get_secret
Retrieve API keys and secrets from your OS vault to prevent plaintext leaks. Handles multi-environment configurations and logs all access for security auditing.
Instructions
Retrieve a secret by key. Collapses superposition if the secret has multiple environment states. Records access in audit log (observer effect).
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| key | Yes | The secret key name | |
| scope | No | Scope: global or project | |
| projectPath | No | Project root path for project-scoped secrets | |
| env | No | Environment for superposition collapse (e.g., dev, staging, prod) |
Implementation Reference
- src/core/keyring.ts:94-133 (handler)The handler function for retrieving a secret. It resolves scope/environment, checks for decay, collapses superposition if necessary, records access (observer effect), and logs audit events.
export function getSecret( key: string, opts: KeyringOptions = {}, ): string | null { const scopes = resolveScope(opts); const env = resolveEnv(opts); const source = opts.source ?? "cli"; for (const { service, scope } of scopes) { const envelope = readEnvelope(service, key); if (!envelope) continue; // Check decay const decay = checkDecay(envelope); if (decay.isExpired) { logAudit({ action: "read", key, scope, source, detail: "blocked: secret expired (quantum decay)", }); continue; } // Collapse superposition const value = collapseValue(envelope, env); if (value === null) continue; // Observer effect: record access and persist const updated = recordAccess(envelope); writeEnvelope(service, key, updated); logAudit({ action: "read", key, scope, env, source }); return value; } return null; } - src/mcp/server.ts:83-97 (registration)The MCP tool registration for 'get_secret', which maps the tool request to the core `getSecret` function.
server.tool( "get_secret", "Retrieve a secret by key. Collapses superposition if the secret has multiple environment states. Records access in audit log (observer effect).", { key: z.string().describe("The secret key name"), scope: scopeSchema, projectPath: projectPathSchema, env: envSchema, }, async (params) => { const value = getSecret(params.key, opts(params)); if (value === null) return text(`Secret "${params.key}" not found`, true); return text(value); }, );