docs(raw-api): document gitea_request, env vars and policy examples
Adds docs/raw-api.md (two-layer policy, sensitive denylist, env vars, write-mode warning), links it from index and api-reference, documents RAW_API_ENABLED / RAW_API_ALLOW_SENSITIVE in .env.example, and adds commented virtual-tool-name deny examples to policy.yaml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -63,6 +63,17 @@ WRITE_MODE=false
WRITE_REPOSITORY_WHITELIST=
WRITE_ALLOW_ALL_TOKEN_REPOS=false
# Raw API dispatch (gitea_request escape hatch). See docs/raw-api.md.
# gitea_request can call any Gitea REST endpoint (method + path). It is still
# subject to policy.yaml, WRITE_MODE + the write whitelist, and a built-in
# admin/credential denylist. Set RAW_API_ENABLED=false to remove the tool's
# ability to dispatch entirely.
RAW_API_ENABLED=true
# Allow gitea_request to reach admin/credential surfaces (/admin, *tokens*,
# *secrets*, *hooks*, *keys*, applications/oauth2, runner registration tokens).
# Leave false unless you fully understand the exposure.
RAW_API_ALLOW_SENSITIVE=false
# Automation mode (disabled by default)
AUTOMATION_ENABLED=false
AUTOMATION_SCHEDULER_ENABLED=false
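Review bot: RAW_API_ENABLED=true ships the escape hatch switched on in .env.example, while the neighbouring settings in this file (WRITE_MODE=false, AUTOMATION_ENABLED=false) default to off. Since the comment itself says gitea_request can call any Gitea REST endpoint, consider making the example value false so operators opt in, or add a line explaining why on is the intended default given the policy.yaml, WRITE_MODE and whitelist gating the comment already mentions. The RAW_API_ALLOW_SENSITIVE comment also lists patterns such as *tokens* and *keys* without saying what they are matched against (whole path or a path segment, case sensitivity); one sentence on that, or an explicit pointer to the denylist section of docs/raw-api.md, would let a reader judge the exposure that "Leave false unless you fully understand the exposure" refers to.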