Add Stripe MCP support for environments like staging and production and enforce restricted keys

Author: tjementum

.claude/scripts/stripe-mcp-dev.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Reads a Stripe API key from dotnet user-secrets and execs @stripe/mcp.
+# Only accepts restricted keys (rk_*) so write-capable full secret keys (sk_*)
+# can never reach the MCP, regardless of environment. Configure the restricted
+# key with read-only scopes in the Stripe dashboard.
+# Usage: stripe-mcp.sh <secret-name>
+# Example: stripe-mcp.sh Parameters:stripe-api-key
+SECRET_NAME="${1:?Secret name required, e.g. Parameters:stripe-api-key}"
+
+STRIPE_SECRET_KEY=$(dotnet user-secrets list --project application/AppHost/AppHost.csproj | sed -n "s/^${SECRET_NAME} = //p")
+
+if [ -z "$STRIPE_SECRET_KEY" ]; then
+  echo "Stripe MCP: secret '${SECRET_NAME}' not found in dotnet user-secrets." >&2
+  exit 1
+fi
+
+if [[ "$STRIPE_SECRET_KEY" != rk_* ]]; then
+  echo "Stripe MCP: secret '${SECRET_NAME}' must be a restricted key (rk_test_* or rk_live_*); full secret keys (sk_*) are not allowed." >&2
+  exit 1
+fi
+
+export STRIPE_SECRET_KEY
+exec npx -y @stripe/mcp

.claude/scripts/stripe-mcp.sh

@@ -39,7 +39,12 @@
       }
     },
     "stripe-development": {
-      "command": ".claude/scripts/stripe-mcp-dev.sh"
+      "command": ".claude/scripts/stripe-mcp.sh",
+      "args": ["Parameters:stripe-api-key"]
+    },
+    "stripe-staging": {
+      "command": ".claude/scripts/stripe-mcp.sh",
+      "args": ["Parameters:stripe-api-key-staging"]
     }
   }
 }