From 80e0421be5b92abb318d4ff918d9bb969147eb70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zo=C3=AB?=
Date: Sat, 30 May 2026 18:25:14 -0700
Subject: [PATCH] fix: MCP servers auth via LiteLLM Bearer token, drop unused service tokens
---
 container/entrypoint.py | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/container/entrypoint.py b/container/entrypoint.py
index b302963..10360a2 100644
--- a/container/entrypoint.py
+++ b/container/entrypoint.py
@@ -74,10 +74,10 @@ def get_secret(bao_token: str, path: str, key: str) -> str:
 def fetch_role_secrets(bao_token: str, role: str) -> dict:
 """Fetch all secrets for a role. Returns dict of secret_name -> value."""
 secrets = {}
- secret_names = ["litellm-key", "vikunja-token", "forgejo-token", "argocd-token"]
+ secret_names = ["litellm-key"]
 for name in secret_names:
 try:
- key = "token" if name != "litellm-key" else "key"
+ key = "key"
 secrets[name] = get_secret(bao_token, f"autojanet/{role}/{name}", key)
 log.info("Fetched secret: %s", name)
 except Exception as e:
@@ -89,12 +89,11 @@ def write_opencode_config(secrets: dict, role: str) -> None:
 """Write opencode config and set secrets as env vars for opencode to pick up."""
 CONFIG_DIR.mkdir(parents=True, exist_ok=True)
- vikunja_token = secrets.get("vikunja-token", "")
- forgejo_token = secrets.get("forgejo-token", "")
+ litellm_key = secrets.get("litellm-key", "")
 # Set the LiteLLM API key as env var — opencode reads OPENAI_API_KEY for
- # openai-compatible providers, or the provider-specific env var
- os.environ["OPENAI_API_KEY"] = secrets.get("litellm-key", "")
+ # openai-compatible providers
+ os.environ["OPENAI_API_KEY"] = litellm_key
 config = {
 "$schema": "https://opencode.ai/config.json",
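Review bot: In `fetch_role_secrets`, a failed fetch of `litellm-key` appears to be non-fatal: the body of `except Exception as e:` lies outside the hunk, but if it only logs, the second hunk's `secrets.get("litellm-key", "")` turns the miss into an empty `OPENAI_API_KEY` and the third hunk sends `Authorization: Bearer ` with no token to both MCP endpoints. This key is now the container's only credential, so I would fail closed before the function returns, e.g. `if "litellm-key" not in secrets: raise RuntimeError("litellm-key unavailable, refusing to start")`. With one secret left, the `for name in secret_names` loop and the constant `key = "key"` could also collapse into a single `get_secret` call.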
@@ -110,18 +109,20 @@ def write_opencode_config(secrets: dict, role: str) -> None:
 },
 "mcp": {
 "vikunja": {
- "type": "sse",
+ "type": "remote",
 "url": f"{LITELLM_BASE_URL}/mcp/vikunja",
 "headers": {
- "x-vikunja-token": vikunja_token,
- }
+ "Authorization": f"Bearer {litellm_key}",
+ },
+ "enabled": True,
 },
 "forgejo": {
- "type": "sse",
+ "type": "remote",
 "url": f"{LITELLM_BASE_URL}/mcp/forgejo",
 "headers": {
- "x-forgejo-token": forgejo_token,
- }
+ "Authorization": f"Bearer {litellm_key}",
+ },
+ "enabled": True,
 },
 }
 }
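Review bot: Both `headers` blocks interpolate the LiteLLM key into the `config` dict, which `write_opencode_config` presumably serialises under `CONFIG_DIR`, so the credential that is also exported as `OPENAI_API_KEY` would be stored in plaintext in the config file. opencode's config supports `{env:NAME}` substitution, so `"Authorization": "Bearer {env:OPENAI_API_KEY}"` (a plain string, not an f-string) would keep the key out of the file. Whether the file is written with restrictive permissions is not visible here, as the function starts and ends outside the hunk. Because one key now authorises model calls and both MCP servers, it is worth confirming that each role's key is restricted in LiteLLM to the MCP servers that role needs.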