From 5bfa95471749cfd22c155841217bc143d1b82db0 Mon Sep 17 00:00:00 2001 From: GitHub Copilot Date: Wed, 18 Mar 2026 03:38:50 +0000 Subject: [PATCH 1/2] docs: document ${input:...} MCP variable resolution and diagnostics info hints - dependencies.md: Add '${input:...} Variable Resolution' subsection under Self-Defined Servers explaining VS Code auto-generates inputs entries and Copilot CLI/Codex CLI emit warnings for unresolved placeholders (#344) - cli-commands.md: Expand Diagnostic Summary description to include info hints category ([i]) with unpinned-version example (#347) Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- docs/src/content/docs/guides/dependencies.md | 26 +++++++++++++++++++ .../content/docs/reference/cli-commands.md | 3 ++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/docs/src/content/docs/guides/dependencies.md b/docs/src/content/docs/guides/dependencies.md index 4b8a5702..52746f32 100644 --- a/docs/src/content/docs/guides/dependencies.md +++ b/docs/src/content/docs/guides/dependencies.md @@ -336,6 +336,32 @@ mcp: - `url` — required for `http`, `sse`, `streamable-http` transports - `command` — required for `stdio` transport +#### `${input:...}` Variable Resolution + +You can use `${input:}` placeholders in `env` and `headers` values for secrets that should be prompted at runtime rather than stored in files: + +```yaml +mcp: + - name: internal-knowledge-base + registry: false + transport: http + url: "https://mcp.internal.example.com" + env: + API_TOKEN: "${input:api-token}" + headers: + Authorization: "Bearer ${input:api-token}" +``` + +When targeting **VS Code / Copilot extension** (`.vscode/mcp.json`), APM automatically generates matching `inputs` entries that prompt users for the value at runtime — no additional configuration needed. + +For runtimes that don't support input prompts (**Copilot CLI**, **Codex CLI**), APM emits a warning during `apm install` so you know the placeholder will remain unresolved: + +``` +[!] Warning: ${input:api-token} in server 'internal-knowledge-base' will not be resolved — Copilot CLI does not support input variable prompts +``` + +For those runtimes, use a plain environment variable reference instead (e.g. `"${API_TOKEN}"`) and set the value in your shell environment. + ⚠️ **Transitive trust rule:** Self-defined servers from direct dependencies (depth=1 in the lockfile) are auto-trusted. Self-defined servers from transitive dependencies (depth > 1) are skipped with a warning by default. You can either re-declare them in your own `apm.yml`, or use `--trust-transitive-mcp` to trust all self-defined servers from upstream packages: ```bash diff --git a/docs/src/content/docs/reference/cli-commands.md b/docs/src/content/docs/reference/cli-commands.md index 9ee13cfb..23d47069 100644 --- a/docs/src/content/docs/reference/cli-commands.md +++ b/docs/src/content/docs/reference/cli-commands.md @@ -211,10 +211,11 @@ When you run `apm install`, APM automatically integrates primitives from install **Diagnostic Summary:** -After installation completes, APM prints a grouped diagnostic summary instead of inline warnings. Categories include collisions (skipped files), cross-package skill replacements, warnings, and errors. +After installation completes, APM prints a grouped diagnostic summary instead of inline warnings. Categories include collisions (skipped files), cross-package skill replacements, info hints, warnings, and errors. - **Normal mode**: Shows counts and actionable tips (e.g., "9 files skipped -- use `apm install --force` to overwrite") - **Verbose mode** (`--verbose`): Additionally lists individual file paths grouped by package, and full error details +- **Info hints** (`[i]`): Guidance shown when beneficial but non-blocking — for example, a reminder to pin dependency versions when any dependency has no explicit ref ```bash # See exactly which files were skipped or had issues From 2ccbd5cb66176a6263af38edf4f7ecf60202426d Mon Sep 17 00:00:00 2001 From: Daniel Meppiel <51440732+danielmeppiel@users.noreply.github.com> Date: Wed, 18 Mar 2026 23:18:47 +0100 Subject: [PATCH 2/2] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- docs/src/content/docs/guides/dependencies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/src/content/docs/guides/dependencies.md b/docs/src/content/docs/guides/dependencies.md index 52746f32..38f0550c 100644 --- a/docs/src/content/docs/guides/dependencies.md +++ b/docs/src/content/docs/guides/dependencies.md @@ -360,7 +360,7 @@ For runtimes that don't support input prompts (**Copilot CLI**, **Codex CLI**), [!] Warning: ${input:api-token} in server 'internal-knowledge-base' will not be resolved — Copilot CLI does not support input variable prompts ``` -For those runtimes, use a plain environment variable reference instead (e.g. `"${API_TOKEN}"`) and set the value in your shell environment. +For those runtimes, `${input:...}` and `${VAR}` placeholders in `env`/`headers` are not resolved and will be written literally. Omit secrets from your `apm.yml` and set any required API tokens as real environment variables in your shell or Copilot/Codex CLI configuration so the runtime process inherits them normally. ⚠️ **Transitive trust rule:** Self-defined servers from direct dependencies (depth=1 in the lockfile) are auto-trusted. Self-defined servers from transitive dependencies (depth > 1) are skipped with a warning by default. You can either re-declare them in your own `apm.yml`, or use `--trust-transitive-mcp` to trust all self-defined servers from upstream packages: