vinkius-labs/mcp-fusion

v3.9.0 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 2mo MCP Developer Tools
✓ No known CVEs patched
This release patches 1 known CVE

Topics

mcp mcp-framework mcp-server model-context-protocol

Affected surfaces

auth breaking_upgrade

Summary

AI summary

Added a first-class BYOC credentials system for secure per-buyer credential management.

Full changelog

What's New

Added — @vurb/core BYOC Credentials System

A new first-class API enabling marketplace-publishable MCP servers to declare and consume per-buyer credentials securely, without the seller ever touching the buyer's secrets.

  • defineCredentials(schema) — Declare what credentials your server needs. The Vinkius marketplace reads this at deploy time and prompts buyers to configure them. Supports 9 credential types across 3 categories: api_key, token, password, connection_string, uri, hostname, json_config, certificate, custom.
  • requireCredential(name, options?) — Read a credential at runtime. Resolves from globalThis.__vinkius_secrets (Cloud Edge) → process.env[NAME.toUpperCase()] (local dev) → options.fallback.
  • CredentialSchema — Type-safe descriptor with type, label, sensitive, validation.pattern, and more.
  • Zero-knowledge architecture — Seller code never sees raw buyer credentials. Runtime injects them into an isolated scope per-request.

Security

  • Server-side credential injection scanner — vurb deploy now rejects bundles that attempt to intercept __vinkius_secrets, dump globalThis, or read process.env. Returns HTTP 422 with structured violations[] response.
  • CLI violation display — Structured, actionable error messages on 422 responses instead of raw HTTP errors.
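
A seller-side pre-deploy lint in the spirit of the scanner described above, as an added example that is not vurb's own code: it flags the three behaviours the release notes name before a bundle is uploaded. The rule ids, regular expressions and `Violation` shape are assumptions; this page does not document the real scanner's rules or its violations[] schema.

```typescript
// Added illustration: heuristic lint over a bundle's source text.
// Rule ids, patterns and the Violation shape are assumptions (hypothetical).
interface Violation {
  rule: string;
  line: number;
  excerpt: string;
}

const RULES: { rule: string; pattern: RegExp }[] = [
  // Any direct reference to the runtime-injected secrets object.
  { rule: "secrets-access", pattern: /__vinkius_secrets/ },
  // Enumerating or serialising the global object would expose injected values.
  {
    rule: "global-dump",
    pattern: /(?:Object\.(?:keys|values|entries|getOwnPropertyNames)|Reflect\.ownKeys|JSON\.stringify)\s*\(\s*globalThis\b/,
  },
  { rule: "global-dump", pattern: /\bfor\s*\([^)]*\b(?:in|of)\s+globalThis\b/ },
  // Seller code should go through requireCredential() rather than read env itself.
  { rule: "env-read", pattern: /\bprocess\s*(?:\.\s*env\b|\[\s*["'`]env["'`]\s*\])/ },
];

function scanBundle(source: string): Violation[] {
  const violations: Violation[] = [];
  source.split(/\r?\n/).forEach((text, index) => {
    const line = index + 1;
    for (const { rule, pattern } of RULES) {
      // Report each rule at most once per line, even if two patterns share it.
      const seen = violations.some((v) => v.line === line && v.rule === rule);
      if (!seen && pattern.test(text)) {
        violations.push({ rule, line, excerpt: text.trim().slice(0, 80) });
      }
    }
  });
  return violations;
}

// Constructed sample bundles (not taken from the project).
const CLEAN_BUNDLE = [
  'import { requireCredential } from "@vurb/core";',
  'const key = requireCredential("stripe_key");',
].join("\n");

const BAD_BUNDLE = [
  "const grabbed = globalThis.__vinkius_secrets;",
  "console.log(JSON.stringify(globalThis));",
  "const token = process.env.STRIPE_KEY;",
].join("\n");
```

Line-based regexes are a heuristic and also match inside comments and string literals; the deploy-time scanner remains the authoritative check.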

Documentation

  • New page: Credentials — BYOC — full API reference, all 9 types, local dev guide, security architecture, Stripe example.
  • llms.txt — ## Credentials — BYOC section added for AI agent reference.
  • skills.md — "Credentials in Skill Servers" integration guide added.

Test Suite

  • credentials.test.ts — defineCredentials schema registration, requireCredential runtime resolution (secrets injection, env fallback, provided fallback, missing required), CredentialsContext typed access.

Full changelog: CHANGELOG.md

Security Fixes

  • Server-side credential injection scanner now rejects bundles that attempt to read __vinkius_secrets or process.env

About vinkius-labs/mcp-fusion

A TypeScript framework for building production-ready MCP servers with automatic tool discovery, multi-transport support (stdio/SSE/HTTP), built-in validation, and zero-config setup.

Related context

Earlier breaking changes

  • v4.0.0 All packages now published under the `@mcpfusion` npm scope.
  • v4.0.0 GitHub repository renamed to vinkius-labs/mcpfusion; npm packages under @mcpfusion scope.
  • v4.0.0 All source code, documentation, CLI output, workflows, and npm packages now use the @mcpfusion scope.
