add managed auth tools (manage_auth_connections, manage_credentials, manage_credential_providers)

[masnwilliams]

Summary

Closes the largest agent-facing capability gap in the MCP server: setting up an authenticated browser session for a third-party site. Agents can now drive Kernel's managed auth flow end-to-end without a human in the loop beyond the one-time hosted login or explicit credential handoff.

What's added

• manage_auth_connections (full surface)
  • create — start managing auth for a profile + domain (optionally referencing a pre-stored credential by name, or an external provider like 1Password)
  • list / get / delete
  • login — kicks off a hosted login flow. Returns hosted_url (share with the user to sign in) and live_view_url (agent can watch). Triggers automatic re-auth if credentials are saved.
  • submit — provide field values, an MFA option ID, or an SSO button selector when the flow is awaiting_input. Agent inspects discovered_fields / mfa_options from get to know what's needed.
• manage_credentials (full CRUD)
  • list / get (SDK never returns values) / totp_code (current 6-digit code)
  • create / update / delete — agents can store and rotate credentials directly. Values, sso_provider, and totp_secret are all settable.
• manage_credential_providers (full CRUD)
  • list / get / create / update / delete for external providers (e.g. 1Password)
  • list_items to enumerate available items from the provider, and test to validate the token and list accessible vaults

Agent Experience / Flow

This PR gives agents a durable path from "I need to use a logged-in site" to "I have a browser profile that can be reused for that site." The agent should first decide whether it already has a profile and credential source, then create the auth connection, start the login, and poll the connection state until the profile is healthy.

Typical flow:

1. Agent identifies the target domain and profile it wants to keep logged in.
2. Agent discovers or creates the credential source: manage_credentials list/get/create, or manage_credential_providers list_items when the secret lives in an external provider.
3. Agent creates the connection: manage_auth_connections create domain=<site> profile_name=<profile> credential_name=<credential>.
4. Agent starts the flow with manage_auth_connections login id=<conn_id> and shares the hosted_url with the user when human login is required.
5. Agent polls manage_auth_connections get id=<conn_id> until the flow reaches success, or until it sees awaiting_input with discovered_fields / mfa_options.
6. If MFA or additional fields are needed, agent collects the exact requested value, optionally calls manage_credentials totp_code, then uses manage_auth_connections submit.
7. Once the connection is healthy, future browser work starts with manage_browsers create profile_name=<profile> so the session opens already logged in.
8. Agent uses connection health/list/get before destructive actions and deletes only stale or explicitly requested connections/credentials.

Agent safety notes:

• get never returns credential secret values, so agents should not expect to recover passwords after creation.
• totp_code and provider tokens are sensitive outputs; agents should use them only for the active auth flow and avoid echoing them in summaries.
• Hosted login is still a user-facing boundary: the agent can orchestrate the flow, but the user may need to complete the site login.

Test plan

• Local server starts; tools register without errors
• manage_auth_connections list returns existing connections for the authed user
• manage_auth_connections create + login returns a working hosted URL
• manage_credentials round-trip: create → list → get → update → delete
• manage_credentials totp_code returns a 6-digit code for a TOTP-enabled credential
• manage_credential_providers round-trip: create → test → list_items → update → delete

Tool count

Bumps from 10 → 13.

---

Note

High Risk
Introduces agent-facing APIs for auth flows, credential storage/rotation, TOTP codes, and external provider tokens—security-sensitive surfaces that must not leak secrets in tool output.

Overview
Adds managed auth to the MCP server so agents can set up and maintain logged-in browser profiles without manual API work.

Three new manage_* tools follow the existing action-based pattern and call the Kernel SDK: manage_auth_connections (create/list/get/delete connections, login for hosted + live view URLs, submit for MFA/SSO/fields, with validation for credential vs 1Password-style options and proxies); manage_credentials (CRUD plus totp_code, metadata-only on get); and manage_credential_providers (1Password-style providers with list_items and test).

registerMcpCapabilities wires in the new registrars; the README updates the tool count 10 → 13 and documents the new capabilities.

^{Reviewed by Cursor Bugbot for commit 3dff35c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
mcp	Ready	Preview, Comment	Jun 1, 2026 5:59pm

[firetiger-agent]

Monitoring Plan: Add managed-auth and credentials MCP tools

What this PR does: Registers three new MCP tool handlers — manage_auth_connections (full CRUD + login/submit on managed auth connections), manage_credentials (read-only: list, get, TOTP code fetch), and manage_credential_providers (read-only: list, get) — by adding ~450 lines to the MCP server route handler. The remaining diff is formatting-only changes to existing tools.

Intended effect: After deploy, AI agents using the MCP server can invoke these three tools. Successful calls will appear as spans on the already-active Kernel API backend endpoints (/auth/connections/*, /credentials/*, /org/credential_providers). Pre-deploy baseline on those endpoints: 210–983 calls/hr on auth connections, 144–173 calls/hr on credentials — both with 0 errors in the last 24h. Confirmation: first tool invocations produce new spans on those routes with no error status.

Risks:

• Tool registration crash — Railway HTTP 5xx rate (all routes); alert if > 15/hr sustained (baseline: 3–8/hr)
• Auth connection API errors — /auth/connections trace spans with status.code = 2; alert if any errors appear post-deploy (baseline: 0/hr)
• Credentials API errors — /credentials + /org/credential_providers trace spans with status.code = 2; alert if any errors appear post-deploy (baseline: 0/hr)
• SDK method missing at runtime — TypeError: Cannot read properties in Railway HTTP error logs; alert on any such log matching manage_auth_connections, manage_credentials, or manage_credential_providers
• TOTP misconfiguration — /credentials/{id_or_name}/totp-code returning 5xx; alert on any 5xx on this endpoint

Status updates will be posted automatically on this PR as monitoring progresses.

View agent

[dcruzeneil2]

LGTM! Clean PR, follows existing codebase patterns well. One nit:

nit: submit in manage_auth_connections lets fields: {} through the validation guard since !params.fields is falsy for empty objects. The API will likely reject it anyway, but manage_credentials create already handles the equivalent case with Object.keys(params.values).length === 0. Worth adding the same check here for consistency.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 7d19430. Configure here.}