feat: load profiles.json v2 contexts shape with enabled enforcement and LLM-safe output (#120)
Support the canonical contexts-shape version 2 config (contexts / profiles / projects / rules) alongside the existing environments shape and v1: - Require a boolean 'enabled' on every context, profile, service, and project. Disabled entries are surfaced in audits but fail closed at selection/resolution — never a silent fallback to another profile, service, or credential source. - Resolve the active identity from GITEA_MCP_PROFILE via the existing select_profile path; profile base_url falls back to the context's enabled gitea block. - Add resolve_service() and project_for_path() for context service and project-to-context resolution (internal use; fail closed on disabled). - get_auth_header now propagates ConfigError when GITEA_MCP_CONFIG is set instead of silently degrading to Basic auth. - Hide endpoint URLs and keychain ids from normal LLM-facing output: gitea_whoami / gitea_get_profile report logical names and auth status only; new gitea_audit_config tool reports enabled/disabled state and safe one-line service summaries. The GITEA_MCP_REVEAL_ENDPOINTS opt-in (and 'python3 gitea_config.py audit --reveal-endpoints' locally) restores endpoints and auth source names for admin diagnostics; token values are never printed on any path. - Ship gitea-mcp.v2-contexts.example.json (synthetic values) and validate it in tests. Implements #120 Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
+7
-3
@@ -123,13 +123,17 @@ def get_auth_header(host):
|
||||
token = os.environ.get("GITEA_TOKEN")
|
||||
|
||||
# 3. Fall back to a JSON runtime-profile token reference (token_env).
|
||||
# Explicit env tokens above take precedence. A broken config never breaks
|
||||
# auth here — it fails closed to "no token"; the clear error surfaces via
|
||||
# get_profile() / startup instead.
|
||||
# Explicit env tokens above take precedence. When GITEA_MCP_CONFIG is
|
||||
# configured, a broken config or unresolvable profile/credential fails
|
||||
# closed here (no silent fallback to Basic auth or another source,
|
||||
# #120). Without a configured JSON layer, env-only behaviour is
|
||||
# unchanged.
|
||||
if not token:
|
||||
try:
|
||||
token = gitea_config.resolve_token(gitea_config.resolve_profile())
|
||||
except gitea_config.ConfigError:
|
||||
if gitea_config.config_path():
|
||||
raise
|
||||
token = None
|
||||
|
||||
if token:
|
||||
|
||||
Reference in New Issue
Block a user