diff --git a/.changeset/patch-fix-safe-inputs-secrets.md b/.changeset/patch-fix-safe-inputs-secrets.md
new file mode 100644
index 0000000000..3885023a5a
--- /dev/null
+++ b/.changeset/patch-fix-safe-inputs-secrets.md
@@ -0,0 +1,11 @@
+---
+"gh-aw": patch
+---
+
+Ensure safe-inputs MCP server start step receives tool secrets via an
+`env:` block so the MCP server process inherits the correct environment.
+Removes redundant `export` statements in the start script that attempted
+to export variables that were not present in the step environment.
+
+Fixes passing of secrets like `GH_AW_GH_TOKEN` to the MCP server process.
+
diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml
index 8c01989623..21df370d31 100644
--- a/.github/workflows/copilot-pr-merged-report.lock.yml
+++ b/.github/workflows/copilot-pr-merged-report.lock.yml
@@ -400,14 +400,14 @@ jobs:
           
       - name: Start Safe Inputs MCP HTTP Server
         id: safe-inputs-start
+        env:
+          GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_DEBUG: 1
         run: |
           # Set environment variables for the server
           export GH_AW_SAFE_INPUTS_PORT=${{ steps.safe-inputs-config.outputs.safe_inputs_port }}
           export GH_AW_SAFE_INPUTS_API_KEY=${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }}
           
-          export GH_AW_GH_TOKEN="${GH_AW_GH_TOKEN}"
-          export GH_DEBUG="${GH_DEBUG}"
-          
           bash /tmp/gh-aw/actions/start_safe_inputs_server.sh
           
       - name: Setup MCPs
diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml
index 1cbb37ed40..d3ec2d747e 100644
--- a/.github/workflows/daily-choice-test.lock.yml
+++ b/.github/workflows/daily-choice-test.lock.yml
@@ -278,8 +278,8 @@ jobs:
                   }
                 },
                 "required": [
-                  "environment",
-                  "test_type"
+                  "test_type",
+                  "environment"
                 ],
                 "type": "object"
               },
diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml
index 06fd398039..82821699c4 100644
--- a/.github/workflows/daily-performance-summary.lock.yml
+++ b/.github/workflows/daily-performance-summary.lock.yml
@@ -854,13 +854,13 @@ jobs:
           
       - name: Start Safe Inputs MCP HTTP Server
         id: safe-inputs-start
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           # Set environment variables for the server
           export GH_AW_SAFE_INPUTS_PORT=${{ steps.safe-inputs-config.outputs.safe_inputs_port }}
           export GH_AW_SAFE_INPUTS_API_KEY=${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }}
           
-          export GH_TOKEN="${GH_TOKEN}"
-          
           bash /tmp/gh-aw/actions/start_safe_inputs_server.sh
           
       - name: Setup MCPs
diff --git a/.github/workflows/smoke-copilot-no-firewall.lock.yml b/.github/workflows/smoke-copilot-no-firewall.lock.yml
index 788778f447..64da76e3e7 100644
--- a/.github/workflows/smoke-copilot-no-firewall.lock.yml
+++ b/.github/workflows/smoke-copilot-no-firewall.lock.yml
@@ -492,14 +492,14 @@ jobs:
           
       - name: Start Safe Inputs MCP HTTP Server
         id: safe-inputs-start
+        env:
+          GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_DEBUG: 1
         run: |
           # Set environment variables for the server
           export GH_AW_SAFE_INPUTS_PORT=${{ steps.safe-inputs-config.outputs.safe_inputs_port }}
           export GH_AW_SAFE_INPUTS_API_KEY=${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }}
           
-          export GH_AW_GH_TOKEN="${GH_AW_GH_TOKEN}"
-          export GH_DEBUG="${GH_DEBUG}"
-          
           bash /tmp/gh-aw/actions/start_safe_inputs_server.sh
           
       - name: Setup MCPs
diff --git a/.github/workflows/smoke-copilot-playwright.lock.yml b/.github/workflows/smoke-copilot-playwright.lock.yml
index eea476d08f..15e05d72bc 100644
--- a/.github/workflows/smoke-copilot-playwright.lock.yml
+++ b/.github/workflows/smoke-copilot-playwright.lock.yml
@@ -585,14 +585,14 @@ jobs:
           
       - name: Start Safe Inputs MCP HTTP Server
         id: safe-inputs-start
+        env:
+          GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_DEBUG: 1
         run: |
           # Set environment variables for the server
           export GH_AW_SAFE_INPUTS_PORT=${{ steps.safe-inputs-config.outputs.safe_inputs_port }}
           export GH_AW_SAFE_INPUTS_API_KEY=${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }}
           
-          export GH_AW_GH_TOKEN="${GH_AW_GH_TOKEN}"
-          export GH_DEBUG="${GH_DEBUG}"
-          
           bash /tmp/gh-aw/actions/start_safe_inputs_server.sh
           
       - name: Setup MCPs
diff --git a/.github/workflows/smoke-copilot-safe-inputs.lock.yml b/.github/workflows/smoke-copilot-safe-inputs.lock.yml
index 7fe69def91..7f75acab8a 100644
--- a/.github/workflows/smoke-copilot-safe-inputs.lock.yml
+++ b/.github/workflows/smoke-copilot-safe-inputs.lock.yml
@@ -447,14 +447,14 @@ jobs:
           
       - name: Start Safe Inputs MCP HTTP Server
         id: safe-inputs-start
+        env:
+          GH_AW_GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_DEBUG: 1
         run: |
           # Set environment variables for the server
           export GH_AW_SAFE_INPUTS_PORT=${{ steps.safe-inputs-config.outputs.safe_inputs_port }}
           export GH_AW_SAFE_INPUTS_API_KEY=${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }}
           
-          export GH_AW_GH_TOKEN="${GH_AW_GH_TOKEN}"
-          export GH_DEBUG="${GH_DEBUG}"
-          
           bash /tmp/gh-aw/actions/start_safe_inputs_server.sh
           
       - name: Setup MCPs
diff --git a/pkg/workflow/mcp_servers.go b/pkg/workflow/mcp_servers.go
index 5b7c287bee..974e19a8a7 100644
--- a/pkg/workflow/mcp_servers.go
+++ b/pkg/workflow/mcp_servers.go
@@ -299,19 +299,30 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
 		// Step 4: Start the HTTP server in the background
 		yaml.WriteString("      - name: Start Safe Inputs MCP HTTP Server\n")
 		yaml.WriteString("        id: safe-inputs-start\n")
+
+		// Add env block with tool-specific secrets so they're available to the Node.js MCP server process
+		safeInputsSecrets := collectSafeInputsSecrets(workflowData.SafeInputs)
+		if len(safeInputsSecrets) > 0 {
+			yaml.WriteString("        env:\n")
+			// Sort env var names for consistent output
+			envVarNames := make([]string, 0, len(safeInputsSecrets))
+			for envVarName := range safeInputsSecrets {
+				envVarNames = append(envVarNames, envVarName)
+			}
+			sort.Strings(envVarNames)
+
+			for _, envVarName := range envVarNames {
+				secretExpr := safeInputsSecrets[envVarName]
+				fmt.Fprintf(yaml, "          %s: %s\n", envVarName, secretExpr)
+			}
+		}
+
 		yaml.WriteString("        run: |\n")
 		yaml.WriteString("          # Set environment variables for the server\n")
 		yaml.WriteString("          export GH_AW_SAFE_INPUTS_PORT=${{ steps.safe-inputs-config.outputs.safe_inputs_port }}\n")
 		yaml.WriteString("          export GH_AW_SAFE_INPUTS_API_KEY=${{ steps.safe-inputs-config.outputs.safe_inputs_api_key }}\n")
 		yaml.WriteString("          \n")
 
-		// Pass through environment variables from safe-inputs config
-		envVars := getSafeInputsEnvVars(workflowData.SafeInputs)
-		for _, envVar := range envVars {
-			fmt.Fprintf(yaml, "          export %s=\"${%s}\"\n", envVar, envVar)
-		}
-		yaml.WriteString("          \n")
-
 		// Call the bundled shell script to start the server
 		yaml.WriteString("          bash /tmp/gh-aw/actions/start_safe_inputs_server.sh\n")
 		yaml.WriteString("          \n")