AegisGitea-MCP/docs/todo.md

TODO

Phase 0 Governance

  • Add CODE_OF_CONDUCT.md.
  • Add governance policy documentation.
  • Promote AGENTS.md to the authoritative AI contract.

Phase 1 Architecture

  • Publish roadmap and threat/security model updates.
  • Publish phased TODO tracker.

Phase 2 Expanded Read Tools

  • Implement search_code.
  • Implement list_commits.
  • Implement get_commit_diff.
  • Implement compare_refs.
  • Implement list_issues.
  • Implement get_issue.
  • Implement list_pull_requests.
  • Implement get_pull_request.
  • Implement list_labels.
  • Implement list_tags.
  • Implement list_releases.
  • Add input validation and response bounds.
  • Add unit/failure-mode tests.

Phase 3 Policy Engine

  • Implement YAML policy loader and validator.
  • Implement per-tool and per-repo allow/deny.
  • Implement optional path restrictions.
  • Enforce default write deny.
  • Add policy unit tests.

Phase 4 Write Mode

  • Implement write tools (create_issue, update_issue, comments, labels, assignment).
  • Keep write mode disabled by default.
  • Enforce repository whitelist.
  • Ensure no merge/deletion/force-push capabilities.
  • Add write denial tests.

Phase 5 Hardening

  • Add secret detection + mask/block controls.
  • Add a prompt-injection defense model (retrieved content is handled as data only, never as instructions).
  • Add tamper-evident audit chaining and validation.
  • Add per-IP and per-token rate limiting.

Phase 6 Automation

  • Implement webhook ingestion pipeline.
  • Implement an on-demand endpoint for running scheduled jobs.
  • Implement a job scaffold that automatically creates issues from findings.
  • Implement a scaffold for orchestrating dependency-hygiene scans.
  • Implement stale issue detection automation.
  • Add automation endpoint tests.

Phase 7 Deployment

  • Harden Docker runtime defaults.
  • Separate dev/prod compose profiles.
  • Preserve non-root runtime and health checks.

Phase 8 Observability

  • Add Prometheus metrics endpoint.
  • Add structured JSON logging.
  • Add request ID correlation.
  • Add tool timing metrics.

Phase 9 Testing and Release Readiness

  • Extend unit tests.
  • Add policy tests.
  • Add secret detection tests.
  • Add write-mode denial tests.
  • Add audit integrity tests.
  • Add integration-tagged tests against live Gitea (optional CI stage).
  • Final security review sign-off.
  • Release checklist execution.

Release Checklist

  • make lint
  • make test
  • Documentation review complete
  • Policy file reviewed for production scope
  • Write mode remains disabled unless explicitly approved