Zero-setup bootstrap for a Codex agent that manages multi-tenant VPS fleets from this repository.
The primary supported path is Hostinger via the official global MCP server: hostinger-api-mcp.
This repository also supports direct read/list Contabo operations via the official REST API, plus an optional remote Contabo MCP connector via mcp-remote (no custom MCP server code in this repo).
It now also ships project-scoped Codex artefacts for bounded actor-critic work: AGENTS.md, .codex/config.toml, reusable custom agents under .codex/agents/, and prompt templates in PROMPT.md.
This repository does not implement a custom MCP server.
When you open this repo in a VS Code Dev Container:
- Tools are already installed in the container:
codexhostinger-api-mcp
- A guided onboarding script runs automatically.
- The script guides you through:
- Codex login (ChatGPT or API key)
- Creating or updating
profiles.json - Entering a Hostinger tenant/provider token
- Final health check
- Codex starts automatically and sends an intro that includes:
- Agent purpose
- Repository version from
ver.yaml
After that, you can immediately chat with the agent.
- Docker Desktop
- Visual Studio Code
- VS Code extension:
Dev Containers(by Microsoft)
git clone <your-repo-url>
cd "VPS Agent"
code .In VS Code:
- Press
F1 - Run
Dev Containers: Reopen in Container - Wait until container build finishes
The script runs automatically and asks for:
- Codex authentication:
ChatGPT login(recommended), orOPENAI_API_KEY
- A tenant name and a
HOSTINGER_API_TOKEN(from Hostinger hPanel -> Profile -> API)
The script writes profiles.json for you and runs checks.
If the prompt window does not appear, run manually in the container terminal:
bash scripts/devcontainer-onboarding.shAfter onboarding finishes, Codex auto-launches.
If VS Code runs postAttachCommand in a non-interactive context, auto-start is deferred to your first interactive terminal in the workspace and runs automatically there.
If it does not launch (rare terminal issue), run:
bash scripts/devcontainer-onboarding.shNow ask things like:
How many VPS do I have?Give me the name of each VPSCreate a new VPS in PhoenixAdd this SSH key to VPS smart14.domain.tld
- Creating/deleting/upgrading VPS can cost money.
- Ask the agent to list/show details first before mutating anything.
- Never commit
profiles.json.
The repository now includes a bounded actor-critic workflow and reusable project-scoped Codex profiles.
Common entry points:
codex -p vps_actor_critic
codex -p vps_review "Review this branch and list real risks first."
codex -p vps_docs "Look up the latest Codex config keys for custom agents."When you explicitly ask for parallel agent work, Codex can use these custom agents from .codex/agents/:
ops_explorerops_builderops_criticops_verifierdocs_researcher
The default repository workflow is still doctor-first, read-first, and confirmation-gated for destructive or billable provider actions.
Repository credentials now live in profiles.json, not .env.
- Tracked example:
profiles.json.template - Real local file:
profiles.json - Shape:
{
"tenants": [
{
"tenant": "customer-a",
"accounts": [
{
"provider": "hostinger",
"credentials": {
"API_TOKEN": "..."
}
},
{
"provider": "contabo",
"credentials": {
"CLIENT_ID": "...",
"CLIENT_SECRET": "...",
"API_USER": "...",
"API_PASSWORD": "..."
}
}
]
},
{
"tenant": "customer-b",
"accounts": [
{
"provider": "hostinger",
"credentials": {
"API_TOKEN": "..."
}
}
]
}
]
}The repository startup flow does not assume a default tenant or provider. In the normal model, each tenant/provider pair is unique. Start neutral, then pass --tenant when you want a provider-specific session. The shared resolver still honors explicit selector flags, environment overrides, and optional defaults if you choose to maintain them yourself.
- Inspect configured provider entries:
node scripts/profiles.js list --format text- Run the standard cross-tenant VPS inventory smoke test:
node scripts/vps-inventory-smoke.js- Start a neutral session with no tenant or provider preselected:
bash scripts/start-agent.shSelect a tenant explicitly when you want to work in a single tenant context:
bash scripts/start-agent.sh --tenant customer-a- Validate a non-secret example without creating a real
profiles.jsonyet:
VPS_PROFILES_PATH=profiles.json.template bash scripts/doctor-unix.shThe resolver uses this precedence:
- Explicit CLI selector flags on
start-agent - Process environment overrides such as
VPS_TENANT - Optional
defaultsinprofiles.json - Auto-select only when there is exactly one matching tenant/provider entry
Usable now with the current repository mechanics:
-
hostinger- Canonical credential key in
profiles.json:API_TOKEN - Also accepted:
HOSTINGER_API_TOKEN - Source: create a token in Hostinger hPanel API settings
- Current repo path: official
hostinger-api-mcp, enabled only when you opt into a provider-specific MCP session for a specific tenant/provider
- Canonical credential key in
-
contabo- Direct official API credentials:
CLIENT_ID,CLIENT_SECRET,API_USER,API_PASSWORD - Optional pre-minted token:
CONTABO_ACCESS_TOKEN - Optional settings:
CONTABO_AUTH_URL,CONTABO_API_BASE_URL - Direct repo path:
node scripts/contabo-api.js list-instances --tenant customer-a --format summary - Optional remote MCP connector key:
CONTABO_MCP_API_KEY - Optional remote MCP settings:
CONTABO_MCP_URL,CONTABO_MCP_TRANSPORT
- Direct official API credentials:
Can be connected immediately for validation with the current regression scripts, but are not yet wired into agent-management MCP wrappers here:
-
awsAWS_PROFILEorAWS_ACCESS_KEY_ID+AWS_SECRET_ACCESS_KEY- Optional:
AWS_SESSION_TOKEN,AWS_REGION
-
gcpGOOGLE_APPLICATION_CREDENTIALSor an already activegcloudsession- Required for non-interactive project-scoped checks:
GOOGLE_CLOUD_PROJECT - Optional:
GOOGLE_CLOUD_REGION
-
azureAZURE_CLIENT_ID,AZURE_TENANT_ID,AZURE_CLIENT_SECRET- Optional but recommended:
AZURE_SUBSCRIPTION_ID
-
ovhOVH_APPLICATION_KEY,OVH_APPLICATION_SECRET,OVH_CONSUMER_KEY- Optional:
OVH_ENDPOINT
This repo ships wrappers for the remote Contabo connector endpoint:
https://contabo.run.mcp.com.ai/mcp- Transport:
Streamable HTTP
Setup:
- Put a
contaboprovider entry inprofiles.json. - Set
CONTABO_MCP_API_KEYfor the remote connector path. - Optional endpoint overrides go in that provider entry's
settings:CONTABO_MCP_URLCONTABO_MCP_TRANSPORT
- Provider MCP entries are disabled by default in
.codex/config*.tomlso agent startup stays neutral across tenants and providers. - Enable
contabo_apionly after adding the connector key and selecting an explicit tenant/provider context for that session. - Enable
hostinger_apionly when you intentionally want a Hostinger MCP session for a specific tenant/provider. - Use the updated
.codex/config*.tomltemplate(s), which include:hostinger_api(official Hostinger MCP wrapper)contabo_api(remote Contabo MCP wrapper)
The wrapper runs mcp-remote in silent mode to avoid leaking credential headers in logs.
Official Contabo REST API credentials are not reused as the remote connector key.
Recommended operational path for Contabo with the current repo:
- Primary: use the official Contabo REST API for direct scripted read/list operations from this repo.
- Secondary: use the optional remote MCP connector when you specifically need Contabo tool exposure inside Codex and have a connector key.
- Fallback: use the official
cntbCLI when you want a fully official non-MCP path from a shell session. - Caveat: Contabo's official API/CLI documentation states Storage VPS are not supported through the API/CLI path.
Run read-only regression checks (instance count + status distribution) for providers whose selected account is present in profiles.json or whose local CLI session is already active:
Linux/macOS:
./scripts/regression-tests.shWindows PowerShell:
powershell -ExecutionPolicy Bypass -File scripts/regression-tests.ps1By default, AWS/GCP/Azure checks run only when the selected profile provides credentials. To also include already logged-in local CLI sessions, set REGRESSION_USE_LOCAL_SESSIONS=true before running the script.
- Devcontainer config:
.devcontainer/devcontainer.json - Onboarding script:
scripts/devcontainer-onboarding.sh - Agent launcher with intro prompt:
scripts/start-agent.sh - MCP wrapper (Linux):
scripts/hostinger-mcp.sh - Contabo direct API helper:
scripts/contabo-api.js - MCP wrapper (Linux, Contabo):
scripts/contabo-mcp.sh - MCP wrapper (Windows, Contabo):
scripts/contabo-mcp.ps1 - Shared profile resolver:
scripts/profiles.js - Multi-tenant credentials template:
profiles.json.template - Linux Codex MCP template:
.codex/config.toml.example - Windows Codex MCP template:
.codex/config.windows.toml.example - Custom Codex agents:
.codex/agents/*.toml - Prompt templates:
PROMPT.md - Agent rules:
AGENTS.md
Linux/macOS:
./scripts/bootstrap-unix.sh
node scripts/profiles.js list --format text
./scripts/doctor-unix.sh
bash scripts/start-agent.sh --tenant customer-aWindows PowerShell:
powershell -ExecutionPolicy Bypass -File scripts/bootstrap-windows.ps1
node scripts/profiles.js list --format text
powershell -ExecutionPolicy Bypass -File scripts/doctor-windows.ps1
powershell -ExecutionPolicy Bypass -File scripts/start-agent.ps1 -Tenant customer-aSet AUTO_START_CODEX to false in .devcontainer/devcontainer.json if you do not want Codex to auto-open on the first interactive terminal after each container start.
This repository is licensed under the Apache License, Version 2.0.
- Origin: Ratio1 open-source project.
- License grant: Apache-2.0 permits use, reproduction, modification, distribution, sublicensing, and use in commercial products and services, subject to the license terms.
- Express permission: Any person or entity may clone this repository and create, distribute, or sell commercial products derived from it, provided Apache-2.0 obligations are met.
- No additional field-of-use or commercial restrictions are imposed by this repository beyond Apache-2.0.
- Full license text:
LICENSE(andLICENSE.mdmirror) - Attribution notice:
NOTICE