continuedev · RomneyDa · Nov 10, 2025 · Nov 10, 2025 · Nov 10, 2025 · RomneyDa
@@ -9,7 +9,6 @@ import {
   ModelRole,
   PackageIdentifier,
   RegistryClient,
-  TEMPLATE_VAR_REGEX,
   unrollAssistant,
   validateConfigYaml,
 } from "@continuedev/config-yaml";
@@ -237,22 +236,6 @@ export async function configYamlToContinueConfig(options: {
     sourceFile: doc.sourceFile,
   }));
 
-  config.mcpServers?.forEach((mcpServer) => {
-    if ("args" in mcpServer) {
-      const mcpArgVariables =
-        mcpServer.args?.filter((arg) => TEMPLATE_VAR_REGEX.test(arg)) ?? [];
-
-      if (mcpArgVariables.length === 0) {
-        return;
-      }
-
-      localErrors.push({
-        fatal: false,
-        message: `MCP server "${mcpServer.name}" has unsubstituted variables in args: ${mcpArgVariables.join(", ")}. Please refer to https://docs.continue.dev/hub/secrets/secret-types for managing hub secrets.`,
-      });
-    }
-  });
-
   // Prompt files -
   try {
     const promptFiles = await getAllPromptFiles(ide, undefined, true);

@@ -2,6 +2,10 @@ import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { Transport } from "@modelcontextprotocol/sdk/shared/transport.js";
 import { fileURLToPath } from "url";
 
+import {
+  decodeSecretLocation,
+  getTemplateVariables,
+} from "@continuedev/config-yaml";
 import {
   SSEClientTransport,
   SseError,
@@ -163,6 +167,19 @@ class MCPConnection {
       }
     }
 
+    const vars = getTemplateVariables(JSON.stringify(this.options));
+    const unrendered = vars.map((v) => {
+      return decodeSecretLocation(v.replace("secrets.", "")).secretName;
-      return decodeSecretLocation(v.replace("secrets.", "")).secretName;
+      return v.replace("secrets.", "");
-      return decodeSecretLocation(v.replace("secrets.", "")).secretName;
+      return v.replace("secrets.", "");
+    });
+
+    if (unrendered.length > 0) {
+      this.errors.push(
+        `${this.options.name} MCP Server has unresolved secrets: ${unrendered.join(", ")}.
+For personal use you can set the secret in the hub at https://hub.continue.dev/settings/secrets.
+Org-level secrets can only be used for MCP by Background Agents (https://docs.continue.dev/hub/agents/overview) when \"Include in Env\" is enabled.`,
+      );
+    }
+
     this.connectionPromise = Promise.race([
       // If aborted by a refresh or other, cancel and don't do anything
       new Promise((resolve) => {

@@ -15,6 +15,10 @@
 import { getErrorString } from "../util/error.js";
 import { logger } from "../util/logger.js";
 
+import {
+  decodeSecretLocation,
+  getTemplateVariables,
+} from "@continuedev/config-yaml";
 import { BaseService, ServiceWithDependencies } from "./BaseService.js";
 import { serviceContainer } from "./ServiceContainer.js";
 import {
@@ -248,7 +252,23 @@
     this.connections.set(serverName, connection);
     this.updateState();
 
+    const vars = getTemplateVariables(JSON.stringify(serverConfig));
+    const unrendered = vars.map((v) => {
+      return decodeSecretLocation(v.replace("secrets.", "")).secretName;
+    });
+
     try {
+      if (unrendered.length > 0) {
+        const message = `${serverConfig.name} MCP Server has unresolved secrets: ${unrendered.join(", ")}
+For personal use you can set the secret in the hub at https://hub.continue.dev/settings/secrets or pass it to the CLI environment.
+Org-level secrets can only be used for MCP by Background Agents (https://docs.continue.dev/hub/agents/overview) when \"Include in Env\" is enabled for the secret.`;
+        if (this.isHeadless) {
+          throw new Error(message);
+        } else {
+          connection.warnings.push(message);
+        }
+      }
+
       const client = await this.getConnectedClient(serverConfig);
 
       connection.client = client;