Hiddenden/AegisGitea-MCP

feat: harden OAuth state secret validation, DCR file permissions, and policy defaults #17

Merged

Latte merged 2 commits from feat/retarget-claude-mcp into main

2026-06-14 12:17:38 +00:00

Author	SHA1	Message	Date
Latte	6be5ac3608	Merge branch 'main' into feat/retarget-claude-mcp lint / lint (push) Successful in 39s Details test / test (push) Successful in 37s Details docker / lint (pull_request) Successful in 37s Details docker / test (pull_request) Successful in 27s Details docker / docker-test (pull_request) Successful in 11s Details lint / lint (pull_request) Successful in 34s Details test / test (pull_request) Successful in 32s Details docker / docker-publish (pull_request) Has been skipped Details	2026-06-14 12:14:20 +00:00
Latte	b8217dce8a	feat: harden OAuth state secret validation, DCR file permissions, and policy defaults docker / test (pull_request) Successful in 24s Details lint / lint (pull_request) Successful in 37s Details lint / lint (push) Successful in 1m26s Details test / test (push) Successful in 1m40s Details test / test (pull_request) Successful in 34s Details docker / lint (pull_request) Successful in 1m59s Details docker / docker-test (pull_request) Successful in 14s Details docker / docker-publish (pull_request) Has been skipped Details - Enforce 32-char minimum on OAUTH_STATE_SECRET at startup (config.py) - Write DCR client registry with owner-only (0o600) permissions before atomic replace - Flip policy.yaml default write action from allow → deny - Add CLAUDE.md with architecture, commands, and AGENTS.md contract summary - Add .pre-commit-config.yaml mirroring `make lint` checks - Update .gitignore: add .venv, .claude, .mypy_cache, .ruff_cache, .coverage.* - Extend docs: audit log rotation guidance, OAUTH_STATE_SECRET and DCR_STORAGE_PATH notes - Tests: short-secret rejection, 32-char acceptance, POSIX permission check for DCR store Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-06-14 14:13:22 +02:00