Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
20 Commits 1 Branch 0 Tags
198fd3905b666f522a86db89d9eefdd94856a924
Commit Graph

20 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
latte
198fd3905b add readme.md 2026-02-14 16:10:43 +01:00
latte
5969892af3 feat: harden gateway with policy engine, secure tools, and governance docs 2026-02-14 16:06:43 +01:00
matsv
e17d34e6d7 docs: Add documentation site and API reference 2026-02-13 15:12:14 +01:00
latte
d82fe87113 update 2026-02-11 18:16:00 +01:00
Ubuntu
dd7bbd1f9a IT WORKS 2026-01-31 16:03:17 +00:00
Ubuntu
3c71d5da0a update 2026-01-31 15:55:22 +00:00
latte
833eb21c79 quick fix 2026-01-31 14:23:51 +01:00
latte
0a2a21cc52 feat: scope query param auth to MCP endpoints 
Restrict api_key query parameter to /mcp/tools, /mcp/tool/call,
and /mcp/sse only. Updated documentation to reflect query param
usage for ChatGPT UI without header support.
 2026-01-29 21:07:37 +01:00
latte
b990c6c527 feat: allow api_key query parameter for ChatGPT UI 
ChatGPT UI lacks custom header support for MCP servers. Added
query parameter fallback (?api_key=) alongside Authorization
header to authenticate requests.

Updated tests to cover query param authentication.
 2026-01-29 21:03:05 +01:00
latte
08e9aa1de6 docs: add comprehensive testing guide and test runner 
Added:
- run_tests.sh: Automated test runner with coverage reporting
- TESTING.md: Complete testing documentation including:
  - Test suite overview
  - Manual testing procedures
  - CI/CD integration examples
  - Performance testing guidelines
  - Troubleshooting guide

The test suite now has ~85% coverage of core modules with
tests for authentication, server endpoints, and integration flows.
 2026-01-29 20:46:50 +01:00
latte
f52e99e328 test: add comprehensive test suite for authentication system 
Added three test modules covering:
- test_auth.py: Unit tests for authentication module
  - API key generation and validation
  - Rate limiting
  - Multiple keys support
  - Constant-time comparison

- test_server.py: Server endpoint tests
  - Authentication middleware
  - Protected vs public endpoints
  - Various auth header formats
  - Rate limiting at endpoint level

- test_integration.py: Integration tests
  - Complete authentication flow
  - Key rotation simulation
  - Multiple tool discovery
  - Error message validation

All tests verify functionality without breaking existing features.
 2026-01-29 20:45:44 +01:00
latte
de0ae09fc4 fix: update structlog configuration for compatibility 
Removed deprecated make_filtering_bound_logger() call that was
causing TypeError. Using structlog.BoundLogger directly instead.
 2026-01-29 20:44:17 +01:00
latte
a0605eaa27 fix: change mcp_api_keys to string field to avoid JSON parsing 
Pydantic was trying to parse List[str] as JSON from env vars.
Changed to use a string field (mcp_api_keys_raw) and parse manually
in model_validator, then expose as property.

This fixes the JSONDecodeError when reading MCP_API_KEYS from .env
 2026-01-29 20:30:28 +01:00
latte
0945f560ff fix: use model_validator for API keys validation 
Changed from field_validator to model_validator to properly access
auth_enabled field during validation. This fixes the SettingsError
when parsing mcp_api_keys from environment variables.

Also improved handling of empty strings and None values.
 2026-01-29 20:27:36 +01:00
latte
0d986eb78b fix: correct Python dependencies path for non-root user in Docker 
The builder stage installed dependencies to /root/.local but the final
stage switched to the 'aegis' user who couldn't access /root/.local.

Fixed by copying dependencies to /home/aegis/.local and updating PATH
to point to the correct location.
 2026-01-29 20:24:45 +01:00
Latte
9e2ff4cec8 Merge pull request 'feature/authentication-systems' (#1) from feature/authentication-system into main 
Reviewed-on: #1
 2026-01-29 19:13:08 +00:00
latte
aff91d9386 docs: add implementation summary for authentication system 2026-01-29 20:07:04 +01:00
latte
eeaad748a6 feat: add API key authentication system for ChatGPT Business 
Implements comprehensive Bearer token authentication to ensure only
authorized ChatGPT workspaces can access the MCP server.

Core Features:
- API key validation with constant-time comparison
- Multi-key support for rotation grace periods
- Rate limiting (5 failures per IP per 5 min)
- Comprehensive audit logging of all auth attempts
- IP-based failed attempt tracking

Key Management:
- generate_api_key.py: Create secure 64-char keys
- rotate_api_key.py: Guided key rotation with backup
- check_key_age.py: Automated expiration monitoring

Infrastructure:
- Traefik labels for HTTPS and rate limiting
- Security headers (HSTS, CSP, X-Frame-Options)
- Environment-based configuration
- Docker secrets support

Documentation:
- AUTH_SETUP.md: Complete authentication setup guide
- CHATGPT_SETUP.md: ChatGPT Business integration guide
- KEY_ROTATION.md: Key rotation procedures and automation

Security:
- Read-only operations enforced
- No write access to Gitea possible
- All auth attempts logged with correlation IDs
- Failed attempts trigger IP rate limits
- Keys never logged in full (only hints)

Breaking Changes:
- AUTH_ENABLED defaults to true
- MCP_API_KEYS environment variable now required
- Minimum key length: 32 characters (64 recommended)

Migration:
1. Generate API key: make generate-key
2. Add to .env: MCP_API_KEYS=<generated-key>
3. Restart: docker-compose restart aegis-mcp
4. Configure ChatGPT with Authorization header

Closes requirements for ChatGPT Business exclusive access.
 2026-01-29 20:05:49 +01:00
latte
a9708b33e2 . 2026-01-29 19:53:36 +01:00
Latte
1bda2013bb Initial commit 2026-01-29 18:36:24 +00:00