release: v0.2.0 — local stdio package + safe full-API coverage #61

Closed

Latte wants to merge 0 commits from old-dev into main

pull from: old-dev

merge into: Hiddenden:main

Hiddenden:main

Hiddenden:dev

Conversation 0 Commits - Files Changed -

+3024 -151

Latte commented 2026-06-27 13:01:01 +00:00

Owner

Copy Link

Copy Source

Release: promote dev → main (v0.2.0)

Promotes the accumulated dev work to main so a v0.2.0 tag can be cut (the publish workflow builds + publishes the Python package on a v* tag).

Highlights

• Dual transport on a shared core: local stdio adapter (uvx aegis-gitea-mcp) alongside the public HTTP/OAuth server; core imports no FastAPI (boundary-tested).
• Packaging: core install + [server] extra, console scripts aegis-gitea-mcp / aegis-gitea-mcp-server, version 0.2.0.
• Safe full-API coverage: classified gitea_request (write classifier + known-path gate + admin/credential denylist).
• Resource-type-aware authorization (repo/org/user/admin/misc), fail-closed; admin default-deny.
• CI: publish.yml builds with uv and publishes to the Gitea PyPI registry on a v* tag, reusing the existing REGISTRY_TOKEN secret.
• Also promotes the earlier raw-API dispatch work (#58) that was not yet on main.

After merge

Tag the release on main to trigger the package build:

git checkout main && git pull
git tag v0.2.0 && git push origin v0.2.0

🤖 Generated with Claude Code

## Release: promote dev → main (v0.2.0) Promotes the accumulated `dev` work to `main` so a `v0.2.0` tag can be cut (the publish workflow builds + publishes the Python package on a `v*` tag). ### Highlights - **Dual transport on a shared core**: local stdio adapter (`uvx aegis-gitea-mcp`) alongside the public HTTP/OAuth server; core imports no FastAPI (boundary-tested). - **Packaging**: core install + `[server]` extra, console scripts `aegis-gitea-mcp` / `aegis-gitea-mcp-server`, version 0.2.0. - **Safe full-API coverage**: classified `gitea_request` (write classifier + known-path gate + admin/credential denylist). - **Resource-type-aware authorization** (repo/org/user/admin/misc), fail-closed; admin default-deny. - **CI**: `publish.yml` builds with `uv` and publishes to the Gitea PyPI registry on a `v*` tag, reusing the existing `REGISTRY_TOKEN` secret. - Also promotes the earlier raw-API dispatch work (#58) that was not yet on `main`. ### After merge Tag the release on `main` to trigger the package build: ``` git checkout main && git pull git tag v0.2.0 && git push origin v0.2.0 ``` 🤖 Generated with [Claude Code](https://claude.com/claude-code)

Latte added 17 commits 2026-06-27 13:01:01 +00:00

feat(raw-api): add gitea_request schema, path parsing, client dispatch and handler ... 2844c42ec8

Adds the RawApiRequestArgs schema (extra=forbid), raw path normalization/
parsing helpers, a GiteaClient.raw_request that audits method+path only (never
the body), and the raw_api_request_tool handler. The handler derives a coarse
virtual tool name (gitea_request:METHOD:topsegment) plus repository/target_path
from the path and runs them back through the policy engine, enforces an
admin/credential sensitive-path denylist, and bounds responses. Two config
flags gate it: RAW_API_ENABLED (killswitch) and RAW_API_ALLOW_SENSITIVE.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(raw-api): register gitea_request tool and wire server dispatch ... 8e41fd12af

Registers gitea_request in AVAILABLE_TOOLS with write_operation=False
(deliberate: a static flag cannot describe a read-or-write tool; the handler
authorizes writes per-method) and maps the tool name to raw_api_request_tool in
the server handler registry.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs(raw-api): document gitea_request, env vars and policy examples ... 8c84d76bd5

Adds docs/raw-api.md (two-layer policy, sensitive denylist, env vars, write-mode
warning), links it from index and api-reference, documents RAW_API_ENABLED /
RAW_API_ALLOW_SENSITIVE in .env.example, and adds commented virtual-tool-name
deny examples to policy.yaml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

test(raw-api): cover gitea_request handler and path parsing ... 7f7aaab5a6

Covers read allow + repository parsing, write denied without write-mode, write
allowed only for whitelisted repos, non-repo write denial, sensitive-path
denial (incl. GET) and override, cross-repo search handling, unknown-method and
traversal rejection before any network call, killswitch, response truncation,
and the raw path-parsing helpers and raw-aware extractors.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Merge pull request 'Feat/raw api dispatch' (#58) from feat/raw-api-dispatch into dev ... aefb243a05

Reviewed-on: #58

chore: add PLAN.md and branch for local package + full coverage ... dd253f87e5

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

refactor: extract transport-agnostic core and shared tool registry ... 7da0c46de8

Introduce aegis_gitea_mcp.registry as the single name->handler source of
truth consumed by every transport adapter, moving TOOL_HANDLERS out of the
FastAPI server module. Add aegis_gitea_mcp.errors.ToolError so core handlers
no longer import fastapi.HTTPException; raw_tools now raises ToolError and the
HTTP adapter maps it back to HTTPException, preserving status codes and audit
behavior. Add a subprocess boundary test asserting the core imports without
pulling in fastapi/uvicorn/starlette.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat: add local stdio adapter and uv-installable package with extras ... 8902c4f642

Add aegis_gitea_mcp.stdio_app: a single-user, local MCP server over stdio
(official mcp SDK) that serves the same tools from the shared registry,
resolves the PAT owner via GET /user and pins request context to it, and runs
policy + WRITE_MODE + secret sanitization + audit while skipping the per-user
repo probe (the operator is the trusted token owner). Audit log falls back to a
per-user state path when the container default is unwritable.

Packaging: split deps into core (httpx/pydantic/mcp/...) and a [server] extra
(fastapi/uvicorn/PyJWT/python-multipart); add console scripts aegis-gitea-mcp
(stdio) and aegis-gitea-mcp-server (guarded HTTP entry); bump to 0.2.0 and fix
repo URLs. mcp added to requirements for CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat: safe full-API coverage via classified gitea_request dispatch ... 2d7f12d0d0

Add a deterministic (method, path) read/write classifier with an explicit
render-only override table that can only downgrade provably side-effect-free
POSTs (markdown/markup) to reads, never the reverse — so a mutating call cannot
slip past the write-mode gate. Add a known-Gitea-prefix gate: gitea_request now
fails closed on any path whose top segment is not a recognized /api/v1 route
instead of passing unknown paths through. Expose raw_relative_segments for the
authorization layer.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(security): resource-type-aware authorization with fail-closed defaults ... 3392d8f69b

Add aegis_gitea_mcp.authz: classify every dispatched call (typed tools and
gitea_request) by resource type (repository/org/user_self/user_owned/
misc_global/admin/unknown) and enforce a type-specific rule in service-PAT
mode, on top of policy + WRITE_MODE. Every decision fails closed:

- org: signed-in user must be a verified org member (Gitea-checked).
- user_owned: owner must be the caller or a member org of the caller.
- user_self: token-owner-scoped endpoints denied (token is the bot's).
- admin: default-deny; allowed only with RAW_API_ALLOW_SENSITIVE opt-in AND a
  verified site admin.
- misc_global: reads allowed, writes denied.
- unknown / unverifiable: denied and audited.

Wire it into the server's service-PAT dispatch: repository calls keep the
existing per-user collaborator check; non-repo calls (previously blanket-denied)
now go through the resource-type gate, opening the org/user/admin surface
safely. Verification results are cached briefly (fail-closed: positives only).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

test: stdio adapter dispatch, owner resolution and local env bootstrap ... 1636ae1501

Cover the stdio adapter: local-mode env bootstrap (OAuth off, API-key gate off,
per-user audit path), missing-env failure, PAT owner resolution, and dispatch
(unknown tool, write-mode policy denial, and the happy path pinning request
context to the PAT owner via the shared registry). Tidy the boundary-test
assertion so ruff and black agree.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

style: apply ruff/black formatting to stdio_app ... 2859a7f917

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

docs: local vs server quickstart, authz model, packaging ... 385b442b6f

Reframe the README around two transports and add a local stdio quickstart with
uvx/pip and Claude Desktop / Claude Code wiring. New docs: local-quickstart.md
and packaging.md (uv build/publish). Document resource-type-aware authorization
and classified gitea_request in security.md; stdio env vars + audit-log
fallback in configuration.md; local install in deployment.md; core+adapters in
architecture.md. Add the missing root AGENTS.md contract, update CLAUDE.md with
the core/adapter layout, fail-closed invariants, and the branching flow
(HEAD -> feature -> dev -> main). Update roadmap/todo and .env.example.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

ci: build and publish package to Gitea registry on tag ... 499bf98d92

Add .gitea/workflows/publish.yml: on a v* tag, gate on the existing lint + test
jobs, then build sdist+wheel with uv and publish to the self-hosted Gitea PyPI
registry using least-privilege Actions secrets (GITEA_PACKAGE_USER /
GITEA_PACKAGE_TOKEN). The job fails loudly when the secrets are absent rather
than publishing anonymously, uploads the built artifacts, and leaves a disabled
public-PyPI stub. Public PyPI is intentionally not published in this pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Merge pull request 'feat: local stdio package + safe full-API coverage' (#59) from feat/local-package-and-full-coverage into dev ... cf19a320b0

Reviewed-on: #59

ci: reuse existing REGISTRY_TOKEN secret for package publish ... 1ca5bcbc6b

The repo already has a write:package REGISTRY_TOKEN secret (used by docker.yml).
Reuse it for uv publish instead of requiring new GITEA_PACKAGE_* secrets:
authenticate as GITHUB_ACTOR with the token as password. Update packaging docs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Merge pull request 'ci: reuse existing REGISTRY_TOKEN secret for package publish' (#60) from feat/publish-reuse-registry-token into dev ... da66200be7

Reviewed-on: #60

Latte closed this pull request 2026-06-27 13:01:41 +00:00

Latte referenced this pull request 2026-06-27 13:07:55 +00:00

release: v0.2.0 — local stdio package, safe full-API coverage & resource-type authz #63

Some checks are pending

Hide all checks

docker / test (push) Successful in 33s

Details

docker / lint (push) Successful in 38s

Details

lint / lint (push) Successful in 40s

Details

test / test (push) Successful in 39s

Details

docker / docker (push) Successful in 43s

Details

docker / test (pull_request) Successful in 33s

Details

docker / lint (pull_request) Successful in 39s

Details

lint / lint (pull_request) Successful in 39s

Details

test / test (pull_request) Successful in 39s

Details

docker / docker (pull_request) Successful in 58s

Details

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

Compat/Breaking

Breaking change, not backwards compatible

Kind/Bug

Something is not working

Kind/Chore

Maintenance, deps, CI/CD

Kind/Documentation

Documentation changes

Kind/Enhancement

Improve existing functionality

Kind/Feature

New functionality

Kind/Refactor

Code restructuring, no behavior change

Kind/Security

Security-related issue

Priority/Critical

Must be addressed immediately

Priority/High

Important, address soon

Priority/Low

Nice to have

Priority/Medium

Normal priority

Reviewed/Confirmed

Issue has been confirmed

Reviewed/Duplicate

Already tracked elsewhere

Reviewed/Won't Fix

Acknowledged but won't be addressed

Status/Blocked

Blocked by an external dependency

Status/In Progress

Currently being worked on

Status/Need More Info

Needs more information to proceed

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Bartender (Bartender) Latte (Latte)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Hiddenden/AegisGitea-MCP#61