Merge pull request #212 from deploystackio/main

udpated-docs

Author: Lasim

docs/mcp-configuration.mdx

@@ -61,6 +61,8 @@ This architecture enables teams to share common settings like API keys while all
 
 The heart of the system is sophisticated lock/unlock controls with precise categorization:
 
+**Secret Type Support:** Configuration values marked as `type: "secret"` in schemas are automatically encrypted for security. For complete details on secret encryption, masking, and security, see [Security and Privacy](/security).
+
 **Global Administrator Controls:**
 - **Sophisticated Categorization** - Categorize every configuration element into Template/Team/User tiers
 - **Granular Lock/Unlock Controls** - Set default lock states and visibility controls for each element
@@ -116,7 +118,7 @@ Here's how the three tiers combine into a final runtime configuration:
 ```json
 {
   "args": [],
-  "env": {"SHARED_API_KEY": "team-secret-12345"}
+  "env": {"SHARED_API_KEY": "••••• (encrypted secret)"}
 }
 ```
 
@@ -140,12 +142,14 @@ Here's how the three tiers combine into a final runtime configuration:
   ],
   "env": {
     "PROTOCOL_VERSION": "1.0",
-    "SHARED_API_KEY": "team-secret-12345", 
+    "SHARED_API_KEY": "decrypted-secret-for-runtime", 
     "DEBUG": "true"
   }
 }
 ```
 
+*Note: Secret values are automatically decrypted only for runtime execution. In all other contexts (API responses, user interfaces), secrets appear masked as `*****`.*
+
 ## Key Benefits
 
 **Security:** Sensitive credentials managed at appropriate tiers with encryption and access controls

docs/mcp-team-installation.mdx

@@ -70,7 +70,7 @@ Template Configuration (Set by Global Admin, Cannot Change):
 ├─ System Flag: "-y" (🔒 Locked Forever)
 
 Team Configuration (You Control):
-├─ GIT_ACCESS_TOKEN: "team-git-token-xyz" (🔒 Locked, Hidden)
+├─ GIT_ACCESS_TOKEN: "••••• (encrypted secret)" (🔒 Locked)
 ├─ SHARED_PROJECT_ROOT: "/company/projects" (🔒 Locked)
 
 User Controls (You Decide Lock/Unlock):
@@ -88,8 +88,10 @@ User Controls (You Decide Lock/Unlock):
 - Team members can use credentials but may not see actual values
 
 **Credential Visibility:**
-- **Hidden Credentials** - Users use them automatically but can't see values (for API keys)
-- **Visible Credentials** - Users can see values (for service URLs)
+- **Secret Fields** - Users see `*****` and use them automatically (for API keys, tokens)
+- **Visible Fields** - Users can see actual values (for service URLs, non-sensitive settings)
+
+For complete details on how secret fields are encrypted and protected, see [Security and Privacy](/security).
 
 **Updates:**
 - Update credentials without affecting user configurations

docs/mcp-user-configuration.mdx

@@ -63,7 +63,7 @@ Debug Settings:
 
 TEAM-MANAGED SETTINGS (You inherit these automatically)
 
-✓ Team credentials configured
+✓ Team API credentials: ••••• (encrypted, see Security)
 ✓ Shared project access: /company/projects
 ✓ Team backup settings: Enabled
 
@@ -157,7 +157,7 @@ Template (System):
 └─ System flags: "-y"
 
 + Team (Shared):
-├─ Team API Key: "team-secret-12345" (hidden from you)
+├─ Team API Key: "••••• (encrypted secret, hidden from you)"
 ├─ Shared directory: "/company/projects"
 └─ Backup enabled: true
 
@@ -170,7 +170,7 @@ Template (System):
 Command: npx -y @modelcontextprotocol/server-filesystem 
          /Users/alice/Development /Users/alice/Projects
 Environment: {
-  "TEAM_API_KEY": "team-secret-12345",
+  "TEAM_API_KEY": "decrypted-for-runtime-only",
   "SHARED_DIR": "/company/projects", 
   "BACKUP_ENABLED": "true",
   "DEBUG": "true",

docs/meta.json

@@ -13,10 +13,16 @@
     "onboard-new-team-members",
     "global-settings",
     "security",
+    "device-management",
     "---MCP Server---",
     "mcp-catalog",
     "mcp-installation",
     "mcp-categories",
+    "mcp-admin-schema-workflow",
+    "---MCP Server Configuration---",
+    "mcp-configuration",
+    "mcp-team-installation",
+    "mcp-user-configuration",
     "---Administration---",
     "auth",
     "github-application",

docs/security.mdx

@@ -41,8 +41,46 @@ To ensure account security:
 
 ## Data Protection
 
-### Sensitive Settings
-Your configuration data is protected with encryption:
+### MCP Configuration Security
+
+DeployStack automatically protects sensitive MCP configuration values through a selective encryption system:
+
+**Secret Type Implementation:**
+- **Schema-Based Detection**: Fields marked as `type: "secret"` in MCP schemas are automatically identified for encryption
+- **AES-256-GCM Encryption**: Secret values are encrypted using the same industry-standard encryption as global settings
+- **Selective Processing**: Only secret-type fields are encrypted; regular configuration values remain as plaintext for performance
+- **Encrypted Storage**: Secret values are stored encrypted in the database and never saved as plaintext
+
+**API Response Protection:**
+- **Automatic Masking**: All API responses automatically mask secret values as `*****`
+- **No Secret Exposure**: Secret values never appear in API responses, logs, or user interfaces
+- **Runtime Decryption**: Only authorized operations (like gateway configuration generation) can decrypt secrets for actual use
+
+**Three-Tier Secret Management:**
+- **Template Level**: Global administrators define which fields are secret types in schemas
+- **Team Level**: Team administrators configure secret values (API keys, tokens) that all team members inherit
+- **User Level**: Users see masked values (`*****`) and cannot access actual secret content
+
+**What Gets Encrypted:**
+- API keys and authentication tokens
+- Database passwords and connection strings
+- Service credentials and access keys
+- Any configuration field marked as `type: "secret"` in the schema
+
+**What Doesn't Get Encrypted:**
+- Debug flags and boolean settings
+- File paths and directory names
+- Public configuration values
+- Regular string, number, and boolean fields
+
+**Security Benefits:**
+- **Zero Secret Exposure**: Impossible for secrets to leak through API responses
+- **Database Protection**: Even database access doesn't reveal plaintext secrets
+- **Audit Safe**: Logs and interfaces never contain actual secret values
+- **Team Security**: Team members use secrets without seeing actual values
+
+### Global Settings Encryption
+Your global configuration data is protected with encryption:
 
 - **Encrypted storage**: Sensitive settings like passwords and API keys are encrypted
 - **Secure keys**: Encryption uses industry-standard methods

lib/source.ts

@@ -1,8 +1,4 @@
-// The .source alias will be generated by 'fumadocs-mdx' postinstall script
-// or when you run `next dev`.
-// If TypeScript complains about '@/.source', you might need to run `npm run postinstall`
-// or `npm run dev` once to generate it.
-import { docs } from '../.source/index';
+import { docs } from '../.source';
 import { loader } from 'fumadocs-core/source';
 import { icons } from 'lucide-react';
 import { createElement } from 'react';
@@ -28,7 +24,11 @@ function createIconHandler() {
 }
 
 // Filter docs into separate sections
-const allDocs = docs.docs;
+type Doc = (typeof docs.docs)[number];
+const allDocs = docs.docs.map((doc: Doc) => ({
+  ...doc,
+  title: doc.sidebar ?? doc.title,
+}));
 const allMeta = docs.meta;
 
 // Main docs (include all files for complete control via meta.json)

next-env.d.ts

@@ -1,5 +1,6 @@
 /// <reference types="next" />
 /// <reference types="next/image-types/global" />
+/// <reference path="./.next/types/routes.d.ts" />
 
 // NOTE: This file should not be edited
 // see https://nextjs.org/docs/app/api-reference/config/typescript for more information.