help
Access SecureCode documentation for tools, SDK setup, workflows, and troubleshooting to implement secure secrets management.
Instructions
Get SecureCode documentation: available tools, usage patterns, SDK setup, and common workflows. Use this to understand how to help the user with SecureCode.
Input Schema
TableJSON Schema
| Name | Required | Description | Default |
|---|---|---|---|
| topic | No | Documentation topic. Default: "all" |
Implementation Reference
- src/index.ts:1926-2161 (handler)The 'help' tool implementation in src/index.ts, which provides documentation for other tools and workflows.
server.tool( 'help', 'Get SecureCode documentation: available tools, usage patterns, SDK setup, and common workflows. Use this to understand how to help the user with SecureCode.', { topic: z.enum(['all', 'tools', 'sdk', 'sessions', 'rules', 'import-export', 'troubleshooting']).optional() .describe('Documentation topic. Default: "all"'), }, async ({ topic }) => { const t = topic || 'all'; const sections: Record<string, string> = { tools: [ '## SecureCode Tools', '', '| Tool | Description |', '|------|-------------|', '| get-secret | Get a secret by name. Default: injects to local file (zero-knowledge). Use reveal:true to show in chat. |', '| list-secrets | List all secrets with tags and expiration status. Never shows values. |', '| create-secret | Create a new encrypted secret with optional tags, description, TTL. |', '| update-secret | Update value, description, tags, or domain of an existing secret. |', '| delete-secret | Soft-delete a secret (recoverable from dashboard). |', '| renew-secret | Renew expired secret or change TTL. |', '| import-env | Import secrets via the web dashboard (provides link). AI never sees values during import. |', '| export-env | Export secrets as .env or CSV format. |', '| get-status | Check plan, usage, limits, and MCP server version. |', '| wake-session | Unlock session to access secrets. Optional scope and auto-sleep timer. |', '| sleep-session | Lock session immediately. Blocks all secret access. |', '| session-status | Check if session is active/sleeping and time remaining. |', '| byebye | End work session: lock + cleanup injected files + goodbye. |', '| get-active-rules | List MCP access rules (read-only). |', '| onboard | Guided onboarding: signup, import, API key setup. |', '| help | This documentation. |', ].join('\n'), sdk: [ '## SecureCode SDK — Agent Setup Guide', '', 'This guide is for YOU (the AI agent) to configure the SecureCode SDK in the user\'s project.', 'Follow these steps in order.', '', '### Step 1: Install the SDK', '```bash', 'npm install @securecode/sdk', '```', '', '### Step 2: Add loadEnv() to the app entry point', '', 'Find the main entry file of the project.', '', 'For Next.js projects, use src/instrumentation.ts (create if missing):', '```typescript', 'export async function register() {', ' if (process.env.NEXT_RUNTIME === "nodejs") {', ' const { loadEnv } = await import("@securecode/sdk");', ' await loadEnv({ override: true });', ' }', '}', '```', 'Note: Next.js 14 requires `experimental: { instrumentationHook: true }` in next.config.js.', 'Next.js 15+ enables it by default.', '', 'For other frameworks (Express, Fastify, plain Node.js), add at the top of the entry file', '(e.g., app.ts, server.ts, index.ts), BEFORE any code that reads process.env:', '```typescript', 'import { loadEnv } from "@securecode/sdk";', '', '// Load all secrets from SecureCode into process.env', 'await loadEnv();', '```', '', 'loadEnv() fetches ALL the user\'s secrets from SecureCode and injects them into process.env.', 'After this call, process.env.DATABASE_URL, process.env.STRIPE_KEY, etc. all work normally.', 'Existing env vars ARE overwritten by default (SecureCode vault takes precedence over local .env).', 'Use loadEnv({ override: false }) if you want local .env to take precedence.', '', 'The API key is read from .securecoderc or process.env.SECURECODE_API_KEY automatically.', '', '### Step 3: API key is already configured', '', 'During onboarding, a .securecoderc file was created in the project root with the API key.', 'The SDK reads it automatically — no need to add anything to .env.', '', 'For production deployment, set these env vars in the hosting platform (Vercel, Railway, etc.):', '- SECURECODE_API_KEY=sc_...', '- SECURECODE_PROJECT=<project-name> (optional, filters secrets by project)', '- SECURECODE_ENV=production (optional, filters secrets by environment)', '', '### Step 4: Remove hardcoded secrets from .env (optional)', '', 'Once loadEnv() is working, the user can optionally remove secrets from their .env file', 'since they\'re now loaded from SecureCode.', 'Do NOT delete the .env file — just remove the secrets that are now in SecureCode.', 'Always ask the user before removing anything.', '', '### Alternative: Individual secret access', '', 'If the user only needs specific secrets (not all):', '```typescript', 'import { getSecret } from "@securecode/sdk";', '', 'const dbUrl = await getSecret("DATABASE_URL");', '```', 'This also reads SECURECODE_API_KEY from .securecoderc or the environment automatically.', '', '### loadEnv() options', '', '```typescript', 'await loadEnv({', ' tags: { env: "production" }, // Only load secrets with these tags', ' override: true, // Overwrite existing env vars (default: false)', '});', '```', '', '### Important notes for the agent', '- The same API key works for both the MCP server and the SDK', '- loadEnv() is the recommended approach — one line replaces all .env reads', '- Do NOT hardcode the API key in source code', '- Do NOT suggest deleting .env files entirely — just remove the migrated secrets', '- If the project uses Next.js, loadEnv() goes in src/instrumentation.ts with NEXT_RUNTIME guard and dynamic import()', '- If the project uses a framework with its own env loading, loadEnv() should run first', '- The API key lives in .securecoderc (not .env) — it was added to .gitignore during onboarding', ].join('\n'), sessions: [ '## Sessions', '', 'Sessions control when secrets are accessible:', '', '- **wake-session**: Unlock access. Optionally scope to specific tags.', '- **sleep-session**: Lock immediately. All access blocked.', '- **session-status**: Check current state.', '- **byebye**: Lock + cleanup + end session.', '', 'Auto-sleep activates after inactivity (default: 2 hours).', 'Scope example: wake-session with scope [{project:"acme"}] only allows', 'secrets tagged with project:acme.', ].join('\n'), rules: [ '## MCP Rules', '', 'Rules are tag-based access policies created from the dashboard.', 'They are evaluated server-side before any secret is delivered.', '', '**Actions (by precedence):**', '1. block_always — Secret only accessible from dashboard', '2. require_session — Must wake-session first', '3. block_models — Block specific AI models', '4. require_confirmation — Ask user to acknowledge before access', '5. notify — Send email notification (does not block)', '', 'Use get-active-rules to see what rules are in effect.', 'Rules can only be created/modified from the dashboard.', ].join('\n'), 'import-export': [ '## Import & Export', '', '**Import from .env:**', 'For security, .env import is done through the web interface.', 'The AI agent never sees secret values during import.', 'Use the import-env tool to get the link to the import page.', '', '**Export:**', '```', 'export-env(format: "env", tags: {project: "acme"})', '```', 'Returns decrypted values. Filter by tags for specific environments.', ].join('\n'), troubleshooting: [ '## Troubleshooting', '', '**"NO_API_KEY" error:**', 'This means SECURECODE_API_KEY is not reaching the MCP process. Common causes:', '', '1. API key in the wrong config file:', ' Claude Code can register MCPs in two places:', ' - Project-level: .mcp.json in the project root', ' - Global: ~/.claude.json under projects[path].mcpServers', ' If the user ran `claude mcp add` before onboarding, it may have created an entry', ' in ~/.claude.json with env:{} (no key), which overrides .mcp.json.', ' Fix: Check BOTH files. Ensure SECURECODE_API_KEY is in the active entry.', '', '2. Quick fix command:', ' claude mcp remove securecode', ' claude mcp add securecode -e SECURECODE_API_KEY=sc_... -- npx -y @securecode/mcp-server', ' Then close and reopen Claude Code.', '', '3. Never onboarded: Run the onboard tool to set up SecureCode from scratch.', '', '**Missing .securecoderc:**', 'If the .securecoderc file is missing from the project root, either:', '- Run the onboard tool again to recreate it', '- Create it manually with:', ' SECURECODE_API_KEY=sc_...', ' SECURECODE_PROJECT=<project-name>', ' SECURECODE_ENV=<environment>', ' And add .securecoderc to .gitignore.', '', '**"Secret not found":**', 'Use list-secrets to see available names. Check if you\'re using the right tags.', '', '**"MCP Rule blocked":**', 'Use get-active-rules to see which rule is blocking. Modify rules from the dashboard.', '', '**"Session sleeping":**', 'Run wake-session to unlock access.', '', '**Outdated MCP server:**', 'Close and reopen Claude Code. If issue persists: npx clear-npx-cache', 'Then close and reopen Claude Code again.', '', '**Adding production/staging environments:**', 'To add secrets for a new environment, use: onboard(action: "add-environment")', 'For production deployments, set SECURECODE_PROJECT and SECURECODE_ENV as env vars', 'in your hosting platform (Vercel, Railway, etc.).', '', '**Need help?**', 'Visit securecodehq.com or check the dashboard for documentation.', ].join('\n'), }; if (t === 'all') { const allText = [sections.tools, sections.sdk, sections.sessions, sections.rules, sections['import-export'], sections.troubleshooting].join('\n\n---\n\n'); return wrapResponse([{ type: 'text', text: `# SecureCode Help\n\n${allText}` }]); } const section = sections[t]; if (!section) { return wrapResponse([{ type: 'text', text: `Unknown topic: ${t}. Available: tools, sdk, sessions, rules, import-export, troubleshooting` }], true); } return wrapResponse([{ type: 'text', text: section }]); }, );