simplify configuration for performix

README.md

@@ -48,7 +48,7 @@ docker buildx build -f mcp-local/Dockerfile -t armlimited/arm-mcp . --load
 
 Choose the configuration that matches your MCP client:
 
-The examples below include the optional Docker arguments required for **Arm Performix**. These SSH-related settings are only needed when you want the MCP server to run remote commands on a target device through Arm Performix. If you are not using Arm Performix, you can omit the `-e` and SSH `-v` lines.
+The examples below include the optional Docker arguments required for **Arm Performix**. These SSH-related settings are only needed when you want the MCP server to run remote commands on a target device through Arm Performix. If you are not using Arm Performix, you can omit the SSH `-v` lines.
 
 #### Claude Code
 
@@ -66,8 +66,6 @@ Add to `.mcp.json` in your project:
         "-v", "/path/to/your/workspace:/workspace",
         "-v", "/path/to/your/ssh/private_key:/run/keys/ssh-key.pem:ro",
         "-v", "/path/to/your/ssh/known_hosts:/run/keys/known_hosts:ro",
-        "-e", "SSH_KEY_PATH=/run/keys/ssh-key.pem",
-        "-e", "KNOWN_HOSTS_PATH=/run/keys/known_hosts",
         "armlimited/arm-mcp"
       ]
     }
@@ -92,8 +90,6 @@ Add to `.vscode/mcp.json` in your project, or globally at `~/Library/Application
         "-v", "/path/to/your/workspace:/workspace",
         "-v", "/path/to/your/ssh/private_key:/run/keys/ssh-key.pem:ro",
         "-v", "/path/to/your/ssh/known_hosts:/run/keys/known_hosts:ro",
-        "-e", "SSH_KEY_PATH=/run/keys/ssh-key.pem",
-        "-e", "KNOWN_HOSTS_PATH=/run/keys/known_hosts",
         "armlimited/arm-mcp"
       ]
     }
@@ -121,8 +117,6 @@ Add to `~/.kiro/settings/mcp.json`:
         "-v", "/path/to/your/workspace:/workspace",
         "-v", "/path/to/your/ssh/private_key:/run/keys/ssh-key.pem:ro",
         "-v", "/path/to/your/ssh/known_hosts:/run/keys/known_hosts:ro",
-        "-e", "SSH_KEY_PATH=/run/keys/ssh-key.pem",
-        "-e", "KNOWN_HOSTS_PATH=/run/keys/known_hosts",
         "--name", "arm-mcp",
         "armlimited/arm-mcp"
       ],
@@ -150,8 +144,6 @@ Add to `.gemini/settings.json` in your project root:
         "-v", "/path/to/your/workspace:/workspace",
         "-v", "/path/to/your/ssh/private_key:/run/keys/ssh-key.pem:ro",
         "-v", "/path/to/your/ssh/known_hosts:/run/keys/known_hosts:ro",
-        "-e", "SSH_KEY_PATH=/run/keys/ssh-key.pem",
-        "-e", "KNOWN_HOSTS_PATH=/run/keys/known_hosts",
         "armlimited/arm-mcp"
       ]
     }
@@ -171,13 +163,11 @@ args = [
   "-v", "/path/to/your/workspace:/workspace",
   "-v", "/path/to/your/ssh/private_key:/run/keys/ssh-key.pem:ro",
   "-v", "/path/to/your/ssh/known_hosts:/run/keys/known_hosts:ro",
-  "-e", "SSH_KEY_PATH=/run/keys/ssh-key.pem",
-  "-e", "KNOWN_HOSTS_PATH=/run/keys/known_hosts",
   "armlimited/arm-mcp"
 ]
 ```
 
-**Note**: Replace `/path/to/your/workspace` with the actual path to your project directory that you want the MCP server to access. If you are enabling Arm Performix, also replace the `/path/to/your/ssh/private_key` and `/path/to/your/ssh/known_hosts` paths with your local files.
+**Note**: Replace `/path/to/your/workspace` with the actual path to your project directory that you want the MCP server to access. If you are enabling Arm Performix, also replace the `/path/to/your/ssh/private_key` and `/path/to/your/ssh/known_hosts` paths with your local files. The MCP container auto-discovers files mounted under `/run/keys`, as shown in the configs above.
 
 ### 3. Restart Your MCP Client
 

mcp-local/performix-deployment-scenarios.md

@@ -34,12 +34,14 @@ Validate SSH access:
 ssh -i /path/to/key <remote_user>@<target_ip>
 ```
 
-### 2. MCP server runtime must have SSH config
+### 2. MCP server runtime must have the SSH files mounted
 
-Your MCP server/container configuration must include:
+Your MCP server/container configuration must mount:
 
-- `SSH_KEY_PATH`
-- `KNOWN_HOSTS_PATH`
+- the private key file under `/run/keys`
+- the `known_hosts` file under `/run/keys`
+
+The MCP container will discover these mounts from `/proc/self/mounts` and set the internal `SSH_KEY_PATH` and `KNOWN_HOSTS_PATH` values automatically.
 
 ### 3. Target workload must be runnable
 
@@ -138,6 +140,6 @@ flowchart LR
 If `apx_recipe_run` fails:
 
 - Verify SSH key permissions (`chmod 600 /path/to/key`).
-- Verify `SSH_KEY_PATH` and `KNOWN_HOSTS_PATH` in MCP config.
+- Verify the SSH key and `known_hosts` files are mounted into `/run/keys`.
 - Verify target IP, username, and command path.
-- Verify selected recipe is supported in your target environment.
+- Verify selected recipe is supported in your target environment.

mcp-local/server.py

@@ -19,7 +19,7 @@
 from utils.config import METADATA_PATH, USEARCH_INDEX_PATH, MODEL_NAME, SUPPORTED_SCANNERS, DEFAULT_ARCH
 from utils.search_utils import build_bm25_index, deduplicate_urls, hybrid_search, load_metadata, load_usearch_index
 from utils.docker_utils import check_docker_image_architectures
-from utils.apx import prepare_target, run_workload, get_results
+from utils.apx import prepare_target, run_workload, get_results, resolve_apx_ssh_mount_env
 from utils.migrate_ease_utils import run_migrate_ease_scan
 from utils.skopeo_tool import skopeo_help, skopeo_inspect
 from utils.llvm_mca_tool import mca_help, llvm_mca_analyze
@@ -292,19 +292,20 @@ def apx_recipe_run(cmd:str, remote_ip_addr:str, remote_usr:str, recipe:str="code
         },
     )
     apx_dir = os.environ.get("APX_HOME", "/opt/apx")
-    key_path = os.getenv("SSH_KEY_PATH")
-    known_hosts_path = os.getenv("KNOWN_HOSTS_PATH")
+    ssh_mount_env = resolve_apx_ssh_mount_env()
+    key_path = ssh_mount_env["key_path"]
+    known_hosts_path = ssh_mount_env["known_hosts_path"]
 
     if not key_path or not known_hosts_path:
         return {
             "status": "error",
             "recipe": recipe,
             "stage": "config_validation",
             "message": "Missing SSH configuration for APX target access.",
-            "suggestion": "Set SSH_KEY_PATH and KNOWN_HOSTS_PATH in the MCP docker run configuration, then retry.",
+            "suggestion": "Mount both the SSH private key and known_hosts file into /run/keys, then retry.",
             "details": (
-                "SSH_KEY_PATH and KNOWN_HOSTS_PATH environment variables must be set in the docker run "
-                "command in the MCP config file to mount in the container to use APX."
+                "APX looks for SSH_KEY_PATH and KNOWN_HOSTS_PATH first, then auto-discovers mounted files "
+                f"under /run/keys from /proc/self/mounts. Discovered mounts: {ssh_mount_env['mount_targets']}"
             ),
         }
 

mcp-local/utils/apx.py

@@ -9,6 +9,8 @@
 
 QUERY_REGISTRY_PATH = Path(__file__).resolve().parent.parent / "sql" / "queries.sql"
 ANSI_ESCAPE_RE = re.compile(r"\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])")
+RUN_KEYS_DIR = Path("/run/keys")
+PROC_MOUNTS_PATH = Path("/proc/self/mounts")
 
 
 def load_recipe_query_map(sql_file_path: Path) -> Dict[str, Dict[str, str]]:
@@ -248,6 +250,91 @@ def _build_atp_error_response(
         response["raw_output"] = _trim_output(raw_output)
     return response
 
+
+def _decode_mount_field(field: str) -> str:
+    return re.sub(
+        r"\\([0-7]{3})",
+        lambda match: chr(int(match.group(1), 8)),
+        field,
+    )
+
+
+def discover_run_keys_mounts(
+    mounts_path: Optional[Path] = None,
+    run_keys_dir: Optional[Path] = None,
+) -> List[str]:
+    mounts_path = mounts_path or PROC_MOUNTS_PATH
+    run_keys_dir = run_keys_dir or RUN_KEYS_DIR
+
+    if not mounts_path.exists():
+        return []
+
+    mount_targets: List[str] = []
+    for line in mounts_path.read_text(encoding="utf-8").splitlines():
+        parts = line.split()
+        if len(parts) < 2:
+            continue
+        target = _decode_mount_field(parts[1])
+        if target == str(run_keys_dir) or target.startswith(f"{run_keys_dir}/"):
+            mount_targets.append(target)
+
+    # Preserve input order while removing duplicates.
+    return list(dict.fromkeys(mount_targets))
+
+
+def _select_known_hosts_path(mount_targets: List[str]) -> Optional[str]:
+    matches = [
+        path for path in mount_targets
+        if "known_hosts" in Path(path).name.lower().replace("-", "_")
+    ]
+    return matches[0] if len(matches) == 1 else None
+
+
+def _select_ssh_key_path(mount_targets: List[str], known_hosts_path: Optional[str]) -> Optional[str]:
+    candidates = [path for path in mount_targets if path != known_hosts_path]
+    if len(candidates) == 1:
+        return candidates[0]
+
+    key_like = [
+        path for path in candidates
+        if any(
+            token in Path(path).name.lower()
+            for token in ("ssh", "key", ".pem", "id_rsa", "id_ed25519", "id_ecdsa", "id_dsa")
+        )
+    ]
+    return key_like[0] if len(key_like) == 1 else None
+
+
+def resolve_apx_ssh_mount_env() -> Dict[str, Any]:
+    key_path = os.getenv("SSH_KEY_PATH")
+    known_hosts_path = os.getenv("KNOWN_HOSTS_PATH")
+    mount_targets: List[str] = []
+
+    if key_path and known_hosts_path:
+        return {
+            "key_path": key_path,
+            "known_hosts_path": known_hosts_path,
+            "mount_targets": mount_targets,
+        }
+
+    mount_targets = discover_run_keys_mounts()
+
+    if not known_hosts_path:
+        known_hosts_path = _select_known_hosts_path(mount_targets)
+        if known_hosts_path:
+            os.environ["KNOWN_HOSTS_PATH"] = known_hosts_path
+
+    if not key_path:
+        key_path = _select_ssh_key_path(mount_targets, known_hosts_path)
+        if key_path:
+            os.environ["SSH_KEY_PATH"] = key_path
+
+    return {
+        "key_path": key_path,
+        "known_hosts_path": known_hosts_path,
+        "mount_targets": mount_targets,
+    }
+
 def extract_run_id(output: str) -> str:
     if not output:
         return ""