feat: block direct MCP imports and unsanctioned keychain access (Closes #558)

Require a sanctioned MCP daemon (or pytest) before get_auth_header and
keychain credential fill so raw shell imports cannot bypass preflight gates.
This commit is contained in:
2026-07-08 22:49:03 -04:00
parent 9a2e585a9e
commit 8ff1924047
7 changed files with 209 additions and 0 deletions
+8
View File
@@ -408,6 +408,14 @@ The guard blocks when the **control checkout** (repository root) is:
`branches/...` directories are disposable role worktrees; the root checkout is
the stable orchestration surface only.
## No direct-import mutation path (#558)
Never `import gitea_mcp_server` or call `gitea_auth.get_auth_header` /
keychain fill from a raw shell to bypass MCP preflight.
Use the official MCP daemon only. See [`docs/mcp-daemon-import-guard.md`](mcp-daemon-import-guard.md).
## Shell Spawn Hard-Stop Rule
Symptom: a shell tool call returns `exit_code: -1` with empty stdout/stderr.