
#191 enhancement: credential_store_update — update metadata without re-entering secret

closed
nobody
None
2026-04-28
2026-04-27
Anonymous
No

Originally created by: kumaakh

Problem

credential_store_set always triggers an OOB dialog for the secret value, even when called on an existing credential name. There is no way to update non-sensitive metadata fields (members, ttl_seconds, network_policy) without re-entering the full secret.

Current user experience to fix a wrong members list:

  1. Call credential_store_set with the same name and corrected members
  2. OOB dialog opens — user must re-type the full secret
  3. Full overwrite — no field merging

This creates significant friction for corrections and updates, especially for long or complex secrets.

Proposed Solution

Add a credential_store_update tool that updates only non-sensitive metadata fields, leaving the encrypted value unchanged:

// New tool: credential_store_update
{
  name: string;                     // required — identifies which credential to update
  members?: string;                 // optional — new member scope ("*" or comma-separated)
  ttl_seconds?: number | null;      // optional — new TTL (null to remove expiry)
  network_policy?: 'allow' | 'deny' | 'confirm';  // optional
}

No OOB dialog — the secret value is never touched. Only the listed fields are updated; unspecified fields retain their current values.

Error cases:

  • Credential does not exist → clear error (cannot update a non-existent credential)
  • No fields specified → reject (no-op update is an error)

Behaviour of credential_store_set (unchanged)

credential_store_set retains its current behaviour: always prompts OOB, always does a full overwrite. It remains the right tool for initial creation and for rotating the secret value itself.

Example

# Created with wrong members
credential_store_set  name=db_password  members="alice"

# Fix members without re-entering the password
credential_store_update  name=db_password  members="alice,bob"

# Add a TTL retroactively
credential_store_update  name=db_password  ttl_seconds=86400

Related

Tickets: #192
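
Added example, not the project's code or part of the original ticket: a TypeScript model of the merge semantics proposed above, where an omitted field keeps its current value, ttl_seconds: null removes the expiry, and the ciphertext is never read or written. The store shape, the names StoredCredential, encryptedValue, Store and credentialStoreUpdate, and the positive-integer TTL check are assumptions.

```typescript
// Added example: in-memory model of the proposed semantics, not the project's code.
type NetworkPolicy = 'allow' | 'deny' | 'confirm';

interface StoredCredential {
  encryptedValue: string;        // opaque ciphertext; the update path never touches it
  members: string;
  ttl_seconds: number | null;    // null means no expiry
  network_policy: NetworkPolicy;
}

interface UpdateRequest {
  name: string;
  members?: string;
  ttl_seconds?: number | null;
  network_policy?: NetworkPolicy;
}
type Store = { [name: string]: StoredCredential };

function credentialStoreUpdate(store: Store, req: UpdateRequest): StoredCredential {
  // Own-property check so names like "constructor" are not mistaken for stored entries.
  if (!Object.prototype.hasOwnProperty.call(store, req.name)) {
    throw new Error('credential "' + req.name + '" does not exist');
  }
  const { members, ttl_seconds, network_policy } = req;
  // undefined = "not specified"; null is a real value for ttl_seconds (remove expiry).
  if (members === undefined && ttl_seconds === undefined && network_policy === undefined) {
    throw new Error('no fields specified');
  }
  // Tool arguments arrive untyped at runtime, so re-check the enum.
  if (network_policy !== undefined && ['allow', 'deny', 'confirm'].indexOf(network_policy) < 0) {
    throw new Error('invalid network_policy');
  }
  // Assumption: a TTL, when given, must be a positive whole number of seconds.
  if (ttl_seconds != null && !(ttl_seconds > 0 && ttl_seconds % 1 === 0)) {
    throw new Error('ttl_seconds must be a positive integer or null');
  }
  const updated: StoredCredential = { ...store[req.name] };
  if (members !== undefined) updated.members = members;
  if (ttl_seconds !== undefined) updated.ttl_seconds = ttl_seconds;
  if (network_policy !== undefined) updated.network_policy = network_policy;
  store[req.name] = updated;
  return updated;
}

// Constructed sample entry mirroring the ticket's example; the ciphertext is a placeholder.
const sampleStore: Store = {
  db_password: { encryptedValue: '<ciphertext-placeholder>', members: 'alice',
                 ttl_seconds: null, network_policy: 'confirm' },
};
```

Because this path changes who can use a credential without the OOB prompt, the members and network_policy changes it applies are worth recording in whatever audit log the store keeps.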

Discussion

  • Anonymous

    Anonymous - 2026-04-28

    Originally posted by: kumaakh

    Addressed in PR [#183] (sprint/session-lifecycle-oob-fix → main).

    Changes shipped: credential_store_update tool added — update credential metadata without re-entering the secret.

    PR is open for testing — will be merged once testing is complete.

     

    Related

    Tickets: #183

  • Anonymous

    Anonymous - 2026-04-28

    Ticket changed by: kumaakh

    • status: open --> closed
     
