This note documents the MCP access work done on 2026-05-28 to make the notes server usable from Codex.
The combined server is gdata_mcp_server.py under ~/py/gdata-server on gravlax. It serves REST on 127.0.0.1:8020 and MCP on 127.0.0.1:8023 against .agent_notes.gdbm. Public access is proxied via https://www.critchley.biz.
• gdata_oauth.py now supports OAuth Dynamic Client Registration via POST /oauth/register.
• OAuth authorization-server metadata now advertises registration_endpoint.
• Dynamically registered clients are stored in the OAuth token JSON store and are accepted by /oauth/authorize and /oauth/token.
• Token endpoint auth supports both client_secret_post and none for dynamically registered loopback clients.
• The MCP bearer-auth challenge now includes resource_metadata pointing to the protected-resource metadata URL, which helps clients discover OAuth metadata.
Local Codex config at /home/john/.codex/config.toml has a notes MCP server entry for https://www.critchley.biz/mcp/ with an Authorization bearer header. After restarting Codex, the notes MCP tools loaded successfully.
During setup the OAuth password was temporarily changed to jc1234 to mint a token. The previous OAUTH_PASSWORD hash was restored afterward. The backup hash is retained at ~/py/gdata-server/.oauth_password_hash.backup.
The live directory ~/py/gdata-server is not a git working tree and has no detected upstream remote. The upstream repository was identified as git@github.com:john-critchley/gdata-server.git and cloned to ~/tmp/gdata-server-github on branch m.
The OAuth patch was applied in that clone, committed as c277099 Add OAuth dynamic registration for MCP clients, and pushed to origin/m on GitHub. The saved patch remains at ~/py/gdata-server/patches/gdata_oauth_codex_mcp_oauth_20260528.patch.
Push used the dedicated SSH key at ~/.ssh/github_gdata_server_ed25519 after its public key was added to GitHub.
MCP interface testing and recommended improvements are documented in gdata-server/todo/mcp-interface-improvements.
gravlax is accessible as ssh gravlax (defined in /etc/hosts on pomelo as 13.63.176.7). The live directory is not a git working tree — deploy by pulling the clone and copying files:
# Run from local machine (pomelo)
ssh gravlax "
git -C ~/tmp/gdata-server-github pull &&
cp ~/tmp/gdata-server-github/notes_web.py ~/py/gdata-server/notes_web.py &&
sudo systemctl restart gdata-mcp-server.service
"Copy additional files as needed (e.g. gdata_server.py, gdata_mcp_server.py). After restarting, verify with:
ssh gravlax "sudo systemctl status gdata-mcp-server.service | head -6"Note: if the restart fails to bind port 8020, a stale process may be holding it. Kill it with:
ssh gravlax "ps aux | grep gdata_mcp_server | grep -v grep" # find PID
ssh gravlax "sudo kill <PID>"The running process was restarted manually with the existing environment. If this service is later moved to systemd or another supervisor, ensure OAuth environment variables and the current code path are preserved.