Hiddenden/AegisGitea-MCP

Files

latte 8504a95a11 feat: add opt-in write access for all token-visible repos

2026-02-14 16:35:03 +01:00

1012 B

Raw Blame History

Deployment

Secure Defaults

Default bind: MCP_HOST=127.0.0.1.
Binding 0.0.0.0 requires explicit ALLOW_INSECURE_BIND=true.
Write mode disabled by default.
Policy file path configurable via POLICY_FILE_PATH.

Local Development

make install-dev
cp .env.example .env
make generate-key
make run

Docker

Use docker/Dockerfile (non-root runtime).
Use compose profiles:
- prod: hardened runtime profile.
- dev: local development profile (localhost-only port bind).

Run examples:

docker compose --profile prod up -d
docker compose --profile dev up -d

Environment Validation

Startup validates:

Required Gitea settings.
API keys (when auth enabled).
Insecure bind opt-in.
Write whitelist when write mode enabled (unless WRITE_ALLOW_ALL_TOKEN_REPOS=true).

Production Recommendations

Run behind TLS-terminating reverse proxy.
Restrict network exposure.
Persist and rotate audit logs.
Enable external monitoring for /metrics.