Skip to content

Replace Smithery with Composio for Mapbox integration #397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ngoiyaeric merged 5 commits into from
Jan 5, 2026
Merged

Replace Smithery with Composio for Mapbox integration #397

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
cf9024c
Replace Smithery with Composio for Mapbox integration
ngoiyaeric Jan 3, 2026
3e65c6f
Fix: Update @composio/core to correct version (0.3.3)
ngoiyaeric Jan 4, 2026
0602e75
Fix code review issues
ngoiyaeric Jan 4, 2026
a460272
Fix: Add COMPOSIO_API_KEY validation and remove Smithery dependencies
ngoiyaeric Jan 4, 2026
18a4ac2
Update geospatial.tsx
ngoiyaeric Jan 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 19 additions & 10 deletions .env.local.example
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,18 +1,27 @@
# Mapbox MCP Server Credentials
# Replace with your actual Smithery profile ID and API key
SMITHERY_PROFILE_ID="your_smithery_profile_id_here"
SMITHERY_API_KEY="your_smithery_api_key_here"
# Composio Mapbox Integration
# Replace with your actual Composio auth config ID, user ID, and API key
COMPOSIO_API_KEY=your_composio_api_key
COMPOSIO_MAPBOX_AUTH_CONFIG_ID=ac_YOUR_MAPBOX_CONFIG_ID
COMPOSIO_USER_ID=user@example.com

# Mapbox Access Token
MAPBOX_ACCESS_TOKEN=your_mapbox_api_key

# For client-side usage (if needed)
NEXT_PUBLIC_COMPOSIO_API_KEY=your_composio_api_key
NEXT_PUBLIC_COMPOSIO_MAPBOX_AUTH_CONFIG_ID=ac_YOUR_MAPBOX_CONFIG_ID
NEXT_PUBLIC_COMPOSIO_USER_ID=user@example.com
Comment on lines +1 to +13
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Add COMPOSIO_API_KEY and reconsider client-side variable exposure.

Past review investigations confirmed that the @composio/core SDK expects a COMPOSIO_API_KEY environment variable for authentication. This critical variable is missing from the example configuration.

Additionally, NEXT_PUBLIC_COMPOSIO_USER_ID and NEXT_PUBLIC_COMPOSIO_MAPBOX_AUTH_CONFIG_ID expose server-side authentication identifiers to the client. Since the README emphasizes server-side-only usage and the composio-mapbox.ts module initializes Composio server-side, these client-side variables appear unnecessary and increase the risk of accidental exposure.

🔎 Proposed fix 
 # Composio Mapbox Integration
-# Replace with your actual Composio auth config ID and user ID
+# Get your Composio API key from https://app.composio.dev/settings/api-keys
+COMPOSIO_API_KEY=your_composio_api_key_here
+
+# Replace with your actual Composio auth config ID and user ID
 COMPOSIO_MAPBOX_AUTH_CONFIG_ID=ac_YOUR_MAPBOX_CONFIG_ID
 COMPOSIO_USER_ID=user@example.com
 
 # Mapbox Access Token
 MAPBOX_ACCESS_TOKEN=your_mapbox_api_key
-
-# For client-side usage (if needed)
-NEXT_PUBLIC_COMPOSIO_MAPBOX_AUTH_CONFIG_ID=ac_YOUR_MAPBOX_CONFIG_ID
-NEXT_PUBLIC_COMPOSIO_USER_ID=user@example.com

Based on learnings from past reviews.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Composio Mapbox Integration
# Replace with your actual Composio auth config ID and user ID
COMPOSIO_MAPBOX_AUTH_CONFIG_ID=ac_YOUR_MAPBOX_CONFIG_ID
COMPOSIO_USER_ID=user@example.com
# Mapbox Access Token
MAPBOX_ACCESS_TOKEN=your_mapbox_api_key
# For client-side usage (if needed)
NEXT_PUBLIC_COMPOSIO_MAPBOX_AUTH_CONFIG_ID=ac_YOUR_MAPBOX_CONFIG_ID
NEXT_PUBLIC_COMPOSIO_USER_ID=user@example.com
# Composio Mapbox Integration
# Get your Composio API key from https://app.composio.dev/settings/api-keys
COMPOSIO_API_KEY=your_composio_api_key_here
# Replace with your actual Composio auth config ID and user ID
COMPOSIO_MAPBOX_AUTH_CONFIG_ID=ac_YOUR_MAPBOX_CONFIG_ID
COMPOSIO_USER_ID=user@example.com
# Mapbox Access Token
MAPBOX_ACCESS_TOKEN=your_mapbox_api_key
🤖 Prompt for AI Agents 
In .env.local.example around lines 1 to 11, the example is missing
COMPOSIO_API_KEY and unnecessarily exposes server-side IDs via NEXT_PUBLIC_
variables; add a COMPOSIO_API_KEY=your_composio_api_key entry near the other
server-side settings and remove (or comment out)
NEXT_PUBLIC_COMPOSIO_MAPBOX_AUTH_CONFIG_ID and NEXT_PUBLIC_COMPOSIO_USER_ID to
avoid client-side exposure, keeping only server-side environment variables and a
short inline comment that these keys must remain server-only.

Comment on lines +10 to +13
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Jan 4, 2026
edited by ngoiyaeric
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical security risk: Remove NEXT_PUBLIC_COMPOSIO_API_KEY — API keys must never be exposed client-side.

Exposing COMPOSIO_API_KEY via a NEXT_PUBLIC_ prefix makes it accessible in browser bundles, allowing anyone to extract and misuse your API key. The README and composio-mapbox.ts both emphasize server-side-only usage.

If client-side code needs to interact with Composio, implement a server-side API route that proxies requests without exposing credentials.

🔎 Proposed fix 
-# For client-side usage (if needed)
-NEXT_PUBLIC_COMPOSIO_API_KEY=your_composio_api_key
-NEXT_PUBLIC_COMPOSIO_MAPBOX_AUTH_CONFIG_ID=ac_YOUR_MAPBOX_CONFIG_ID
-NEXT_PUBLIC_COMPOSIO_USER_ID=user@example.com
+# Note: Composio credentials should remain server-side only.
+# If client-side access is needed, use a server-side API route to proxy requests.
🤖 Prompt for AI Agents 
In .env.local.example around lines 10-13, the example exposes
NEXT_PUBLIC_COMPOSIO_API_KEY (client-side) which is a critical security risk;
remove the NEXT_PUBLIC_COMPOSIO_API_KEY entry and replace it with a server-only
variable name (e.g., COMPOSIO_API_KEY) in the example, add a short comment that
this key must be kept server-side only, and update the example/README to
instruct developers to create a server-side API route that proxies calls to
Composio using the server-only COMPOSIO_API_KEY (ensure composio-mapbox.ts and
any other code reference the server env var, not a NEXT_PUBLIC_* variable).


# NEXT_PUBLIC_MAPBOX_ACCESS_TOKEN is already used by mapbox-map.tsx
# Ensure it's also in your .env.local file if you haven't set it up yet.
# NEXT_PUBLIC_MAPBOX_ACCESS_TOKEN="your_mapbox_public_token_here"
# NEXT_PUBLIC_MAPBOX_ACCESS_TOKEN=your_mapbox_public_token_here

# AI Provider API Keys
# Gemini 3 Pro (Google Generative AI)
GEMINI_3_PRO_API_KEY="your_gemini_3_pro_api_key_here"
GEMINI_3_PRO_API_KEY=your_gemini_3_pro_api_key_here

# Supabase Credentials
NEXT_PUBLIC_SUPABASE_URL="YOUR_SUPABASE_URL_HERE"
NEXT_PUBLIC_SUPABASE_ANON_KEY="YOUR_SUPABASE_ANON_KEY_HERE"
SUPABASE_SERVICE_ROLE_KEY="YOUR_SUPABASE_SERVICE_ROLE_KEY_HERE"
DATABASE_URL="postgresql://postgres:[YOUR-POSTGRES-PASSWORD]@[YOUR-SUPABASE-DB-HOST]:[PORT]/postgres"
NEXT_PUBLIC_SUPABASE_URL=YOUR_SUPABASE_URL_HERE
NEXT_PUBLIC_SUPABASE_ANON_KEY=YOUR_SUPABASE_ANON_KEY_HERE
SUPABASE_SERVICE_ROLE_KEY=YOUR_SUPABASE_SERVICE_ROLE_KEY_HERE
DATABASE_URL=postgresql://postgres:[YOUR-POSTGRES-PASSWORD]@[YOUR-SUPABASE-DB-HOST]:[PORT]/postgres
253 changes: 253 additions & 0 deletions COMPOSIO_MIGRATION.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,253 @@
# Migration Guide: Smithery to Composio

This document outlines the migration from Smithery to Composio for the Mapbox integration in QCX.

## Overview

The QCX project has migrated from using Smithery's MCP server hosting to Composio's integration platform for Mapbox functionality. This change provides better scalability, more robust authentication, and improved tool management.

## What Changed

### 1. Dependencies

**Removed:**
- `@smithery/cli` (^1.2.5)
- `@smithery/sdk` (^1.0.4)
- `smithery` (^0.5.2)

**Added:**
- `@composio/core` (^0.5.0)

### 2. Environment Variables

**Old (Smithery):**
```bash
SMITHERY_PROFILE_ID="your_smithery_profile_id_here"
SMITHERY_API_KEY="your_smithery_api_key_here"
NEXT_PUBLIC_SMITHERY_PROFILE_ID="your_smithery_profile_id_here"
NEXT_PUBLIC_SMITHERY_API_KEY="your_smithery_api_key_here"
```

**New (Composio):**
```bash
COMPOSIO_MAPBOX_AUTH_CONFIG_ID="ac_YOUR_MAPBOX_CONFIG_ID"
COMPOSIO_USER_ID="user@example.com"
MAPBOX_ACCESS_TOKEN="your_mapbox_api_key"
NEXT_PUBLIC_COMPOSIO_MAPBOX_AUTH_CONFIG_ID="ac_YOUR_MAPBOX_CONFIG_ID"
NEXT_PUBLIC_COMPOSIO_USER_ID="user@example.com"
```

### 3. Configuration Files

**mapbox_mcp_config.json**

**Old:**
```json
{
"mcpServers": {
"mapbox-mcp-server": {
"command": "npx",
"args": [
"-y",
"@smithery/cli@latest",
"run",
"@ngoiyaeric/mapbox-mcp-server",
"--key",
"705b0222-a657-4cd2-b180-80c406cf6179",
"--profile",
"smooth-lemur-vfUbUE"
]
}
}
}
```

**New:**
```json
{
"composio": {
"mapbox": {
"authConfigId": "ac_YOUR_MAPBOX_CONFIG_ID",
"userId": "user@example.com",
"description": "Composio configuration for Mapbox integration"
}
}
}
```

### 4. Code Changes

#### mapbox_mcp/hooks.ts

**Old Connection Method:**
```typescript
const mcp = useMcp({
url: `https://server.smithery.ai/@Waldzell-Agentics/mcp-server/mcp?profile=${process.env.NEXT_PUBLIC_SMITHERY_PROFILE_ID}&api_key=${process.env.NEXT_PUBLIC_SMITHERY_API_KEY}`,
debug: process.env.NODE_ENV === 'development',
autoReconnect: true,
autoRetry: 5000,
});
```

**New Connection Method:**
```typescript
const composioClient = getComposioClient();
const { connectionId, connectedAccount } = await initializeComposioMapbox();
```

#### Tool Execution

**Old:**
```typescript
const result = await mcp.callTool('geocode_location', {
query: address,
includeMapPreview: true,
});
```

**New:**
```typescript
const result = await composioClient.executeAction({
action: 'mapbox_geocode_location',
params: {
query: address,
includeMapPreview: true,
},
connectedAccountId: connectionId,
});
```
Comment thread
coderabbitai[bot] marked this conversation as resolved.

## Migration Steps

### Step 1: Install Composio

```bash
bun install @composio/core
```

### Step 2: Remove Smithery Dependencies

```bash
bun remove @smithery/cli @smithery/sdk smithery
```

### Step 3: Set Up Composio Account

1. Sign up at https://composio.dev
2. Create a new auth config for Mapbox
3. Select "API Key" as the authentication method
4. Note your auth config ID (starts with `ac_`)

### Step 4: Update Environment Variables

1. Copy `.env.local.example` to `.env.local` (if not already done)
2. Replace Smithery variables with Composio variables:
```bash
COMPOSIO_MAPBOX_AUTH_CONFIG_ID="ac_YOUR_ACTUAL_CONFIG_ID"
COMPOSIO_USER_ID="your_email@example.com"
MAPBOX_ACCESS_TOKEN="your_mapbox_token"
```
Comment on lines +134 to +149
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Clarify authentication setup steps.

Step 3 mentions creating an auth config for Mapbox and selecting "API Key" as the authentication method. This could be confusing because:

  1. The guide doesn't explain how to get a Composio API key for authenticating the SDK itself
  2. "API Key" refers to Mapbox's auth method, not Composio's

Consider adding a step to obtain the Composio API key before creating the Mapbox auth config.

🧰 Tools
🪛 markdownlint-cli2 (0.18.1)

136-136: Bare URL used

(MD034, no-bare-urls)

145-145: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

🤖 Prompt for AI Agents 
In COMPOSIO_MIGRATION.md around lines 134 to 149, clarify the authentication
setup by adding a step to obtain a Composio SDK API key (and where to
find/create it in the Composio dashboard) before instructing users to create the
Mapbox auth config; explicitly state that the "API Key" selection in Step 3
refers to Mapbox's authentication method (not Composio's) and show which
environment variable should hold the Composio API key (e.g., COMPOSIO_API_KEY)
in the Step 4 env example alongside COMPOSIO_MAPBOX_AUTH_CONFIG_ID,
COMPOSIO_USER_ID and MAPBOX_ACCESS_TOKEN so users know both keys are required
and where to paste each.


### Step 5: Update Code References

The following files have been updated automatically:
- `mapbox_mcp/composio-mapbox.ts` (new file)
- `mapbox_mcp/hooks.ts` (updated)
- `mapbox_mcp/index.ts` (updated)
- `mapbox_mcp_config.json` (updated)
- `package.json` (updated)
- `.env.local.example` (updated)

### Step 6: Test the Integration

```bash
# Test the connection
bun run mapbox_mcp/index.ts

# Run the development server
bun run dev
```

## API Compatibility

The `useMCPMapClient` hook maintains the same interface, so existing components using it should continue to work without changes:

```typescript
const {
isConnected,
isLoading,
error,
connect,
disconnect,
processLocationQuery,
geocodeLocation,
calculateDistance,
searchNearbyPlaces,
} = useMCPMapClient();
```

## Troubleshooting

### Issue: "Composio client not connected"

**Solution:** Ensure you've called `connect()` before using any tool functions:

```typescript
useEffect(() => {
connect();
}, [connect]);
```

### Issue: "Invalid auth config ID"

**Solution:** Verify your `COMPOSIO_MAPBOX_AUTH_CONFIG_ID` starts with `ac_` and is copied correctly from the Composio dashboard.

### Issue: "Mapbox API key invalid"

**Solution:** Check that your `MAPBOX_ACCESS_TOKEN` is valid and has the necessary scopes enabled in your Mapbox account.

### Issue: Tool execution fails

**Solution:** Verify the action names match Composio's Mapbox integration. Common actions:
- `mapbox_geocode_location`
- `mapbox_calculate_distance`
- `mapbox_search_nearby_places`
- `mapbox_generate_map_link`

## Benefits of Composio

1. **Better Authentication Management**: Centralized auth config management
2. **Improved Security**: API keys stored securely in Composio
3. **Scalability**: Better handling of multiple integrations
4. **Monitoring**: Built-in logging and monitoring in Composio dashboard
5. **Flexibility**: Easier to add new tools and integrations

## Resources

- [Composio Documentation](https://docs.composio.dev)
- [Composio GitHub](https://github.com/ComposioHQ/composio)
- [Mapbox API Documentation](https://docs.mapbox.com)
- [QCX Documentation](https://deepwiki.com/QueueLab/QCX)

## Support

If you encounter issues during migration:
1. Check the Composio dashboard for connection status
2. Review the logs in your development console
3. Consult the [mapbox_mcp/README.md](./mapbox_mcp/README.md) file
4. Open an issue in the QCX repository

## Rollback

If you need to rollback to Smithery:

```bash
# Reinstall Smithery packages
bun install @smithery/cli@^1.2.5 @smithery/sdk@^1.0.4 smithery@^0.5.2

# Restore old environment variables in .env.local
# Restore old code from git history
git checkout HEAD~1 -- mapbox_mcp/
```

Comment on lines +1 to +252
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Fix markdown formatting issues throughout the document.

Static analysis detected multiple formatting issues:

  • Missing blank lines before/after fenced code blocks (MD031)
  • Bare URLs that should be wrapped in angle brackets (MD034)
  • Emphasis used instead of heading for "Old:" and "New:" labels (MD036)

These are minor but should be fixed for consistency with markdown best practices.

🧰 Tools
🪛 LanguageTool

[grammar] ~31-~31: Ensure spelling is correct
Context: ...your_smithery_api_key_here" **New (Composio):**bash COMPOSIO_MAPBOX_AUTH_CONFIG...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🪛 markdownlint-cli2 (0.18.1)

24-24: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

32-32: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

42-42: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

45-45: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

66-66: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

83-83: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

93-93: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

101-101: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

109-109: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

136-136: Bare URL used

(MD034, no-bare-urls)

145-145: Fenced code blocks should be surrounded by blank lines

(MD031, blanks-around-fences)

🤖 Prompt for AI Agents 
In COMPOSIO_MIGRATION.md lines 1-252, fix Markdown lint issues by ensuring there
is a blank line before and after every fenced code block throughout the document
(MD031), wrap all bare URLs in angle brackets (e.g., <https://...>) (MD034), and
replace emphasized "Old:" and "New:" labels with proper subheadings or bolded
labels (e.g., use "### Old" / "### New" or bold text) so they are treated as
headings (MD036); apply these edits consistently for each section (Dependencies,
Environment Variables, Configuration Files, Code Changes, Migration Steps,
Troubleshooting, Resources, Rollback) to resolve the formatting warnings.

Comment on lines +240 to +252
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Clarify rollback command.

The rollback command git checkout HEAD~1 -- mapbox_mcp/ assumes the previous commit contains the Smithery code, which may not be accurate if this PR includes multiple commits or if the branch has been rebased.

Consider updating to:

# Check out from the commit before this PR was merged
git checkout <commit-hash-before-pr> -- mapbox_mcp/

Or provide instructions to check git history first.

🤖 Prompt for AI Agents 
In COMPOSIO_MIGRATION.md around lines 240-252, the rollback step uses a fragile
command git checkout HEAD~1 -- mapbox_mcp/; update the instructions to tell
users to check out the exact commit hash before the PR (e.g. git checkout
<commit-hash-before-pr> -- mapbox_mcp/) and add a brief note on how to find that
hash (suggest running git log --oneline or git reflog to identify the correct
commit) so they use an explicit commit rather than HEAD~1.

However, we recommend staying with Composio for the improved features and maintainability.
33 changes: 19 additions & 14 deletions lib/agents/tools/geospatial.tsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import { BotMessage } from '@/components/message';
import { geospatialQuerySchema } from '@/lib/schema/geospatial';
import { Client as MCPClientClass } from '@modelcontextprotocol/sdk/client/index.js';
import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
import { createSmitheryUrl } from '@smithery/sdk';
// Smithery SDK removed - using direct URL construction
import { z } from 'zod';

// Types
Expand Down Expand Up @@ -34,17 +34,17 @@ interface MapboxConfig {
* Establish connection to the MCP server with proper environment validation.
*/
async function getConnectedMcpClient(): Promise<McpClient | null> {
const apiKey = process.env.NEXT_PUBLIC_SMITHERY_API_KEY;
const mapboxAccessToken = process.env.NEXT_PUBLIC_MAPBOX_ACCESS_TOKEN;
const profileId = process.env.NEXT_PUBLIC_SMITHERY_PROFILE_ID;
const composioApiKey = process.env.COMPOSIO_API_KEY;
const mapboxAccessToken = process.env.MAPBOX_ACCESS_TOKEN;
const composioUserId = process.env.COMPOSIO_USER_ID;

console.log('[GeospatialTool] Environment check:', {
apiKey: apiKey ? `${apiKey.substring(0, 8)}...` : 'MISSING',
composioApiKey: composioApiKey ? `${composioApiKey.substring(0, 8)}...` : 'MISSING',
mapboxAccessToken: mapboxAccessToken ? `${mapboxAccessToken.substring(0, 8)}...` : 'MISSING',
profileId: profileId ? `${profileId.substring(0, 8)}...` : 'MISSING',
composioUserId: composioUserId ? `${composioUserId.substring(0, 8)}...` : 'MISSING',
});

if (!apiKey || !mapboxAccessToken || !profileId || !apiKey.trim() || !mapboxAccessToken.trim() || !profileId.trim()) {
if (!composioApiKey || !mapboxAccessToken || !composioUserId || !composioApiKey.trim() || !mapboxAccessToken.trim() || !composioUserId.trim()) {
console.error('[GeospatialTool] Missing or empty required environment variables');
return null;
}
Expand All @@ -67,20 +67,25 @@ async function getConnectedMcpClient(): Promise<McpClient | null> {
console.log('[GeospatialTool] Using fallback config');
}

// Build Smithery URL
const smitheryUrlOptions = { config, apiKey, profileId };
const mcpServerBaseUrl = `https://server.smithery.ai/@Waldzell-Agentics/mcp-server/mcp?api_key=${smitheryUrlOptions.apiKey}&profile=${smitheryUrlOptions.profileId}`;
let serverUrlToUse;
// Build Composio MCP server URL
// Note: This should be migrated to use Composio SDK directly instead of MCP client
// For now, constructing URL directly without Smithery SDK
let serverUrlToUse: URL;
try {
serverUrlToUse = createSmitheryUrl(mcpServerBaseUrl, smitheryUrlOptions);
// Construct URL with Composio credentials
const baseUrl = 'https://api.composio.dev/v1/mcp/mapbox';
serverUrlToUse = new URL(baseUrl);
serverUrlToUse.searchParams.set('api_key', composioApiKey);
serverUrlToUse.searchParams.set('user_id', composioUserId);

const urlDisplay = serverUrlToUse.toString().split('?')[0];
console.log('[GeospatialTool] MCP Server URL created:', urlDisplay);
console.log('[GeospatialTool] Composio MCP Server URL created:', urlDisplay);
Comment on lines 74 to +82
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Jan 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# First, let's examine the actual file to confirm the code structure
head -n 100 lib/agents/tools/geospatial.tsx | cat -n

Repository: QueueLab/QCX

Length of output: 4459

🏁 Script executed:

# Search for the TODO comment mentioned in the review
rg "TODO|Smithery" lib/agents/tools/geospatial.tsx -n -B 2 -A 2

Repository: QueueLab/QCX

Length of output: 570

🏁 Script executed:

# Check the environment variables being used
rg "NEXT_PUBLIC|composioApiKey|composioUserId" lib/agents/tools/geospatial.tsx -n

Repository: QueueLab/QCX

Length of output: 739

🌐 Web query:

Composio MCP server API authentication best practices security

💡 Result:

Below are concise best-practice recommendations for authenticating and securing a Composio / MCP server API, with source citations.

Key recommendations

  • Require TLS (HTTPS) for all MCP endpoints and SSE connections. (docs.composio.dev)
  • Use strong, least-privilege credentials: long random API keys or short-lived tokens scoped to only required tools/actions. Rotate and revoke keys regularly. (mcp-cloud.ai)
  • Store secrets in a secrets manager or environment variables (do not hardcode keys in source or client-side code). (mcp-cloud.ai)
  • Prefer short-lived access tokens (with refresh tokens where needed) over long-lived static keys for user-facing flows; enforce sensible expirations for server-to-server tokens. (mcp-cloud.ai)
  • Protect both HTTP endpoints and SSE (stream) endpoints with authentication and enable auth on SSE in production. (mcp-framework.com)
  • Enforce fine-grained auth: create separate auth configurations per MCP server/instance and expose only required toolkits and scopes. (v3.docs.composio.dev)
  • Use mTLS or OAuth2 for higher-security integrations where possible (server-to-server or enterprise deployments). (mcp-framework.com)
  • Implement rate limiting, monitoring and alerting for failed auth attempts, and audit logging for key usage and token issuance/revocation. (mcp-cloud.ai)
  • Validate and sanitize client-supplied data and implement strict timeouts on connections to reduce abuse and resource exhaustion. (mcp-cloud.ai)

Practical operational steps

  • Use a secrets manager (AWS/GCP/Azure/HashiCorp) for production keys and rotate them on a schedule. (mcp-cloud.ai)
  • Limit MCP server allowed_tools and auth_config_ids to the minimum set required per instance. (v3.docs.composio.dev)
  • Log and review authentication failures; alert on unusual patterns and automatically revoke keys that appear compromised. (mcp-cloud.ai)

If you want, I can produce a checklist or example configuration (OAuth2, JWT, or API-key) tailored to your deployment (self-hosted vs Composio-managed) — tell me which environment you’re using.

Citations:

Security risk: API key exposed in URL query parameters.

Passing api_key as a URL query parameter (line 78) exposes credentials in server access logs, browser history, and HTTP referrer headers, violating MCP/Composio authentication best practices which explicitly recommend against passing sensitive data in URLs.

Additionally, using NEXT_PUBLIC_ environment variables for this server-side code (geospatial.tsx uses React Server Components) unnecessarily exposes these credentials to the client bundle.

The TODO comment on lines 71-72 correctly identifies the need to migrate to the Composio SDK directly. Prioritize this migration or implement a server-side proxy endpoint that uses secure authentication headers (e.g., Bearer tokens) instead of query parameters.

🤖 Prompt for AI Agents 
In lib/agents/tools/geospatial.tsx around lines 74 to 82, the code currently
injects the Composio api_key into the URL query string which exposes
credentials; instead, stop adding sensitive keys to the URL and move to a secure
server-side call: either use the Composio SDK on the server or call an internal
server-side proxy endpoint that reads a non-public environment variable (remove
NEXT_PUBLIC_ prefix and store composioApiKey/composioUserId in server-only envs)
and forwards requests with the API key in an Authorization header (e.g., Bearer
<key>) or in request body as per SDK requirements; ensure any console logs do
not print secrets and that this file runs only server-side (no client bundling)
so the credentials are never exposed to browser or logs.


if (!serverUrlToUse.href || !serverUrlToUse.href.startsWith('https://')) {
throw new Error('Invalid server URL generated');
}
} catch (urlError: any) {
console.error('[GeospatialTool] Error creating Smithery URL:', urlError.message);
console.error('[GeospatialTool] Error creating Composio URL:', urlError.message);
return null;
}

Expand Down
Loading