generate_secret
Generate cryptographic secrets using quantum noise for secure API keys, tokens, and passwords. Save directly to your OS-native vault to prevent plaintext leaks.
Instructions
Generate a cryptographic secret (quantum noise). Formats: hex, base64, alphanumeric, uuid, api-key, token, password. Optionally save directly to the keyring.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| format | No | Output format | api-key |
| length | No | Length in bytes (hex, base64, token) or in characters (alphanumeric, api-key, password); not used for uuid | |
| prefix | No | Prefix for api-key/token format | |
| saveAs | No | If provided, save the generated secret with this key name | |
| scope | No | Scope: global or project | global |
| projectPath | No | Project root path for project-scoped secrets | |
Implementation Reference
- src/mcp/server.ts:288-323 (handler) The MCP tool registration and handler implementation for 'generate_secret'.
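// Registers the "generate_secret" MCP tool: builds a secret with generateSecret()
// and either stores it under `saveAs` via setSecret() or returns it to the caller.
//
// NOTE(review): the description string advertises "quantum noise", but nothing in
// this handler establishes the entropy source; it delegates to generateSecret().
// Confirm what backs that function before relying on the claim.
server.tool(
  "generate_secret",
  "Generate a cryptographic secret (quantum noise). Formats: hex, base64, alphanumeric, uuid, api-key, token, password. Optionally save directly to the keyring.",
  {
    format: z
      .enum(["hex", "base64", "alphanumeric", "uuid", "api-key", "token", "password"])
      .optional()
      .default("api-key")
      .describe("Output format"),
    // Tool arguments are caller-controlled, so the length is validated here:
    // a zero, negative or fractional value would otherwise reach the generator
    // and could yield an empty or malformed secret that is still reported as
    // "generated". The upper bound is a reviewer-chosen cap (constructed value)
    // against oversized allocations; adjust it to the project's needs.
    // Small positive lengths remain allowed and produce weak secrets; the
    // entropy estimate in the save message is the only signal of that.
    length: z
      .number()
      .int()
      .positive()
      .max(1024)
      .optional()
      .describe("Length in bytes or characters"),
    prefix: z.string().optional().describe("Prefix for api-key/token format"),
    saveAs: z
      .string()
      .optional()
      .describe("If provided, save the generated secret with this key name"),
    scope: scopeSchema.default("global"),
    projectPath: projectPathSchema,
  },
  async (params) => {
    const secret = generateSecret({
      format: params.format as NoiseFormat,
      length: params.length,
      prefix: params.prefix,
    });

    if (params.saveAs) {
      // Stored path: the secret value is written through setSecret() and only
      // the key name, format and an entropy estimate are returned.
      // opts(params) is defined elsewhere; presumably it carries scope and
      // projectPath through to the store (confirm).
      setSecret(params.saveAs, secret, {
        ...opts(params),
        description: `Generated ${params.format} secret`,
      });
      const entropy = estimateEntropy(secret);
      return text(
        `Generated and saved as "${params.saveAs}" (${params.format}, ~${entropy} bits entropy)`,
      );
    }

    // Unsaved path: the secret itself is the tool result, so it is visible to
    // whatever consumes the response (client logs, model context). An empty
    // `saveAs` string is falsy and also ends up here. Prefer `saveAs` when the
    // value must not appear in plaintext.
    return text(secret);
  },
);
// Next listing: src/core/noise.ts:38-104 (helper). The actual secret generation logic exported and used by the MCP tool.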
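/**
 * Generate a random secret in the requested format.
 *
 * `opts.length` means different things per format:
 * - `hex`, `base64`, `token`: number of random bytes before encoding
 *   (`base64` and `token` are emitted as unpadded URL-safe base64).
 * - `alphanumeric`, `api-key`, `password`: number of characters; for
 *   `api-key` the prefix is added on top of that length.
 * - `uuid`: ignored; 16 random bytes are always used.
 *
 * NOTE(review): the randomness comes from `randomBytes`, `randomString` and
 * `randomInt`, whose definitions and imports are not visible here. Confirm
 * that they are backed by a CSPRNG and that `randomString`/`randomInt` sample
 * without modulo bias. Nothing in this function shows a quantum source.
 *
 * @param opts - Format, optional length and optional prefix.
 * @returns The generated secret as a string.
 */
export function generateSecret(opts: NoiseOptions = {}): string {
  const format = opts.format ?? "api-key";

  switch (format) {
    case "hex": {
      const len = opts.length ?? 32;
      return randomBytes(len).toString("hex");
    }
    case "base64": {
      const len = opts.length ?? 32;
      return randomBytes(len).toString("base64url");
    }
    case "alphanumeric": {
      const len = opts.length ?? 32;
      return randomString(ALPHA_NUM, len);
    }
    case "uuid": {
      const bytes = randomBytes(16);
      bytes[6] = (bytes[6] & 0x0f) | 0x40; // version 4
      bytes[8] = (bytes[8] & 0x3f) | 0x80; // variant 1
      const hex = bytes.toString("hex");
      return [
        hex.slice(0, 8),
        hex.slice(8, 12),
        hex.slice(12, 16),
        hex.slice(16, 20),
        hex.slice(20, 32),
      ].join("-");
    }
    case "api-key": {
      const prefix = opts.prefix ?? "qr_";
      const len = opts.length ?? 48;
      return prefix + randomString(ALPHA_NUM, len);
    }
    case "token": {
      const prefix = opts.prefix ?? "";
      const len = opts.length ?? 64;
      return prefix + randomBytes(len).toString("base64url");
    }
    case "password": {
      const len = opts.length ?? 24;
      let pw = randomString(PASSWORD_CHARS, len);

      // The four classes partition every character: anything that is not a
      // letter or digit counts as "special".
      const classes = [
        { pattern: /[A-Z]/, alphabet: "ABCDEFGHIJKLMNOPQRSTUVWXYZ" },
        { pattern: /[a-z]/, alphabet: "abcdefghijklmnopqrstuvwxyz" },
        { pattern: /[0-9]/, alphabet: "0123456789" },
        { pattern: /[^A-Za-z0-9]/, alphabet: "!@#$%^&*()-_=+" },
      ];

      // Guarantee at least one of each class. A replacement at an arbitrary
      // position can overwrite the only member of another class (or a
      // character forced in a moment earlier), silently breaking the
      // guarantee. Only positions whose class still has a spare member are
      // eligible, so no class is ever emptied by a repair.
      for (const needed of classes) {
        if (needed.pattern.test(pw)) continue;

        const counts = classes.map((c) => {
          let n = 0;
          for (let i = 0; i < pw.length; i++) {
            if (c.pattern.test(pw.charAt(i))) n++;
          }
          return n;
        });

        const safe: number[] = [];
        for (let i = 0; i < pw.length; i++) {
          const owner = classes.findIndex((c) => c.pattern.test(pw.charAt(i)));
          if ((counts[owner] ?? 0) > 1) safe.push(i);
        }

        // With fewer than four characters not every class can be present;
        // the password is then returned best-effort. Callers that need the
        // guarantee should enforce a minimum length.
        if (safe.length === 0) continue;

        const pos = safe[randomInt(safe.length)];
        if (pos === undefined) continue;
        pw = replaceAt(pw, pos, randomString(needed.alphabet, 1));
      }
      return pw;
    }
    default:
      // Unknown format: fall back to 32 random bytes, hex-encoded.
      return randomBytes(32).toString("hex");
  }
}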