Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
68 Commits 2 Branches 0 Tags
2844c42ec82843d89d5079e44a47302361b9404b
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Latte 2844c42ec8 feat(raw-api): add gitea_request schema, path parsing, client dispatch and handler 
Adds the RawApiRequestArgs schema (extra=forbid), raw path normalization/
parsing helpers, a GiteaClient.raw_request that audits method+path only (never
the body), and the raw_api_request_tool handler. The handler derives a coarse
virtual tool name (gitea_request:METHOD:topsegment) plus repository/target_path
from the path and runs them back through the policy engine, enforces an
admin/credential sensitive-path denylist, and bounds responses. Two config
flags gate it: RAW_API_ENABLED (killswitch) and RAW_API_ALLOW_SENSITIVE.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-26 12:26:26 +02:00
.claude
Add PUBLIC_BASE_URL and refine OAuth scopes
2026-02-25 20:49:08 +01:00
.gitea/workflows
fix: harden get_issue parsing and surface real errors (#27); align CI image publish
2026-06-25 16:51:58 +02:00
docker
fix: keep OAuth flow working on read-only container roots
2026-06-14 16:28:52 +02:00
docs
feat: assign issues to milestones on create/update (#22)
2026-06-22 17:36:01 +02:00
scripts
docs: retarget setup to Claude connectors
2026-06-13 21:05:21 +02:00
src/aegis_gitea_mcp
feat(raw-api): add gitea_request schema, path parsing, client dispatch and handler
2026-06-26 12:26:26 +02:00
tests
fix: harden get_issue parsing and surface real errors (#27); align CI image publish
2026-06-25 16:51:58 +02:00
.env.example
fix: surface Gitea auth errors and document the service PAT
2026-06-14 16:47:10 +02:00
.gitignore
feat: harden OAuth state secret validation, DCR file permissions, and policy defaults
2026-06-14 14:13:22 +02:00
.pre-commit-config.yaml
feat: harden OAuth state secret validation, DCR file permissions, and policy defaults
2026-06-14 14:13:22 +02:00
CLAUDE.md
feat: harden OAuth state secret validation, DCR file permissions, and policy defaults
2026-06-14 14:13:22 +02:00
CODE_OF_CONDUCT.md
feat: harden gateway with policy engine, secure tools, and governance docs
2026-02-14 16:06:43 +01:00
docker-compose.yml
fix: keep OAuth flow working on read-only container roots
2026-06-14 16:28:52 +02:00
LICENSE
.
2026-01-29 19:53:36 +01:00
Makefile
Add OAuth2/OIDC per-user Gitea authentication
2026-02-25 16:54:01 +01:00
policy.yaml
feat: harden OAuth state secret validation, DCR file permissions, and policy defaults
2026-06-14 14:13:22 +02:00
pyproject.toml
Add OAuth2/OIDC per-user Gitea authentication
2026-02-25 16:54:01 +01:00
README.md
feat: scope list_repositories to the authenticated user in service-PAT mode
2026-06-14 17:07:19 +02:00
requirements-dev.txt
.
2026-01-29 19:53:36 +01:00
requirements.txt
Add OAuth2/OIDC per-user Gitea authentication
2026-02-25 16:54:01 +01:00
run_tests.sh
docs: add comprehensive testing guide and test runner
2026-01-29 20:46:50 +01:00

README.md

AegisGitea-MCP

Security-first MCP server for self-hosted Gitea with per-user OAuth2/OIDC authentication for Claude, Claude Code, and Cowork.

AegisGitea-MCP exposes MCP tools over Streamable HTTP and a legacy SSE alias. Each user authenticates with Gitea through OAuth2/OIDC; repository authorization is checked per user before any service PAT call is allowed.

Securing MCP with Gitea OAuth

This guide uses the live deployment values as the running example:

Thing Value
Gitea instance (GITEA_URL) https://git.hiddenden.cafe
This MCP server (PUBLIC_BASE_URL) https://gitea-mcp.hiddenden.cafe
OAuth callback to register in Gitea https://gitea-mcp.hiddenden.cafe/oauth/callback
MCP URL you give to Claude https://gitea-mcp.hiddenden.cafe/mcp

Substitute your own hostnames if they differ. The two URLs are different hosts: git.* is Gitea, gitea-mcp.* is this proxy.

1) Create a Gitea OAuth2 application

  1. Open https://git.hiddenden.cafe/user/settings/applications (or admin application settings).
  2. Create an OAuth2 app.
  3. Set the redirect URI to this MCP server's callback (not Gitea's own host): https://gitea-mcp.hiddenden.cafe/oauth/callback This is the only redirect URI Gitea needs — the MCP server forwards each client's real callback through a signed state parameter.
  4. Save the app and copy the generated Client ID and Client Secret.

Required scopes:

  • read:repository
  • write:repository (only needed when using write tools)

2) Configure this MCP server

cp .env.example .env

Fill in exactly these values in .env (everything else has safe defaults):

# The Gitea instance this server talks to
GITEA_URL=https://git.hiddenden.cafe

# Per-user OAuth mode (recommended)
OAUTH_MODE=true
GITEA_OAUTH_CLIENT_ID=<client-id-from-step-1>
GITEA_OAUTH_CLIENT_SECRET=<client-secret-from-step-1>

# Public URL of THIS server (no trailing slash). Claude's MCP URL is this + /mcp
PUBLIC_BASE_URL=https://gitea-mcp.hiddenden.cafe

# Secret that signs the OAuth proxy state. Generate with: openssl rand -hex 32
OAUTH_STATE_SECRET=<random-32-byte-minimum-secret>

# Where dynamically-registered OAuth clients are stored — MUST be a writable,
# persistent path. The default matches the aegis-mcp-data volume in compose.
DCR_STORAGE_PATH=/var/lib/aegis-mcp/dcr_clients.json

2b) Service PAT (GITEA_TOKEN) — needed in practice

Gitea issues OIDC access tokens that carry only openid/profile/email. They establish identity but cannot call the repository REST API, so in pure-OAuth mode most tools fail (you will see a generic error, or list_repositories returning nothing usable). Configure a service PAT so the tools actually work:

  1. Create a dedicated bot account in Gitea (not a personal account).
  2. Generate a Personal Access Token with least privilege:
    • read:repository
    • write:repository only if you enable WRITE_MODE
  3. Set it in .env:
GITEA_TOKEN=<bot-personal-access-token>

This does not weaken per-user security. OAuth remains authoritative: before every repository call the server verifies that the signed-in user has permission on the target repo through Gitea (_verify_user_repository_access) and denies it otherwise. The PAT only performs the API call after that check; OAuth provides identity, per-user authorization, and audit attribution.

Note: with a service PAT, list_repositories is scoped to the signed-in user — it returns only the repositories that user owns or contributes to (resolved via Gitea's repo search with the uid filter), not everything the bot can see. Visibility of private repos still depends on what the service token itself can access. All other tools require an explicit owner/repo and run the per-user permission check first.

2a) Required writable volumes (read-only container)

The provided docker-compose.yml runs the container with a read-only root filesystem. The server therefore needs two writable volumes, both already wired up in compose:

Path Purpose Volume
/var/log/aegis-mcp tamper-evident audit log aegis-mcp-logs
/var/lib/aegis-mcp dynamic client registration store (DCR_STORAGE_PATH) aegis-mcp-data

If /var/lib/aegis-mcp is not writable/persistent, the OAuth authorize, token, and register endpoints fail and the browser shows a bare Internal Server Error during login. Keep the aegis-mcp-data volume mounted (or point DCR_STORAGE_PATH at another writable, persistent location), and make sure it survives restarts so registered clients are not lost.

3) Configure Claude, Claude Code, or Cowork

Claude's hosted, desktop, mobile, Claude Code, and Cowork surfaces share the same remote MCP connector infrastructure. There is no Claude-specific server code path.

In claude.ai:

  1. Open Settings > Connectors.
  2. Choose Add custom connector.
  3. Paste https://gitea-mcp.hiddenden.cafe/mcp.
  4. Complete the OAuth consent flow. Dynamic Client Registration (/register) handles Claude client registration.

In Claude Code:

claude mcp add --transport http aegis-gitea https://gitea-mcp.hiddenden.cafe/mcp

Cowork uses the same connector model and MCP URL.

Manual OAuth client configuration remains available for clients that do not use DCR:

  • MCP server URL: https://gitea-mcp.hiddenden.cafe/mcp
  • Authentication: OAuth
  • OAuth client ID: the client id returned by /register or your preconfigured client id
  • OAuth client secret: only for confidential clients

Hosted Claude callbacks are allowed by default: https://claude.ai/api/mcp/auth_callback and https://claude.com/api/mcp/auth_callback. Loopback redirects for Claude Code local development are allowed for http://127.0.0.1:* and http://localhost:*.

4) OAuth-protected MCP behavior

The server publishes protected-resource metadata:

  • GET /.well-known/oauth-protected-resource

Example response:

{
  "resource": "https://gitea-mcp.hiddenden.cafe",
  "authorization_servers": [
    "https://gitea-mcp.hiddenden.cafe",
    "https://git.hiddenden.cafe"
  ],
  "bearer_methods_supported": ["header"],
  "scopes_supported": ["read:repository", "write:repository"],
  "resource_documentation": "https://hiddenden.cafe/docs/mcp-gitea"
}

If a tool call is missing/invalid auth, MCP endpoints return 401 with:

WWW-Authenticate: Bearer resource_metadata="https://<mcp-host>/.well-known/oauth-protected-resource", scope="read:repository"

Architecture

Claude / Claude Code / Cowork
  -> Authorization Code Flow
  -> Gitea OAuth2/OIDC (issuer: https://git.hiddenden.cafe)
  -> Access token
   -> MCP Server (/mcp, /mcp/sse, /mcp/tool/call)
     -> OIDC discovery + JWKS cache
     -> Scope enforcement (read:repository / write:repository)
     -> Policy allow/deny
     -> If GITEA_TOKEN is set: check Gitea collaborator permission for <user, repo>
     -> Gitea API call with either the user token or the service PAT after authz

Example curl

Protected resource metadata:

curl -s https://<mcp-host>/.well-known/oauth-protected-resource | jq

Expected 401 challenge when missing token:

curl -i https://<mcp-host>/mcp/tool/call \
  -H "Content-Type: application/json" \
  -d '{"tool":"list_repositories","arguments":{}}'

Authenticated tool call:

curl -s https://<mcp-host>/mcp/tool/call \
  -H "Authorization: Bearer <user_access_token>" \
  -H "Content-Type: application/json" \
  -d '{"tool":"get_repository_info","arguments":{"owner":"acme","repo":"demo"}}'

Threat model

  • Shared bot tokens are dangerous:
    • one leaked token can expose all repositories reachable by that bot account.
    • blast radius is repository-wide and cross-user.
  • Token-in-URL is insecure:
    • URLs leak via logs, proxies, browser history, and referers.
    • bearer tokens must be sent in Authorization headers only.
  • Per-user OAuth reduces lateral access:
    • identity comes from Gitea OIDC/JWKS or userinfo validation.
    • without GITEA_TOKEN, API calls use the user's token and Gitea enforces permissions.
    • with GITEA_TOKEN, every repository-targeted call first checks the user's Gitea permission and fails closed if the check cannot be made.

CI/CD

Gitea workflows were added under .gitea/workflows/:

  • lint.yml: Ruff + formatting + mypy.
  • test.yml: lint + pytest + enforced coverage (>=80%).
  • docker.yml: lint+test gated Docker build, SHA tag, latest tag on main.

Docker hardening

docker/Dockerfile uses a multi-stage build, non-root runtime user, production env flags, minimal runtime dependencies, and a healthcheck.

Commands

  • make test
  • make lint
  • make format
  • make docker-build
  • make docker-up

Documentation

  • docs/api-reference.md
  • docs/security.md
  • docs/configuration.md
  • docs/deployment.md
  • docs/write-mode.md
Reference in New Issue View Git Blame Copy Permalink
S
Description
AegisGitea MCP is a private, security-first MCP (Model Context Protocol) server that enables controlled, auditable, read-only AI access to a self-hosted Gitea environment. The system allows ChatGPT (Business / Developer environment) to inspect repositories, code, commits, issues, and pull requests only through explicit MCP tool calls, while all access control is dynamically managed through a dedicated bot user inside Gitea itself.
Readme MIT 992 KiB
Languages
Python 98.8%
Makefile 0.5%
Shell 0.4%
Dockerfile 0.3%