feat: secrets configuration for mcp server

[salman1993]

tested with Tavily MCP Server for web search:

1. build and run goosed: cargo run --bin goosed -- agent

2. add system with secret. you need to replace with free API key that you can get here: https://app.tavily.com/home

curl --request POST \
  --url http://localhost:3000/systems/add \
  --header 'Content-Type: application/json' \
  --data '{
  "type": "Stdio",
  "cmd": "uvx", 
  "args": ["mcp-tavily"], 
  "secrets": {
    "TAVILY_API_KEY": "REPLACE_SECRET_HERE"
  }
}'

3. ask question that requires using the system's tools

curl --request POST \
  --url http://localhost:3000/ask \
  --header 'Content-Type: application/json' \
  --data '{
  "prompt": "can you do a search for recent news on LA wildfires - give me a timeline of events if possible. only provide breaking news and also let me know which tools you called in the process of getting the answer. be very concise!"
}'

step (2) validation depends on MCP server implementation - eg. it fails if env var is not set but does not fail if you set an invalid key - in that case, it will fail in step (3) by replying it can't get the news, which isn't good.

We can prompt the LLM to let the user know if the system contains secrets but its tools can't be used.

[github-actions]

Desktop App for this PR

The following build is available for testing:

• 📱 macOS Desktop App (Universal, signed)

The app is signed and notarized for macOS. After downloading, unzip the file and drag the Goose.app to your Applications folder.

This link is provided by nightly.link and will work even if you're not logged into GitHub.

[salman1993]

this right now stores the secret in plaintext. this can also be a map of env_var_name -> key_manager_secret_name and then we pull in the secret value and set it as env var

goose/crates/goose/src/key_manager.rs

Line 45 in 3e0ce19

pub fn get_keyring_secret(

[kalvinnchau]

this looks like it sets the env vars for the main goose process, should we only be setting the secrets in for the subprocess when doing stdio mcps servers?

[salman1993]

this is a good question. there is a TODO on adding in-process transport. for now, it makes sense to set it in only in subprocess -

goose/crates/goose-cli/src/commands/session.rs

Line 56 in 3e0ce19

// TODO once the client/server for MCP has stabilized, we should probably add InProcess transport to each

[salman1993]

updated this to be set envs in the spawned process

[github-actions]

Desktop App for this PR

The following build is available for testing:

• 📱 macOS Desktop App (Universal, signed)

The app is signed and notarized for macOS. After downloading, unzip the file and drag the Goose.app to your Applications folder.

This link is provided by nightly.link and will work even if you're not logged into GitHub.

[alexhancock]

Will this do any validation for us to make sure the values passed are valid as environment vars? Names etc. Would be nice to get some descriptive messages if anything goes wrong.

[salman1993]

this totally depends on the server implementation. in the case of the Tavily example: it errors if TAVILY_API_KEY is not set but it won't error if its an invalid key

[github-actions]

Desktop App for this PR

The following build is available for testing:

• 📱 macOS Desktop App (Universal, signed)

The app is signed and notarized for macOS. After downloading, unzip the file and drag the Goose.app to your Applications folder.

This link is provided by nightly.link and will work even if you're not logged into GitHub.