docs: document static dual-namespace Gitea MCP deployment model (#143)
Record the #139 accepted decision as a deployment doc: two static per-role MCP namespaces (gitea-author, gitea-reviewer), one credential per process, with dynamic profile switching and dispatcher routing explicitly rejected for now. Covers rationale (audit clarity, credential concentration, two-party review boundary, fail-closed behavior), reference-only client setup via GITEA_MCP_CONFIG/GITEA_MCP_PROFILE, the 'Auth unsupported' client-badge caveat, and reconnect/reload requirements after profile/config/code changes. Cross-linked from the execution-profiles model doc and the workflow runbooks; guarded by docs-content tests. Closes #143 Co-Authored-By: Claude Fable 5 <[email protected]>
This commit is contained in:
@@ -265,6 +265,9 @@ For security-sensitive or high-risk tasks, the preferred safety model uses separ
|
||||
- `gitea-author`: Exposes tools configured with author permissions; cannot perform approvals or merges.
|
||||
- `gitea-reviewer`: Exposes tools configured with reviewer permissions; used for PR reviews and merges.
|
||||
This layout maintains physical separation of credentials and prevents privilege escalation within a single session.
|
||||
This is the model accepted in #139; deployment details, rationale, and client
|
||||
setup live in
|
||||
[`gitea-dual-namespace-deployment.md`](gitea-dual-namespace-deployment.md).
|
||||
|
||||
### 3. Verification Post-Switching
|
||||
When dynamic profile switching is enabled and a profile is activated via `gitea_activate_profile`, the session MUST immediately:
|
||||
|
||||
Reference in New Issue
Block a user