feat: scope list_repositories to the authenticated user in service-PAT mode

Previously list_repositories was blocked in service-PAT mode because it has no
repository target for the per-user permission check, so users could not list
their repositories at all (the connector surfaced a generic error).

list_repositories now returns only the repositories the signed-in user owns or
contributes to, instead of everything the bot token can see:
- gitea_client.py: add list_user_repositories(login) — resolves the user id and
  queries /api/v1/repos/search with the uid filter.
- repository.py: list_repositories_tool uses the user-scoped path when a service
  PAT is configured and a user login is present; pure-OAuth mode still uses the
  user's own /user/repos.
- server.py: allow list_repositories through the service-PAT guard (it is scoped
  to the user in the handler); all other tools still require a repository target.
- README.md: document the new user-scoped behavior and its visibility caveat.

Tests: user-scoped client method (uid resolution + unknown user), PAT-mode tool
scoping, and conftest now clears the request context between tests to prevent
contextvar login leakage across files.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

src/aegis_gitea_mcp/gitea_client.py

@@ -173,6 +173,57 @@ class GiteaClient:
             )
             raise
 
+    async def list_user_repositories(self, login: str) -> list[dict[str, Any]]:
+        """List repositories the given user owns or contributes to.
+
+        Used in service-PAT mode so ``list_repositories`` returns repositories
+        scoped to the authenticated user instead of everything the service token
+        can see. Resolves the user id, then queries Gitea's repo search with the
+        ``uid`` filter. Visibility of private repos still depends on what the
+        service token itself can see.
+        """
+        correlation_id = self.audit.log_tool_invocation(
+            tool_name="list_user_repositories",
+            result_status="pending",
+        )
+        try:
+            user = await self._request(
+                "GET",
+                f"/api/v1/users/{quote(login, safe='')}",
+                correlation_id=correlation_id,
+            )
+            uid = user.get("id") if isinstance(user, dict) else None
+            if not isinstance(uid, int):
+                return []
+
+            result = await self._request(
+                "GET",
+                "/api/v1/repos/search",
+                params={"uid": uid, "limit": 50, "page": 1},
+                correlation_id=correlation_id,
+            )
+            repositories: list[dict[str, Any]] = []
+            if isinstance(result, dict):
+                data = result.get("data", [])
+                if isinstance(data, list):
+                    repositories = [item for item in data if isinstance(item, dict)]
+
+            self.audit.log_tool_invocation(
+                tool_name="list_user_repositories",
+                correlation_id=correlation_id,
+                result_status="success",
+                params={"login": login, "count": len(repositories)},
+            )
+            return repositories
+        except Exception as exc:
+            self.audit.log_tool_invocation(
+                tool_name="list_user_repositories",
+                correlation_id=correlation_id,
+                result_status="error",
+                error=str(exc),
+            )
+            raise
+
     async def get_repository(self, owner: str, repo: str) -> dict[str, Any]:
         """Get repository metadata."""
         repo_id = f"{owner}/{repo}"

src/aegis_gitea_mcp/server.py

@@ -1165,26 +1165,32 @@ async def _execute_tool_call(
 
         if settings.gitea_token.strip():
             if not repository:
-                audit.log_access_denied(
-                    tool_name=tool_name,
-                    reason="service_pat_requires_repository_target",
+                # list_repositories is not repo-scoped; the handler scopes it to
+                # the authenticated user's own repositories instead. Every other
+                # tool requires a repository target so per-user permission can be
+                # verified before the privileged service PAT is used.
+                if tool_name != "list_repositories":
+                    audit.log_access_denied(
+                        tool_name=tool_name,
+                        reason="service_pat_requires_repository_target",
+                        correlation_id=correlation_id,
+                    )
+                    raise HTTPException(
+                        status_code=403,
+                        detail=(
+                            "Service PAT mode requires a repository target so per-user "
+                            "permission can be verified."
+                        ),
+                    )
+            else:
+                user_login = get_gitea_user_login()
+                await _verify_user_repository_access(
+                    repository=repository,
+                    required_scope=required_scope,
+                    user_login=user_login or "",
                     correlation_id=correlation_id,
+                    tool_name=tool_name,
                 )
-                raise HTTPException(
-                    status_code=403,
-                    detail=(
-                        "Service PAT mode requires a repository target so per-user "
-                        "permission can be verified."
-                    ),
-                )
-            user_login = get_gitea_user_login()
-            await _verify_user_repository_access(
-                repository=repository,
-                required_scope=required_scope,
-                user_login=user_login or "",
-                correlation_id=correlation_id,
-                tool_name=tool_name,
-            )
 
         # In OAuth mode, Gitea OIDC access_tokens can't call the Gitea REST API
         # (they only carry OIDC scopes).  If a service PAT is configured via

src/aegis_gitea_mcp/tools/repository.py

@@ -6,12 +6,14 @@ import base64
 import binascii
 from typing import Any
 
+from aegis_gitea_mcp.config import get_settings
 from aegis_gitea_mcp.gitea_client import (
     GiteaAuthenticationError,
     GiteaAuthorizationError,
     GiteaClient,
     GiteaError,
 )
+from aegis_gitea_mcp.request_context import get_gitea_user_login
 from aegis_gitea_mcp.response_limits import limit_items, limit_text
 from aegis_gitea_mcp.security import sanitize_untrusted_text
 from aegis_gitea_mcp.tools.arguments import (
@@ -33,8 +35,16 @@ async def list_repositories_tool(gitea: GiteaClient, arguments: dict[str, Any])
         Response payload with bounded repository list.
     """
     ListRepositoriesArgs.model_validate(arguments)
+    settings = get_settings()
+    login = get_gitea_user_login()
     try:
-        repositories = await gitea.list_repositories()
+        # In service-PAT mode the API token is the bot's, so scope the listing to
+        # the authenticated user's own repositories. In pure-OAuth mode the API
+        # token already belongs to the user, so Gitea scopes /user/repos for us.
+        if settings.gitea_token.strip() and login and login != "unknown":
+            repositories = await gitea.list_user_repositories(login)
+        else:
+            repositories = await gitea.list_repositories()
         simplified = [
             {
                 "owner": repo.get("owner", {}).get("login", ""),