feat: block direct MCP imports and unsanctioned keychain access (Closes #558)

Require a sanctioned MCP daemon (or pytest) before get_auth_header and
keychain credential fill so raw shell imports cannot bypass preflight gates.
This commit is contained in:
2026-07-08 22:49:03 -04:00
parent 9a2e585a9e
commit 8ff1924047
7 changed files with 209 additions and 0 deletions
+11
View File
@@ -37,6 +37,17 @@ def check_conflict_markers():
check_conflict_markers()
# #558: official entrypoint marks the process as the sanctioned MCP daemon
# before loading mutation modules (blocks raw shell import bypasses).
try:
import mcp_daemon_guard
mcp_daemon_guard.mark_sanctioned_daemon()
except Exception:
# Guard import failures must not hide conflict-marker infra_stop above;
# gitea_mcp_server main also marks sanctioned when run as __main__.
pass
# Execute the actual server logic via exec in this namespace.
impl_path = os.path.join(os.path.dirname(os.path.abspath(__file__)), "gitea_mcp_server.py")
try: