fix: redact Gitea web links from PR/issue MCP tool output (#125) #133

Merged
sysadmin merged 2 commits from feat/issue-125-pr-url-redaction into master 2026-07-04 16:44:24 -05:00
Owner

Summary

Implements #125: url/web-link fields are omitted from normal LLM-facing output of the PR/issue tools, closing the leak found in the 2026-07-03 MCP connectivity proof and making behavior match the redaction rules already stated by the operator guide (hide_service_urls_from_llm, #120 pattern).

Changes

  • New helper _with_optional_url(result, url): attaches the web link only when GITEA_MCP_REVEAL_ENDPOINTS=1 is set.
  • Covered tools (audit-and-cover per issue scope): gitea_list_prs, gitea_view_pr, gitea_create_issue, gitea_create_pr, gitea_edit_pr, gitea_view_issue. Docstrings updated.
  • Output shaping only — no API call, gate, permission list, or profile-resolution path touched. All LLM-useful fields preserved (number/title/state/head/base/mergeable/body/user/labels/assignee/cleanup_status).
  • Pre-existing reveal gates (#120 whoami/profile/audit, #126 issue comments, #128/#131 guide/runtime tools) unchanged and consistent.

Tests

Paired tests per affected tool: default path asserts no url key (clean env), reveal path asserts the link returns under GITEA_MCP_REVEAL_ENDPOINTS=1.

Full suite: 513 passed, 6 skipped. py_compile clean; git diff --check clean; secret/provenance sweep clean.

Subagent review

Independent read-only code-review subagent ran before this PR opened. Verdict: NO BLOCKERS. It confirmed: #125 scope fully satisfied; redaction complete for both gitea_list_prs and gitea_view_pr; reveal opt-in works everywhere touched; whole-file leak sweep found no remaining URL/keychain/token sinks in normal output (gitea_get_file/gitea_commit_files/gitea_merge_pr extract only safe fields); both-path test coverage present per tool; no gate weakened; no doc updates required (the change makes the #128 guide's stated redaction claims true); no over-redaction of safe metadata. Its one LOW note (document the helper's in-place mutation contract) is addressed in the follow-up commit.

Closes #125

## Summary Implements #125: `url`/web-link fields are omitted from normal LLM-facing output of the PR/issue tools, closing the leak found in the 2026-07-03 MCP connectivity proof and making behavior match the redaction rules already stated by the operator guide (`hide_service_urls_from_llm`, #120 pattern). ## Changes - New helper `_with_optional_url(result, url)`: attaches the web link only when `GITEA_MCP_REVEAL_ENDPOINTS=1` is set. - Covered tools (audit-and-cover per issue scope): `gitea_list_prs`, `gitea_view_pr`, `gitea_create_issue`, `gitea_create_pr`, `gitea_edit_pr`, `gitea_view_issue`. Docstrings updated. - Output shaping only — no API call, gate, permission list, or profile-resolution path touched. All LLM-useful fields preserved (number/title/state/head/base/mergeable/body/user/labels/assignee/cleanup_status). - Pre-existing reveal gates (#120 whoami/profile/audit, #126 issue comments, #128/#131 guide/runtime tools) unchanged and consistent. ## Tests Paired tests per affected tool: default path asserts no `url` key (clean env), reveal path asserts the link returns under `GITEA_MCP_REVEAL_ENDPOINTS=1`. Full suite: **513 passed, 6 skipped**. `py_compile` clean; `git diff --check` clean; secret/provenance sweep clean. ## Subagent review Independent read-only code-review subagent ran before this PR opened. Verdict: **NO BLOCKERS.** It confirmed: #125 scope fully satisfied; redaction complete for both `gitea_list_prs` and `gitea_view_pr`; reveal opt-in works everywhere touched; whole-file leak sweep found no remaining URL/keychain/token sinks in normal output (`gitea_get_file`/`gitea_commit_files`/`gitea_merge_pr` extract only safe fields); both-path test coverage present per tool; no gate weakened; no doc updates required (the change makes the #128 guide's stated redaction claims true); no over-redaction of safe metadata. Its one LOW note (document the helper's in-place mutation contract) is addressed in the follow-up commit. Closes #125
jcwalker3 added 2 commits 2026-07-04 16:07:06 -05:00
Subagent review (read-only) found no blockers; this addresses its one
LOW note by documenting that the helper mutates the passed dict and
must receive a freshly-built one.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
sysadmin reviewed 2026-07-04 16:10:52 -05:00
sysadmin left a comment
Owner

Independent reviewer validation passed for PR #133 at pinned head c349b98206.

Reviewed scope is limited to mcp_server.py and tests/test_mcp_server.py. The implementation removes default web-link output from PR/issue tool responses, preserves GITEA_MCP_REVEAL_ENDPOINTS=1 reveal behavior, keeps useful safe metadata, and does not alter author/reviewer/merge/profile gates.

Validation run in a clean detached review worktree:

  • Targeted PR URL redaction tests: passed, 15 tests
  • Full test suite: passed, 513 passed, 6 skipped
  • py_compile for changed Python files: passed
  • git diff --check against master: passed
  • Secret/provenance sweep of Git diff: clean

Verdict: APPROVE.

Independent reviewer validation passed for PR #133 at pinned head c349b98206c017b79620c544d218e97a1af80e7b. Reviewed scope is limited to mcp_server.py and tests/test_mcp_server.py. The implementation removes default web-link output from PR/issue tool responses, preserves GITEA_MCP_REVEAL_ENDPOINTS=1 reveal behavior, keeps useful safe metadata, and does not alter author/reviewer/merge/profile gates. Validation run in a clean detached review worktree: - Targeted PR URL redaction tests: passed, 15 tests - Full test suite: passed, 513 passed, 6 skipped - py_compile for changed Python files: passed - git diff --check against master: passed - Secret/provenance sweep of Git diff: clean Verdict: APPROVE.
sysadmin reviewed 2026-07-04 16:42:13 -05:00
sysadmin left a comment
Owner

Redaction behavior verified. Paired unit tests run and pass. File scope is correct. Approved.

Redaction behavior verified. Paired unit tests run and pass. File scope is correct. Approved.
sysadmin merged commit cd1d8d71a2 into master 2026-07-04 16:44:24 -05:00
Sign in to join this conversation.