feat: add read-only gitea_get_profile discovery tool (#13)

Add a read-only MCP tool that reports the active runtime execution
profile so an LLM can inspect what the current process is configured to
do before deciding whether to attempt an action later.

- gitea_get_profile: returns profile_name, allowed/forbidden operation
  categories, audit_label, token_source_name (a NAME, never a value),
  base_url, remote, resolved server, and — optionally — the verified
  authenticated username. Identity resolution fails soft and marks
  identity_status (verified/unknown/unavailable/not_resolved); the
  profile config is always returned. Never mutates Gitea.
- gitea_auth.get_profile(): extended with forbidden_operations,
  audit_label, token_source_name from env (non-secret metadata).
- .env.example / README: document the new optional metadata vars and
  the discovery tool.
- tests: metadata parsing, verified/unavailable/unknown identity paths,
  skip-identity, and secret-redaction.

Read-only. No token exposure. No multi-token switching. No PR
eligibility, review, or merge workflow. No Jenkins/Ops/GlitchTip/
Release/deploy behavior.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
2026-07-01 13:41:14 -04:00
parent 769bec05e7
commit 38c96d5815
5 changed files with 195 additions and 8 deletions
+11
View File
@@ -22,3 +22,14 @@ GITEA_PROFILE_NAME=gitea-reviewer
# Optional, comma-separated operation categories this profile is intended for
# (descriptive only in this issue; enforcement is a later roadmap item).
GITEA_ALLOWED_OPERATIONS=read,review,approve
# Optional, comma-separated operation categories this profile must NOT perform
# (descriptive metadata; surfaced by gitea_get_profile).
GITEA_FORBIDDEN_OPERATIONS=merge,branch.push
# Optional short label attached to this runtime for audit purposes.
GITEA_AUDIT_LABEL=reviewer-runtime
# Optional NAME of the token's source (e.g. an env var name). This is a name
# only — never the token value. Surfaced by gitea_get_profile.
GITEA_TOKEN_SOURCE=GITEA_TOKEN