironmentVariables(vars: Record<string, string>): string {
-    return encrypt(JSON.stringify(vars));
+  private async encryptArguments(
+    args: string[],
+    schema?: any[]
+  ): Promise<string> {
+    return await McpArgsStorage.storeTeamArgs(args, schema || [], this.logger);
   }
 
-  private decryptEnvironmentVariables(encryptedVars: string): Record<string, string> {
-    try {
-      const decrypted = decrypt(encryptedVars);
-      return JSON.parse(decrypted);
-    } catch (error) {
-      this.logger.error({
-        operation: 'decrypt_environment_variables',
-        error
-      }, 'Failed to decrypt environment variables');
-      return {};
-    }
+  private async encryptEnvironmentVariables(
+    vars: Record<string, string>,
+    schema?: any[]
+  ): Promise<string> {
+    return await McpEnvStorage.storeTeamEnv(vars, schema || [], this.logger);
+  }
+
+  private async decryptEnvironmentVariables(
+    encryptedVars: string,
+    schema?: any[]
+  ): Promise<Record<string, string>> {
+    return await McpEnvStorage.retrieveTeamEnv(
+      encryptedVars,
+      schema || [],
+      { maskSecrets: false, decryptSecrets: true },
+      this.logger
+    );
+  }
+
+  private async maskEnvironmentVariables(
+    encryptedVars: string,
+    schema?: any[]
+  ): Promise<Record<string, string>> {
+    return await McpEnvStorage.retrieveTeamEnv(
+      encryptedVars,
+      schema || [],
+      { maskSecrets: true, decryptSecrets: false },
+      this.logger
+    );
   }
 
   private parseJsonField(fieldValue: any, defaultValue: any): any {