devops-mcp and codex-mcp config and auth wrapper

Petr Nyc
2026-03-11 16:59:17 +01:00
parent b10c0d0bda
commit 7c6c295eb8
2 changed files with 166 additions and 6 deletions


@@ -10,8 +10,8 @@ preferred_auth_method = "apikey"
# model = "oca/gpt-5.1-codex-mini" # model = "oca/gpt-5.1-codex-mini"
# profile = "gpt-5-1-codex-mini" # profile = "gpt-5-1-codex-mini"
model = "gpt-5.3-codex" model = "gpt-5.4"
profile = "gpt-5-3-codex" profile = "gpt-5-4"
web_search_request = true web_search_request = true
@@ -127,16 +127,33 @@ review_model = "gpt-5.3-codex"
personality = "pragmatic" personality = "pragmatic"
model_reasoning_effort = "high" model_reasoning_effort = "high"
[profiles.gpt-5-4]
model = "gpt-5.4"
model_provider = "oca-responses"
review_model = "gpt-5.4"
personality = "pragmatic"
model_reasoning_effort = "high"
[mcp_servers.playwright] [mcp_servers.playwright]
command = "/Users/jetpac/.codex/bin/playwright-mcp" command = "/Users/jetpac/.codex/bin/playwright-mcp"
startup_timeout_sec = 30.0 startup_timeout_sec = 30.0
PLAYWRIGHT_BROWSERS_PATH = "0" PLAYWRIGHT_BROWSERS_PATH = "0"
# [mcp_servers.oci-kb] [mcp_servers.oci-kb]
# command = "/Users/jetpac/.local/bin/ocikb-mcp-server" # command = "/Users/jetpac/.local/bin/ocikb-mcp-server"
# #
## command = "uvx" command = "uvx"
## args = ["--index", "https://artifactory.oci.oraclecorp.com/api/pypi/global-release-pypi/simple/", "--from", "oci-kb-mcp@latest", "ocikb-mcp-server"] args = ["--index", "https://artifactory.oci.oraclecorp.com/api/pypi/global-release-pypi/simple/", "--from", "oci-kb-mcp@latest", "ocikb-mcp-server"]
## startup_timeout_sec = 30.0 startup_timeout_sec = 30.0
## Adjust args if you need --browser=firefox, --headed, or custom launch flags. ## Adjust args if you need --browser=firefox, --headed, or custom launch flags.
[mcp_servers.devops_mcp]
command = "/Users/jetpac/bin/devops-mcp-wrapper.sh"
env_vars = ["OP_TOKEN", "OPERATOR_ACCESS_TOKEN"]
startup_timeout_sec = 180.0
[projects."/Users/jetpac/bin"]
trust_level = "trusted"
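Review bot: The `[mcp_servers.oci-kb]` block that this change appears to enable (right-hand column) starts the server with `uvx` and `"--from", "oci-kb-mcp@latest"`, so every launch resolves and runs whatever version the index serves at that moment, in a setup that also handles `OP_TOKEN`. Pinning it, e.g. `"--from", "oci-kb-mcp==<PINNED_VERSION>"`, turns an upgrade into a reviewed config change. Separately, `[projects."/Users/jetpac/bin"]` marks as trusted the directory that holds `devops-mcp-wrapper.sh`; what that trust level permits is not visible here, so a one-line comment above it stating why this directory needs to be trusted would help the next reader.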

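--- a/bin/codex-devops-auth.sh
+++ b/bin/codex-devops-auth.sh
@@ -0,0 +1,143 @@
+#!/bin/zsh
+set -euo pipefail
+PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"
+TOKEN_HOST="${TOKEN_HOST:-operator-access-token.svc.ad1.r2}"
+SSH_CONFIG_FILE="${SSH_CONFIG_FILE:-$HOME/.ssh/config.oci}"
+OCI_BIN="${OCI_BIN:-/opt/homebrew/bin/oci}"
+OCI_SESSION_REGION="${OCI_SESSION_REGION:-us-chicago-1}"
+RESET_AGENT="${RESET_AGENT:-0}"
+DEDICATED_AGENT_PID=""
+log() {
+print -u2 -- "$@"
+}
+inherited_agent_likely_rejects_pkcs11() {
+[[ -n "${SSH_AUTH_SOCK:-}" ]] || return 1
+[[ -z "${SSH_AGENT_PID:-}" ]] || return 1
+case "${SSH_AUTH_SOCK}" in
+/private/tmp/com.apple.launchd.*/Listeners)
+return 0
+;;
+esac
+return 1
+}
+cleanup() {
+if [[ -n "${DEDICATED_AGENT_PID}" ]]; then
+SSH_AGENT_PID="${DEDICATED_AGENT_PID}" ssh-agent -k >/dev/null 2>&1 || true
+fi
+}
+ensure_oci_session() {
+if [[ ! -x "${OCI_BIN}" ]]; then
+print -u2 "OCI CLI not found or not executable: ${OCI_BIN}"
+exit 1
+fi
+set +e
+"${OCI_BIN}" session validate >/dev/null 2>&1
+local validate_rc=$?
+set -e
+if [[ ${validate_rc} -eq 0 ]]; then
+log "OCI CLI session is already valid."
+return 0
+fi
+log "OCI CLI session is not valid; attempting refresh."
+set +e
+"${OCI_BIN}" session refresh >/dev/null 2>&1
+local refresh_rc=$?
+set -e
+if [[ ${refresh_rc} -eq 0 ]]; then
+log "OCI CLI session refresh succeeded."
+return 0
+fi
+log "Running OCI CLI session authenticate for ${OCI_SESSION_REGION}."
+"${OCI_BIN}" session authenticate --region "${OCI_SESSION_REGION}"
+}
+ensure_ssh_agent() {
+if [[ -n "${SSH_AUTH_SOCK:-}" && -S "${SSH_AUTH_SOCK}" ]]; then
+set +e
+ssh-add -l >/dev/null 2>&1
+local rc=$?
+set -e
+case ${rc} in
+0|1)
+return 0
+;;
+esac
+fi
+log "Starting ssh-agent for Codex."
+eval "$(ssh-agent -s)" >/dev/null
+DEDICATED_AGENT_PID="${SSH_AGENT_PID:-}"
+}
+add_pkcs11_provider() {
+log "Loading PKCS#11 provider: ${PKCS11_LIB}"
+ssh-add -s "${PKCS11_LIB}" >/dev/null
+}
+prepare_agent() {
+local had_inherited_agent=0
+if [[ -n "${SSH_AUTH_SOCK:-}" && -S "${SSH_AUTH_SOCK}" ]]; then
+had_inherited_agent=1
+fi
+if inherited_agent_likely_rejects_pkcs11; then
+log "Inherited launchd SSH agent is unlikely to support PKCS#11; starting a dedicated ssh-agent for Codex."
+unset SSH_AUTH_SOCK SSH_AGENT_PID
+had_inherited_agent=0
+fi
+ensure_ssh_agent
+if add_pkcs11_provider; then
+return 0
+fi
+if [[ ${had_inherited_agent} -eq 1 ]]; then
+log "Existing SSH agent rejected PKCS#11 provider; starting a dedicated ssh-agent for Codex."
+unset SSH_AUTH_SOCK SSH_AGENT_PID
+ensure_ssh_agent
+add_pkcs11_provider
+return 0
+fi
+return 1
+}
+if [[ ! -f "${SSH_CONFIG_FILE}" ]]; then
+print -u2 "SSH config file not found: ${SSH_CONFIG_FILE}"
+exit 1
+fi
+if [[ "${RESET_AGENT}" == "1" ]]; then
+log "Resetting SSH agent on explicit request."
+pkill -9 ssh-agent >/dev/null 2>&1 || true
+pkill -9 ssh-pkcs11-helper >/dev/null 2>&1 || true
+sleep 1
+fi
+trap cleanup EXIT INT TERM
+ensure_oci_session
+prepare_agent
+log "Refreshing OPERATOR_ACCESS_TOKEN from ${TOKEN_HOST} using ${SSH_CONFIG_FILE}"
+export OPERATOR_ACCESS_TOKEN="$(ssh -F "${SSH_CONFIG_FILE}" "${TOKEN_HOST}" "generate --mode jwt")"
+export OP_TOKEN="${OPERATOR_ACCESS_TOKEN}"
+log "Using fresh OP_TOKEN for Codex and DevOps MCP."
+/opt/homebrew/bin/codex "$@"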
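Review bot: The token assignment near the end of the script, `export OPERATOR_ACCESS_TOKEN="$(ssh ...)"`, hides the exit status of `ssh` behind `export`, so `set -e` does not stop the script when the token request fails and Codex is started with an empty `OP_TOKEN`. Assign first and export afterwards with a check in between: `OPERATOR_ACCESS_TOKEN="$(ssh -F "${SSH_CONFIG_FILE}" "${TOKEN_HOST}" "generate --mode jwt")"`, then `[[ -n "${OPERATOR_ACCESS_TOKEN}" ]] || { log "Token request returned no token."; exit 1; }`, then `export OPERATOR_ACCESS_TOKEN`. The `RESET_AGENT=1` branch also runs `pkill -9 ssh-agent` without restricting it to an agent this script started, so agents used by unrelated sessions are ended too; a comment saying so, or killing only a recorded PID, would avoid surprises.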