Save a response in file.cheap
Use an explicit file handoff so the artifact is reviewable before persistence:hitspec-response, format:raw|text|markdown|json, a safe
request name, and status:<code>. Do not put credentials, tokens, cookies, or
URL query parameters in names, tags, or source metadata.
Hitspec does not invoke fcheap itself. This keeps a failed artifact save from
changing HTTP execution semantics and lets each tool evolve independently.
Register both servers in MCPHub
hitspec__hitspec_fetch and
fcheap__fcheap_save. Verify the catalog before changing an agent config:
hitspec_fetch returns inline
content, so the supported durable workflow is CLI → reviewed file → fcheap save. A future workspace-scoped artifact handle can close that gap without
accepting arbitrary output paths from MCP.
TinyVault: deferred boundary
Native TinyVault resolution is intentionally deferred. This release has no TinyVault-specific syntax and never writes fetched credentials back to a Hitspec environment automatically. Until a separate secret-reference contract is defined:- inject required values into the Hitspec process environment outside the request or tool arguments;
- do not place secret values in
.httpfiles, MCPHub YAML, URL query strings, output filenames, tags, logs, or Markdown provenance; and - keep MCPHub’s future
vault/vault_onlyprocess wrapper as the boundary, rather than teaching Hitspec to read a vault ad hoc.