Add PUBLIC_BASE_URL and refine OAuth scopes

src/aegis_gitea_mcp/config.py

@@ -46,6 +46,13 @@ class Settings(BaseSettings):
         default=False,
         description="Allow binding to 0.0.0.0 (disabled by default for local hardening)",
     )
+    public_base_url: HttpUrl | None = Field(
+        default=None,
+        description=(
+            "Public externally-reachable base URL for this MCP server. "
+            "When set, OAuth metadata endpoints use this URL for absolute links."
+        ),
+    )
 
     # Logging and observability
     log_level: str = Field(default="INFO", description="Application logging level")
@@ -204,6 +211,14 @@ class Settings(BaseSettings):
             raise ValueError(f"log_level must be one of {_ALLOWED_LOG_LEVELS}")
         return normalized
 
+    @field_validator("public_base_url", mode="before")
+    @classmethod
+    def normalize_public_base_url(cls, value: object) -> object:
+        """Treat empty PUBLIC_BASE_URL as unset."""
+        if isinstance(value, str) and not value.strip():
+            return None
+        return value
+
     @field_validator("gitea_token")
     @classmethod
     def validate_token_not_empty(cls, value: str) -> str:
@@ -298,6 +313,13 @@ class Settings(BaseSettings):
         """Get Gitea base URL as normalized string."""
         return str(self.gitea_url).rstrip("/")
 
+    @property
+    def public_base(self) -> str | None:
+        """Get normalized public base URL when explicitly configured."""
+        if self.public_base_url is None:
+            return None
+        return str(self.public_base_url).rstrip("/")
+
 
 _settings: Settings | None = None