Delete tools.json after loading to ensure no secrets remain on disk

Added file deletion in both safe_inputs_mcp_server.cjs and safe_inputs_mcp_server_http.cjs
after the configuration is loaded and tools are registered. This guarantees that even
though the env field only lists variable names (not secrets), the file is removed
immediately after use for maximum security.

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>

Author: Copilot

.github/workflows/copilot-pr-merged-report.lock.yml

@@ -71,6 +71,18 @@ function startSafeInputsServer(configPath, options = {}) {
     registerTool(server, tool);
   }
 
+  // Delete the configuration file after loading to ensure no secrets remain on disk
+  try {
+    const fs = require("fs");
+    if (fs.existsSync(configPath)) {
+      fs.unlinkSync(configPath);
+      server.debug(`Deleted configuration file: ${configPath}`);
+    }
+  } catch (error) {
+    server.debugError(`Warning: Could not delete configuration file: `, error);
+    // Continue anyway - the server is already running
+  }
+
   // Start the server
   start(server);
 }

.github/workflows/daily-performance-summary.lock.yml

@@ -114,6 +114,18 @@ function createMCPServer(configPath, options = {}) {
   logger.debug(`Tool registration complete: ${registeredCount} registered, ${skippedCount} skipped`);
   logger.debug(`=== MCP Server Creation Complete ===`);
 
+  // Delete the configuration file after loading to ensure no secrets remain on disk
+  try {
+    const fs = require("fs");
+    if (fs.existsSync(configPath)) {
+      fs.unlinkSync(configPath);
+      logger.debug(`Deleted configuration file: ${configPath}`);
+    }
+  } catch (error) {
+    logger.debugError(`Warning: Could not delete configuration file: `, error);
+    // Continue anyway - the server is already running
+  }
+
   return { server, config, logger };
 }