b88ca0c929
Rework the JSON runtime-profile config from the earlier ad-hoc schema (profiles + token_env) to the canonical single-file model in #19, so every LLM launcher can reference one shared Gitea profiles file instead of duplicating GITEA_USER_*/GITEA_PASS_* blocks or embedding tokens.

Canonical schema (gitea_config.py):
- top-level "version" (1) + "profiles" map.
- each profile: base_url, username, default_owner, execution_profile, and a typed auth reference:
  { "type": "keychain", "id": "..." } -> macOS keychain (security(1))
  { "type": "env", "name": "..." } -> named environment variable
- inline "token"/"password" keys are rejected (never accepted or echoed).
- select via GITEA_MCP_CONFIG (path) + GITEA_MCP_PROFILE (name).

gitea_auth integration:
- get_profile() overlays env over the selected profile (env wins; JSON fills the rest); profile_name <- execution_profile; token_source_name <- the non-secret auth reference name (env var name or "keychain:<id>"); now also surfaces username + default_owner.
- get_auth_header() resolves the profile's auth reference (env/keychain) as a token fallback after explicit env tokens; a ConfigError there fails closed.

Security / safety:
- Secrets referenced only (keychain id / env name); token values never stored in or returned as metadata. Errors never print file contents, tokens, or passwords (JSONDecodeError context suppressed).
- Missing file / invalid JSON / unsupported version / unknown-or-unset profile / unresolvable secret reference all raise a clear, safe ConfigError.
- No network calls during config parsing; keychain lookup is on-demand and injectable for tests.
- Backwards compatible: GITEA_MCP_CONFIG unset => legacy env-only mode (existing get_profile/get_auth_header tests unchanged).

Docs: README canonical-profile + thin-launcher (Claude/Gemini/Codex) sections and a migration note away from duplicated GITEA_PASS_* blocks; .env.example and gitea-mcp.example.json updated to the canonical shape (safe placeholders only).

Tests: tests/test_config.py (31 cases) — legacy env-only, JSON selection, multiple profiles, missing/unset profile, invalid JSON, unsupported version, env-override precedence, keychain + env auth-reference parsing and resolution, missing-secret errors, inline token/password redaction, and no-network parse.

Refs #10. Completes the closed #19 (env-based profiles) by adding the canonical shared-file model. Supersedes this PR's earlier simpler JSON schema.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
49 lines
2.3 KiB
Bash
# Gitea MCP runtime profile — EXAMPLE / PLACEHOLDERS ONLY.
#
# Copy to a real, gitignored env file (e.g. .env.reviewer) per runtime profile.
# The same MCP server code is launched as separate MCP entries, each pointed at
# a different env file so each process authenticates as ONE token and carries
# ONE profile name. Do NOT put real tokens in this file.
#
# The token is read only by the auth layer; it is never returned, logged, or
# committed. Profile name and allowed operations are non-secret metadata.

# Base URL of the Gitea instance (informational).
GITEA_BASE_URL=https://gitea.example.invalid

# The API token for THIS runtime profile. Placeholder only — replace in a real,
# gitignored env file. Never commit a real token.
GITEA_TOKEN=replace-with-token

# Human label for the running profile (non-secret metadata).
# Examples: gitea-author, gitea-reviewer, gitea-merger, gitea-issue-manager.
GITEA_PROFILE_NAME=gitea-reviewer

# Optional, comma-separated operation categories this profile is intended for
# (descriptive only in this issue; enforcement is a later roadmap item).
GITEA_ALLOWED_OPERATIONS=read,review,approve

# Optional, comma-separated operation categories this profile must NOT perform
# (descriptive metadata; surfaced by gitea_get_profile).
GITEA_FORBIDDEN_OPERATIONS=merge,branch.push

# Optional short label attached to this runtime for audit purposes.
GITEA_AUDIT_LABEL=reviewer-runtime

# Optional path to an audit log file (#18). When set, each mutating action
# appends one redacted JSON record (profile + authenticated user + outcome).
# Leave unset to disable auditing entirely (no records, no extra API calls).
GITEA_AUDIT_LOG=/path/to/gitea-mcp-audit.log

# Optional NAME of the token's source (e.g. an env var name). This is a name
# only — never the token value. Surfaced by gitea_get_profile.
GITEA_TOKEN_SOURCE=GITEA_TOKEN

# Optional canonical runtime-profile config (#19). Instead of the fields above,
# point every LLM launcher at ONE JSON file of named profiles and select one.
# Secrets are referenced (keychain id / env var name), never inlined. See
# gitea-mcp.example.json. Explicit env vars above still override the selected
# profile's values. Leave unset for pure env-based configuration.
GITEA_MCP_CONFIG=/Users/jasonwalker/.config/gitea-tools/profiles.json
GITEA_MCP_PROFILE=prgs
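The loader behaviour the commit message describes (version check, profile selection via GITEA_MCP_PROFILE, rejection of inline token/password keys, env-over-JSON overlay, non-secret token_source_name, on-demand and injectable secret resolution, fail-closed ConfigError) as an added illustration; this is not the project's gitea_config.py or gitea_auth, and the two-profile config text, the function names and the keychain callable are constructed here for the example.

```python
import json


class ConfigError(Exception):
    """Any config/auth problem. Messages never carry file text or secret values."""

# Constructed sample in the canonical shape: one profile per auth reference type.
SAMPLE_CONFIG = json.dumps({"version": 1, "profiles": {
    "reviewer": {"base_url": "https://gitea.example.invalid", "username": "review-bot",
                 "default_owner": "example-org", "execution_profile": "gitea-reviewer",
                 "auth": {"type": "env", "name": "GITEA_REVIEWER_TOKEN"}},
    "merger": {"base_url": "https://gitea.example.invalid", "username": "merge-bot",
               "default_owner": "example-org", "execution_profile": "gitea-merger",
               "auth": {"type": "keychain", "id": "gitea-merger-token"}}}})


def select_profile(text, name):
    """Parse config text and return the raw selected profile; fails closed on any defect."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        raise ConfigError("config file is not valid JSON") from None  # no offending text
    if data.get("version") != 1:
        raise ConfigError("unsupported config version")
    if not name or name not in data.get("profiles", {}):
        raise ConfigError("GITEA_MCP_PROFILE is unset or names an unknown profile")
    profile = data["profiles"][name]
    if "token" in profile or "password" in profile:
        raise ConfigError("inline token/password keys are rejected")  # value never echoed
    auth = profile.get("auth") or {}
    if auth.get("type") not in ("env", "keychain"):
        raise ConfigError("auth reference must have type 'env' or 'keychain'")
    return profile


def profile_metadata(profile, env):
    """Non-secret metadata only; explicit env vars win, JSON fills the rest."""
    auth = profile["auth"]
    return {
        "base_url": env.get("GITEA_BASE_URL") or profile["base_url"],
        "username": profile["username"],
        "default_owner": profile["default_owner"],
        "profile_name": env.get("GITEA_PROFILE_NAME") or profile["execution_profile"],
        "token_source_name": auth["name"] if auth["type"] == "env" else f"keychain:{auth['id']}",
    }


def resolve_token(profile, env, keychain):
    """Resolve the auth reference on demand; keychain is an injectable id -> value callable."""
    auth = profile["auth"]
    value = env.get(auth["name"]) if auth["type"] == "env" else keychain(auth["id"])
    if not value:  # name/id only in the message, never a value
        raise ConfigError(f"secret reference {auth.get('name') or auth.get('id')!r} is unresolvable")
    return value
```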