Require a sanctioned MCP daemon (or pytest) before get_auth_header and keychain credential fill so raw shell imports cannot bypass preflight gates.
24 lines
834 B
Markdown
24 lines
834 B
Markdown
# MCP daemon import and keychain guard (#558)
|
|
|
|
## Problem
|
|
|
|
During deadlock debugging, agents imported `gitea_mcp_server` / ran credential
|
|
helpers from a raw shell, bypassing preflight purity and role gates.
|
|
|
|
## Rule
|
|
|
|
Mutation auth and keychain fill require a **sanctioned MCP daemon** process.
|
|
|
|
| Context | Allowed |
|
|
|---------|---------|
|
|
| Official MCP entrypoint (`mcp_server.py` / `gitea_mcp_server` `__main__`) sets `GITEA_MCP_SANCTIONED_DAEMON=1` | yes |
|
|
| pytest | yes |
|
|
| `GITEA_ALLOW_DIRECT_MCP_IMPORT=1` (operator/tests only) | yes |
|
|
| bare `python -c 'import gitea_auth; get_auth_header(...)'` | **no** |
|
|
| keychain fill without daemon | **no** unless `GITEA_ALLOW_KEYCHAIN_CLI=1` |
|
|
|
|
## Operator note
|
|
|
|
LLM sessions must never set the allow-direct-import or allow-keychain-cli
|
|
overrides. Those are human-only escape hatches.
|