Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

Add OAuth2/OIDC per-user Gitea authentication
Some checks failed
docker / lint (push) Has been cancelled
Details
docker / test (push) Has been cancelled
Details
docker / docker-build (push) Has been cancelled
Details
lint / lint (push) Has been cancelled
Details
test / test (push) Has been cancelled
Details

Browse Source 
Introduce a GiteaOAuthValidator for JWT and userinfo validation and
fallbacks, add /oauth/token proxy, and thread per-user tokens through
the
request context and automation paths. Update config and .env.example for
OAuth-first mode, add OpenAPI, extensive unit/integration tests,
GitHub/Gitea CI workflows, docs, and lint/test enforcement (>=80% cov).
This commit is contained in:
Latte
2026-02-25 16:54:01 +01:00
parent a00b6a0ba2
commit 59e1ea53a8
31 changed files with 2575 additions and 660 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
docs/deployment.md
View File

@@ -2,26 +2,29 @@
## Secure Defaults
- Default bind: `MCP_HOST=127.0.0.1`.
- Binding `0.0.0.0` requires explicit `ALLOW_INSECURE_BIND=true`.
- Default bind is `127.0.0.1`.
- Binding `0.0.0.0` requires `ALLOW_INSECURE_BIND=true`.
- Write mode disabled by default.
- Policy file path configurable via `POLICY_FILE_PATH`.
- Policy checks run before tool execution.
- OAuth-protected MCP challenge responses are enabled by default for tool calls.
## Local Development
```bash
make install-dev
cp .env.example .env
make generate-key
make run
```
## Docker
- Use `docker/Dockerfile` (non-root runtime).
- Use compose profiles:
- `prod`: hardened runtime profile.
- `dev`: local development profile (localhost-only port bind).
Use `docker/Dockerfile`:
- Multi-stage image build.
- Non-root runtime user.
- Production env flags (`NODE_ENV=production`, `ENVIRONMENT=production`).
- Only required app files copied.
- Healthcheck on `/health`.
Run examples:
@@ -30,17 +33,18 @@ docker compose --profile prod up -d
docker compose --profile dev up -d
```
## Environment Validation
## CI/CD (Gitea Workflows)
Startup validates:
- Required Gitea settings.
- API keys (when auth enabled).
- Insecure bind opt-in.
- Write whitelist when write mode enabled (unless `WRITE_ALLOW_ALL_TOKEN_REPOS=true`).
Workflows live in `.gitea/workflows/`:
- `lint.yml`: ruff + format checks + mypy.
- `test.yml`: lint + tests + coverage fail-under `80`.
- `docker.yml`: gated Docker build (depends on lint+test), SHA tag, `latest` on `main`.
## Production Recommendations
- Run behind TLS-terminating reverse proxy.
- Restrict network exposure.
- Persist and rotate audit logs.
- Enable external monitoring for `/metrics`.
- Place MCP behind TLS reverse proxy.
- Restrict inbound traffic to expected clients.
- Persist and monitor audit logs.
- Monitor `/metrics` and auth-failure events.
- Rotate OAuth client credentials when required.