feat: block direct MCP imports and unsanctioned keychain access (Closes #558) #566

Merged
sysadmin merged 2 commits from feat/issue-558-block-direct-imports into master 2026-07-09 08:08:43 -05:00
Owner

Summary

Closes #558.

Blocks mutation auth and keychain credential fill outside the official MCP daemon so agents cannot bypass preflight via raw import gitea_auth / shell keychain dumps.

Changes

  • mcp_daemon_guard.py — sanctioned runtime detection (GITEA_MCP_SANCTIONED_DAEMON, pytest, operator opt-in)
  • gitea_auth.get_auth_header requires sanctioned runtime
  • keychain git credential fill path requires daemon or GITEA_ALLOW_KEYCHAIN_CLI=1
  • Official entrypoints (mcp_server.py, gitea_mcp_server __main__) mark the process sanctioned
  • Docs + tests

Worktree

branches/feat-issue-558-block-direct-imports @ 8ff1924 only.

Tests

pytest tests/test_mcp_daemon_guard.py -q
# 5 passed

Self-review: no.

## Summary Closes #558. Blocks mutation auth and keychain credential fill outside the official MCP daemon so agents cannot bypass preflight via raw `import gitea_auth` / shell keychain dumps. ## Changes - `mcp_daemon_guard.py` — sanctioned runtime detection (`GITEA_MCP_SANCTIONED_DAEMON`, pytest, operator opt-in) - `gitea_auth.get_auth_header` requires sanctioned runtime - keychain `git credential fill` path requires daemon or `GITEA_ALLOW_KEYCHAIN_CLI=1` - Official entrypoints (`mcp_server.py`, `gitea_mcp_server` `__main__`) mark the process sanctioned - Docs + tests ## Worktree `branches/feat-issue-558-block-direct-imports` @ `8ff1924` only. ## Tests ``` pytest tests/test_mcp_daemon_guard.py -q # 5 passed ``` Self-review: no.
jcwalker3 added 1 commit 2026-07-08 21:49:22 -05:00
Require a sanctioned MCP daemon (or pytest) before get_auth_header and
keychain credential fill so raw shell imports cannot bypass preflight gates.
jcwalker3 added 1 commit 2026-07-09 07:28:41 -05:00
Owner

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #566
issue: #558
reviewer_identity: sysadmin
profile: prgs-reviewer
session_id: 26681-ebfa77b6f660
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-566-block-direct-imports
phase: claimed
candidate_head: 412f0e0081
target_branch: master
target_branch_sha: 9340dc7009
last_activity: 2026-07-09T13:08:02Z
expires_at: 2026-07-09T15:08:02Z
blocker: none

<!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #566 issue: #558 reviewer_identity: sysadmin profile: prgs-reviewer session_id: 26681-ebfa77b6f660 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-566-block-direct-imports phase: claimed candidate_head: 412f0e0081ac6cdcff416e094ba4854e72c6b95b target_branch: master target_branch_sha: 9340dc7009554f86b6acb8709103ad22f339ff6b last_activity: 2026-07-09T13:08:02Z expires_at: 2026-07-09T15:08:02Z blocker: none
sysadmin approved these changes 2026-07-09 08:08:18 -05:00
sysadmin left a comment
Owner

Review: APPROVE PR #566

Closes #558 — block direct MCP imports and unsanctioned keychain access.

Scope (7 files)

  • mcp_daemon_guard.py — sanctioned runtime detection + fail-closed asserts
  • gitea_auth.get_auth_header requires sanctioned daemon
  • keychain git credential fill requires daemon or GITEA_ALLOW_KEYCHAIN_CLI=1
  • Official entrypoints (mcp_server.py, gitea_mcp_server __main__) mark sanctioned
  • Docs + tests

Validation

  • py_compile + git diff --check clean
  • Focused tests: 5 passed
  • Merge onto current prgs/master (9340dc7): no conflicts; post-sim 5 passed

Assessment

  • Matches #558 acceptance: mutation/auth and keychain fill fail closed outside official daemon/pytest/operator opt-in
  • Operator overrides are explicit env flags (not default for LLM shells)
  • Non-blocking: guard import failure in mcp_server.py is swallowed (documented; __main__ path also marks)

Identity

  • Reviewer: sysadmin / prgs-reviewer
  • Author: jcwalker3 (not self-review)

Canonical PR State

STATE: approved ready-to-merge
WHO_IS_NEXT: merger
NEXT_ACTION: merge PR #566 at the pinned head with expected_changed_files
NEXT_PROMPT:

Merge PR #566 (confirmation MERGE PR 566) at head 412f0e0081ac6cdcff416e094ba4854e72c6b95b using prgs-merger. Files: docs/llm-workflow-runbooks.md, docs/mcp-daemon-import-guard.md, gitea_auth.py, gitea_mcp_server.py, mcp_daemon_guard.py, mcp_server.py, tests/test_mcp_daemon_guard.py. Then continue open PR queue (#565, #486, web UI stack).

WHAT_HAPPENED: Formal review of PR #566 against #558; validation green; merge-sim clean.
WHY: Tight security scope, fail-closed design, tests cover daemon/pytest/opt-in paths.
ISSUE: #558
HEAD_SHA: 412f0e0081
REVIEW_STATUS: approved
MERGE_READY: yes
BLOCKERS: none
VALIDATION: py_compile+diff-check clean; 5 focused tests passed; merge-sim clean on 9340dc7
LAST_UPDATED_BY: sysadmin / prgs-reviewer

## Review: APPROVE PR #566 **Closes #558** — block direct MCP imports and unsanctioned keychain access. ### Scope (7 files) - `mcp_daemon_guard.py` — sanctioned runtime detection + fail-closed asserts - `gitea_auth.get_auth_header` requires sanctioned daemon - keychain `git credential fill` requires daemon or `GITEA_ALLOW_KEYCHAIN_CLI=1` - Official entrypoints (`mcp_server.py`, `gitea_mcp_server` `__main__`) mark sanctioned - Docs + tests ### Validation - py_compile + git diff --check clean - Focused tests: **5 passed** - Merge onto current `prgs/master` (`9340dc7`): **no conflicts**; post-sim **5 passed** ### Assessment - Matches #558 acceptance: mutation/auth and keychain fill fail closed outside official daemon/pytest/operator opt-in - Operator overrides are explicit env flags (not default for LLM shells) - Non-blocking: guard import failure in `mcp_server.py` is swallowed (documented; `__main__` path also marks) ### Identity - Reviewer: sysadmin / prgs-reviewer - Author: jcwalker3 (not self-review) ## Canonical PR State STATE: approved ready-to-merge WHO_IS_NEXT: merger NEXT_ACTION: merge PR #566 at the pinned head with expected_changed_files NEXT_PROMPT: ```text Merge PR #566 (confirmation MERGE PR 566) at head 412f0e0081ac6cdcff416e094ba4854e72c6b95b using prgs-merger. Files: docs/llm-workflow-runbooks.md, docs/mcp-daemon-import-guard.md, gitea_auth.py, gitea_mcp_server.py, mcp_daemon_guard.py, mcp_server.py, tests/test_mcp_daemon_guard.py. Then continue open PR queue (#565, #486, web UI stack). ``` WHAT_HAPPENED: Formal review of PR #566 against #558; validation green; merge-sim clean. WHY: Tight security scope, fail-closed design, tests cover daemon/pytest/opt-in paths. ISSUE: #558 HEAD_SHA: 412f0e0081ac6cdcff416e094ba4854e72c6b95b REVIEW_STATUS: approved MERGE_READY: yes BLOCKERS: none VALIDATION: py_compile+diff-check clean; 5 focused tests passed; merge-sim clean on 9340dc7 LAST_UPDATED_BY: sysadmin / prgs-reviewer
Owner

adopted_at: 2026-07-09T13:08:31Z
adopted_by_identity: sysadmin
adopted_by_profile: prgs-merger
adopted_from_session_id: 26681-ebfa77b6f660
adopted_from_profile: prgs-reviewer
adopted_from_reviewer_identity: sysadmin
adopted_from_comment_id: 7942
adoption_reason: merger-handoff-approved-head

repo: Scaled-Tech-Consulting/Gitea-Tools
pr: #566
issue: #558
reviewer_identity: sysadmin
profile: prgs-merger
session_id: 27153-5851b9362770
worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-566-block-direct-imports
phase: adopted
candidate_head: 412f0e0081
target_branch: master
target_branch_sha: 9340dc7009
last_activity: 2026-07-09T13:08:31Z
expires_at: 2026-07-09T15:08:31Z
blocker: none

<!-- mcp-review-lease-adoption:v1 --> adopted_at: 2026-07-09T13:08:31Z adopted_by_identity: sysadmin adopted_by_profile: prgs-merger adopted_from_session_id: 26681-ebfa77b6f660 adopted_from_profile: prgs-reviewer adopted_from_reviewer_identity: sysadmin adopted_from_comment_id: 7942 adoption_reason: merger-handoff-approved-head <!-- mcp-review-lease:v1 --> repo: Scaled-Tech-Consulting/Gitea-Tools pr: #566 issue: #558 reviewer_identity: sysadmin profile: prgs-merger session_id: 27153-5851b9362770 worktree: /Users/jasonwalker/Development/Gitea-Tools/branches/review-pr-566-block-direct-imports phase: adopted candidate_head: 412f0e0081ac6cdcff416e094ba4854e72c6b95b target_branch: master target_branch_sha: 9340dc7009554f86b6acb8709103ad22f339ff6b last_activity: 2026-07-09T13:08:31Z expires_at: 2026-07-09T15:08:31Z blocker: none
sysadmin merged commit 932b280a27 into master 2026-07-09 08:08:43 -05:00
Sign in to join this conversation.
No Reviewers
No labels
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#566