Files
Gitea-Tools/docs/mcp-daemon-import-guard.md
T
sysadmin 8ff1924047 feat: block direct MCP imports and unsanctioned keychain access (Closes #558)
Require a sanctioned MCP daemon (or pytest) before get_auth_header and
keychain credential fill so raw shell imports cannot bypass preflight gates.
2026-07-08 22:49:03 -04:00

834 B

MCP daemon import and keychain guard (#558)

Problem

During deadlock debugging, agents imported gitea_mcp_server / ran credential helpers from a raw shell, bypassing preflight purity and role gates.

Rule

Mutation auth and keychain fill require a sanctioned MCP daemon process.

Context Allowed
Official MCP entrypoint (mcp_server.py / gitea_mcp_server __main__) sets GITEA_MCP_SANCTIONED_DAEMON=1 yes
pytest yes
GITEA_ALLOW_DIRECT_MCP_IMPORT=1 (operator/tests only) yes
bare python -c 'import gitea_auth; get_auth_header(...)' no
keychain fill without daemon no unless GITEA_ALLOW_KEYCHAIN_CLI=1

Operator note

LLM sessions must never set the allow-direct-import or allow-keychain-cli overrides. Those are human-only escape hatches.