From 0ae55a61a7629a77407d63428c0e3211bac4ae9a Mon Sep 17 00:00:00 2001
From: Lasim <hajdas@hajdas.de>
Date: Tue, 26 Aug 2025 21:52:58 +0200
Subject: [PATCH] Enhance security documentation for MCP configuration,
 detailing secret type support, encryption processes, and API response
 protection measures.

---
 docs/mcp-configuration.mdx      |  8 +++++--
 docs/mcp-team-installation.mdx  |  8 ++++---
 docs/mcp-user-configuration.mdx |  6 ++---
 docs/security.mdx               | 42 +++++++++++++++++++++++++++++++--
 4 files changed, 54 insertions(+), 10 deletions(-)

diff --git a/docs/mcp-configuration.mdx b/docs/mcp-configuration.mdx
index 4d50df9..2b3e90e 100644
--- a/docs/mcp-configuration.mdx
+++ b/docs/mcp-configuration.mdx
@@ -61,6 +61,8 @@ This architecture enables teams to share common settings like API keys while all
 
 The heart of the system is sophisticated lock/unlock controls with precise categorization:
 
+**Secret Type Support:** Configuration values marked as `type: "secret"` in schemas are automatically encrypted for security. For complete details on secret encryption, masking, and security, see [Security and Privacy](/security).
+
 **Global Administrator Controls:**
 - **Sophisticated Categorization** - Categorize every configuration element into Template/Team/User tiers
 - **Granular Lock/Unlock Controls** - Set default lock states and visibility controls for each element
@@ -116,7 +118,7 @@ Here's how the three tiers combine into a final runtime configuration:
 ```json
 {
   "args": [],
-  "env": {"SHARED_API_KEY": "team-secret-12345"}
+  "env": {"SHARED_API_KEY": "••••• (encrypted secret)"}
 }
 ```
 
@@ -140,12 +142,14 @@ Here's how the three tiers combine into a final runtime configuration:
   ],
   "env": {
     "PROTOCOL_VERSION": "1.0",
-    "SHARED_API_KEY": "team-secret-12345", 
+    "SHARED_API_KEY": "decrypted-secret-for-runtime", 
     "DEBUG": "true"
   }
 }
 ```
 
+*Note: Secret values are automatically decrypted only for runtime execution. In all other contexts (API responses, user interfaces), secrets appear masked as `*****`.*
+
 ## Key Benefits
 
 **Security:** Sensitive credentials managed at appropriate tiers with encryption and access controls
diff --git a/docs/mcp-team-installation.mdx b/docs/mcp-team-installation.mdx
index c43d963..590e5e6 100644
--- a/docs/mcp-team-installation.mdx
+++ b/docs/mcp-team-installation.mdx
@@ -70,7 +70,7 @@ Template Configuration (Set by Global Admin, Cannot Change):
 ├─ System Flag: "-y" (🔒 Locked Forever)
 
 Team Configuration (You Control):
-├─ GIT_ACCESS_TOKEN: "team-git-token-xyz" (🔒 Locked, Hidden)
+├─ GIT_ACCESS_TOKEN: "••••• (encrypted secret)" (🔒 Locked)
 ├─ SHARED_PROJECT_ROOT: "/company/projects" (🔒 Locked)
 
 User Controls (You Decide Lock/Unlock):
@@ -88,8 +88,10 @@ User Controls (You Decide Lock/Unlock):
 - Team members can use credentials but may not see actual values
 
 **Credential Visibility:**
-- **Hidden Credentials** - Users use them automatically but can't see values (for API keys)
-- **Visible Credentials** - Users can see values (for service URLs)
+- **Secret Fields** - Users see `*****` and use them automatically (for API keys, tokens)
+- **Visible Fields** - Users can see actual values (for service URLs, non-sensitive settings)
+
+For complete details on how secret fields are encrypted and protected, see [Security and Privacy](/security).
 
 **Updates:**
 - Update credentials without affecting user configurations
diff --git a/docs/mcp-user-configuration.mdx b/docs/mcp-user-configuration.mdx
index d1985dc..10fa189 100644
--- a/docs/mcp-user-configuration.mdx
+++ b/docs/mcp-user-configuration.mdx
@@ -63,7 +63,7 @@ Debug Settings:
 
 TEAM-MANAGED SETTINGS (You inherit these automatically)
 
-✓ Team credentials configured
+✓ Team API credentials: ••••• (encrypted, see Security)
 ✓ Shared project access: /company/projects
 ✓ Team backup settings: Enabled
 
@@ -157,7 +157,7 @@ Template (System):
 └─ System flags: "-y"
 
 + Team (Shared):
-├─ Team API Key: "team-secret-12345" (hidden from you)
+├─ Team API Key: "••••• (encrypted secret, hidden from you)"
 ├─ Shared directory: "/company/projects"
 └─ Backup enabled: true
 
@@ -170,7 +170,7 @@ Template (System):
 Command: npx -y @modelcontextprotocol/server-filesystem 
          /Users/alice/Development /Users/alice/Projects
 Environment: {
-  "TEAM_API_KEY": "team-secret-12345",
+  "TEAM_API_KEY": "decrypted-for-runtime-only",
   "SHARED_DIR": "/company/projects", 
   "BACKUP_ENABLED": "true",
   "DEBUG": "true",
diff --git a/docs/security.mdx b/docs/security.mdx
index 374d45e..fee2977 100644
--- a/docs/security.mdx
+++ b/docs/security.mdx
@@ -41,8 +41,46 @@ To ensure account security:
 
 ## Data Protection
 
-### Sensitive Settings
-Your configuration data is protected with encryption:
+### MCP Configuration Security
+
+DeployStack automatically protects sensitive MCP configuration values through a selective encryption system:
+
+**Secret Type Implementation:**
+- **Schema-Based Detection**: Fields marked as `type: "secret"` in MCP schemas are automatically identified for encryption
+- **AES-256-GCM Encryption**: Secret values are encrypted using the same industry-standard encryption as global settings
+- **Selective Processing**: Only secret-type fields are encrypted; regular configuration values remain as plaintext for performance
+- **Encrypted Storage**: Secret values are stored encrypted in the database and never saved as plaintext
+
+**API Response Protection:**
+- **Automatic Masking**: All API responses automatically mask secret values as `*****`
+- **No Secret Exposure**: Secret values never appear in API responses, logs, or user interfaces
+- **Runtime Decryption**: Only authorized operations (like gateway configuration generation) can decrypt secrets for actual use
+
+**Three-Tier Secret Management:**
+- **Template Level**: Global administrators define which fields are secret types in schemas
+- **Team Level**: Team administrators configure secret values (API keys, tokens) that all team members inherit
+- **User Level**: Users see masked values (`*****`) and cannot access actual secret content
+
+**What Gets Encrypted:**
+- API keys and authentication tokens
+- Database passwords and connection strings
+- Service credentials and access keys
+- Any configuration field marked as `type: "secret"` in the schema
+
+**What Doesn't Get Encrypted:**
+- Debug flags and boolean settings
+- File paths and directory names
+- Public configuration values
+- Regular string, number, and boolean fields
+
+**Security Benefits:**
+- **Zero Secret Exposure**: Impossible for secrets to leak through API responses
+- **Database Protection**: Even database access doesn't reveal plaintext secrets
+- **Audit Safe**: Logs and interfaces never contain actual secret values
+- **Team Security**: Team members use secrets without seeing actual values
+
+### Global Settings Encryption
+Your global configuration data is protected with encryption:
 
 - **Encrypted storage**: Sensitive settings like passwords and API keys are encrypted
 - **Secure keys**: Encryption uses industry-standard methods