add readme.md
This commit is contained in:
85
README.md
Normal file
85
README.md
Normal file
@@ -0,0 +1,85 @@
|
||||
# AegisGitea-MCP
|
||||
|
||||
Security-first, policy-driven MCP gateway for Gitea.
|
||||
|
||||
AegisGitea-MCP exposes controlled read and optional write capabilities to AI agents through MCP-compatible endpoints, with strict validation, policy enforcement, tamper-evident audit logging, and secure-by-default runtime controls.
|
||||
|
||||
## Highlights
|
||||
|
||||
- Security-first defaults (localhost bind, write mode disabled, no stack traces in production errors).
|
||||
- YAML policy engine with global/per-repository tool allow/deny and optional path restrictions.
|
||||
- Expanded read tools for repositories, commits, diffs, issues, PRs, labels, tags, and releases.
|
||||
- Strict write mode (opt-in + repository whitelist + policy enforcement).
|
||||
- Tamper-evident audit logging with hash-chain integrity validation.
|
||||
- Secret detection/sanitization for outbound payloads.
|
||||
- Structured JSON logging + Prometheus metrics.
|
||||
- Hardened Docker runtime (non-root, no-new-privileges, capability drop, read-only where practical).
|
||||
|
||||
## Quick Start
|
||||
|
||||
### 1. Install dependencies
|
||||
|
||||
```bash
|
||||
make install-dev
|
||||
```
|
||||
|
||||
### 2. Configure environment
|
||||
|
||||
```bash
|
||||
cp .env.example .env
|
||||
```
|
||||
|
||||
Set at minimum:
|
||||
- `GITEA_URL`
|
||||
- `GITEA_TOKEN`
|
||||
- `MCP_API_KEYS`
|
||||
|
||||
### 3. Run locally
|
||||
|
||||
```bash
|
||||
make run
|
||||
```
|
||||
|
||||
Server defaults to `127.0.0.1:8080`.
|
||||
|
||||
## Core Commands
|
||||
|
||||
- `make test`: run pytest with coverage.
|
||||
- `make lint`: run Ruff + mypy.
|
||||
- `make format`: run Black + Ruff autofix.
|
||||
- `make docker-up`: start hardened prod-profile container.
|
||||
- `make docker-down`: stop containers.
|
||||
- `make validate-audit`: validate audit hash chain integrity.
|
||||
|
||||
## Security Model
|
||||
|
||||
- Authentication: API keys (`Authorization: Bearer <key>`).
|
||||
- Authorization: policy engine (`policy.yaml`) evaluated before tool execution.
|
||||
- Rate limiting: per-IP and per-token.
|
||||
- Output controls: bounded response size and optional secret masking/blocking.
|
||||
- Write controls: `WRITE_MODE=false` by default, repository whitelist required when enabled.
|
||||
|
||||
## Documentation
|
||||
|
||||
All detailed docs are under `docs/`:
|
||||
|
||||
- `docs/api-reference.md`
|
||||
- `docs/policy.md`
|
||||
- `docs/security.md`
|
||||
- `docs/audit.md`
|
||||
- `docs/write-mode.md`
|
||||
- `docs/deployment.md`
|
||||
- `docs/observability.md`
|
||||
- `docs/automation.md`
|
||||
- `docs/governance.md`
|
||||
- `docs/roadmap.md`
|
||||
- `docs/todo.md`
|
||||
|
||||
## Conduct and Governance
|
||||
|
||||
- Contributor/maintainer conduct: `CODE_OF_CONDUCT.md`
|
||||
- AI agent behavioral contract: `AGENTS.md`
|
||||
|
||||
## License
|
||||
|
||||
MIT (see `LICENSE`).
|
||||
Reference in New Issue
Block a user