MCP Server
envpkt ships an MCP server that gives AI agents structured awareness of their credentials. The server reads envpkt.toml which contains metadata — never plaintext secret values.
Configuration
Section titled “Configuration”Add envpkt to your MCP client config:
{ "mcpServers": { "envpkt": { "command": "envpkt", "args": ["mcp"] } }}Starting the Server
Section titled “Starting the Server”envpkt mcpUses stdio transport. The server reads envpkt.toml from the current directory (or specify with -c).
| Tool | Description |
|---|---|
getPacketHealth | Get overall health status with per-secret audit results |
listCapabilities | List agent and per-secret capabilities |
getSecretMeta | Get metadata for a specific secret by key |
checkExpiration | Check expiration status and days remaining |
getEnvMeta | Get metadata for environment defaults and drift status |
getPacketHealth
Section titled “getPacketHealth”Returns the full audit result including overall status and per-secret health.
listCapabilities
Section titled “listCapabilities”Returns agent-level capabilities (from [agent].capabilities) and per-secret capabilities (from each [secret.KEY].capabilities).
getSecretMeta
Section titled “getSecretMeta”Takes a secret key and returns its metadata (service, purpose, capabilities, expiration, rotation URL, etc.).
checkExpiration
Section titled “checkExpiration”Returns expiration status for all secrets, including days remaining and expired flags.
getEnvMeta
Section titled “getEnvMeta”Returns metadata for configured environment defaults ([env.*] entries) and their current drift status.
Resources
Section titled “Resources”| URI | Description |
|---|---|
envpkt://health | Current credential health summary |
envpkt://capabilities | Agent and secret capabilities |
Security Model
Section titled “Security Model”The MCP server does not have access to secret values — this is an architectural constraint, not a policy choice:
- The server reads from
envpkt.toml, which contains metadata but never plaintext secret values - It never calls
boot(),unsealSecrets(), or readsprocess.envfor secret values - Encrypted ciphertext (
encrypted_valuefields) is excluded from tool responses - Only metadata is shared: service names, expiration dates, capabilities, rotation URLs
This means prompt injection attacks against the MCP layer cannot leak secret values — there are no secret values to leak. See the Security Model in the README for the full three-tier trust model.
Library API
Section titled “Library API”import { createServer, startServer, toolDefinitions, callTool, resourceDefinitions, readResource } from "envpkt"
// Tool definitions for MCP registrationconst tools = toolDefinitions
// Call a toolconst result = callTool("getPacketHealth", {}, config, audit)
// Resource definitionsconst resources = resourceDefinitions
// Read a resourceconst data = readResource("envpkt://health", config, audit)