add managed auth tools (manage_auth_connections, manage_credentials, manage_credential_providers)#104
masnwilliams wants to merge 6 commits into
…manage_credential_providers)
Closes the largest agent-facing capability gap in the MCP server: setting up an authenticated browser session for a third-party site. Agents can now drive Kernel's managed auth flow end-to-end.
- manage_auth_connections: create/list/get/delete connections; start login flows (returns hosted_url + live_view_url); submit MFA codes or SSO selections when a flow is awaiting input.
- manage_credentials: read-only (list, get, totp_code). Credentials are created by humans via dashboard/CLI so the agent never sees raw secrets in its context — it references credentials by name.
- manage_credential_providers: read-only (list, get) for external providers like 1Password. Same human-creates / agent-consumes pattern.
Monitoring Plan: Add managed-auth and credentials MCP tools
What this PR does: Registers three new MCP tool handlers —
Intended effect: After deploy, AI agents using the MCP server can invoke these three tools. Successful calls will appear as spans on the already-active Kernel API backend endpoints (
Risks:
Status updates will be posted automatically on this PR as monitoring progresses.
Cursor Bugbot caught that we were sending invalid credential payloads when only credential_path or credential_auto was provided without credential_provider. Add upfront validation so the agent gets a clear MCP-level error instead of a generic API rejection.
Cursor Bugbot follow-up: credential_auto=false was treated as a valid provider variant, and credential_path + credential_auto: true were silently allowed together. Only credential_auto: true now counts as a provider mode, and path/auto are enforced as mutually exclusive.
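The rules these two commit messages describe, written out as an added example (not the PR's code). The field names come from the PR; the function name, the error strings, the sample values and the handling of a provider with no mode selected or combined with credential_name are assumptions.

```typescript
// Added example: upfront validation of a credential reference on create.
// Field names are from the PR; everything else here is hypothetical.
type CredentialRef = {
  credential_name?: string;      // Kernel-stored credential, referenced by name
  credential_provider?: string;  // external provider, e.g. 1Password
  credential_path?: string;      // explicit item path at the provider
  credential_auto?: boolean;     // let the provider pick the item
};

// Returns null when the reference is acceptable, otherwise an error string
// that a tool handler could hand back as an MCP-level error.
function validateCredentialRef(p: CredentialRef): string | null {
  const hasPath = !!p.credential_path;
  // Only `true` selects auto mode; `false` is treated the same as unset.
  const autoOn = p.credential_auto === true;
  const hasProvider = !!p.credential_provider;

  if (hasPath && autoOn) {
    return "credential_path and credential_auto are mutually exclusive";
  }
  if ((hasPath || autoOn) && !hasProvider) {
    return "credential_path / credential_auto require credential_provider";
  }
  // Assumption: a provider reference must select exactly one mode.
  if (hasProvider && !hasPath && !autoOn) {
    return "credential_provider needs credential_path or credential_auto: true";
  }
  // Assumption: Kernel and external references are not combined.
  if (hasProvider && p.credential_name) {
    return "use credential_name or credential_provider, not both";
  }
  return null;
}

// Constructed sample payloads, one per rule.
const samples: CredentialRef[] = [
  { credential_name: "netflix-mason" },
  { credential_path: "Vault/Netflix" },
  { credential_provider: "my-1password", credential_auto: false },
  { credential_provider: "my-1password", credential_path: "Vault/Netflix", credential_auto: true },
  { credential_provider: "my-1password", credential_path: "Vault/Netflix" },
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", validateCredentialRef(s) ?? "ok");
}
```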
…providers also expose list_items and test on credential providers. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 4 potential issues.
Reviewed by Cursor Bugbot for commit e945e6e.
| { | ||
| action: z | ||
| .enum(["list", "get", "totp_code", "create", "update", "delete"]) | ||
| .describe("Operation to perform."), |
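Review bot: the `action` enum puts the mutating values `create`, `update` and `delete` in the same schema as the read actions `list`, `get` and `totp_code`, and `.describe("Operation to perform.")` gives the calling agent no indication of which values write or destroy stored credentials. If the write actions are meant to stay, the description should name them as mutating so a client can gate or confirm them; if the tool is meant to expose reads only, the enum should be narrowed to the three read actions.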
Agents can store raw secrets
High Severity
manage_credentials and manage_credential_providers expose create, update, and delete actions that accept passwords, field maps, and provider tokens. The PR states credentials and providers are human-managed only so agents never handle raw secrets; those write paths let an agent persist secrets via MCP.
Reviewed by Cursor Bugbot for commit e945e6e.
…t empty credential values Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>


Summary
Closes the largest agent-facing capability gap in the MCP server: setting up an authenticated browser session for a third-party site. Agents can now drive Kernel's managed auth flow end-to-end without a human in the loop (beyond the one-time hosted login).
What's added
manage_auth_connections (full surface)
- create — start managing auth for a profile + domain (optionally referencing a pre-stored credential by name, or an external provider like 1Password)
- list / get / delete
- login — kicks off a hosted login flow. Returns hosted_url (share with the user to sign in) and live_view_url (agent can watch). Triggers automatic re-auth if credentials are saved.
- submit — provide field values, an MFA option ID, or an SSO button selector when the flow is awaiting_input. Agent inspects discovered_fields / mfa_options from get to know what's needed.
manage_credentials (read-only)
- list / get (SDK never returns values) / totp_code (current 6-digit code)
manage_credential_providers (read-only)
- list / get for external providers (e.g. 1Password). Same human-creates / agent-consumes pattern.
Agent flow
- netflix-mason credential in the Kernel dashboard.
- manage_auth_connections create domain=netflix.com profile_name=mason credential_name=netflix-mason
- manage_auth_connections login id=<conn_id> → shares hosted_url with user, or proceeds via re-auth.
- manage_auth_connections get until flow_status=SUCCESS (or flow_step=AWAITING_INPUT for MFA).
- manage_credentials totp_code <name> → manage_auth_connections submit fields={mfa_code: "123456"}.
- manage_browsers create profile_name=mason gets a logged-in session.
Test plan
- manage_auth_connections list returns existing connections for the authed user
- manage_auth_connections create + login returns a working hosted URL
- manage_credentials list returns names; totp_code returns a 6-digit code for a TOTP-enabled credential
- manage_credential_providers list returns configured providers (or empty list)
Tool count
Bumps from 10 → 13.
Note
High Risk
Introduces auth flows, credential CRUD, TOTP retrieval, and provider tokens—security-sensitive surfaces where misuse or SDK behavior could expose secrets or weaken login boundaries.
Overview
Adds managed auth to the MCP server (documented tool count 10 → 13): three new manage_* tools wired to the Kernel SDK in route.ts.
- manage_auth_connections drives profile+domain auth: create (with validation for Kernel vs external credential references), list/get/delete, login (hosted + live view URLs), and submit for MFA fields, MFA option IDs, or SSO button selectors, with optional proxy routing.
- manage_credentials exposes list/get, totp_code, and create/update/delete for stored credentials (including values, sso_provider, and totp_secret on write paths).
- manage_credential_providers covers external providers (e.g. 1Password): full lifecycle plus list_items and test, including service-account tokens on create/update.
The README lists the new capabilities; the rest of the diff is mostly formatting on existing tools (e.g. computer_action).
Reviewed by Cursor Bugbot for commit 0f6eb57. Bugbot is set up for automated code reviews on this repo.