docs: document static dual-namespace Gitea MCP deployment model (#143)

Record the #139 accepted decision as a deployment doc: two static
per-role MCP namespaces (gitea-author, gitea-reviewer), one credential
per process, with dynamic profile switching and dispatcher routing
explicitly rejected for now. Covers rationale (audit clarity, credential
concentration, two-party review boundary, fail-closed behavior),
reference-only client setup via GITEA_MCP_CONFIG/GITEA_MCP_PROFILE,
the 'Auth unsupported' client-badge caveat, and reconnect/reload
requirements after profile/config/code changes. Cross-linked from the
execution-profiles model doc and the workflow runbooks; guarded by
docs-content tests.

Closes #143

Co-Authored-By: Claude Fable 5 <[email protected]>
This commit is contained in:
2026-07-05 03:23:40 -04:00
co-authored by Claude Fable 5
parent 3c1ab87e1b
commit 2ad876be9f
4 changed files with 230 additions and 0 deletions
+3
View File
@@ -265,6 +265,9 @@ For security-sensitive or high-risk tasks, the preferred safety model uses separ
- `gitea-author`: Exposes tools configured with author permissions; cannot perform approvals or merges.
- `gitea-reviewer`: Exposes tools configured with reviewer permissions; used for PR reviews and merges.
This layout maintains physical separation of credentials and prevents privilege escalation within a single session.
This is the model accepted in #139; deployment details, rationale, and client
setup live in
[`gitea-dual-namespace-deployment.md`](gitea-dual-namespace-deployment.md).
### 3. Verification Post-Switching
When dynamic profile switching is enabled and a profile is activated via `gitea_activate_profile`, the session MUST immediately: