Files
Gitea-Tools/docs/safety-model.md
T
sysadminandClaude Opus 4.8 2f4672218c docs: forbid improvised commit fallbacks when MCP commit exists (#260)
Document MCP-native gitea_commit_files as the only approved commit path when
gitea.repo.commit is allowed; ban WebFetch, Playwright, and manual base64
workarounds in runbooks and safety model. Add doc tests.

Closes #260.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
2026-07-06 14:44:41 -04:00

49 lines
2.8 KiB
Markdown

# MCP Safety Model
This document outlines the safety requirements for all tools within the MCP monorepo.
## 1. Audit Logging and Confirmation
All mutating actions (e.g., triggering builds, creating resources, updating environments) must be recorded in an audit log. These actions require explicit confirmation from the user before execution to prevent accidental state changes.
## 2. Production Environment Safety
Any action that targets a production environment must have a hard confirmation gate. Production actions must never run based on vague or ambiguous prompts. The user must provide explicit, unambiguous consent to proceed with a production deployment or modification.
## 3. Secret Redaction
To maintain a secure environment, all secrets, tokens, passwords, and sensitive keys must be strictly redacted from:
- System and application logs
- Tool return values/outputs
- Any form of persistent storage or console output
## 4. Read-Only First Policy
By default, MCP servers (such as `jenkins-mcp` and `ops-mcp`) operate in a **read-only** mode. Mutation capabilities are deny-by-default and fail-closed.
Note on naming: Historical design docs used `jenkins-readonly` / `glitchtip-readonly` skill names. Actual server packages are `jenkins-mcp` / `glitchtip-mcp` (registered via entry points in mcp-control-plane). See Gitea-Tools skills and mcp-control-plane #55 for registration.
## 5. Mutation Gating
Any mutating action (e.g., Gitea issue creation from GlitchTip, or Jenkins builds) must be explicitly allowed by the execution profile.
- **Jenkins build triggers** are gated on a separate write boundary
(`jenkins-write-mcp` / `jenkins_mcp.write_server`), not on the read-only
`jenkins-mcp` surface. Triggers require a dedicated profile with
`jenkins.build.trigger`, exact confirmation, and fail-closed mutation audit.
No default profile carries trigger capability (#152 / mcp-control-plane #56).
- **GlitchTip to Gitea issue filing** is a library-only orchestrator in
mcp-control-plane (not on `glitchtip-mcp`). See #153 / mcp-control-plane #57.
## 6. Agent Commit Path (no improvised fallbacks)
When an author execution profile allows **`gitea.repo.commit`** and the
**`gitea_commit_files`** tool is visible, agents must use that MCP path for
repository commits. Fail closed instead of improvising alternate transports.
Forbidden when MCP commit is available:
- WebFetch or other HTTP calls to external base64/decode services
- Playwright or browser automation used to work around MCP commit
- Manual LLM-generated base64 embedded in throwaway scripts as the primary
commit transport
If shell helpers are unavailable and MCP commit cannot run, stop with a recovery
report (restart session, clear hung terminals, use MCP-native commit). See
[`llm-workflow-runbooks.md`](llm-workflow-runbooks.md) § MCP-native commit path
(#260) and agent temp artifact cleanup (#261).