# MCP daemon import and keychain guard (#558) ## Problem During deadlock debugging, agents imported `gitea_mcp_server` / ran credential helpers from a raw shell, bypassing preflight purity and role gates. ## Rule Mutation auth and keychain fill require a **sanctioned MCP daemon** process. | Context | Allowed | |---------|---------| | Official MCP entrypoint (`mcp_server.py` / `gitea_mcp_server` `__main__`) sets `GITEA_MCP_SANCTIONED_DAEMON=1` | yes | | pytest | yes | | `GITEA_ALLOW_DIRECT_MCP_IMPORT=1` (operator/tests only) | yes | | bare `python -c 'import gitea_auth; get_auth_header(...)'` | **no** | | keychain fill without daemon | **no** unless `GITEA_ALLOW_KEYCHAIN_CLI=1` | ## Operator note LLM sessions must never set the allow-direct-import or allow-keychain-cli overrides. Those are human-only escape hatches.