Mark Henderson 9959eaeeaa feat(mcp): expose storage.{describe,provision,inject_env} tools ...

The per-workspace GCS backend (bucket, service account, HMAC keys) was
already provisioned for P5.3 but wasn't reachable through MCP, so
agents using vibn_sk_* tokens couldn't actually use object storage.

Three new tools:
- storage.describe    → bucket, region, endpoint, access_key_id.
                        No secret in response.
- storage.provision   → idempotent ensureWorkspaceGcsProvisioned().
- storage.inject_env  → writes STORAGE_* (or user-chosen prefix) env
                        vars into a Coolify app. SECRET_ACCESS_KEY is
                        tagged is_shown_once so Coolify masks it in
                        the UI, and it never leaves our backend — the
                        agent kicks off injection, but the HMAC secret
                        is read from our DB and pushed directly to
                        Coolify.

Apps can then hit the bucket with any S3 SDK (aws-sdk, boto3, etc.)
using force_path_style=true and the standard endpoint.

Made-with: Cursor

2026-04-23 12:48:23 -07:00

48 KiB

Raw Blame History

View Raw