Add conversational SSH connection setup

Author: MehediHossain95

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.3.0
+
+- Added conversational SSH connection management with `remote_add_host`.
+- Added `remote_remove_host` for deleting saved connection profiles.
+- Added `remote_test_connection` for validating saved profiles.
+- Added default config discovery at `~/.codex/remote-ssh-hosts.json`.
+- Reduced setup friction so users no longer need environment variables for normal use.
+
 ## 0.2.0
 
 - Added Zain Technologies LTD marketplace metadata.

plugins/remote-ssh/.codex-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "remote-ssh",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Enterprise-grade Remote SSH tools for Codex with host policies, audit logging, and safe file operations.",
   "author": {
     "name": "Zain Technologies LTD",
@@ -22,7 +22,7 @@
   "interface": {
     "displayName": "Remote SSH",
     "shortDescription": "Enterprise Remote SSH operations for Codex",
-    "longDescription": "Remote SSH by Zain Technologies LTD connects Codex to trusted servers, devboxes, and private infrastructure through a local MCP bridge. It supports host aliases, path allowlists, write opt-in controls, blocked command policies, timeouts, output limits, and JSONL audit logs for professional remote development and operations workflows.",
+    "longDescription": "Remote SSH by Zain Technologies LTD connects Codex to trusted servers, devboxes, and private infrastructure through a local MCP bridge. It supports conversational connection setup, saved host aliases, path allowlists, write opt-in controls, blocked command policies, timeouts, output limits, and JSONL audit logs for professional remote development and operations workflows.",
     "developerName": "Zain Technologies LTD",
     "category": "Development",
     "capabilities": [
@@ -34,9 +34,9 @@
     "privacyPolicyURL": "https://github.com/ZainTechnologiesLTD/codex-remote-ssh/blob/main/PRIVACY.md",
     "termsOfServiceURL": "https://github.com/ZainTechnologiesLTD/codex-remote-ssh/blob/main/TERMS.md",
     "defaultPrompt": [
+      "Add a new SSH connection.",
       "Check my configured remote host health.",
-      "Tail the latest application log over SSH.",
-      "Run tests on my remote devbox."
+      "Tail the latest application log over SSH."
     ],
     "brandColor": "#2563EB",
     "composerIcon": "./assets/app-icon.svg",

plugins/remote-ssh/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## 0.3.0
+
+- Added conversational SSH connection management with `remote_add_host`.
+- Added `remote_remove_host` for deleting saved connection profiles.
+- Added `remote_test_connection` for validating saved profiles.
+- Added default config discovery at `~/.codex/remote-ssh-hosts.json`.
+- Reduced setup friction so users no longer need environment variables for normal use.
+
 ## 0.2.0
 
 - Added Zain Technologies LTD marketplace metadata.
@@ -12,4 +20,3 @@
 
 - Initial plugin scaffold.
 - Added basic MCP tools for commands, file reads, directory listing, and file writes.
-

plugins/remote-ssh/CONFIGURATION.md

@@ -1,6 +1,31 @@
 # Configuration Reference
 
-Codex Remote SSH reads host aliases from either `REMOTE_SSH_HOSTS` or `REMOTE_SSH_CONFIG_FILE`.
+Codex Remote SSH can save connection profiles automatically. Most users should ask Codex to add a connection instead of editing JSON by hand.
+
+```text
+Add an SSH connection named my-server for user@hostname on port 22 using identity file ~/.ssh/id_rsa.
+```
+
+Saved profiles are stored at:
+
+```text
+~/.codex/remote-ssh-hosts.json
+```
+
+Advanced users can override this with `REMOTE_SSH_CONFIG_FILE` or provide ephemeral configuration with `REMOTE_SSH_HOSTS`.
+
+## Automatic Connection Setup
+
+`remote_add_host` accepts the same fields users expect from a modern Remote SSH form:
+
+| Form Field | Tool Field | Notes |
+| --- | --- | --- |
+| Name | `name` | Friendly alias such as `my-server`. |
+| SSH Host | `sshHost` | `user@hostname` or a host from `~/.ssh/config`. |
+| SSH Port | `port` | Defaults to `22`. |
+| Identity File | `identityFile` | Optional. Leave empty to use default SSH behavior. |
+| Allowed Paths | `allowedPaths` | Optional safety policy for file tools. |
+| Allow Writes | `allowWrites` | Defaults to `false`. |
 
 ## `REMOTE_SSH_HOSTS`
 
@@ -74,4 +99,3 @@ $env:REMOTE_SSH_AUDIT_LOG="$HOME\.codex\remote-ssh-audit.jsonl"
 ```
 
 Each record includes timestamp, tool name, host alias, command phase, exit code, timeout status, and duration.
-

plugins/remote-ssh/README.md

@@ -10,6 +10,7 @@ Modern teams often keep source code, logs, services, and deployment tools on rem
 
 This plugin exposes clear tools for common remote work:
 
+- add and save SSH connections conversationally
 - discover configured host aliases
 - run non-interactive remote commands
 - list directories
@@ -46,7 +47,19 @@ For local development, keep this plugin folder under a repo-level `plugins/remot
 
 ## Configuration
 
-Configure hosts through `REMOTE_SSH_HOSTS` or `REMOTE_SSH_CONFIG_FILE`.
+Most users should add connections conversationally:
+
+```text
+Add an SSH connection named hms for hmsadmin@192.168.128.7 using identity file ~/.ssh/id_ed25519_hms.
+```
+
+The plugin saves profiles to:
+
+```text
+~/.codex/remote-ssh-hosts.json
+```
+
+Advanced users can still configure hosts through `REMOTE_SSH_HOSTS` or `REMOTE_SSH_CONFIG_FILE`.
 
 PowerShell example:
 
@@ -90,6 +103,9 @@ Use Remote SSH to tail the last 100 lines of /var/log/nginx/error.log on hms.
 
 | Tool | Purpose |
 | --- | --- |
+| `remote_add_host` | Saves or updates an SSH connection profile. |
+| `remote_remove_host` | Removes a saved SSH connection profile. |
+| `remote_test_connection` | Validates a saved SSH connection. |
 | `remote_hosts` | Lists configured host aliases and non-secret policy metadata. |
 | `remote_run` | Runs a non-interactive command on a configured host. |
 | `remote_list_dir` | Lists an allowlisted directory. |

plugins/remote-ssh/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@zaintechnologiesltd/codex-remote-ssh",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "description": "Enterprise-grade Remote SSH MCP tools for OpenAI Codex.",
   "license": "MIT",
   "author": {

plugins/remote-ssh/scripts/remote-ssh-mcp.js

@@ -7,7 +7,7 @@ const os = require("node:os");
 const path = require("node:path");
 const readline = require("node:readline");
 
-const SERVER_VERSION = "0.2.0";
+const SERVER_VERSION = "0.3.0";
 const PROTOCOL_VERSION = "2024-11-05";
 const DEFAULT_MAX_OUTPUT_BYTES = 1024 * 1024;
 const DEFAULT_CONNECT_TIMEOUT_SECONDS = 15;
@@ -56,6 +56,24 @@ function parseJson(raw, label) {
   }
 }
 
+function defaultConfigFile() {
+  return path.join(os.homedir(), ".codex", "remote-ssh-hosts.json");
+}
+
+function activeConfigFile() {
+  return expandHome(process.env.REMOTE_SSH_CONFIG_FILE || defaultConfigFile());
+}
+
+function ensureConfigShape(config) {
+  if (!config || typeof config !== "object" || Array.isArray(config)) {
+    return { hosts: {} };
+  }
+  if (config.hosts && typeof config.hosts === "object" && !Array.isArray(config.hosts)) {
+    return config;
+  }
+  return { hosts: config };
+}
+
 function loadHostConfig() {
   const configFile = process.env.REMOTE_SSH_CONFIG_FILE;
   if (configFile) {
@@ -64,7 +82,58 @@ function loadHostConfig() {
     return parsed.hosts || parsed;
   }
 
-  return parseJson(process.env.REMOTE_SSH_HOSTS || "{}", "REMOTE_SSH_HOSTS");
+  const envHosts = process.env.REMOTE_SSH_HOSTS;
+  if (envHosts) {
+    return parseJson(envHosts, "REMOTE_SSH_HOSTS");
+  }
+
+  const resolved = defaultConfigFile();
+  if (!fs.existsSync(resolved)) return {};
+  const parsed = parseJson(fs.readFileSync(resolved, "utf8"), resolved);
+  return parsed.hosts || parsed;
+}
+
+function readWritableConfig() {
+  const resolved = activeConfigFile();
+  if (!fs.existsSync(resolved)) return { file: resolved, config: { hosts: {} } };
+  return {
+    file: resolved,
+    config: ensureConfigShape(parseJson(fs.readFileSync(resolved, "utf8"), resolved)),
+  };
+}
+
+function writeWritableConfig(file, config) {
+  fs.mkdirSync(path.dirname(file), { recursive: true });
+  fs.writeFileSync(file, `${JSON.stringify(config, null, 2)}\n`, { encoding: "utf8", mode: 0o600 });
+}
+
+function parseSshHost(input) {
+  const value = String(input || "").trim();
+  if (!value) throw new Error("SSH host is required.");
+  if (value.includes("@")) {
+    const [user, ...hostParts] = value.split("@");
+    const host = hostParts.join("@");
+    if (!user || !host) throw new Error("SSH host must look like user@hostname.");
+    return { user, host };
+  }
+  return { sshConfigHost: value };
+}
+
+function cleanHostProfile(args) {
+  const parsed = parseSshHost(args.sshHost);
+  const profile = {
+    ...parsed,
+    port: args.port || 22,
+    identityFile: args.identityFile || undefined,
+    allowedPaths: Array.isArray(args.allowedPaths) ? args.allowedPaths : [],
+    allowWrites: Boolean(args.allowWrites),
+    strictHostKeyChecking: args.strictHostKeyChecking !== false,
+    connectTimeoutSeconds: args.connectTimeoutSeconds || DEFAULT_CONNECT_TIMEOUT_SECONDS,
+    commandTimeoutMs: args.commandTimeoutMs || DEFAULT_COMMAND_TIMEOUT_MS,
+    maxOutputBytes: args.maxOutputBytes || DEFAULT_MAX_OUTPUT_BYTES,
+  };
+
+  return Object.fromEntries(Object.entries(profile).filter(([, value]) => value !== undefined));
 }
 
 function getHost(alias) {
@@ -262,6 +331,57 @@ function textResult(payload) {
 }
 
 const tools = [
+  {
+    name: "remote_add_host",
+    description: "Add or update a saved SSH connection profile in the Remote SSH config file.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        name: { type: "string", description: "Friendly connection name, used as the host alias." },
+        sshHost: { type: "string", description: "user@hostname or a host alias from ~/.ssh/config." },
+        port: { type: "integer", minimum: 1, maximum: 65535, default: 22 },
+        identityFile: { type: "string", description: "Optional private key path. Supports ~." },
+        allowedPaths: {
+          type: "array",
+          items: { type: "string" },
+          description: "Optional remote path allowlist for file tools.",
+          default: [],
+        },
+        allowWrites: { type: "boolean", default: false },
+        strictHostKeyChecking: { type: "boolean", default: true },
+        connectTimeoutSeconds: { type: "integer", minimum: 1, default: 15 },
+        commandTimeoutMs: { type: "integer", minimum: 1000, default: 120000 },
+        maxOutputBytes: { type: "integer", minimum: 1024, default: 1048576 },
+        overwrite: { type: "boolean", default: false },
+      },
+      required: ["name", "sshHost"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "remote_remove_host",
+    description: "Remove a saved SSH connection profile from the Remote SSH config file.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        name: { type: "string", description: "Host alias to remove." },
+      },
+      required: ["name"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "remote_test_connection",
+    description: "Test a configured SSH connection with a small non-interactive command.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        host: { type: "string", description: "Configured host alias." },
+      },
+      required: ["host"],
+      additionalProperties: false,
+    },
+  },
   {
     name: "remote_hosts",
     description: "List configured SSH host aliases and their non-secret policy metadata.",
@@ -355,6 +475,36 @@ const tools = [
 ];
 
 async function callTool(name, args) {
+  if (name === "remote_add_host") {
+    const alias = String(args.name || "").trim();
+    if (!alias || !/^[A-Za-z0-9_.-]+$/.test(alias)) {
+      throw new Error("Connection name must contain only letters, numbers, dots, underscores, or hyphens.");
+    }
+    const { file, config } = readWritableConfig();
+    if (config.hosts[alias] && !args.overwrite) {
+      throw new Error(`Connection ${alias} already exists. Pass overwrite=true to update it.`);
+    }
+    config.hosts[alias] = cleanHostProfile(args);
+    writeWritableConfig(file, config);
+    return textResult({
+      saved: true,
+      name: alias,
+      configFile: file,
+      profile: redactConfig({ alias, ...config.hosts[alias] }),
+    });
+  }
+
+  if (name === "remote_remove_host") {
+    const alias = String(args.name || "").trim();
+    const { file, config } = readWritableConfig();
+    if (!config.hosts[alias]) {
+      throw new Error(`Connection ${alias} does not exist in ${file}.`);
+    }
+    delete config.hosts[alias];
+    writeWritableConfig(file, config);
+    return textResult({ removed: true, name: alias, configFile: file });
+  }
+
   if (name === "remote_hosts") {
     const hosts = loadHostConfig();
     return textResult({
@@ -366,6 +516,10 @@ async function callTool(name, args) {
 
   const config = getHost(args.host);
 
+  if (name === "remote_test_connection") {
+    return textResult(await runSsh(config, "printf 'connected\\n'; hostname; whoami", name));
+  }
+
   if (name === "remote_run") {
     assertCommandAllowed(config, args.command);
     return textResult(await runSsh(config, args.command, name));
@@ -465,6 +619,8 @@ if (require.main === module) {
 module.exports = {
   assertCommandAllowed,
   assertPathAllowed,
+  cleanHostProfile,
+  defaultConfigFile,
   expandHome,
   handle,
   loadHostConfig,

plugins/remote-ssh/skills/remote-ssh/SKILL.md

@@ -10,14 +10,21 @@ Use this skill when the user asks Codex to inspect or operate a configured remot
 ## Workflow
 
 1. Confirm the target host alias, remote path, and command intent from the user's request.
-2. Prefer narrow tools over broad shell access:
+2. When the user wants to add a connection, collect:
+   - friendly name
+   - SSH host as `user@hostname` or a `~/.ssh/config` host
+   - optional port
+   - optional identity file
+   - optional allowed remote paths
+   Then use `remote_add_host` and test with `remote_test_connection`.
+3. Prefer narrow tools over broad shell access:
    - use `remote_list_dir` before reading unknown paths
    - use `remote_read_file` for file inspection
    - use `remote_write_file` only when the user clearly wants a remote edit
    - use `remote_run` for tests, service status, logs, and other explicit commands
-3. Keep remote commands non-interactive.
-4. Do not request or echo private key material.
-5. Summarize remote command output clearly when the user cannot see the tool output.
+4. Keep remote commands non-interactive.
+5. Do not request or echo private key material. Only ask for the identity file path.
+6. Summarize remote command output clearly when the user cannot see the tool output.
 
 ## Safety
 
@@ -28,4 +35,3 @@ If authentication fails, guide the user to verify SSH access locally first:
 ```powershell
 ssh -i $HOME\.ssh\id_ed25519_hms user@host "hostname"
 ```
-