docs(raw-api): document gitea_request, env vars and policy examples
Adds docs/raw-api.md (two-layer policy, sensitive denylist, env vars, write-mode warning), links it from index and api-reference, documents RAW_API_ENABLED / RAW_API_ALLOW_SENSITIVE in .env.example, and adds commented virtual-tool-name deny examples to policy.yaml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@@ -4,5 +4,20 @@ defaults:
tools:
deny: []
# The generic `gitea_request` tool authorizes each call under a coarse virtual
# tool name of the form `gitea_request:<METHOD>:<top-path-segment>`, e.g.
# `gitea_request:GET:repos` or `gitea_request:DELETE:repos`. To keep raw
# dispatch read-only while still allowing GETs, deny the write methods here:
#
# deny:
# - gitea_request:POST:repos
# - gitea_request:PUT:repos
# - gitea_request:PATCH:repos
# - gitea_request:DELETE:repos
#
# NOTE: The admin/credential denylist (/admin, *tokens*, *secrets*, *hooks*,
# *keys*, applications/oauth2, runner registration tokens) is enforced in the
# handler independently of this file and is NOT configured here. It can only be
# overridden by setting RAW_API_ALLOW_SENSITIVE=true.
repositories: {}
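Review bot: The commented deny example lists only the `repos` segment, yet the sentence above it says denying the write methods "here" keeps raw dispatch read-only. Because the virtual name is `gitea_request:<METHOD>:<top-path-segment>`, a POST, PUT, PATCH or DELETE to any other top-level segment would not match these four entries, so an operator who uncomments the block as written gets read-only behaviour for `repos` alone. Say explicitly that the entries are per segment and must be repeated for every segment that should stay read-only, or document whether `deny` accepts a pattern form that covers all segments. The NOTE would also benefit from a pointer to docs/raw-api.md, which the commit message says describes the sensitive denylist, so that readers of policy.yaml can find where the handler-enforced paths are specified and what setting RAW_API_ALLOW_SENSITIVE=true actually exposes.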