fix: MCP servers auth via LiteLLM Bearer token, drop unused service tokens

2026-05-30 18:25:14 -07:00 · 2026-05-30 18:25:14 -07:00 · 80e0421be5
commit 80e0421be5
parent 8130544e6a
1 changed files with 13 additions and 12 deletions
--- a/container/entrypoint.py
+++ b/container/entrypoint.py
@ -74,10 +74,10 @@ def get_secret(bao_token: str, path: str, key: str) -> str:
 def fetch_role_secrets(bao_token: str, role: str) -> dict:
    """Fetch all secrets for a role. Returns dict of secret_name -> value."""
    secrets = {}
-    secret_names = ["litellm-key", "vikunja-token", "forgejo-token", "argocd-token"]
+    secret_names = ["litellm-key"]
    for name in secret_names:
        try:
-            key = "token" if name != "litellm-key" else "key"
+            key = "key"
            secrets[name] = get_secret(bao_token, f"autojanet/{role}/{name}", key)
            log.info("Fetched secret: %s", name)
        except Exception as e:
@ -89,12 +89,11 @@ def write_opencode_config(secrets: dict, role: str) -> None:
    """Write opencode config and set secrets as env vars for opencode to pick up."""
    CONFIG_DIR.mkdir(parents=True, exist_ok=True)

-    vikunja_token = secrets.get("vikunja-token", "")
-    forgejo_token = secrets.get("forgejo-token", "")
+    litellm_key = secrets.get("litellm-key", "")

    # Set the LiteLLM API key as env var — opencode reads OPENAI_API_KEY for
-    # openai-compatible providers, or the provider-specific env var
-    os.environ["OPENAI_API_KEY"] = secrets.get("litellm-key", "")
+    # openai-compatible providers
+    os.environ["OPENAI_API_KEY"] = litellm_key

    config = {
        "$schema": "https://opencode.ai/config.json",
@ -110,18 +109,20 @@ def write_opencode_config(secrets: dict, role: str) -> None:
        },
        "mcp": {
            "vikunja": {
-                "type": "sse",
+                "type": "remote",
                "url": f"{LITELLM_BASE_URL}/mcp/vikunja",
                "headers": {
-                    "x-vikunja-token": vikunja_token,
-                }
+                    "Authorization": f"Bearer {litellm_key}",
+                },
+                "enabled": True,
            },
            "forgejo": {
-                "type": "sse",
+                "type": "remote",
                "url": f"{LITELLM_BASE_URL}/mcp/forgejo",
                "headers": {
-                    "x-forgejo-token": forgejo_token,
-                }
+                    "Authorization": f"Bearer {litellm_key}",
+                },
+                "enabled": True,
            },
        }
    }