keycard-cli

Shows what credentials are configured in this Keycard session — which services are available and what they provide access to. TRIGGER when: user asks what credentials, tokens, or services are available in the current Keycard session ("what tokens do I have", "what services are available", "am I authenticated", "list my credentials", "do I have access to X", "am I signed in to X", "is my X token loaded"). DO NOT TRIGGER when: user wants to add, remove, or rotate credentials (use `keycard credential` commands directly).

Discover and wire credential entities or MCP servers via the Keycard Management API — find available entity URIs and register them in keycard.toml, or find MCP-provider applications and add them to .mcp.json. TRIGGER when: user says "I need X credentials", "add a resource", "add an X credential", "what entities are available in the Management API", "configure access to X service", "set up X integration", "user wants to add an MCP server", "what MCP servers are available in my zone", "discover MCP servers". DO NOT TRIGGER when: the user already has credentials and wants to inspect them (use `keycard-credentials`); user wants to edit an existing config field that is not a credential entry (use `keycard-upsert-config`); user wants to set a non-MCP config field (use `keycard-upsert-config`).

Answer questions about the active Cedar policy and diagnose tool blocks — read-only; does not modify the policy. TRIGGER when: user asks what tools are allowed, whether a specific tool is permitted (e.g. "Can I use X?", "Am I allowed to use X?", "What's my policy?"), why a tool was blocked, or reports "a tool was just blocked." DO NOT TRIGGER when: user wants to change, add, or remove a policy rule (→ `keycard-upsert-policy`); user asks general questions about Cedar concepts without reference to their active policy.

Set or change a field in keycard.toml — reads the current value and writes a targeted update. TRIGGER when: user wants to set or change a field in keycard.toml; wants to add or update a credentials entry. DO NOT TRIGGER when: user asks about Cedar policy rules (use `keycard-query-policy`); user asks what credentials are active in the current session (use `keycard-credentials`); user is asking a field question only with no intent to write (read `.agents/reference/keycard-config-fields.md` directly).

Add or update an MCP server entry in .mcp.json. TRIGGER when: user wants to add or update an MCP server in .mcp.json. DO NOT TRIGGER when: user wants to set a keycard.toml field (use keycard-upsert-config); user wants to discover which MCP servers are available (use keycard-discover-entities).

3 hooks across 3 events