enhance security

adranwit · adranwit · commit ef7fff9af148 · 2025-10-30T10:39:02.000-07:00
diff --git a/README.md b/README.md
@@ -68,14 +68,24 @@ The easiest way to try the toolbox is to run the server with both HTTP and
 STDIO transports enabled:
 
 
-```bash cd
-go run ./cmd/mcp-sqlkit -a :5000 
+```bash
+go run ./cmd/mcp-sqlkit -a :5000 --secretsBase mem://localhost/mcp-sqlkit/.secret/
+```
+
+Tip: for persistence across restarts, use a file-backed secrets store, e.g.:
+
+```bash
+go run ./cmd/mcp-sqlkit -a :5000 --secretsBase file://~/.secret/mcp-sqlkit
 ```
 
 
 * `-a :5000` – HTTP listen address (omit to disable HTTP transport).
 * `-s`       – enable STDIO transport (useful when the toolbox is launched
                by another process via pipes).
+* `--secretsBase` – base URL for secrets storage (scy-backed). Examples:
+  - `mem://localhost/mcp-sqlkit/.secret/` (default, in-memory)
+  - `file://~/.secret/mcp-sqlkit` (persistent on disk)
+  - `gcp://secretmanager/projects/...` or `vault://...` (external managers)
 
 The server will print something similar to:
 
@@ -117,6 +127,10 @@ applied.
 }
 ```
 
+CLI overrides
+
+- The `--secretsBase` flag overrides `connector.secretBaseLocation` from the config file.
+
 ### Pre-configured connectors
 
 In addition to adding connectors at runtime you can **pre-load** connection
@@ -300,6 +314,7 @@ Key points about secret storage:
   on disk set `connector.secretBaseLocation` to a `file://` path (e.g.
   `file://~/.secret/mcpt`). You can also point it to `gsecret://` or
   `vault://` according to your environment.
+* Prefer the CLI flag `--secretsBase <base-url>` to set the storage location at runtime; it overrides the config and is recommended for persistent or remote deployments.
 
 
 ## Authentication & authorization
diff --git a/cmd/mcp-sqlkit/options.go b/cmd/mcp-sqlkit/options.go
@@ -14,5 +14,5 @@ type Options struct {
 
 	// Base URL for secrets storage (scy). Supports mem://, file://,
 	// Defaults to in-memory AFS storage.
-	SecretBaseLocation string `long:"secrets" description:"Base URL for secrets storage (mem://, file://, gcp://secretmanager/projects/xxxx/   ... see for list of secure connector  https://github.com/viant/afsc	)" default:"mem://localhost/mcp-sqlkit/.secret/"`
+	SecretBaseLocation string `long:"secretsBase" description:"Base URL for secrets storage (mem://, file://, gcp://secretmanager/projects/xxxx/   ... see for list of secure connector  https://github.com/viant/afsc	)" default:"mem://localhost/mcp-sqlkit/.secret/"`
 }

Original file line number	Diff line number	Diff line change
`@@ -14,5 +14,5 @@ type Options struct {`
`14`	`14`
`15`	`15`	`// Base URL for secrets storage (scy). Supports mem://, file://,`
`16`	`16`	`// Defaults to in-memory AFS storage.`
`17`		- SecretBaseLocation string `long:"secrets" description:"Base URL for secrets storage (mem://, file://, gcp://secretmanager/projects/xxxx/ ... see for list of secure connector https://github.com/viant/afsc )" default:"mem://localhost/mcp-sqlkit/.secret/"`
	`17`	+ SecretBaseLocation string `long:"secretsBase" description:"Base URL for secrets storage (mem://, file://, gcp://secretmanager/projects/xxxx/ ... see for list of secure connector https://github.com/viant/afsc )" default:"mem://localhost/mcp-sqlkit/.secret/"`
`18`	`18`	`}`