@sirrlock/mcp 0.1.0 → 1.0.2

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024–2026 Sirr contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -1,26 +1,37 @@
 # @sirrlock/mcp — Sirr MCP Server
 
+[![npm version](https://img.shields.io/npm/v/@sirrlock/mcp)](https://www.npmjs.com/package/@sirrlock/mcp)
+[![npm downloads](https://img.shields.io/npm/dm/@sirrlock/mcp)](https://www.npmjs.com/package/@sirrlock/mcp)
+[![CI](https://github.com/sirrlock/mcp/actions/workflows/ci.yml/badge.svg)](https://github.com/sirrlock/mcp/actions)
+[![TypeScript](https://img.shields.io/badge/TypeScript-5-blue)](https://www.typescriptlang.org/)
+[![Node.js](https://img.shields.io/badge/node-%3E%3D18-brightgreen)](https://nodejs.org)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://github.com/sirrlock/mcp/blob/main/LICENSE)
+[![GitHub stars](https://img.shields.io/github/stars/sirrlock/mcp)](https://github.com/sirrlock/mcp)
+[![Last commit](https://img.shields.io/github/last-commit/sirrlock/mcp)](https://github.com/sirrlock/mcp)
+
 Gives AI assistants like Claude direct access to your [Sirr](https://sirr.dev) secret vault. Push, read, and manage ephemeral secrets without leaving a conversation.
 
 ## Demo
 
-**Session 1 — store the secret**
+### Public dead drop — push and burn
+
+**Session 1 — push a secret (value-only, no key needed)**
 
 ```
-❯ set the BITBUCKET_TOKEN to 123asdzxc
+❯ stash this deploy token: 123asdzxc
 
-⏺ sirr-mcp - push_secret (MCP)(key: "BITBUCKET_TOKEN", value: "123asdzxc", max_reads: 1)
-  ⎿  Stored secret 'BITBUCKET_TOKEN'. Burns after 1 read.
+⏺ sirr-mcp - push_secret (MCP)(value: "123asdzxc", max_reads: 1)
+  ⎿  Stored. ID: a1b2c3d4e5f6…  URL: https://sirr.example/secrets/a1b2c3d4e5f6…
 
-⏺ Stored. Burns after first read.
+⏺ Stored. Share the URL — it burns after one read.
 ```
 
-**Session 2 — Claude retrieves and uses it (the vault burns it)**
+**Session 2 — retrieve by ID (the vault burns it)**
 
 ```
-❯ deploy to staging using sirr:BITBUCKET_TOKEN
+❯ get the secret at a1b2c3d4e5f6…
 
-⏺ sirr-mcp - get_secret (MCP)(key: "BITBUCKET_TOKEN")
+⏺ sirr-mcp - get_secret (MCP)(id: "a1b2c3d4e5f6…")
   ⎿  123asdzxc
 
 ⏺ Got it. Deploying to staging with the token. Done.
@@ -29,15 +40,29 @@ Gives AI assistants like Claude direct access to your [Sirr](https://sirr.dev) s
 **Session 3 — secret is already gone**
 
 ```
-❯ what is the BITBUCKET_TOKEN?
+❯ get that secret again
 
-⏺ sirr-mcp - get_secret (MCP)(key: "BITBUCKET_TOKEN")
-  ⎿  Secret 'BITBUCKET_TOKEN' not found, expired, or already burned.
+⏺ sirr-mcp - get_secret (MCP)(id: "a1b2c3d4e5f6…")
+  ⎿  Secret not found, expired, or already burned.
 
 ⏺ The secret no longer exists on the server.
 ```
 
-The secret existed just long enough to be used once. The vault enforces it server-side (`max_reads=1`). Claude is instructed by the tool description not to memorize or repeat the value. Even if a different agent, session, or attacker asks — there is nothing left to return.
+### Org-scoped named secret — set and get by key
+
+```
+❯ set the BITBUCKET_TOKEN to 123asdzxc in acme org
+
+⏺ sirr-mcp - set_secret (MCP)(org: "acme", key: "BITBUCKET_TOKEN", value: "123asdzxc")
+  ⎿  Stored 'BITBUCKET_TOKEN' in org acme.
+
+❯ deploy to staging using sirr:BITBUCKET_TOKEN
+
+⏺ sirr-mcp - get_secret (MCP)(key: "BITBUCKET_TOKEN", org: "acme")
+  ⎿  123asdzxc
+```
+
+The secret existed just long enough to be used. The vault enforces expiry server-side. Claude is instructed by the tool description not to memorize or repeat the value. Even if a different agent, session, or attacker asks — there is nothing left to return.
 
 ## Install
 
@@ -50,7 +75,7 @@ Or use `npx` without a global install — see the configuration block below.
 ## Quick start
 
 1. **Start Sirr** — run the Sirr server and note the `SIRR_MASTER_KEY` you set (or the one it printed on first launch).
-2. **Set your token** — `SIRR_TOKEN` in your MCP config must equal that `SIRR_MASTER_KEY` value exactly.
+2. **Set your token** — `SIRR_TOKEN` in your MCP config must equal that `SIRR_MASTER_KEY` value (or a principal key for org-scoped access).
 3. **Add to `.mcp.json`** — paste the config block below, substituting your server URL and key.
 4. **Verify** — run `sirr-mcp --health` to confirm the connection before starting your AI session.
 
@@ -89,14 +114,15 @@ Using `npx` without a global install:
 }
 ```
 
-> **What is `SIRR_TOKEN`?** It is the value of `SIRR_MASTER_KEY` that you set (or that was generated) when you started the Sirr server. These two values must match exactly — a mismatch is the most common cause of 401 errors. See [sirr.dev/errors#401](https://sirr.dev/errors#401).
+> **What is `SIRR_TOKEN`?** For single-tenant usage, set it to `SIRR_MASTER_KEY` (full access). For multi-tenant org-scoped usage, set it to a principal key. A mismatch is the most common cause of 401 errors. See [sirr.dev/errors#401](https://sirr.dev/errors#401).
 
 ### Environment variables
 
 | Variable | Default | Description |
 |---|---|---|
 | `SIRR_SERVER` | `http://localhost:39999` | Sirr server URL |
-| `SIRR_TOKEN` | — | Bearer token — must equal `SIRR_MASTER_KEY` on the server |
+| `SIRR_TOKEN` | — | Bearer token — `SIRR_MASTER_KEY` for full access, or a principal key for org-scoped access |
+| `SIRR_ORG` | — | Organization ID for multi-tenant mode. When set, all secret/audit/webhook/prune paths are prefixed with `/orgs/{id}/`. Leave unset for single-tenant usage. |
 
 ## CLI flags
 
@@ -116,8 +142,11 @@ SIRR_SERVER=http://localhost:39999 SIRR_TOKEN=mykey sirr-mcp --health
 
 | Tool | Description |
 |---|---|
-| `get_secret(key)` | Retrieve a secret value (increments read counter; burns if max_reads reached) |
-| `push_secret(key, value, ttl_seconds?, max_reads?)` | Store a secret with optional expiry and read limit |
+| `push_secret(value, ttl_seconds?, max_reads?)` | Anonymous public dead drop — value-only, returns `{id, url}`. No key or org needed. |
+| `set_secret(org, key, value)` | Org-scoped named secret — returns `{key, id}`. 409 Conflict if key already exists; use `patch_secret` to update. |
+| `get_secret(id)` or `get_secret(key, org)` | Dual mode: `id` fetches public dead drop (`GET /secrets/{id}`); `key`+`org` fetches org-scoped (`GET /orgs/{org}/secrets/{key}`) |
+| `check_secret(key)` | Check if a secret exists and inspect its metadata — **without consuming a read** |
+| `patch_secret(key, value?, ttl_seconds?, max_reads?)` | Update an existing secret's value, TTL, or read limit |
 | `list_secrets()` | List all active secrets — metadata only, values never returned |
 | `delete_secret(key)` | Burn a secret immediately, regardless of TTL or read count |
 | `prune_secrets()` | Delete all expired secrets in one sweep |
@@ -127,7 +156,7 @@ SIRR_SERVER=http://localhost:39999 SIRR_TOKEN=mykey sirr-mcp --health
 
 | Tool | Description |
 |---|---|
-| `sirr_audit(since?, action?, limit?)` | Query the audit log — secret creates, reads, deletes, and key events |
+| `sirr_audit(since?, until?, action?, limit?)` | Query the audit log — secret creates, reads, deletes, and key events |
 
 ### Webhooks
 
@@ -137,24 +166,67 @@ SIRR_SERVER=http://localhost:39999 SIRR_TOKEN=mykey sirr-mcp --health
 | `sirr_webhook_list()` | List all registered webhooks (signing secrets redacted) |
 | `sirr_webhook_delete(id)` | Remove a webhook by ID |
 
-### API keys
+### Principal keys
+
+| Tool | Description |
+|---|---|
+| `sirr_key_list()` | List all API keys for the current principal |
+| `sirr_create_key(name, valid_for_seconds?, valid_before?)` | Create a new API key; raw key returned once — save it |
+| `sirr_delete_key(keyId)` | Revoke an API key by ID |
+
+### Account (principal-scoped)
 
 | Tool | Description |
 |---|---|
-| `sirr_key_create(label, permissions, prefix?)` | Create a scoped API key; raw key returned once — save it |
-| `sirr_key_list()` | List all scoped API keys (key hashes never returned) |
-| `sirr_key_delete(id)` | Delete an API key by ID |
+| `sirr_me()` | Get the current principal's profile, role, and key list |
+| `sirr_update_me(metadata)` | Replace the current principal's metadata |
+
+### Organizations
+
+| Tool | Description |
+|---|---|
+| `sirr_org_create(name, metadata?)` | Create a new organization |
+| `sirr_org_list()` | List all organizations (master key only) |
+| `sirr_org_delete(org_id)` | Delete an organization — must have no principals |
+
+### Principals
+
+| Tool | Description |
+|---|---|
+| `sirr_principal_create(org_id, name, role, metadata?)` | Create a principal (user or service account) in an org |
+| `sirr_principal_list(org_id)` | List all principals in an org |
+| `sirr_principal_delete(org_id, principal_id)` | Delete a principal — must have no active keys |
+
+### Roles
+
+| Tool | Description |
+|---|---|
+| `sirr_role_create(org_id, name, permissions)` | Create a custom role. Permissions: C=create R=read P=patch D=delete L=list M=manage A=admin |
+| `sirr_role_list(org_id)` | List all roles in an org (built-in and custom) |
+| `sirr_role_delete(org_id, role_name)` | Delete a custom role — must not be in use |
 
 ## Inline secret references
 
-You can reference secrets inline in any prompt:
+You can reference org-scoped secrets inline in any prompt:
 
 ```
 "Use sirr:DATABASE_URL to run a migration"
 "Deploy with sirr:DEPLOY_TOKEN"
 ```
 
-The `sirr:KEYNAME` prefix tells Claude to fetch from the vault automatically.
+The `sirr:KEYNAME` prefix tells Claude to fetch from the vault automatically (requires `SIRR_ORG` to be set).
+
+## Secret lifecycle
+
+Sirr secrets expire by design. Both `push_secret` and `set_secret` support expiry controls:
+
+| Option | Behavior |
+|---|---|
+| `ttl_seconds: 3600` | Secret expires after 1 hour, regardless of reads |
+| `max_reads: 1` | Secret is deleted after the first read |
+| No options | Secret persists until explicitly deleted |
+
+Use `check_secret` to inspect a secret's status without consuming a read — useful when you want to verify a secret is still available before fetching it.
 
 ## Security notes
 
@@ -169,9 +241,10 @@ The `sirr:KEYNAME` prefix tells Claude to fetch from the vault automatically.
 
 | Symptom | Cause | Fix |
 |---|---|---|
-| `Error: Sirr 401` | `SIRR_TOKEN` doesn't match `SIRR_MASTER_KEY` | Verify both values match exactly — no extra spaces or newlines. [sirr.dev/errors#401](https://sirr.dev/errors#401) |
-| `Error: Sirr 402` | Free-tier limit of 100 secrets reached | Delete unused secrets or add a `SIRR_LICENSE_KEY`. [sirr.dev/errors#402](https://sirr.dev/errors#402) |
-| `Error: Sirr 403` | Scoped API key lacks the required permission | Re-create the key with the needed permissions. [sirr.dev/errors#403](https://sirr.dev/errors#403) |
+| `Error: Sirr 401` | `SIRR_TOKEN` doesn't match server key | Verify both values match exactly — no extra spaces or newlines. [sirr.dev/errors#401](https://sirr.dev/errors#401) |
+| `Error: Sirr 402` | Free-tier limit reached | Delete unused secrets or upgrade. [sirr.dev/errors#402](https://sirr.dev/errors#402) |
+| `Error: Sirr 403` | Token lacks the required permission | Use a token with the needed scope. [sirr.dev/errors#403](https://sirr.dev/errors#403) |
+| `Error: Sirr 409` | Key already exists (`set_secret`) or resource has dependencies | Use `patch_secret` to update, or delete the secret first. For orgs: remove dependents first. [sirr.dev/errors#409](https://sirr.dev/errors#409) |
 | `Secret '…' not found` | Secret expired, was burned, or key was mistyped | Re-push the secret if you still need it. [sirr.dev/errors#404](https://sirr.dev/errors#404) |
 | `did not respond within 10s` | Sirr server is unreachable | Check `SIRR_SERVER` URL and confirm Sirr is running (`sirr-mcp --health`). |
 | `[sirr-mcp] Warning: SIRR_TOKEN is not set` | Token missing from MCP config | Add `SIRR_TOKEN` to the `env` block in `.mcp.json`. |

package/dist/helpers.d.ts

@@ -8,6 +8,14 @@
  *   "KEYNAME"        → "KEYNAME"
  */
 export declare function parseKeyRef(ref: string): string;
+export declare function secretsPath(key?: string): string;
+/** Always routes to the public (unauthenticated) secrets endpoint. */
+export declare function publicSecretsPath(id?: string): string;
+/** Always routes to the org-scoped secrets endpoint. Throws if no org. */
+export declare function orgSecretsPath(org: string, key?: string): string;
+export declare function auditPath(): string;
+export declare function webhooksPath(id?: string): string;
+export declare function prunePath(): string;
 /**
  * Format a Unix timestamp (seconds) as a human-readable TTL string
  * relative to now. Returns "no expiry" for null, "expired" for past timestamps.

package/dist/helpers.js

@@ -4,6 +4,12 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.parseKeyRef = parseKeyRef;
+exports.secretsPath = secretsPath;
+exports.publicSecretsPath = publicSecretsPath;
+exports.orgSecretsPath = orgSecretsPath;
+exports.auditPath = auditPath;
+exports.webhooksPath = webhooksPath;
+exports.prunePath = prunePath;
 exports.formatTtl = formatTtl;
 /**
  * Parse a secret key reference from natural language.
@@ -18,6 +24,34 @@ function parseKeyRef(ref) {
         return ref.split("#")[0];
     return ref.trim();
 }
+// ── Org-aware path helpers ────────────────────────────────────────────────────
+function secretsPath(key) {
+    const org = process.env.SIRR_ORG;
+    const base = org ? `/orgs/${org}/secrets` : '/secrets';
+    return key ? `${base}/${key}` : base;
+}
+/** Always routes to the public (unauthenticated) secrets endpoint. */
+function publicSecretsPath(id) {
+    return id ? `/secrets/${id}` : '/secrets';
+}
+/** Always routes to the org-scoped secrets endpoint. Throws if no org. */
+function orgSecretsPath(org, key) {
+    const base = `/orgs/${org}/secrets`;
+    return key ? `${base}/${key}` : base;
+}
+function auditPath() {
+    const org = process.env.SIRR_ORG;
+    return org ? `/orgs/${org}/audit` : '/audit';
+}
+function webhooksPath(id) {
+    const org = process.env.SIRR_ORG;
+    const base = org ? `/orgs/${org}/webhooks` : '/webhooks';
+    return id ? `${base}/${id}` : base;
+}
+function prunePath() {
+    const org = process.env.SIRR_ORG;
+    return org ? `/orgs/${org}/prune` : '/prune';
+}
 /**
  * Format a Unix timestamp (seconds) as a human-readable TTL string
  * relative to now. Returns "no expiry" for null, "expired" for past timestamps.

package/dist/helpers.js.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../src/helpers.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAQH,kCAIC;AAMD,8BASC;AAzBD;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,GAAW;IACrC,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjD,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IACjD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,SAAgB,SAAS,CAAC,SAAwB;IAChD,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,WAAW,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,SAAS,GAAG,GAAG,CAAC;IAC7B,IAAI,IAAI,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAChC,IAAI,IAAI,GAAG,EAAE;QAAE,OAAO,GAAG,IAAI,GAAG,CAAC;IACjC,IAAI,IAAI,GAAG,IAAI;QAAE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC;IACpD,IAAI,IAAI,GAAG,KAAK;QAAE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC;IACvD,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC;AACxC,CAAC"}
+{"version":3,"file":"helpers.js","sourceRoot":"","sources":["../src/helpers.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAQH,kCAIC;AAID,kCAIC;AAGD,8CAEC;AAGD,wCAGC;AAED,8BAGC;AAED,oCAIC;AAED,8BAGC;AAMD,8BASC;AA5DD;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,GAAW;IACrC,IAAI,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC;QAAE,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;IACjD,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC;IACjD,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,iFAAiF;AAEjF,SAAgB,WAAW,CAAC,GAAY;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;IACvD,OAAO,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC;AAED,sEAAsE;AACtE,SAAgB,iBAAiB,CAAC,EAAW;IAC3C,OAAO,EAAE,CAAC,CAAC,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC;AAC5C,CAAC;AAED,0EAA0E;AAC1E,SAAgB,cAAc,CAAC,GAAW,EAAE,GAAY;IACtD,MAAM,IAAI,GAAG,SAAS,GAAG,UAAU,CAAC;IACpC,OAAO,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACvC,CAAC;AAED,SAAgB,SAAS;IACvB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,OAAO,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;AAC/C,CAAC;AAED,SAAgB,YAAY,CAAC,EAAW;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,MAAM,IAAI,GAAG,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC;IACzD,OAAO,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC;AACrC,CAAC;AAED,SAAgB,SAAS;IACvB,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACjC,OAAO,GAAG,CAAC,CAAC,CAAC,SAAS,GAAG,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAgB,SAAS,CAAC,SAAwB;IAChD,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,WAAW,CAAC;IAC3C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,IAAI,GAAG,SAAS,GAAG,GAAG,CAAC;IAC7B,IAAI,IAAI,IAAI,CAAC;QAAE,OAAO,SAAS,CAAC;IAChC,IAAI,IAAI,GAAG,EAAE;QAAE,OAAO,GAAG,IAAI,GAAG,CAAC;IACjC,IAAI,IAAI,GAAG,IAAI;QAAE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC;IACpD,IAAI,IAAI,GAAG,KAAK;QAAE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC;IACvD,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,KAAK,CAAC,GAAG,CAAC;AACxC,CAAC"}

package/dist/helpers.test.js

@@ -22,6 +22,74 @@ const helpers_1 = require("./helpers");
         (0, globals_1.expect)((0, helpers_1.parseKeyRef)("KEY#a#b")).toBe("KEY");
     });
 });
+(0, globals_1.describe)("secretsPath", () => {
+    (0, globals_1.afterEach)(() => {
+        delete process.env.SIRR_ORG;
+    });
+    (0, globals_1.it)("returns /secrets without SIRR_ORG", () => {
+        delete process.env.SIRR_ORG;
+        (0, globals_1.expect)((0, helpers_1.secretsPath)()).toBe("/secrets");
+    });
+    (0, globals_1.it)("returns /secrets/{key} without SIRR_ORG", () => {
+        delete process.env.SIRR_ORG;
+        (0, globals_1.expect)((0, helpers_1.secretsPath)("MY_KEY")).toBe("/secrets/MY_KEY");
+    });
+    (0, globals_1.it)("returns /orgs/{org}/secrets with SIRR_ORG", () => {
+        process.env.SIRR_ORG = "acme";
+        (0, globals_1.expect)((0, helpers_1.secretsPath)()).toBe("/orgs/acme/secrets");
+    });
+    (0, globals_1.it)("returns /orgs/{org}/secrets/{key} with SIRR_ORG", () => {
+        process.env.SIRR_ORG = "acme";
+        (0, globals_1.expect)((0, helpers_1.secretsPath)("MY_KEY")).toBe("/orgs/acme/secrets/MY_KEY");
+    });
+});
+(0, globals_1.describe)("auditPath", () => {
+    (0, globals_1.afterEach)(() => {
+        delete process.env.SIRR_ORG;
+    });
+    (0, globals_1.it)("returns /audit without SIRR_ORG", () => {
+        delete process.env.SIRR_ORG;
+        (0, globals_1.expect)((0, helpers_1.auditPath)()).toBe("/audit");
+    });
+    (0, globals_1.it)("returns /orgs/{org}/audit with SIRR_ORG", () => {
+        process.env.SIRR_ORG = "acme";
+        (0, globals_1.expect)((0, helpers_1.auditPath)()).toBe("/orgs/acme/audit");
+    });
+});
+(0, globals_1.describe)("webhooksPath", () => {
+    (0, globals_1.afterEach)(() => {
+        delete process.env.SIRR_ORG;
+    });
+    (0, globals_1.it)("returns /webhooks without SIRR_ORG", () => {
+        delete process.env.SIRR_ORG;
+        (0, globals_1.expect)((0, helpers_1.webhooksPath)()).toBe("/webhooks");
+    });
+    (0, globals_1.it)("returns /webhooks/{id} without SIRR_ORG", () => {
+        delete process.env.SIRR_ORG;
+        (0, globals_1.expect)((0, helpers_1.webhooksPath)("wh_123")).toBe("/webhooks/wh_123");
+    });
+    (0, globals_1.it)("returns /orgs/{org}/webhooks with SIRR_ORG", () => {
+        process.env.SIRR_ORG = "acme";
+        (0, globals_1.expect)((0, helpers_1.webhooksPath)()).toBe("/orgs/acme/webhooks");
+    });
+    (0, globals_1.it)("returns /orgs/{org}/webhooks/{id} with SIRR_ORG", () => {
+        process.env.SIRR_ORG = "acme";
+        (0, globals_1.expect)((0, helpers_1.webhooksPath)("wh_123")).toBe("/orgs/acme/webhooks/wh_123");
+    });
+});
+(0, globals_1.describe)("prunePath", () => {
+    (0, globals_1.afterEach)(() => {
+        delete process.env.SIRR_ORG;
+    });
+    (0, globals_1.it)("returns /prune without SIRR_ORG", () => {
+        delete process.env.SIRR_ORG;
+        (0, globals_1.expect)((0, helpers_1.prunePath)()).toBe("/prune");
+    });
+    (0, globals_1.it)("returns /orgs/{org}/prune with SIRR_ORG", () => {
+        process.env.SIRR_ORG = "acme";
+        (0, globals_1.expect)((0, helpers_1.prunePath)()).toBe("/orgs/acme/prune");
+    });
+});
 (0, globals_1.describe)("formatTtl", () => {
     const realDateNow = Date.now;
     (0, globals_1.beforeEach)(() => {

package/dist/helpers.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"helpers.test.js","sourceRoot":"","sources":["../src/helpers.test.ts"],"names":[],"mappings":";;AAAA,2CAAkF;AAClF,uCAAmD;AAEnD,IAAA,kBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,IAAA,YAAE,EAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,kBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC;IAE7B,IAAA,oBAAU,EAAC,GAAG,EAAE;QACd,0DAA0D;QAC1D,cAAI,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,eAAe,CAAC,OAAS,GAAG,IAAI,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,IAAA,mBAAS,EAAC,GAAG,EAAE;QACb,cAAI,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,MAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"helpers.test.js","sourceRoot":"","sources":["../src/helpers.test.ts"],"names":[],"mappings":";;AAAA,2CAAkF;AAClF,uCAAoG;AAEpG,IAAA,kBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,IAAA,YAAE,EAAC,qBAAqB,EAAE,GAAG,EAAE;QAC7B,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC3D,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;QAChC,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxC,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,uDAAuD,EAAE,GAAG,EAAE;QAC/D,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,kBAAQ,EAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,IAAA,mBAAS,EAAC,GAAG,EAAE;QACb,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC5B,IAAA,gBAAM,EAAC,IAAA,qBAAW,GAAE,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC5B,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,2CAA2C,EAAE,GAAG,EAAE;QACnD,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,IAAA,gBAAM,EAAC,IAAA,qBAAW,GAAE,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,IAAA,gBAAM,EAAC,IAAA,qBAAW,EAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,kBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAA,mBAAS,EAAC,GAAG,EAAE;QACb,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC5B,IAAA,gBAAM,EAAC,IAAA,mBAAS,GAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,IAAA,gBAAM,EAAC,IAAA,mBAAS,GAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,kBAAQ,EAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAA,mBAAS,EAAC,GAAG,EAAE;QACb,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC5B,IAAA,gBAAM,EAAC,IAAA,sBAAY,GAAE,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC5B,IAAA,gBAAM,EAAC,IAAA,sBAAY,EAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,4CAA4C,EAAE,GAAG,EAAE;QACpD,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,IAAA,gBAAM,EAAC,IAAA,sBAAY,GAAE,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,IAAA,gBAAM,EAAC,IAAA,sBAAY,EAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,kBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,IAAA,mBAAS,EAAC,GAAG,EAAE;QACb,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,OAAO,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;QAC5B,IAAA,gBAAM,EAAC,IAAA,mBAAS,GAAE,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,yCAAyC,EAAE,GAAG,EAAE;QACjD,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,IAAA,gBAAM,EAAC,IAAA,mBAAS,GAAE,CAAC,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,kBAAQ,EAAC,WAAW,EAAE,GAAG,EAAE;IACzB,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC;IAE7B,IAAA,oBAAU,EAAC,GAAG,EAAE;QACd,0DAA0D;QAC1D,cAAI,CAAC,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC,eAAe,CAAC,OAAS,GAAG,IAAI,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IAEH,IAAA,mBAAS,EAAC,GAAG,EAAE;QACb,cAAI,CAAC,eAAe,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;QACtC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,sCAAsC,EAAE,GAAG,EAAE;QAC9C,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,MAAO,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC7C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC9C,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/C,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjD,CAAC,CAAC,CAAC;IAEH,IAAA,YAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;QACjC,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChD,IAAA,gBAAM,EAAC,IAAA,mBAAS,EAAC,OAAS,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/index.d.ts

@@ -5,8 +5,8 @@
  * Exposes Sirr as MCP tools so Claude Code can read/write ephemeral secrets.
  *
  * Configuration (env vars):
- *   SIRR_SERVER  — Sirr server URL (default: http://localhost:39999)
- *   SIRR_TOKEN   — Bearer token (SIRR_MASTER_KEY on the server)
+ *   SIRR_SERVER  — Sirr server URL (default: https://sirr.sirrlock.com)
+ *   SIRR_TOKEN   — Bearer token: SIRR_MASTER_KEY for full access, or a principal key for org-scoped access
  *
  * Install:  npm install -g @sirrlock/mcp
  * Configure in .mcp.json: