fix: Remove unused SESSION_SECRET from entire codebase #110
Merged
🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
Remove SESSION_SECRET configuration that was never actually used. The project uses header-based session tracking (mcp-session-id) instead of cookie-based sessions, making SESSION_SECRET unnecessary.

Changes:
- Remove SessionSecretSchema from config package
- Remove SESSION_SECRET from environment configuration
- Remove sessionSecret from all HTTP server interfaces
- Remove SESSION_SECRET from all templates and .env examples
- Remove SESSION_SECRET from documentation
- Fix all tests that referenced the removed configuration

Impact:
- 22 files modified, 82 deletions
- No functional changes - SESSION_SECRET was never consumed
- All validation tests pass (unit, integration, system)

Rationale: SESSION_SECRET was defined in configuration but never used anywhere in the codebase. Sessions are tracked via HTTP headers (mcp-session-id) not cookies, and OAuth uses Bearer tokens. This removes confusing technical debt that suggested cookie-based session management that doesn't exist.

🤖 Generated with [Claude Code](https://claude.ai/claude-code)
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>



Summary
Removes SESSION_SECRET configuration that was defined but never actually used anywhere in the codebase. This cleans up technical debt that suggested cookie-based session management when the project actually uses header-based session tracking.
Problem
SESSION_SECRET was defined in configuration, templates, and documentation but never consumed by any code:
- express-session or cookie-parser packages
- mcp-session-id HTTP header instead
This created confusion about what security features existed and added unnecessary configuration burden.
Changes
Source Code (5 files)
- SessionSecretSchema from packages/config/src/base-config.ts
- SESSION_SECRET from environment configuration
- sessionSecret from all HTTP server interfaces and types
- sessionSecret parameter from transport factory
Tests (15 files)
Documentation (4 files)
Templates & Config (2 files)
Impact
Testing
✅ All validation passed:
Verification
Thoroughly searched entire codebase for all variations:
- SESSION_SECRET
- sessionSecret
- session-secret
- session_secret
Result: Zero references remain
Rationale
Keeping unused configuration:
Removing it:
🤖 Generated with Claude Code
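
The search described under Verification can be kept as a repeatable check. The script below is an added example, not code from this pull request; the function names and the list of excluded directories are assumptions.

```shell
#!/usr/bin/env bash
# Added example: regression check that no spelling of the removed setting remains.
# One case-insensitive pattern covers SESSION_SECRET, session_secret,
# session-secret and sessionSecret.
PATTERN='session[-_]?secret'

# scan_session_secret DIR
# Prints every match as path:line:text, skipping dependency, VCS and build
# directories (these directory names are assumptions about the repo layout).
# Exit status: 0 = clean, 1 = references found, 2 = DIR is not a directory.
scan_session_secret() {
  local dir="$1"
  local hits
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
  # "|| true" keeps a no-match grep (exit 1) from aborting callers using set -e.
  hits=$(grep -rInEi \
           --exclude-dir=node_modules --exclude-dir=.git --exclude-dir=dist \
           -e "$PATTERN" "$dir" || true)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# count_session_secret DIR
# Prints the number of matching lines; always exits 0 so it can be used
# inside $(...) under set -e.
count_session_secret() {
  scan_session_secret "$1" 2>/dev/null | grep -c . || true
}
```

Run as a CI step, `scan_session_secret .` exits non-zero and lists the offending lines if the setting is reintroduced in any of the four spellings.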