August 26, 2025 Update: Major Security and System Improvements

This release significantly enhances DeployStack's security and reliability with automatic credential encryption and improved internal architecture. We've eliminated the most common security risk in AI tool configurations while making the system more robust for future growth.

Security Field Implementation

What We Changed

1. MCP Configuration Fields Now Encrypt Automatically

We added a type: "secret" field type to MCP server schemas. When global admins mark a field as secret:

  • Field values are encrypted with AES-256-GCM before database storage
  • API responses return ***** instead of the actual value
  • Runtime still gets the decrypted value for MCP server execution

Before: API keys stored as plain text in the database, visible in API responses

After: API keys encrypted in database, masked in API responses, decrypted only for runtime

Example:

// Schema definition
{
  "apiKey": {
    "type": "secret",
    "description": "Your API key"
  }
}

When you configure apiKey: "sk-1234567890", it gets encrypted and you see ***** everywhere except when the MCP server actually runs.
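The three behaviors listed above (encrypt before storage, mask in API responses, decrypt for runtime) can be sketched with Node's built-in crypto module. This is an added illustration, not DeployStack's own code: the function names, the in-memory key, the `region` field and the `iv.tag.ciphertext` storage format are all assumptions made for the example.

```javascript
// Added illustration, not DeployStack source. All names here are hypothetical.
const crypto = require('node:crypto');

const MASK = '*****';
// Constructed demo key; a real deployment loads a 32-byte key from a secret manager.
const KEY = crypto.randomBytes(32);

// Encrypt one value with AES-256-GCM; keep IV, auth tag and ciphertext together.
function encryptValue(plaintext, key) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return [iv, cipher.getAuthTag(), ct].map((b) => b.toString('base64')).join('.');
}

function decryptValue(stored, key) {
  const [iv, tag, ct] = stored.split('.').map((s) => Buffer.from(s, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // final() throws if the ciphertext, tag or key is wrong
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Apply fn to every field whose schema type is "secret"; pass other fields through.
function mapSecrets(schema, config, fn) {
  return Object.fromEntries(Object.entries(config).map(([name, value]) =>
    [name, schema[name]?.type === 'secret' ? fn(value) : value]));
}

const toStorage = (schema, config, key) => mapSecrets(schema, config, (v) => encryptValue(v, key));
const toApiResponse = (schema, stored) => mapSecrets(schema, stored, () => MASK);
const toRuntime = (schema, stored, key) => mapSecrets(schema, stored, (v) => decryptValue(v, key));

// Constructed sample schema and config; "region" is an assumed non-secret field.
const schema = {
  apiKey: { type: 'secret', description: 'Your API key' },
  region: { type: 'string', description: 'Service region' },
};
const stored = toStorage(schema, { apiKey: 'sk-1234567890', region: 'eu-west-1' }, KEY);

console.log(stored.apiKey);                  // iv.tag.ciphertext, different on every run
console.log(toApiResponse(schema, stored));  // { apiKey: '*****', region: 'eu-west-1' }
console.log(toRuntime(schema, stored, KEY)); // plaintext values, for the MCP process only
```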

2. Fixed MCP Configuration Data Structure

We standardized how MCP configurations are stored internally across all three tiers (template/team/user):

  • All configuration data now uses the same internal format
  • Better handling of the args/env merging process
  • More consistent behavior when assembling final runtime configurations

Before: Inconsistent data structures caused edge cases in configuration assembly

After: Consistent data handling, more reliable configuration merging

Technical Impact

Secret Type Implementation:

  • Affects: All MCP server configurations with sensitive fields
  • Breaking: No - existing configs work the same
  • Security: High - eliminates credential exposure in APIs/logs

Data Structure Consistency:

  • Affects: Internal configuration processing
  • Breaking: No - user experience unchanged
  • Reliability: Improved configuration assembly and error handling

August 26, 2025 Update Summary

Release Date: August 26, 2025

What You Need to Do

Nothing. Both changes are backward compatible and happen automatically.
