When running in pnpm projects, the .npmrc configuration propagates as
NPM_CONFIG_* environment variables to child processes. This can cause
MCP servers to fail due to registry/proxy conflicts or case sensitivity
issues between uppercase and lowercase variants.
This fix adds a createCleanMcpEnvironment function that filters out:
- NPM_CONFIG_* and npm_config_* (npm/pnpm config)
- YARN_* (yarn config)
- PNPM_* (pnpm config)
- NO_UPDATE_NOTIFIER
Fixes#456
Co-authored-by: sisyphus-dev-ai <sisyphus-dev-ai@users.noreply.github.com>
* fix(skill-mcp-manager): prevent memory leaks from orphaned MCP processes
- Close transport on connection failure to prevent zombie processes
- Add process exit handlers (SIGINT/SIGTERM) for graceful cleanup
- Use pendingConnections Map to prevent duplicate client spawns
Fixes#361🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
* fix(ci): replace deprecated rhysd/actionlint-action with direct installation
rhysd/actionlint-action repository was removed/archived.
Use official actionlint download script instead.
🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
* fix(skill-mcp-manager): add transport.close() and idle timeout to fix memory leaks
Previously, disconnectSession() and disconnectAll() only called client.close() but NOT transport.close().
StdioClientTransport spawns child processes for MCP servers, and without transport.close(), these
processes remained orphaned and accumulated memory (6GB leak reported).
Changes:
- Added missing transport.close() calls in disconnectSession() and disconnectAll()
- Added idle timeout mechanism (5-minute timeout) with lastUsedAt tracking
- Added cleanup timer that runs every 60 seconds to remove idle clients
- Made signal handlers (SIGINT, SIGTERM, SIGBREAK) async to properly await cleanup
- Ensure proper cleanup order: clear from map first, then close client, then close transport
🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
* fix(ci): pin actionlint download script to v1.7.10 for supply chain security
- Pin to specific release tag instead of 'main' branch
- Prevents potential supply chain attacks from upstream compromises
🤖 GENERATED WITH ASSISTANCE OF [OhMyOpenCode](https://github.com/code-yeongyu/oh-my-opencode)
- Always merge parent process.env when spawning MCP child processes
- Overlay config.env on top if present (for skill-specific overrides)
- Fixes issue where skills without explicit env: block started with zero environment variables
- Adds 2 tests for env inheritance behavior
🤖 Generated with assistance of OhMyOpenCode (https://github.com/code-yeongyu/oh-my-opencode)
