feat: add opt-in write access for all token-visible repos
@@ -9,7 +9,7 @@ AegisGitea-MCP exposes controlled read and optional write capabilities to AI age
|
||||
- Security-first defaults (localhost bind, write mode disabled, no stack traces in production errors).
|
||||
- YAML policy engine with global/per-repository tool allow/deny and optional path restrictions.
|
||||
- Expanded read tools for repositories, commits, diffs, issues, PRs, labels, tags, and releases.
|
||||
- Strict write mode (opt-in + repository whitelist + policy enforcement).
|
||||
- Strict write mode (opt-in + policy enforcement, with whitelist by default).
|
||||
- Tamper-evident audit logging with hash-chain integrity validation.
|
||||
- Secret detection/sanitization for outbound payloads.
|
||||
- Structured JSON logging + Prometheus metrics.
|
||||
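Review bot: The replacement feature bullet keeps the label "Strict write mode" but reduces the repository whitelist from a requirement to "with whitelist by default", without saying what replaces it or how wide the alternative is. Per the commit title, the alternative is write access to all token-visible repos, so the bullet should say so and name the switch, for example "Strict write mode (opt-in + policy enforcement; repository whitelist unless `WRITE_ALLOW_ALL_TOKEN_REPOS=true`)". As written, a reader skimming the feature list cannot tell that the whitelist can be turned off, or that doing so makes the token's own repository permissions the effective write boundary.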
@@ -57,7 +57,7 @@ Server defaults to `127.0.0.1:8080`.
|
||||
- Authorization: policy engine (`policy.yaml`) evaluated before tool execution.
|
||||
- Rate limiting: per-IP and per-token.
|
||||
- Output controls: bounded response size and optional secret masking/blocking.
|
||||
- Write controls: `WRITE_MODE=false` by default, repository whitelist required when enabled.
|
||||
- Write controls: `WRITE_MODE=false` by default; when enabled, use whitelist or opt into `WRITE_ALLOW_ALL_TOKEN_REPOS=true`.
|
||||
|
||||
## Documentation
|
||||
|
||||
|
||||
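Review bot: The new "Write controls" line says "use whitelist or opt into `WRITE_ALLOW_ALL_TOKEN_REPOS=true`" but leaves the edge cases undocumented: what happens when `WRITE_MODE=true` with neither a whitelist nor the flag (the old text said the whitelist was "required", so presumably writes are refused), and which setting wins when both are configured. Please state both behaviours here, and add a sentence that with the flag set the write scope is whatever the Gitea token can reach, so operators should pair it with a narrowly scoped token. It would also help to confirm in this list that the `policy.yaml` evaluation mentioned under "Authorization" still applies to writes in allow-all mode, so that per-repository deny rules remain a usable guard.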