Latte 385b442b6f docs: local vs server quickstart, authz model, packaging
Reframe the README around two transports and add a local stdio quickstart with
uvx/pip and Claude Desktop / Claude Code wiring. New docs: local-quickstart.md
and packaging.md (uv build/publish). Document resource-type-aware authorization
and classified gitea_request in security.md; stdio env vars + audit-log
fallback in configuration.md; local install in deployment.md; core+adapters in
architecture.md. Add the missing root AGENTS.md contract, update CLAUDE.md with
the core/adapter layout, fail-closed invariants, and the branching flow
(HEAD -> feature -> dev -> main). Update roadmap/todo and .env.example.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-27 11:17:01 +02:00

# PLAN — local stdio package + safe full-API coverage
- Branch: `feat/local-package-and-full-coverage` (from `dev`). All PRs target `dev`.
- Flow: HEAD -> custom branch -> dev -> main. Never push directly to dev/main.
- Baseline (recorded Phase 0): 284 passed, 1 skipped, coverage 84.04%, threshold 80%.

## Phase checklist
- [x] Phase 0 — Branch from dev, baseline recorded, PLAN.md committed.
- [x] Phase 1 — Extract transport-agnostic core + shared tool registry (+ boundary test).
- [x] Phase 2 — stdio adapter (`stdio_app.py`) + packaging (core + `[server]` extra, 0.2.0).
- [x] Phase 3 — Resource-type-aware authorization (fail-closed).
- [x] Phase 4 — gitea_request classifier + known-path gate (unknown path => deny).
- [x] Phase 5 — Tests: authz matrix, write-mode bypass, classifier, stdio adapter, boundary.
- [x] Phase 6 — Docs & README (local vs server quickstart, authz model, packaging, CLAUDE/AGENTS).
- [ ] Phase 7 — `.gitea/workflows/publish.yml` (uv build + publish to Gitea registry on tag).
- [ ] Phase 8 — Verify green + coverage >= baseline, `uv build`, push, open PR into dev.

Note: version bumped to 0.2.0 (the app already reported 0.2.0; pyproject was 0.1.0).

TODO(authz): make `list_organizations` user-scoped (`/users/{login}/orgs`) so it can
be allowed rather than denied in service-PAT mode.
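As an added illustration of the fail-closed shape that Phases 3 and 4 describe (a `gitea_request` classifier plus a known-path gate where an unknown path, a write without write mode, or a classified type with no rule all end in deny), here is a small standalone sketch in Python. It is not the project's own classifier: the path table, the `Classified`/`classify`/`authorize` names and the `allowed_repos`/`write_mode` parameters are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed known-path table: a few Gitea API path shapes mapped to a resource type.
# Assumed for illustration only; the project's own table and type names may differ.
KNOWN_PATHS = [
    (re.compile(r"^/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)(?:/|$)"), "repository"),
    (re.compile(r"^/user(?:/|$)"), "self"),
    (re.compile(r"^/users/(?P<login>[^/]+)/orgs$"), "user_orgs"),
    (re.compile(r"^/orgs/(?P<org>[^/]+)(?:/|$)"), "organization"),
]
READ_METHODS = {"GET", "HEAD"}


@dataclass(frozen=True)
class Classified:
    resource_type: str
    write: bool
    params: dict = field(default_factory=dict)


def classify(method: str, path: str):
    """Map (method, path) to a Classified, or None when the path is not in the table."""
    segs = path.split("?", 1)[0].strip("/").split("/")
    # Dotted or empty segments could be re-resolved by the upstream server: refuse, don't guess.
    if any(s in ("", ".", "..") for s in segs):
        return None
    clean = "/" + "/".join(segs)
    for pattern, rtype in KNOWN_PATHS:
        m = pattern.match(clean)
        if m:
            return Classified(rtype, method.upper() not in READ_METHODS, m.groupdict())
    return None


def authorize(method: str, path: str, allowed_repos: set, write_mode: bool):
    """Fail-closed gate: every branch that is not an explicit allow is a deny."""
    c = classify(method, path)
    if c is None:
        return False, "unknown path"
    if c.write and not write_mode:
        return False, "write denied: read-only mode"
    if c.resource_type == "repository":
        full = f"{c.params['owner']}/{c.params['repo']}"
        return (True, "ok") if full in allowed_repos else (False, f"repo {full} not allowed")
    if c.resource_type in ("self", "user_orgs"):
        return True, "ok"
    # Classified but no rule yet (e.g. organization): still deny, never default-allow.
    return False, f"no rule for {c.resource_type}"
```

The deny branches are the point: a new Gitea endpoint, a dotted path segment, or a resource type the table knows but has no rule for all land on `False` until someone adds an explicit allow.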
## Key deltas found during orientation
- No single tool registry today: definitions in `mcp_protocol.AVAILABLE_TOOLS`,
handlers in `server.TOOL_HANDLERS`. Phase 1 unifies them.
- `tools/raw_tools.py` imports `fastapi.HTTPException` — the only core->web import to break.
- Current authz is repo-only and lives in `server._verify_user_repository_access`.
- stdio mode must run with `AUTH_ENABLED=false` (config otherwise requires MCP_API_KEYS).
- `AGENTS.md` absent at root though CLAUDE.md cites it; create it from the contract.