Skip to content

Credential Broker Plugin

Plugin id: credential_broker

Version: supplied by the plugin registry descriptor and emitted in profile plugin lists, VM info/status, logs, and benchmark output.

Stage: preprocess. CEL rules do not invoke the credential broker.

Stages:

  • preprocess: capture observed credentials, attach broker refs, and resolve broker refs for runtime/upstream materialization.

Config:

[plugins.credential_broker]
mode = "rewrite"
detection_level = "informational"

Inputs: outbound HTTP boundaries, remote MCP auth boundaries, plus plugin-owned broker state. Raw credentials remain private to the broker and are not exposed as CEL fields.

Mutation: stores observed credentials through the broker and writes the brokered credential:blake3:* reference back onto the event. The broker does not sanitize durable logs; the log_sanitizer logging plugin owns ledger-safe materialization.

MCP contract: remote MCP server config may carry only brokered auth metadata in profile-owned mcp.json:

{
"servers": [
{
"id": "remote",
"name": "Remote MCP",
"transport": "sse",
"url": "https://mcp.example.invalid/sse",
"auth": {
"kind": "oauth",
"credential_ref": "credential:blake3:..."
}
}
]
}

The broker owns OAuth/API-key material and resolution. MCP config must not store raw bearer_token, bearerToken, Authorization, X-Api-Key, refresh tokens, or access tokens.

Decision: plugin policy can request allow, ask, block, or rewrite; rewrite keeps the effective decision at allow while recording mutation intent.

Status contract: credential state is opaque and VM-scoped. The UI must not infer credential state from AI/provider config. Profile plugin configuration is read through /profiles/{profile_id}/plugins/list and /profiles/{profile_id}/plugins/credential_broker/info; VM info and status carry the active descriptor, version, stage health, and last in-memory status snapshot without reading session.db.

Benchmark contract: the plugin descriptor owns a stable benchmark spec for capture, substitution, failed materialization, and status snapshot overhead. Benchmarks must report plugin id, version, stage, event count, latency, and mutation count.

Detection contract: enabled executions append one SecurityDetectionEvent to SecurityEvent.detections with source = "plugin", the configured detection_level, plugin id, plugin mode, and reason.

Failure: broker storage errors abort runtime materialization and the event is not emitted by the security engine.

Tests must prove capture, BLAKE3 reference logging, rewrite mutation, VM-scoped status/stats, and failure without raw credential leakage.