feat: add read-only gitea_whoami authenticated-user lookup (#11) #20

Merged
sysadmin merged 1 commit from feature/11-gitea-authenticated-user-lookup into master 2026-07-01 12:00:18 -05:00
Owner

Closes #11
Roadmap parent: #10

What

Adds a read-only MCP tool gitea_whoami that calls Gitea's authenticated-user endpoint (GET /api/v1/user) with the configured token and returns safe identity metadata only:

  • username (login)
  • display_name (full name, if available)
  • user_id
  • email (only as already exposed by the Gitea API for the authenticated user)
  • server (base URL)
  • remote

Why

This is the blocker discovered during PR #8 dogfooding: review/merge workflows could inspect Gitea state but could not prove which account the MCP server is authenticated as, so self-review/self-merge could not be safely detected. gitea_whoami provides that identity so future eligibility checks (#14) can compare authenticated user vs PR author.

Safety

  • No secrets exposed — never returns the token, Authorization header, password, or raw env/credential material. The auth header is used only to make the request.
  • Fails closed — raises a clear error if the identity cannot be determined (missing credentials or no login in the response).
  • Read-only — a single GET /api/v1/user; no mutation.
  • No review/approve/merge behavior added. No profile switching added.
  • No Jenkins/Ops/GlitchTip/Release/deploy/production behavior.

Scope

Three files, additions only (+96):

  • mcp_server.py — new gitea_whoami tool
  • tests/test_mcp_server.py — 4 new tests
  • README.md — one tool-table row

Validation

  • pytest tests/test_mcp_server.py → 30 passed (incl. 4 new: identity mapping, secret-redaction assertion, fail-closed on missing login, unknown-remote rejection).
  • ast.parse compile check on mcp_server.py → OK.
  • Diff scan: no token/header values returned; only the auth variable passed into the API call.
  • Confirmed no unrelated files changed (.codex/ and prior WIP left untracked/stashed, not included).

Scoped to #11 only. Does not touch #12–#19. Do not merge — awaiting independent review.

jcwalker3 added 1 commit 2026-07-01 11:43:00 -05:00
Add a read-only MCP tool that calls Gitea's authenticated-user
endpoint (GET /api/v1/user) and returns safe identity metadata only:
username, display name, user id, email, server, and remote.

This lets future review/merge workflows prove which Gitea account the
MCP server is authenticated as, so self-review/self-merge can be
detected before acting — the blocker discovered during PR #8 dogfooding.

- Never returns the token, Authorization header, password, or secrets.
- Fails closed with a clear error if identity cannot be determined.
- No mutation; no profile switching; no review/approve/merge behavior.

Tests: identity mapping, secret-redaction, fail-closed, unknown-remote.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Author
Owner

Independent review for issue #11 is held due to reviewer eligibility.

Validation performed:

  • PR #20 is open and targets master.
  • Authenticated Gitea account is jcwalker3, which matches the PR author, so I cannot approve this PR from this account.
  • Head reviewed: 03e28c1.
  • Changed files verified exactly: mcp_server.py, tests/test_mcp_server.py, README.md.
  • git diff --check prgs/master...prgs/feature/11-gitea-authenticated-user-lookup passed.
  • pytest tests/test_mcp_server.py passed: 30 passed.
  • python3 -m py_compile mcp_server.py tests/test_mcp_server.py passed.

Manual review notes:

  • gitea_whoami is read-only and uses GET /api/v1/user.
  • No create/update/delete/approve/merge/label/deploy/trigger/restart mutation was added by this PR.
  • Returned fields are limited to authenticated identity metadata; token, authorization header, password, raw environment values, and credential file paths are not returned.
  • Missing login and unknown remote paths fail closed.
  • Tests cover successful identity mapping, secret/header redaction, fail-closed missing login, and unknown remote handling.
  • No unrelated #12-#19 work, profile switching, PR review/merge workflow, Jenkins/Ops/GlitchTip/Release/deploy/rollback/migration/restart/production behavior found.

Blocker: reviewer is ineligible from the current authenticated Gitea account (jcwalker3). A different reviewer account is required to approve.

sysadmin merged commit 89fe118279 into master 2026-07-01 12:00:18 -05:00
sysadmin deleted branch feature/11-gitea-authenticated-user-lookup 2026-07-01 12:00:18 -05:00
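The identity mapping and the self-review check discussed in this thread, as an added example (not the code merged in this PR): it maps a `GET /api/v1/user` response body to the six fields through an allow-list, fails closed when `login` is missing, and compares the result with a PR author. The function names, the sample body and the token value are hypothetical and constructed for illustration.

```python
# Added illustration; not the PR's mcp_server.py. All names here are hypothetical.
import json

class IdentityError(RuntimeError):
    """Raised when the authenticated identity cannot be determined."""

def identity_from_user_response(payload, server, remote):
    """Map the JSON body of GET /api/v1/user to the six safe fields."""
    if not isinstance(payload, dict):
        raise IdentityError("unexpected response shape from /api/v1/user")
    login = payload.get("login")
    if not isinstance(login, str) or not login.strip():
        raise IdentityError("no login in response; identity undetermined")
    # Allow-list: name each returned field; never copy the payload wholesale.
    return {
        "username": login.strip(),
        "display_name": payload.get("full_name") or None,
        "user_id": payload.get("id"),
        "email": payload.get("email") or None,
        "server": server,
        "remote": remote,
    }

def leaks_secret(identity, token):
    """True if the token value appears anywhere in the serialized result."""
    return token in json.dumps(identity)

def may_review(identity, pr_author):
    """Self-review guard: eligible only if both names are known and differ."""
    me = (identity or {}).get("username")
    if not me or not pr_author:
        return False  # fail closed on an unknown identity or author
    # Case-insensitive comparison is a conservative assumption of this sketch.
    return me.casefold() != pr_author.casefold()

# Constructed sample input: a response body with one unexpected extra field.
SAMPLE_TOKEN = "constructed-token-0000"
SAMPLE_BODY = {"id": 7, "login": "alice", "full_name": "",
               "email": "alice@example.invalid", "unexpected": SAMPLE_TOKEN}

if __name__ == "__main__":
    ident = identity_from_user_response(
        SAMPLE_BODY, "https://gitea.example.invalid", "origin")
    print(ident, leaks_secret(ident, SAMPLE_TOKEN))
    print(may_review(ident, "alice"), may_review(ident, "bob"))
```
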