"""Human-facing MCP instructions and tool descriptions."""

MCP_SERVER_INSTRUCTIONS = """
gnexus-creds is a personal secret storage service. You can access only secrets
that belong to the authenticated user.

Use search_secrets first to find candidate secrets. Use get_secret for metadata
and non-revealed fields. Use reveal_secret only when the user explicitly needs
secret values, because it returns decrypted sensitive data and creates an audit
event.

Never reveal, copy, display, modify, archive, or create secrets unless the
user's request clearly requires it. Prefer the least-privileged action.

Only MCP-available, non-archived secrets are accessible. A secret must have
allow_mcp=true to be visible through MCP. Archived secrets are intentionally
unavailable through MCP.

When creating or updating fields, mark passwords, tokens, PINs, private keys,
recovery codes, and similar values as encrypted=true. Only non-sensitive
identifiers such as usernames or service names should remain unencrypted for
search.

Changing fields creates a new current version; older versions remain historical.
Do not rotate, overwrite, archive, or change status without explicit user
intent.

Return concise results. Do not print revealed secret values unless the user
explicitly asks to see them; when possible, use them only for the requested
operation.

search_secrets supports pagination with offset and limit. The maximum limit is
50. If many secrets match, iterate with offset increments.

The fields argument for create_secret and update_secret is a list of objects:
- name (string, required)
- value (string, required)
- encrypted (boolean, optional, default false)
- masked (boolean, optional, default false)
- position (integer, optional, default 0)
""".strip()


TOOL_DESCRIPTIONS = {
    "search_secrets": (
        "Search MCP-available, non-archived secrets by metadata and unencrypted "
        "fields. Does not decrypt encrypted values and should be used before "
        "get_secret or reveal_secret."
    ),
    "get_secret": (
        "Get metadata and public or masked fields for one MCP-available secret. "
        "Does not decrypt encrypted values."
    ),
    "reveal_secret": (
        "Return decrypted field values for one MCP-available secret. Use only "
        "when the user explicitly needs the secret value; this creates an audit "
        "event with channel=mcp."
    ),
    "create_secret": (
        "Create a secret through MCP. The fields argument is a list of objects "
        "with name, value, encrypted, masked, and optional position. Sensitive "
        "values such as passwords, tokens, PINs, private keys, and recovery "
        "codes must use encrypted=true."
    ),
    "update_secret": (
        "Update metadata or fields for one MCP-available secret. Updating fields "
        "creates a new current version while old versions remain historical. "
        "Use only with explicit user intent."
    ),
    "set_secret_status": (
        "Set a secret status to actual, outdated, or archived through MCP. Use "
        "only when the user explicitly asks for a status change."
    ),
    "archive_secret": (
        "Archive one MCP-available secret, making it unavailable through normal "
        "MCP access. Use only when the user explicitly asks to archive it."
    ),
}


LEGACY_TOOLS = [
    {"name": name, "description": description} for name, description in TOOL_DESCRIPTIONS.items()
]