feat: block direct MCP imports and unsanctioned keychain access (Closes #558)

Require a sanctioned MCP daemon (or pytest) before get_auth_header and
keychain credential fill so raw shell imports cannot bypass preflight gates.
This commit is contained in:
2026-07-08 22:49:03 -04:00
parent 9a2e585a9e
commit 8ff1924047
7 changed files with 209 additions and 0 deletions
+5
View File
@@ -9079,6 +9079,11 @@ def gitea_capability_stop_terminal_report() -> dict:
# ── Entry point ───────────────────────────────────────────────────────────────
if __name__ == "__main__":
# #558: mark this process as the official MCP daemon before any tool
# dispatch so direct shell imports cannot reuse mutation/auth paths.
import mcp_daemon_guard
mcp_daemon_guard.mark_sanctioned_daemon()
# Lock this session's launch profile into the environment so child CLI
# processes (e.g. review_pr.py) can detect and refuse profile
# side-channel overrides (#199).