diff --git a/mcp_servers.d/gnexus-creds.json b/mcp_servers.d/gnexus-creds.json index 20ef38b..7688719 100644 --- a/mcp_servers.d/gnexus-creds.json +++ b/mcp_servers.d/gnexus-creds.json 
@@ -17,5 +17,5 @@ "archive_secret" ] }, - "instructions": "MCP tools for gnexus-creds — personal secret storage.\n\nQuery mapping (use in this order):\n1. Find a secret → search_secrets\n2. View metadata and public/masked fields → get_secret (pass secret_id from search result)\n3. Only when user explicitly asks for decrypted values → reveal_secret (creates audit event)\n4. Add a new secret → create_secret\n5. Edit fields/metadata → update_secret\n6. Change status → set_secret_status (allowed values: actual, outdated, archived)\n7. Archive (hide from MCP) → archive_secret\n\nCritical details:\n- secret_id is a UUID string (e.g. 550e8400-e29b-41d4-a716-446655440000), NOT a secret name. Obtain it from search_secrets results: items[].id.\n- get_secret returns metadata and public/masked fields but NEVER decrypts encrypted values. Use reveal_secret only when the user explicitly needs the plaintext value.\n- create_secret and update_secret require a 'fields' argument that is a LIST of objects: [{\"name\": \"...\", \"value\": \"...\", \"encrypted\": true, \"masked\": false, \"position\": 0}]. It is an array, not a single object.\n- When creating or updating, always set encrypted=true for passwords, tokens, PINs, private keys, and recovery codes. Only non-sensitive identifiers (e.g. service name, username) should remain unencrypted.\n- Only secrets with allow_mcp=true are visible through MCP. Archived secrets are unavailable.\n- search_secrets supports pagination with offset and limit. Maximum limit is 50. If total > 50, iterate with offset increments.\n- Never reveal, copy, display, modify, archive, or create secrets unless the user's request clearly requires it." + "instructions": "MCP tools for gnexus-creds — personal secret storage.\n\nQuery mapping (use in this order):\n1. Find a secret → search_secrets\n2. View metadata and public/masked fields → get_secret (pass secret_id from search result)\n3. 
Only when user explicitly asks for decrypted values → reveal_secret (creates audit event)\n4. Add a new secret → create_secret\n5. Edit fields/metadata → update_secret\n6. Change status → set_secret_status (allowed values: actual, outdated, archived)\n7. Archive (hide from MCP) → archive_secret\n\nCritical details:\n- secret_id is a UUID string (e.g. 550e8400-e29b-41d4-a716-446655440000), NOT a secret name. Obtain it from search_secrets results: items[].id.\n- get_secret returns metadata and public/masked fields but NEVER decrypts encrypted values. Use reveal_secret only when the user explicitly needs the plaintext value.\n- create_secret and update_secret require a 'fields' argument that is a LIST of objects: [{\"name\": \"...\", \"value\": \"...\", \"encrypted\": true, \"masked\": false, \"position\": 0}]. It is an array, not a single object.\n- When creating or updating, always set encrypted=true for passwords, tokens, PINs, private keys, and recovery codes. Only non-sensitive identifiers (e.g. service name, username) should remain unencrypted.\n- When creating a secret via create_secret, ALWAYS include the `tags` field (array of strings, e.g. [\"api\", \"production\"]) and the `category` field (string, e.g. \"infrastructure\", \"personal\", or \"development\"). These fields are essential for organizing and searching secrets later. Never omit them.\n- When creating a secret, ALWAYS set allow_mcp=true so the secret remains accessible through MCP tools.\n- Only secrets with allow_mcp=true are visible through MCP. Archived secrets are unavailable.\n- search_secrets supports pagination with offset and limit. Maximum limit is 50. If total > 50, iterate with offset increments.\n- Never reveal, copy, display, modify, archive, or create secrets unless the user's request clearly requires it." }
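Review bot: the added bullet "ALWAYS set allow_mcp=true" in the new "instructions" string turns allow_mcp from a per-secret opt-in into the default for everything the agent creates, while the following bullet still says "Only secrets with allow_mcp=true are visible through MCP", which makes that flag the only visibility gate this prompt describes. Every secret created through create_secret then becomes reachable by search_secrets, get_secret and reveal_secret in any later MCP session, whether or not the user wanted that. Suggest making the bullet conditional, for example "set allow_mcp=true unless the user asks to keep the secret out of MCP", or leaving the default to the server and documenting it there. Separately, the new tags/category bullet says "Never omit them" without saying where the values come from. State whether the model should ask the user or derive them from the request, and whether "infrastructure", "personal" and "development" are the full allowed set or only examples, the way the set_secret_status line lists its allowed values.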