feat: add opt-in write access for all token-visible repos

docs/deployment.md

@@ -36,7 +36,7 @@ Startup validates:
 - Required Gitea settings.
 - API keys (when auth enabled).
 - Insecure bind opt-in.
-- Write whitelist when write mode enabled.
+- Write whitelist when write mode enabled (unless `WRITE_ALLOW_ALL_TOKEN_REPOS=true`).
 
 ## Production Recommendations
 

docs/policy.md

@@ -10,7 +10,9 @@ Aegis uses a YAML policy engine to authorize tool execution before any Gitea API
 - Per-repository tool allow/deny supported.
 - Optional repository path allow/deny supported.
 - Write operations are denied by default.
-- Write operations also require `WRITE_MODE=true` and `WRITE_REPOSITORY_WHITELIST` match.
+- Write operations also require `WRITE_MODE=true` and either:
+  - `WRITE_REPOSITORY_WHITELIST` match, or
+  - `WRITE_ALLOW_ALL_TOKEN_REPOS=true`.
 
 ## Example Configuration
 

docs/write-mode.md

@@ -7,7 +7,8 @@ Write mode introduces mutation risk (issue/PR changes, metadata updates). Risks
 ## Default Posture
 
 - `WRITE_MODE=false` by default.
-- Even when enabled, writes require repository whitelist membership.
+- When enabled, writes require repository whitelist membership by default.
+- Optional opt-in: `WRITE_ALLOW_ALL_TOKEN_REPOS=true` allows writes to any repo the token can access.
 - Policy engine remains authoritative and may deny specific write tools.
 
 ## Supported Write Tools
@@ -24,7 +25,9 @@ Not supported (explicitly forbidden): merge actions, branch deletion, force push
 ## Enablement Steps
 
 1. Set `WRITE_MODE=true`.
-2. Set `WRITE_REPOSITORY_WHITELIST=owner/repo,...`.
+2. Choose one:
+   - `WRITE_REPOSITORY_WHITELIST=owner/repo,...` (recommended)
+   - `WRITE_ALLOW_ALL_TOKEN_REPOS=true` (broader scope)
 3. Review policy file for write-tool scope.
 4. Verify audit logging and alerting before rollout.