# KB: Secrets MCP Server Agent (The Vault)

The **Secrets MCP Server Agent** is the security backbone of the EbookBuilder ecosystem. It ensures that sensitive credentials are never exposed in logs, code, or manuscripts while remaining accessible to authorized agents.

## Core Responsibilities

1. **Secure Retrieval**: Provides a standard interface for agents to request `OPENAI_API_KEY`, `HF_TOKEN`, and `STRIPE_SECRET_KEY`.
2. **Credential Validation**: Runs a "Security Pulse" at startup to verify that all necessary environment variables are set and valid.
3. **Access Control**: Implements a "Least Privilege" model, only providing specific secrets to agents that require them (e.g., the Cover Agent only gets the OpenAI key).
4. **Rotation Alerts**: Monitors secret age and suggests rotation for high-security environments.

## Technical Workflow

1. **Input**: An agent requests a secret by `key_name`.
2. **Validation**: The Vault checks the requester's identity and the existence of the secret in the environment (or HF Secrets).
3. **Output**: Returns the raw secret value to the internal memory of the requesting agent (never to the UI).

## Integration

- **Hugging Face**: Accesses secrets stored in the Space's **Variables and Secrets** settings.
- **MCP Server**: Implements the `get_secret` and `validate_environment` tools.
- **Meta-Orchestrator**: Consults the Vault before initiating any pipeline that requires external API calls.
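
The workflow and the least-privilege rule above can be sketched as follows. This is an added example, not EbookBuilder's own code: it borrows the tool names `get_secret` and `validate_environment` from this page, while the `POLICY` map, the agent names other than the Cover Agent, the exception classes and the `env` parameter are assumptions. The requester name is taken as already authenticated, and validation checks presence only.

```python
import os

# Assumed policy: agent name -> secrets it may read. Only the Cover Agent
# mapping comes from the page; the other agent names are hypothetical.
POLICY = {
    "cover_agent": {"OPENAI_API_KEY"},
    "publishing_agent": {"HF_TOKEN"},
    "payments_agent": {"STRIPE_SECRET_KEY"},
}
REQUIRED = ("OPENAI_API_KEY", "HF_TOKEN", "STRIPE_SECRET_KEY")


class SecretAccessDenied(Exception):
    """Requester is unknown or not allowed to read the requested key."""


class SecretMissing(Exception):
    """Key is allowed for the requester but not set in the environment."""


def get_secret(requester, key_name, env=None):
    """Return the raw value only if the policy grants key_name to requester."""
    env = os.environ if env is None else env
    # Deny by default, before touching the environment, so a denial never
    # reveals whether the secret exists. Messages never contain the value.
    if key_name not in POLICY.get(requester, set()):
        raise SecretAccessDenied(f"{requester!r} may not read {key_name!r}")
    value = env.get(key_name, "")
    if not value.strip():
        raise SecretMissing(f"{key_name!r} is not set")
    return value


def validate_environment(env=None):
    """Startup check: report presence per key, never the values themselves."""
    env = os.environ if env is None else env
    return {k: ("ok" if env.get(k, "").strip() else "missing") for k in REQUIRED}


if __name__ == "__main__":
    # Constructed sample environment; the value is a placeholder, not a real key.
    sample = {"OPENAI_API_KEY": "sk-constructed-example", "HF_TOKEN": ""}
    print(validate_environment(sample))
    print(len(get_secret("cover_agent", "OPENAI_API_KEY", sample)))
```
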