From 543f9b64ec6ad2aafab38b062e79adc5c757838d Mon Sep 17 00:00:00 2001 From: Petr Nyc Date: Tue, 19 May 2026 10:07:40 +0200 Subject: [PATCH] periodic commit --- .codex/config.toml | 89 +++++++++++++- .spacemacs | 1 + .ssh/config.oci | 34 +++++- .ssh/config.solaris | 12 +- bin/codex-wrapper.sh | 5 + bin/load-yubikey-piv-ssh | 258 +++++++++++++++++++++++++++++++++++++++ 6 files changed, 394 insertions(+), 5 deletions(-) create mode 100755 bin/codex-wrapper.sh create mode 100755 bin/load-yubikey-piv-ssh diff --git a/.codex/config.toml b/.codex/config.toml index e21ddaa..0bfa346 100644 --- a/.codex/config.toml +++ b/.codex/config.toml @@ -209,6 +209,12 @@ approval_mode = "approve" [mcp_servers.playwright.tools.browser_click] approval_mode = "approve" +[mcp_servers.playwright.tools.browser_type] +approval_mode = "approve" + +[mcp_servers.playwright.tools.browser_tabs] +approval_mode = "approve" + [mcp_servers.oci-kb] command = "/Users/jetpac/.local/bin/ocikb-mcp-server" startup_timeout_sec = 30.0 @@ -290,6 +296,15 @@ approval_mode = "approve" [mcp_servers.devops_mcp.tools.get_shepherd_execution_target_state] approval_mode = "approve" +[mcp_servers.devops_mcp.tools.get_tenancy_by_id] +approval_mode = "approve" + +[mcp_servers.devops_mcp.tools.list_subscription_mappings] +approval_mode = "approve" + +[mcp_servers.devops_mcp.tools.list_subscriptions] +approval_mode = "approve" + [mcp_servers.mcp_shepherd] command = "uvx" args = ["--default-index", "https://artifactory.oci.oraclecorp.com/api/pypi/global-release-pypi/simple/", "--from", "mcp-shepherd-server", "mcp-shepherd", "--transport", "stdio"] @@ -352,6 +367,9 @@ approval_mode = "approve" [mcp_servers.mcp_shepherd.tools.shepherd_get_latest_static_analysis_for_execution_target] approval_mode = "approve" +[mcp_servers.mcp_shepherd.tools.shepherd_get_release_phase_target_guardrails_metadata] +approval_mode = "approve" + [mcp_servers.grt] command = "/Users/jetpac/.codex/bin/grt-mcp" startup_timeout_sec = 30.0 @@ -450,6 +468,9 @@ approval_mode = "approve" [mcp_servers.central_confluence.tools.confluence_get_macro_hints] approval_mode = "approve" +[mcp_servers.central_confluence.tools.confluence_search_user] +approval_mode = "approve" + [mcp_servers.notmuch] command = "node" args = ["/Users/jetpac/Documents/codex-tools/MCPs/notmuch/dist/index.js"] @@ -537,7 +558,7 @@ BITBUCKET_ENABLE_READ_ONLY = "true" BITBUCKET_ENABLE_SAFE_WRITE = "true" BITBUCKET_URL = "https://bitbucket.oci.oraclecorp.com" MCP_PROJECT_DEFAULT = "ODAAS" -MCP_PROJECT_LIST = "ODAAS" +MCP_PROJECT_LIST = "ODAAS,CARE" [mcp_servers.oracle-bitbucket.tools.get_activities] approval_mode = "approve" @@ -569,6 +590,9 @@ approval_mode = "approve" [mcp_servers.oracle-bitbucket.tools.search] approval_mode = "approve" +[mcp_servers.oracle-bitbucket.tools.browse_repository] +approval_mode = "approve" + [mcp_servers.mcp-atlassian] command = "uvx" args = ["--python=3.11", "mcp-atlassian"] @@ -892,6 +916,33 @@ trust_level = "trusted" [projects."/private/tmp/merge-marian/oci-desktop-service-shepherd"] trust_level = "trusted" +[projects."/Users/jetpac/Documents/akidr/ips-repo-pkg-delivery"] +trust_level = "trusted" + +[projects."/Users/jetpac/Documents/OSD/guardrails-skill"] +trust_level = "trusted" + +[projects."/Users/jetpac/Documents/11.4.93"] +trust_level = "trusted" + +[projects."/Users/jetpac/Documents/OSD/merino"] +trust_level = "trusted" + +[projects."/Users/jetpac/Documents/codex"] +trust_level = "trusted" + +[projects."/private/tmp/hjovno"] +trust_level = "trusted" + +[projects."/Users/jetpac/Documents/codex/update-solarisx86-linux"] +trust_level = "trusted" + +[projects."/Users/jetpac/Documents/codex/symphony"] +trust_level = "trusted" + +[projects."/Users/jetpac/src/symphony"] +trust_level = "trusted" + [marketplaces.openai-bundled] last_updated = "2026-05-05T21:54:34Z" source_type = "local" @@ -1003,3 +1054,39 @@ approval_mode = "approve" [mcp_servers.mcp_gateway.tools.jira__jira_get_issue_development_info] approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__get_shepherd_flocks] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__get_shepherd_releases] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_details] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_phase_target_guardrails_metadata] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__list_shepherd_execution_targets_for_flock] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__get_shepherd_phase_execution_targets] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__get_shepherd_release_target_blocker] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__list_shepherd_system_settings] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.devops__list_shepherd_system_setting_names] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.jirasd__jira_search] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.sks__search] +approval_mode = "approve" + +[mcp_servers.mcp_gateway.tools.kcm__search] +approval_mode = "approve" diff --git a/.spacemacs b/.spacemacs index f4f998d..e8ff1b1 100644 --- a/.spacemacs +++ b/.spacemacs @@ -1077,6 +1077,7 @@ before packages are loaded." "~/Documents/org/work/oracle.org" "~/Documents/org/someday.org" "~/Documents/org/calendar.org" + "~/Documents/organice/telefon.org" )) diff --git a/.ssh/config.oci b/.ssh/config.oci index 621898f..955f19f 100644 --- a/.ssh/config.oci +++ b/.ssh/config.oci @@ -8,7 +8,7 @@ Host bitbucket.oci.oraclecorp.com HostkeyAlgorithms +ssh-rsa PubkeyAcceptedAlgorithms +ssh-rsa -Host dabel dabel.us.oracle.com andel andel.us.oracle.com gates gates.us.oracle.com on10-patch.us.oracle.com +Host dabel dabel.us.oracle.com andel andel.us.oracle.com gates gates.us.oracle.com on10-patch.us.oracle.com scapen* User pnyc IdentityFile ~/.ssh/dabel.key RequestTTY yes @@ -17,3 +17,35 @@ Host codex.webad1phx.solarisx86phx.oraclevcn.com User pnyc IdentityFile ~/.ssh/id_rsa IdentitiesOnly yes + +Host operator-access-token.svc.ad1.r2 + User pnyc + +Host jenkins-java-test + HostName 100.106.196.24 + User opc + IdentityFile ~/.ssh/id_rsa + IdentitiesOnly yes + WarnWeakCrypto no + +Host nginx-osd-dev + HostName 100.106.197.175 + User opc + IdentityFile ~/.ssh/osd-dev-pnyc + IdentitiesOnly yes + WarnWeakCrypto no + +Host osd-calico-dev + HostName 100.106.197.237 + User opc + IdentityFile ~/.ssh/id_ed25519 + IdentitiesOnly yes + WarnWeakCrypto no + +Host pnyc-ws + HostName 100.106.196.59 + User opc + IdentityFile ~/.ssh/id_pnyc-ws + IdentitiesOnly yes + WarnWeakCrypto no + ForwardAgent yes \ No newline at end of file diff --git a/.ssh/config.solaris b/.ssh/config.solaris index 3eb2710..1925fa7 100644 --- a/.ssh/config.solaris +++ b/.ssh/config.solaris @@ -160,9 +160,15 @@ Host adam-test HostName 100.106.212.188 User opc -Host nori nori.commonsub.zsphx.oraclevcn.com - Hostname nori.commonsub.zsphx.oraclevcn.com - User opc +# Host nori nori.commonsub.zsphx.oraclevcn.com +# Hostname nori.commonsub.zsphx.oraclevcn.com +# User opc + +Host nori sfzfs-nori.commonsub.zsphx.oraclevcn.com + Hostname sfzfs-nori.commonsub.zsphx.oraclevcn.com + User opc + IdentityFile ~/.ssh/nori + # Host operator-access-token.svc.ad1.r2 bastion*.oracleiaas.com # Include ~/.ssh/ssh_configs/config diff --git a/bin/codex-wrapper.sh b/bin/codex-wrapper.sh new file mode 100755 index 0000000..8507eeb --- /dev/null +++ b/bin/codex-wrapper.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env zsh + +export BITBUCKET_TOKEN=NzQ0MDE3NjEzNDE1Oh6PpMt8Rl+a569vzoPOfCRJ+Kwt +"$HOME/bin/codex-devops-auth.sh" -a on-request -s danger-full-access "$@" + diff --git a/bin/load-yubikey-piv-ssh b/bin/load-yubikey-piv-ssh new file mode 100755 index 0000000..bbb16db --- /dev/null +++ b/bin/load-yubikey-piv-ssh @@ -0,0 +1,258 @@ +#!/bin/zsh +# Load YubiKey PIV SSH keys into the macOS launchd-managed ssh-agent. +# The default health check verifies the PIV AUTH key with ssh-add -T so +# listed-but-stale PKCS#11 keys are reloaded instead of being trusted. +set -u + +PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}" +PIV_KEY_PATTERN="${PIV_KEY_PATTERN:-PIV AUTH pubkey|SIGN pubkey|KEY MAN pubkey|CARD AUTH pubkey}" +PIV_AUTH_PATTERN="${PIV_AUTH_PATTERN:-PIV AUTH pubkey}" +VERIFY_MODE="auth" +TMP_DIRS=() +SCRIPT_NAME="${0:t}" + +usage() { + # Print the small CLI surface; normal operation intentionally has few knobs. + cat <&2 + exit 2 + ;; + esac + shift +done + +cleanup() { + # Remove temporary public-key files created for ssh-add -T verification. + local dir + for dir in "${TMP_DIRS[@]}"; do + [[ -n "${dir}" && -d "${dir}" ]] && rm -rf -- "${dir}" + done +} +trap cleanup EXIT INT TERM + +die() { + # Report a fatal script error with a stable prefix for shell output. + print -u2 -- "load-yubikey-piv-ssh: $*" + exit 1 +} + +note() { + # Emit status messages to stderr so stdout stays clean for callers. + print -u2 -- "load-yubikey-piv-ssh: $*" +} + +agent_socket() { + # Return the launchd-published ssh-agent socket if it exists. + local sock + sock="$(launchctl getenv SSH_AUTH_SOCK 2>/dev/null || true)" + [[ -n "${sock}" && -S "${sock}" ]] || return 1 + print -r -- "${sock}" +} + +use_launchd_agent() { + # Force this shell to use Apple's launchd-managed agent socket and ignore + # stale SSH_AGENT_PID values from manually started agents. + local sock + sock="$(agent_socket)" || die "could not find launchd SSH_AUTH_SOCK" + export SSH_AUTH_SOCK="${sock}" + unset SSH_AGENT_PID +} + +agent_has_piv_keys() { + # Check for any listed YubiKey PIV identities in the active agent. + ssh-add -l 2>/dev/null | egrep -q "${PIV_KEY_PATTERN}" +} + +loaded_piv_public_keys() { + # Select loaded public keys for either health verification or no-verify mode. + local pattern + case "${VERIFY_MODE}" in + auth) pattern="${PIV_AUTH_PATTERN}" ;; + none) pattern="${PIV_KEY_PATTERN}" ;; + *) die "internal error: unknown verify mode: ${VERIFY_MODE}" ;; + esac + + ssh-add -L 2>/dev/null | egrep "${pattern}" || true +} + +verify_loaded_piv_keys() { + # Export the loaded PIV AUTH public key to a temp file and ask ssh-add to + # perform a local sign-and-verify operation through the agent. + [[ "${VERIFY_MODE}" == "none" ]] && return 0 + + local tmp key_file line count + local -a key_files + + tmp="$(mktemp -d "${TMPDIR:-/tmp}/load-yubikey-piv-ssh.XXXXXX")" || + die "failed to create temporary directory" + TMP_DIRS+=("${tmp}") + + count=0 + while IFS= read -r line; do + [[ -n "${line}" ]] || continue + count=$((count + 1)) + key_file="${tmp}/piv-${count}.pub" + print -r -- "${line}" >| "${key_file}" || + die "failed to write temporary public key" + chmod 600 "${key_file}" || die "failed to chmod temporary public key" + key_files+=("${key_file}") + done < <(loaded_piv_public_keys) + + if [[ "${count}" -eq 0 ]]; then + note "no matching PIV AUTH public key found for verification" + return 1 + fi + + SSH_ASKPASS_REQUIRE=never ssh-add -T "${key_files[@]}" >/dev/null 2>&1 +} + +agent_has_healthy_piv_keys() { + # A healthy state requires both listed PIV keys and a successful sign test. + if ! agent_has_piv_keys; then + return 1 + fi + + if verify_loaded_piv_keys; then + return 0 + fi + + return 1 +} + +agent_responds() { + # Treat "no identities" as a working agent, but reject broken sockets. + ssh-add -l >/dev/null 2>&1 + case "$?" in + 0|1) return 0 ;; # 1 means a reachable agent with no identities. + *) return 1 ;; + esac +} + +restart_launchd_agent() { + # Restart only the launchd-managed ssh-agent. macOS may block kickstart under + # SIP, so fall back to terminating the exact PID reported by launchctl. + local pid + local i + + note "restarting launchd ssh-agent" + + if launchctl kickstart -k "gui/${UID}/com.openssh.ssh-agent" >/dev/null 2>&1; then + sleep 1 + use_launchd_agent + return 0 + fi + + pid="$(launchctl print "gui/${UID}/com.openssh.ssh-agent" 2>/dev/null | + awk '/pid = / { print $3; exit }')" + + if [[ -n "${pid}" ]]; then + note "launchctl kickstart failed; terminating launchd ssh-agent pid ${pid}" + kill -TERM "${pid}" >/dev/null 2>&1 || + die "failed to terminate launchd ssh-agent pid ${pid}" + + for i in {1..10}; do + kill -0 "${pid}" >/dev/null 2>&1 || break + sleep 0.2 + done + + if kill -0 "${pid}" >/dev/null 2>&1; then + note "launchd ssh-agent pid ${pid} did not exit after TERM; sending KILL" + kill -KILL "${pid}" >/dev/null 2>&1 || + die "failed to kill launchd ssh-agent pid ${pid}" + fi + else + note "launchctl kickstart failed and no running launchd ssh-agent pid was found" + fi + + use_launchd_agent + + if ! agent_responds; then + die "failed to restart launchd ssh-agent" + fi +} + +load_provider() { + # Load the OpenSC PKCS#11 provider and force PIN entry on the terminal. + SSH_ASKPASS_REQUIRE=never ssh-add -s "${PKCS11_LIB}" +} + +verify_or_report_stale() { + # Treat listed PIV keys as healthy only after verification succeeds. + if agent_has_healthy_piv_keys; then + case "${VERIFY_MODE}" in + none) note "PIV keys are already loaded" ;; + auth) note "PIV AUTH key is already loaded and verified" ;; + esac + return 0 + fi + + if agent_has_piv_keys; then + note "PIV keys are listed but failed verification; treating agent as stale" + fi + + return 1 +} + +[[ -r "${PKCS11_LIB}" ]] || die "PKCS#11 library is not readable: ${PKCS11_LIB}" + +use_launchd_agent + +if verify_or_report_stale; then + exit 0 +fi + +if agent_has_piv_keys; then + restart_launchd_agent +elif ! agent_responds; then + restart_launchd_agent +fi + +if load_provider && agent_has_healthy_piv_keys; then + case "${VERIFY_MODE}" in + none) note "PIV keys loaded" ;; + auth) note "PIV keys loaded and PIV AUTH key verified" ;; + esac + exit 0 +fi + +note "initial load failed; checking agent state" + +if verify_or_report_stale; then + exit 0 +fi + +restart_launchd_agent + +if load_provider && agent_has_healthy_piv_keys; then + case "${VERIFY_MODE}" in + none) note "PIV keys loaded after agent restart" ;; + auth) note "PIV keys loaded after agent restart and PIV AUTH key verified" ;; + esac + exit 0 +fi + +die "failed to load and verify PIV keys"