feat(sdk): add built-in core-tools plugin with agent secret-create flow

Introduces `coreToolsPlugin` in @executor-js/sdk exposing three static
tools agents can call directly:

- `scopes.list` — enumerate visible scopes by name; agents pick a scope
  by asking the user, not by guessing or defaulting.
- `secrets.list` — visible secrets as `{id, name, provider}`; values
  never cross the agent boundary.
- `secrets.create` — pre-allocates a secret id and returns a URL to the
  existing /secrets web form, pre-filled with name + id. The user enters
  the value in the browser; the agent confirms by re-listing.

The plugin auto-registers when `coreTools: { webBaseUrl }` is set on
ExecutorConfig, so hosts opt in with one line. apps/local wires it to
the daemon's own port — same host as the API, no separate UI server.

The /secrets web side reads the prefill params via TanStack Router
`validateSearch`, opens the add modal pre-filled, and locks the id via
a new `initialIdOverride` prop on SecretForm. URL prefilling works
fully through the dev:cli vite proxy.

Author: RhysSullivan

apps/local/src/server/executor.ts

@@ -320,6 +320,17 @@ const createLocalExecutorLayer = () => {
         plugins,
         onElicitation: "accept-all",
         oauthEndpointUrlPolicy: { allowHttp: true },
+        // Built-in agent-facing tools (scopes.list, secrets.list,
+        // secrets.create). webBaseUrl is where the executor's web UI
+        // listens — same port as the daemon API since the daemon serves
+        // both. Mirrors serve.ts's port resolution so a custom $PORT
+        // flows through. EXECUTOR_WEB_BASE_URL overrides entirely for
+        // deployments where the UI is on a different host.
+        coreTools: {
+          webBaseUrl:
+            process.env.EXECUTOR_WEB_BASE_URL ??
+            `http://localhost:${process.env.PORT ?? "4788"}`,
+        },
       });
 
       // Sync sources from executor.jsonc (idempotent — plugins upsert).

packages/app/src/routes/secrets.tsx

@@ -1,6 +1,25 @@
+import { Schema } from "effect";
 import { createFileRoute } from "@tanstack/react-router";
 import { SecretsPage } from "@executor-js/react/pages/secrets";
 
+// Query params supported by the agent-facing `secrets.create` static tool:
+// it builds a URL like `/secrets?name=…&scope=…&secretId=…` and hands
+// it to the user. The page opens the add modal pre-filled when any
+// prefill field is present so the user only has to type the value.
+const SearchParams = Schema.toStandardSchemaV1(
+  Schema.Struct({
+    name: Schema.optional(Schema.String),
+    secretId: Schema.optional(Schema.String),
+    provider: Schema.optional(Schema.String),
+    scope: Schema.optional(Schema.String),
+  }),
+);
+
 export const Route = createFileRoute("/secrets")({
-  component: SecretsPage,
+  validateSearch: SearchParams,
+  component: () => {
+    const { name, secretId, provider } = Route.useSearch();
+    const hasPrefill = name != null || secretId != null;
+    return <SecretsPage prefill={hasPrefill ? { name, secretId, provider } : undefined} />;
+  },
 });

packages/core/sdk/src/core-tools.ts

@@ -0,0 +1,190 @@
+// ---------------------------------------------------------------------------
+// core-tools plugin
+//
+// Built-in plugin that contributes agent-facing static tools for managing
+// executor-level primitives (scopes, secrets). Auto-registered by
+// `createExecutor`, so callers don't need to wire it in.
+//
+// Today's surface:
+//   - scopes.list   — enumerate visible scopes by name
+//   - secrets.list  — list visible secrets (collapsed across scopes)
+//   - secrets.create — agent supplies scope + name; tool returns a URL
+//                      that opens the existing /secrets web page with the
+//                      add-modal pre-filled. User enters the value in
+//                      that form (writes via the existing secrets HTTP
+//                      endpoint). Agent confirms by calling secrets.list.
+//
+// No elicitation suspension, no cross-request coordination. Works on
+// Cloudflare Workers because the tool's return value is just a URL.
+//
+// The agent never sees plaintext secret values. The agent never picks a
+// default scope on the user's behalf — every write tool requires an
+// explicit scope name, and `scopes.list` exists so the agent can
+// enumerate options before asking.
+// ---------------------------------------------------------------------------
+
+import { Effect, Schema } from "effect";
+
+import { definePlugin, tool } from "./plugin";
+
+// ---------------------------------------------------------------------------
+// Tool input/output schemas
+// ---------------------------------------------------------------------------
+
+const ScopesListOutput = Schema.Struct({
+  scopes: Schema.Array(
+    Schema.Struct({
+      name: Schema.String,
+    }),
+  ),
+});
+
+const SecretsListOutput = Schema.Struct({
+  secrets: Schema.Array(
+    Schema.Struct({
+      id: Schema.String,
+      name: Schema.String,
+      provider: Schema.String,
+    }),
+  ),
+});
+
+const SecretsCreateInput = Schema.Struct({
+  /** Display name shown in the secrets UI and used to reference this
+   *  secret in subsequent tool calls. */
+  name: Schema.String,
+  /** Name of the scope (from `scopes.list`) that should own this
+   *  secret. Required — there is no default. */
+  scope: Schema.String,
+  /** Optional provider override. If omitted, the executor picks the
+   *  first writable provider in registration order. */
+  provider: Schema.optional(Schema.String),
+});
+
+const SecretsCreateOutput = Schema.Struct({
+  /** Pre-allocated id the secret will receive when the user submits the
+   *  form. The agent can pass this to other tools that need a secret
+   *  reference; it materializes in `secrets.list` once the user saves. */
+  id: Schema.String,
+  /** URL to hand to the user. Opens the /secrets page with the add
+   *  modal pre-filled with name, scope, and the pre-allocated id. */
+  url: Schema.String,
+});
+
+const ScopesListOutputStd = Schema.toStandardSchemaV1(
+  Schema.toStandardJSONSchemaV1(ScopesListOutput),
+);
+const SecretsListOutputStd = Schema.toStandardSchemaV1(
+  Schema.toStandardJSONSchemaV1(SecretsListOutput),
+);
+const SecretsCreateInputStd = Schema.toStandardSchemaV1(
+  Schema.toStandardJSONSchemaV1(SecretsCreateInput),
+);
+const SecretsCreateOutputStd = Schema.toStandardSchemaV1(
+  Schema.toStandardJSONSchemaV1(SecretsCreateOutput),
+);
+
+// ---------------------------------------------------------------------------
+// Options
+// ---------------------------------------------------------------------------
+
+export interface CoreToolsPluginOptions {
+  /** Base URL of the executor's web UI. Used to build the URL handed to
+   *  the user for secret-value entry, e.g. `${webBaseUrl}/secrets?...`.
+   *  If omitted, secrets.create is registered but will fail at invoke
+   *  time — the host must supply a URL it can route back to. */
+  readonly webBaseUrl?: string;
+}
+
+// ---------------------------------------------------------------------------
+// Plugin
+// ---------------------------------------------------------------------------
+
+export const coreToolsPlugin = definePlugin((options: CoreToolsPluginOptions = {}) => ({
+  id: "core-tools" as const,
+  packageName: "@executor-js/sdk/core-tools",
+  storage: () => ({}),
+  extension: () => ({}),
+
+    staticSources: () => [
+      {
+        id: "core-tools",
+        kind: "executor",
+        name: "Executor",
+        tools: [
+          tool({
+            name: "scopes.list",
+            description:
+              "List the scopes visible to this executor. Use this before any tool that takes a `scope` argument so you can ask the user which scope to use.",
+            outputSchema: ScopesListOutputStd,
+            execute: (_args, { ctx }) =>
+              Effect.succeed({
+                scopes: ctx.scopes.map((s) => ({ name: s.name })),
+              }),
+          }),
+
+          tool({
+            name: "secrets.list",
+            description:
+              "List secrets visible to this executor. Returns id, display name, and provider — never values. Use the returned id when other tools ask for a secret reference.",
+            outputSchema: SecretsListOutputStd,
+            execute: (_args, { ctx }) =>
+              Effect.gen(function* () {
+                const refs = yield* ctx.secrets.list();
+                return {
+                  secrets: refs.map((r) => ({
+                    id: r.id,
+                    name: r.name,
+                    provider: r.provider,
+                  })),
+                };
+              }),
+          }),
+
+          tool({
+            name: "secrets.create",
+            description:
+              "Create a new secret. Returns a URL the user should open to enter the value securely; the agent never sees plaintext. The secret materializes once the user submits the form — confirm by calling `secrets.list` and looking for the returned id.",
+            inputSchema: SecretsCreateInputStd,
+            outputSchema: SecretsCreateOutputStd,
+            execute: (input, { ctx }) =>
+              Effect.gen(function* () {
+                const webBaseUrl = options.webBaseUrl;
+                if (!webBaseUrl) {
+                  return yield* Effect.die(
+                    new Error(
+                      "core-tools secrets.create requires webBaseUrl. Pass it to coreToolsPlugin({ webBaseUrl }) at executor construction.",
+                    ),
+                  );
+                }
+
+                const targetScope = ctx.scopes.find((s) => s.name === input.scope);
+                if (!targetScope) {
+                  return yield* Effect.die(
+                    new Error(
+                      `secrets.create: unknown scope "${input.scope}". Call scopes.list to see valid names.`,
+                    ),
+                  );
+                }
+
+                const secretId = crypto.randomUUID();
+
+                const url = new URL(`${webBaseUrl.replace(/\/$/, "")}/secrets`);
+                // Page reads these and opens the add modal pre-filled.
+                // Final value is collected from the user and written via
+                // the existing /scopes/:id/secrets POST. The presence of
+                // `name` is the open-modal signal (no separate flag).
+                url.searchParams.set("scope", String(targetScope.id));
+                url.searchParams.set("name", input.name);
+                url.searchParams.set("secretId", secretId);
+                if (input.provider) url.searchParams.set("provider", input.provider);
+
+                return { id: secretId, url: url.toString() };
+              }),
+          }),
+        ],
+      },
+    ],
+  }));
+
+export default coreToolsPlugin;

packages/core/sdk/src/executor.ts

@@ -24,6 +24,7 @@ import {
 } from "@executor-js/storage-core";
 
 import { pluginBlobStore, type BlobStore } from "./blob";
+import { coreToolsPlugin } from "./core-tools";
 import {
   ConnectionProviderState,
   ConnectionRef,
@@ -368,6 +369,20 @@ export interface ExecutorConfig<TPlugins extends readonly AnyPlugin[] = []> {
     readonly timeout?: Duration.Input;
     readonly hostedOutboundPolicy?: boolean;
   };
+  /**
+   * Enable the built-in `core-tools` plugin which contributes
+   * agent-facing static tools (`scopes.list`, `secrets.list`,
+   * `secrets.create`). The `webBaseUrl` is where the executor's web
+   * UI lives; `secrets.create` builds a URL elicitation that points
+   * the user at `${webBaseUrl}/secrets?...` so the plaintext value
+   * never crosses the agent.
+   *
+   * Omit to skip registration (tests, MCP-only hosts that don't
+   * surface a web UI, etc.).
+   */
+  readonly coreTools?: {
+    readonly webBaseUrl: string;
+  };
 }
 
 // ---------------------------------------------------------------------------
@@ -766,7 +781,7 @@ export const createExecutor = <const TPlugins extends readonly AnyPlugin[] = []>
       const empty: readonly AnyPlugin[] = [];
       return empty as TPlugins;
     };
-    const { scopes, adapter: rootAdapter, blobs, plugins = defaultPlugins() } = config;
+    const { scopes, adapter: rootAdapter, blobs, plugins: userPlugins = defaultPlugins() } = config;
 
     if (scopes.length === 0) {
       return yield* new StorageError({
@@ -775,6 +790,16 @@ export const createExecutor = <const TPlugins extends readonly AnyPlugin[] = []>
       });
     }
 
+    // Built-in core-tools plugin: contributes scopes.list / secrets.list /
+    // secrets.create static tools so agents can manage executor primitives
+    // without the host wiring it explicitly. Opt-in via `coreTools` config.
+    const plugins: readonly AnyPlugin[] = config.coreTools
+      ? ([
+          coreToolsPlugin({ webBaseUrl: config.coreTools.webBaseUrl }),
+          ...userPlugins,
+        ] as readonly AnyPlugin[])
+      : (userPlugins as readonly AnyPlugin[]);
+
     // Scope-wrap the root adapter so every read on a tenant-scoped
     // table filters by `scope_id IN (scopes)` and every write's
     // `scope_id` payload is validated to be in the stack. Reads walk

packages/core/sdk/src/index.ts

@@ -301,6 +301,12 @@ export {
   collectSchemas,
 } from "./executor";
 
+// Built-in core-tools plugin (scopes.list, secrets.list, secrets.create
+// with URL elicitation). Auto-registered by createExecutor when
+// `coreTools` is set on the config; also exportable for callers who
+// want to register it manually.
+export { coreToolsPlugin, type CoreToolsPluginOptions } from "./core-tools";
+
 // CLI / runtime config
 export {
   defineExecutorConfig,

packages/react/src/pages/secrets.tsx

@@ -62,13 +62,20 @@ const isSecretInUseError = Schema.is(SecretInUseError);
 // state always starts fresh — no manual reset.
 // ---------------------------------------------------------------------------
 
+interface SecretPrefill {
+  readonly name?: string;
+  readonly secretId?: string;
+  readonly provider?: string;
+}
+
 function AddSecretDialog(props: {
   open: boolean;
   onOpenChange: (v: boolean) => void;
   description: string;
   storageOptions: readonly SecretStorageOption[];
   existingSecretIds: readonly string[];
   scopeId: ScopeId;
+  prefill?: SecretPrefill;
 }) {
   return (
     <Dialog open={props.open} onOpenChange={props.onOpenChange}>
@@ -79,6 +86,7 @@ function AddSecretDialog(props: {
           storageOptions={props.storageOptions}
           existingSecretIds={props.existingSecretIds}
           scopeId={props.scopeId}
+          prefill={props.prefill}
           onClose={() => props.onOpenChange(false)}
         />
       )}
@@ -91,13 +99,17 @@ function AddSecretDialogContent(props: {
   storageOptions: readonly SecretStorageOption[];
   existingSecretIds: readonly string[];
   scopeId: ScopeId;
+  prefill?: SecretPrefill;
   onClose: () => void;
 }) {
-  const initialProvider = props.storageOptions[0]?.value ?? "auto";
+  const initialProvider =
+    props.prefill?.provider ?? props.storageOptions[0]?.value ?? "auto";
 
   return (
     <SecretForm.Provider
       existingSecretIds={props.existingSecretIds}
+      suggestedName={props.prefill?.name}
+      initialIdOverride={props.prefill?.secretId}
       initialProvider={initialProvider}
       scopeId={props.scopeId}
       onCreated={props.onClose}
@@ -232,14 +244,19 @@ export function SecretsPage(props: {
   addSecretDescription?: string;
   showProviderInfo?: boolean;
   storageOptions?: readonly SecretStorageOption[];
+  /** Pre-fill values for the add-secret modal and auto-open it. Set by
+   *  the route when the URL carries `?openAdd=1&name=…&secretId=…`,
+   *  which is how the agent-facing `secrets.create` tool hands a user
+   *  off to this page. */
+  prefill?: SecretPrefill;
 }) {
   const storageOptions = props.storageOptions ?? defaultStorageOptions;
   const showProviderInfo = props.showProviderInfo ?? true;
   const addSecretDescription =
     props.addSecretDescription ??
     "Store a credential or API key. Values are kept in your system keychain when available, with a local encrypted file fallback.";
   const secretProviderPlugins = useSecretProviderPlugins();
-  const [addOpen, setAddOpen] = useState(false);
+  const [addOpen, setAddOpen] = useState(props.prefill != null);
   const scopeId = useScope();
   const scopeStack = useScopeStack();
   const secrets = useAtomValue(secretsOptimisticAtom(scopeId));
@@ -395,6 +412,7 @@ export function SecretsPage(props: {
           storageOptions={storageOptions}
           existingSecretIds={existingSecretIds}
           scopeId={scopeId}
+          prefill={props.prefill}
         />
       </div>
     </div>