From 71c993e4cd385853094aa180eb886cde18db2ccd Mon Sep 17 00:00:00 2001
From: latte
Date: Wed, 4 Mar 2026 17:06:28 +0000
Subject: [PATCH] Use GITEA_TOKEN as service PAT for API calls in OAuth mode
Gitea OIDC access_tokens only carry OIDC scopes and cannot call the Gitea REST API. Fall back to GITEA_TOKEN (service PAT) for actual tool execution when configured, while OIDC still handles user identity.
Co-Authored-By: Claude Sonnet 4.6
---
 src/aegis_gitea_mcp/server.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/aegis_gitea_mcp/server.py b/src/aegis_gitea_mcp/server.py
index 8afba44..29bc139 100644
--- a/src/aegis_gitea_mcp/server.py
+++ b/src/aegis_gitea_mcp/server.py
@@ -830,7 +830,12 @@ async def _execute_tool_call(
 if not user_token:
 raise HTTPException(status_code=401, detail="Missing authenticated user token context")
- async with GiteaClient(token=user_token) as gitea:
+ # In OAuth mode, Gitea OIDC access_tokens can't call the Gitea REST API
+ # (they only carry OIDC scopes). If a service PAT is configured via
+ # GITEA_TOKEN, use that for API calls while OIDC handles identity/authz.
+ api_token = settings.gitea_token.strip() if settings.gitea_token.strip() else user_token
+
+ async with GiteaClient(token=api_token) as gitea:
 result = await handler(gitea, arguments)
 if settings.secret_detection_mode != "off":
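Review bot: The new `api_token` line makes every authenticated caller run its tool call with the service PAT's permissions whenever GITEA_TOKEN is set, so Gitea no longer enforces the individual user's repository access and the server acts as a confused deputy unless it checks per-user authorization itself before `handler(gitea, arguments)`; no such check is visible in this hunk. The PAT should be scoped as narrowly as the tools allow, and the comment should name where the per-user check happens, e.g. `# Service PAT bypasses Gitea's per-user ACLs; access is enforced by <authz check> before this point.` The expression also calls `.strip()` twice and would raise AttributeError if `settings.gitea_token` is None; `api_token = (settings.gitea_token or "").strip() or user_token` gives the same result without that failure mode. `_execute_tool_call` starts and ends outside the hunk, so an authorization step or an explicit OAuth-mode gate may exist elsewhere and should be confirmed.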