{
  "transport": "streamable_http",
  "url": "https://creds.gnexus.space/mcp-protocol/",
  "headers": {
    "Authorization": "Bearer gcr_68df12db3e7639da_cm2qvpXfRcut11NnB0VSBxjzXXaqyza5aN_42iSP3tk"
  },
  "groups": {
    "read": [
      "search_secrets",
      "get_secret",
      "reveal_secret"
    ],
    "write": [
      "create_secret",
      "update_secret",
      "set_secret_status",
      "archive_secret"
    ]
  },
  "instructions": "MCP tools for gnexus-creds — personal secret storage.\n\nQuery mapping (use in this order):\n1. Find a secret → search_secrets\n2. View metadata and public/masked fields → get_secret (pass secret_id from search result)\n3. Only when user explicitly asks for decrypted values → reveal_secret (creates audit event)\n4. Add a new secret → create_secret\n5. Edit fields/metadata → update_secret\n6. Change status → set_secret_status (allowed values: actual, outdated, archived)\n7. Archive (hide from MCP) → archive_secret\n\nCritical details:\n- secret_id is a UUID string (e.g. 550e8400-e29b-41d4-a716-446655440000), NOT a secret name. Obtain it from search_secrets results: items[].id.\n- get_secret returns metadata and public/masked fields but NEVER decrypts encrypted values. Use reveal_secret only when the user explicitly needs the plaintext value.\n- create_secret and update_secret require a 'fields' argument that is a LIST of objects: [{\"name\": \"...\", \"value\": \"...\", \"encrypted\": true, \"masked\": false, \"position\": 0}]. It is an array, not a single object.\n- When creating or updating, always set encrypted=true for passwords, tokens, PINs, private keys, and recovery codes. Only non-sensitive identifiers (e.g. service name, username) should remain unencrypted.\n- Only secrets with allow_mcp=true are visible through MCP. Archived secrets are unavailable.\n- search_secrets supports pagination with offset and limit. Maximum limit is 50. If total > 50, iterate with offset increments.\n- Never reveal, copy, display, modify, archive, or create secrets unless the user's request clearly requires it."
}