SDK-only projects can use @fentaris/core and the fentaris secrets commands without creating fentaris.json. The CLI discovers the nearest package.json that depends on @fentaris/core.
Quick Start
Install the core package and CLI:
pnpm add @fentaris/core
pnpm add -D @fentaris/cli
package.json:
{
"dependencies": {
"@fentaris/core": "^2.0.0"
},
"fentaris": {
"entrypoint": "src/server.ts",
"authDir": ".fentaris"
}
}
import {
bearer,
credential,
credentialJson,
fentaris,
mcp,
streamableHttp,
} from "@fentaris/core";
const app = fentaris({
defaults: {
credentials: {
"github.token": credentialJson("defaults.github.token"),
},
},
servers: [
mcp("github", {
transport: streamableHttp({ url: "https://github.example/mcp" }),
auth: bearer(credential("github.token")),
}),
],
});
await app.start({ port: 4000, path: "/mcp" });
fentaris secrets manifest --entrypoint src/server.ts
export FENTARIS_AUTH_KEY="local-encryption-key"
printf '%s' "$GITHUB_TOKEN" | fentaris secrets set github.token --value-stdin --non-interactive
defaults.github.token, matching the credentialJson(...) declaration. Use --user <id> or --group <id> only when the TypeScript configuration declares the corresponding user or group credential source.
What To Commit
Commit the manifest and the package metadata:
package.json
.fentaris/secrets.manifest.json
.fentaris/credentials.enc.json
.fentaris/secrets.manifest.json contains reference names and scopes only. It is the schema teammates and CI need; it does not contain secret values.
Validate In CI
Use manifest check mode to catch stale credential declarations:
fentaris secrets manifest --entrypoint src/server.ts --check
fentaris secrets doctor locally when a teammate cannot start the proxy because a required credential is missing.