Add authenticated-user identity lookup to Gitea MCP #11

Closed
opened 2026-07-01 11:15:45 -05:00 by jcwalker3 · 0 comments
Parent

Roadmap #10 — Task-scoped MCP execution profiles for LLM-operated Gitea workflows

Problem

The Gitea MCP tool can inspect repository and PR state, but current workflows cannot safely prove which Gitea account the MCP server is authenticated as.

This blocks safe review and merge automation because Gitea rejects self-review/self-merge when the authenticated user is also the PR author.

Scope

Add a read-only authenticated-user lookup tool, such as:

  • whoami
  • getAuthenticatedUser
  • getCurrentUser

The tool should return safe identity metadata:

  • username/login
  • display name, if available
  • user id, if available
  • server/base URL
  • active profile name, if profile support exists
  • email only if already exposed safely by Gitea API/config

Acceptance criteria

  • Gitea MCP exposes a read-only authenticated-user lookup.
  • The tool performs no mutations.
  • The tool never exposes tokens, authorization headers, or secrets.
  • Output redacts sensitive values.
  • Review/merge workflows can compare authenticated username against PR author username.
  • If identity cannot be determined, workflows fail closed.
  • Existing Gitea MCP behavior is not broken.
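
The lookup described in Scope and the checks in the acceptance criteria, as an added example that is not the project's own code: it calls Gitea's real `GET /api/v1/user` endpoint with the standard `Authorization: token ...` header, passes through only whitelisted identity fields, and fails closed on the self-review comparison. The function names, the `urlopen` injection point (so the fetch can be exercised offline) and the sample values are assumptions.

```python
"""Read-only whoami for a Gitea MCP server (added example, hypothetical API)."""
import json
import urllib.request

# Only these keys from Gitea's /api/v1/user response are passed through, under
# the output names on the right. Anything not listed (tokens, headers, unknown
# keys) is dropped rather than redacted in place, so it can never leak.
SAFE_FIELDS = {"login": "username", "full_name": "display_name", "id": "user_id"}


def fetch_authenticated_user(base_url, token, urlopen=urllib.request.urlopen):
    """GET /api/v1/user; the token is used here and never returned to callers."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v1/user",
        headers={"Authorization": "token " + token, "Accept": "application/json"},
    )
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)


def build_identity(user, base_url, profile=None, expose_email=False):
    """Whitelist identity metadata; email only when config explicitly opts in."""
    identity = {"server_url": base_url, "profile": profile}
    for src, dst in SAFE_FIELDS.items():
        identity[dst] = user.get(src)
    if expose_email and user.get("email"):
        identity["email"] = user["email"]
    return identity


def may_review(identity, pr_author):
    """Fail closed: allow review/merge only when the authenticated username is
    known and differs from the PR author (Gitea rejects self-review/self-merge)."""
    me = identity.get("username")
    if not me or not pr_author:
        return False
    return me.casefold() != pr_author.casefold()
```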

Non-goals

  • Do not implement merge workflow changes yet.
  • Do not add Jenkins/Ops/deploy behavior.
  • Do not add production behavior.

Proposed labels

mcp · gitea · identity · security · read-only

jcwalker3 added the mcp, security, gitea, read-only labels 2026-07-01 11:28:14 -05:00
Reference: Scaled-Tech-Consulting/Gitea-Tools#11