Require a sanctioned MCP daemon (or pytest) before get_auth_header and keychain credential fill so raw shell imports cannot bypass preflight gates.
834 B
834 B
MCP daemon import and keychain guard (#558)
Problem
During deadlock debugging, agents imported gitea_mcp_server / ran credential
helpers from a raw shell, bypassing preflight purity and role gates.
Rule
Mutation auth and keychain fill require a sanctioned MCP daemon process.
| Context | Allowed |
|---|---|
Official MCP entrypoint (mcp_server.py / gitea_mcp_server __main__) sets GITEA_MCP_SANCTIONED_DAEMON=1 |
yes |
| pytest | yes |
GITEA_ALLOW_DIRECT_MCP_IMPORT=1 (operator/tests only) |
yes |
bare python -c 'import gitea_auth; get_auth_header(...)' |
no |
| keychain fill without daemon | no unless GITEA_ALLOW_KEYCHAIN_CLI=1 |
Operator note
LLM sessions must never set the allow-direct-import or allow-keychain-cli overrides. Those are human-only escape hatches.