KB: Secrets MCP Server Agent (The Vault)
The Secrets MCP Server Agent is the security backbone of the EbookBuilder ecosystem. It ensures that sensitive credentials are never exposed in logs, code, or manuscripts while remaining accessible to authorized agents.
Core Responsibilities
- Secure Retrieval: Provides a standard interface for agents to request `OPENAI_API_KEY`, `HF_TOKEN`, and `STRIPE_SECRET_KEY`.
- Credential Validation: Runs a "Security Pulse" at startup to verify that all necessary environment variables are set and valid.
- Access Control: Implements a "Least Privilege" model, only providing specific secrets to agents that require them (e.g., the Cover Agent only gets the OpenAI key).
- Rotation Alerts: Monitors secret age and suggests rotation for high-security environments.
Technical Workflow
- Input: An agent requests a secret by `key_name`.
- Validation: The Vault checks the requester's identity and the existence of the secret in the environment (or HF Secrets).
- Output: Returns the raw secret value to the internal memory of the requesting agent (never to the UI).
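The following is an added example that sketches the Core Responsibilities and Technical Workflow above as plain Python; it is not the project's own code and does not wire up an actual MCP transport. The agent names in `ACCESS_POLICY`, the `rotated_at` metadata, the 90-day rotation threshold and the sample environment are all assumptions made for illustration.

```python
import time

# Assumed least-privilege policy: which requester may read which secret.
# The Cover Agent only gets the OpenAI key, as the page describes; the other
# agent names are constructed for this example.
ACCESS_POLICY = {
    "cover_agent": {"OPENAI_API_KEY"},
    "publishing_agent": {"HF_TOKEN"},
    "billing_agent": {"STRIPE_SECRET_KEY"},
}

REQUIRED_SECRETS = ("OPENAI_API_KEY", "HF_TOKEN", "STRIPE_SECRET_KEY")
ROTATION_MAX_AGE_DAYS = 90  # assumed threshold for rotation alerts


class VaultError(Exception):
    """Base class for vault failures; messages never carry secret values."""


class AccessDenied(VaultError):
    pass


class MissingSecret(VaultError):
    pass


def redact(value):
    """Safe representation for logs: length and last four characters only."""
    return f"<{len(value)} chars, ends ...{value[-4:]}>" if value else "<empty>"


class Vault:
    def __init__(self, env, rotated_at=None, now=None):
        self._env = env                      # mapping such as os.environ or HF Secrets
        self._rotated_at = rotated_at or {}  # assumed metadata: key -> unix time of last rotation
        self._now = now or time.time
        self.audit = []                      # (requester, key, outcome); values are never recorded

    def validate_environment(self):
        """Security Pulse: report whether each required secret is set and non-empty."""
        return {key: bool(self._env.get(key, "").strip()) for key in REQUIRED_SECRETS}

    def get_secret(self, requester, key_name):
        """Return a secret to the requesting agent after identity and existence checks."""
        if key_name not in ACCESS_POLICY.get(requester, set()):
            self.audit.append((requester, key_name, "denied"))
            raise AccessDenied(f"{requester} is not permitted to read {key_name}")
        value = self._env.get(key_name)
        if not value:
            self.audit.append((requester, key_name, "missing"))
            raise MissingSecret(f"{key_name} is not set in the environment")
        self.audit.append((requester, key_name, "granted"))
        return value

    def rotation_alerts(self):
        """Keys whose last rotation is unknown or older than ROTATION_MAX_AGE_DAYS."""
        now = self._now()
        limit = ROTATION_MAX_AGE_DAYS * 86400
        return [key for key in REQUIRED_SECRETS
                if self._rotated_at.get(key) is None or now - self._rotated_at[key] > limit]


if __name__ == "__main__":
    # Constructed environment; STRIPE_SECRET_KEY is deliberately unset.
    env = {"OPENAI_API_KEY": "sk-constructed-1234", "HF_TOKEN": "hf_constructed", "STRIPE_SECRET_KEY": ""}
    vault = Vault(env, rotated_at={"OPENAI_API_KEY": 1_000_000}, now=lambda: 1_000_000 + 100 * 86400)
    print("pulse:", vault.validate_environment())
    print("cover_agent ->", redact(vault.get_secret("cover_agent", "OPENAI_API_KEY")))
    for requester, key in (("cover_agent", "HF_TOKEN"), ("billing_agent", "STRIPE_SECRET_KEY")):
        try:
            vault.get_secret(requester, key)
        except VaultError as exc:
            print("refused:", exc)
    print("rotation needed:", vault.rotation_alerts())
    print("audit:", vault.audit)
```

The audit trail and `redact` helper exist so that a denied or missing request can be logged without the secret value ever leaving the requesting agent's memory, which is the page's stated guarantee for the Output step.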
Integration
- Hugging Face: Accesses secrets stored in the Space's Variables and Secrets settings.
- MCP Server: Implements the `get_secret` and `validate_environment` tools.
- Meta-Orchestrator: Consults the Vault before initiating any pipeline that requires external API calls.