The upstream MCP container requires a SonarQube user token in the
Authorization header. Without one, every call returns 401.
- proxy: read SONARQUBE_TOKEN via sonarqube_token() at session-open
time; raise TokenMissingError when unset/blank. upstream_session()
attaches the token as "Authorization: Bearer <token>" via
streamablehttp_client(headers=...).
- cli: fail fast in serve and check with a clear stderr message and
exit 1 when the token is missing, before any network attempt. All
exception text written to stderr passes through _redact() so an
accidentally-leaked token from a third-party exception is replaced
with [REDACTED] before display.
- The token is never stored on any object, never logged, and the
TokenMissingError message contains no token material (it only
describes how to generate one in SonarQube).
- Tests: header forwarding via mocked streamablehttp_client, missing-
token exit code, redaction in CLI error paths, whitespace stripping
on the token. Total: 25 tests.
- Docs: README/CLAUDE updated with the new env-var, Claude Desktop
config snippet, and the security guarantees. CHANGELOG added.
Bumps version to 0.2.0.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
