Skip to content

Align secrets surface naming: CLI uses 'secrets' (plural), MCP tools use 'secret' (singular) #37

Open
Open
Align secrets surface naming: CLI uses 'secrets' (plural), MCP tools use 'secret' (singular)#37
Labels
enhancementNew feature or request
@krisrowe

Description

@krisrowe
krisrowe
opened on May 1, 2026

Problem

The secrets surface in gapp uses different verb forms across its CLI and its MCP tool interfaces, both of which ship in the same package:

Surface Form
CLI gapp secrets get, gapp secrets list, gapp secrets set (plural)
MCP tools gapp_secret_get, gapp_secret_list, gapp_secret_set (singular)

Both forms are functionally identical. They take the same arguments, hit the same underlying SDK, and return the same data. But an operator (or agent) using one surface and then the other has to mentally remap the noun, and the asymmetry is visible in any documentation that references both — including the secrets/SKILL.md skill that ships with the package, where examples accurately use both forms because both are correct for their respective surface.

This is the kind of papercut that compounds: every doc, every error message, every agent-prompt that mentions a secrets command has to be aware of which surface the reader is on. Easier to fix the surface than to keep both worlds in mind everywhere.

Proposed direction

Pick one form and align both surfaces. Plural is the more common shell convention for resource groups (gcloud secrets, kubectl secrets, docker secrets, aws secretsmanager) and is already what the CLI uses, so the lower-disruption path is:

  • Rename the MCP tools to plural: gapp_secrets_get, gapp_secrets_list, gapp_secrets_set
  • Keep the CLI as-is

If singular is preferred for some reason (e.g., MCP convention elsewhere in the package, namespacing concerns), the alternative is to rename the CLI subcommand group to gapp secret <verb> and keep MCP tools singular. Either way, both surfaces should agree.

If renaming is too disruptive in the short term, document the divergence prominently in secrets/SKILL.md and the package README so it stops surprising readers.

Context

Discovered while operating against a deployed solution from an agent session: the agent reached for gapp secret get (singular), got No such command 'secret', and had to switch to gapp secrets get (plural). The same agent in the same session called gapp_secret_get via the MCP tool earlier and it just worked. Trivially recoverable, but the friction is real and avoidable.

Verified against gapp 3.0.7:

$ gapp secret --help
Error: No such command 'secret'.

$ gapp secrets --help
Usage: gapp secrets [OPTIONS] COMMAND [ARGS]...
  List, get, and set secret values for the current solution.
Commands:
  get   Fetch a secret.
  list  Show declared secrets, deploy-readiness, and remediation hints.
  set   Store a secret value.

# MCP tool names visible in plugin metadata:
# gapp_secret_get, gapp_secret_list, gapp_secret_set

Work breakdown

  • Decide on canonical form (plural CLI + plural MCP, or singular CLI + singular MCP)
  • Rename the non-canonical surface, with deprecation aliases for one release if back-compat matters
  • Update secrets/SKILL.md examples to use the canonical form throughout
  • Update any README / package docs that reference the old form
  • If aliases are kept, document the deprecation timeline in CHANGELOG / release notes
  • Add a short note in CONTRIBUTING.md about CLI ↔ MCP tool naming conventions so future surfaces stay aligned

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions