8c84d76bd5
Adds docs/raw-api.md (two-layer policy, sensitive denylist, env vars, write-mode warning), links it from index and api-reference, documents RAW_API_ENABLED / RAW_API_ALLOW_SENSITIVE in .env.example, and adds commented virtual-tool-name deny examples to policy.yaml.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
24 lines
835 B
YAML
defaults:
  read: allow
  write: deny

tools:
  deny: []
  # The generic `gitea_request` tool authorizes each call under a coarse virtual
  # tool name of the form `gitea_request:<METHOD>:<top-path-segment>`, e.g.
  # `gitea_request:GET:repos` or `gitea_request:DELETE:repos`. To keep raw
  # dispatch read-only while still allowing GETs, deny the write methods here:
  #
  # deny:
  #   - gitea_request:POST:repos
  #   - gitea_request:PUT:repos
  #   - gitea_request:PATCH:repos
  #   - gitea_request:DELETE:repos
  #
  # NOTE: The admin/credential denylist (/admin, *tokens*, *secrets*, *hooks*,
  # *keys*, applications/oauth2, runner registration tokens) is enforced in the
  # handler independently of this file and is NOT configured here. It can only be
  # overridden by setting RAW_API_ALLOW_SENSITIVE=true.

repositories: {}
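The following is an added example, not code from the project this commit belongs to, written to make the two-layer check described in the policy.yaml comments concrete: the configurable layer (tools.deny matched against the coarse `gitea_request:<METHOD>:<top-path-segment>` name, then defaults.read/write) and the handler-enforced sensitive denylist that only RAW_API_ALLOW_SENSITIVE=true switches off. The glob patterns used for the sensitive denylist, the treatment of RAW_API_ENABLED as a master switch, and the sample policies are assumptions made for this example; the real handler's matching rules are not shown on the page. It also shows why the commented deny examples alone do not make raw dispatch read-only once defaults.write is set to allow: they cover only the `repos` top segment, so a POST to `/orgs` passes the deny list.

```python
import fnmatch
import os

# Sensitive-path denylist, paraphrased from the NOTE in policy.yaml. The real
# handler's matching rules are not on the page, so these glob patterns are an
# assumption made for this example.
SENSITIVE_PATTERNS = (
    "/admin*",
    "*tokens*",               # also covers runner registration tokens
    "*secrets*",
    "*hooks*",
    "*keys*",
    "*applications/oauth2*",
)

WRITE_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})

# Constructed policy: the shipped defaults (reads allowed, writes denied,
# nothing in tools.deny), mirroring the policy.yaml above.
DEFAULT_POLICY = {
    "defaults": {"read": "allow", "write": "deny"},
    "tools": {"deny": []},
    "repositories": {},
}

# Constructed policy: defaults.write flipped to allow, with the commented
# deny examples enabled so the tools.deny layer is what blocks repo writes.
WRITE_ENABLED_POLICY = {
    "defaults": {"read": "allow", "write": "allow"},
    "tools": {
        "deny": [
            "gitea_request:POST:repos",
            "gitea_request:PUT:repos",
            "gitea_request:PATCH:repos",
            "gitea_request:DELETE:repos",
        ]
    },
    "repositories": {},
}


def virtual_tool_name(method: str, path: str) -> str:
    """Build gitea_request:<METHOD>:<top-path-segment> for a raw API call."""
    top_segment = path.strip("/").split("/", 1)[0]
    return f"gitea_request:{method.upper()}:{top_segment}"


def is_sensitive(path: str) -> bool:
    """Handler-enforced denylist, independent of policy.yaml (patterns assumed)."""
    normalized = "/" + path.strip("/").lower()
    return any(fnmatch.fnmatchcase(normalized, pat) for pat in SENSITIVE_PATTERNS)


def env_flag(name: str) -> bool:
    """Treat only the literal string 'true' (any case) as enabled."""
    return os.environ.get(name, "").strip().lower() == "true"


def authorize(method: str, path: str, policy: dict,
              raw_api_enabled: bool = True,
              allow_sensitive: bool = False) -> tuple:
    """Return (decision, reason) for one raw API call.

    A call is allowed only if every layer allows it: the policy.yaml layer
    (tools.deny, then defaults.read/write) and the built-in sensitive
    denylist, which only RAW_API_ALLOW_SENSITIVE=true can switch off.
    """
    if not raw_api_enabled:
        return ("deny", "RAW_API_ENABLED")       # assumption: master switch
    name = virtual_tool_name(method, path)
    if name in policy.get("tools", {}).get("deny", []):
        return ("deny", "tools.deny")
    mode = "write" if method.upper() in WRITE_METHODS else "read"
    if policy.get("defaults", {}).get(mode, "deny") != "allow":
        return ("deny", f"defaults.{mode}")
    if is_sensitive(path) and not allow_sensitive:
        return ("deny", "sensitive-denylist")
    return ("allow", f"defaults.{mode}")


def authorize_from_env(method: str, path: str, policy: dict) -> tuple:
    """Same check, reading both switches from the environment."""
    return authorize(method, path, policy,
                     raw_api_enabled=env_flag("RAW_API_ENABLED"),
                     allow_sensitive=env_flag("RAW_API_ALLOW_SENSITIVE"))


if __name__ == "__main__":
    for method, path in [("GET", "/repos/org/repo"),
                         ("DELETE", "/repos/org/repo"),
                         ("POST", "/orgs"),
                         ("GET", "/repos/org/repo/hooks"),
                         ("GET", "/admin/users")]:
        print(method, path, authorize(method, path, WRITE_ENABLED_POLICY))
```

Running the block with WRITE_ENABLED_POLICY shows the coarse granularity of the virtual tool name: DELETE on `/repos/org/repo` is stopped by tools.deny, but POST to `/orgs` is allowed because no `gitea_request:POST:orgs` entry exists, while `/repos/org/repo/hooks` and `/admin/users` are denied by the sensitive layer regardless of what policy.yaml says.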