stripe
gaby-stripe
First-party MCP connector for Stripe. Read-only.
Policy: money-touching actions never run inside Gaby
This connector exposes only read tools. Refunds, charges, subscription changes — anything that moves money — are not Gaby tools. When an investigation lands on a money-related case, Gaby's job ends at "surface the case (charge, amount, customer history, eligibility) to a human." The human takes the action in Stripe themselves.
Rationale: approving a refund draft from Slack is too thin a safeguard
— one bad click moves money to the wrong customer. See
docs/operations/escalation.md for the full policy.
Safety / PCI scope
Gaby never receives, stores, or transmits cardholder data (PAN, CVC,
track data, PIN). The only Stripe-sensitive value that crosses this
process's boundary is the API key itself, which Gaby envelope-encrypts
at rest. See docs/security/pci-scope.md for the full SAQ-A
justification.
Tools
| Tool | Scope | Notes |
|---|---|---|
| healthcheck | read | Runs a cached restricted-key probe. |
| get_customer | read | /v1/customers/{id} |
| list_recent_charges | read | /v1/charges with since/limit. |
| list_failed_invoices | read | /v1/invoices?status=open |
| get_subscription | read | /v1/subscriptions/{id} |
Environment
| Var | Required | Notes |
|---|---|---|
| STRIPE_API_KEY | ✓ | sk_live_* or sk_test_*. Use a restricted key scoped to Customers: Read + Charges: Read + Invoices: Read + Subscriptions: Read. No write scopes are needed. |
| STRIPE_API_VERSION | — | Pinned default 2024-11-20.acacia. |
| STRIPE_DISABLE_KEY_PROBE | — | 1 to skip the restricted-key probe (for vault setups where probe calls are noisy). |
Restricted-key probe
On first healthcheck call we issue two read probes:
- Refund.list(limit=1) — used to be required for the (removed) issue_refund tool. We keep the probe so operators get a clean warning when their key is over-privileged.
- Customer.list(limit=1) — if this succeeds, the key has broader read scope than Gaby needs. healthcheck.warnings surfaces a recommendation to tighten the key.
Result is cached for the process lifetime. Restart to re-probe.
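
A sketch of the probe-and-cache behaviour described above, added here as an example and not taken from Gaby's own code. KeyProbe, ProbeResult, PermissionDenied and the injected callables are hypothetical stand-ins for the Stripe SDK calls so that it runs offline; letting other errors propagate uncached is a choice made for this example.

```python
import os
from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Hypothetical stand-in for the SDK error raised when a restricted key lacks a scope."""


@dataclass
class ProbeResult:
    skipped: bool = False
    warnings: list = field(default_factory=list)


class KeyProbe:
    """Runs the two read probes once and caches the outcome for the process lifetime."""

    def __init__(self, list_refunds, list_customers, env=None):
        # Injected callables stand in for Refund.list / Customer.list (assumption).
        self._probes = [
            (list_refunds, "key can list refunds: over-privileged, remove refund scopes"),
            (list_customers, "key can list customers: broader read scope than needed, tighten it"),
        ]
        self._env = os.environ if env is None else env
        self._cached = None

    @staticmethod
    def _allowed(call):
        try:
            call(limit=1)  # smallest possible read; the returned data is ignored
            return True
        except PermissionDenied:
            return False  # the expected outcome for a tightly scoped key

    def run(self):
        if self._cached is not None:
            return self._cached  # no re-probe until the process restarts
        if self._env.get("STRIPE_DISABLE_KEY_PROBE") == "1":
            result = ProbeResult(skipped=True)
        else:
            # Any other exception (network, auth) propagates and nothing is
            # cached, so a transient failure is never recorded as "key is fine".
            result = ProbeResult(
                warnings=[msg for call, msg in self._probes if self._allowed(call)]
            )
        self._cached = result
        return result
```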