Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
24 Commits 1 Branch 0 Tags
a00b6a0ba2db1ef4f05e2ecab7e54d8b559fddbb
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
latte a00b6a0ba2 update
2026-02-14 18:18:34 +01:00
docker
fix: use external proxy network in compose configs
2026-02-14 16:15:21 +01:00
docs
quick fix
2026-02-14 17:18:30 +01:00
scripts
feat: harden gateway with policy engine, secure tools, and governance docs
2026-02-14 16:06:43 +01:00
src/aegis_gitea_mcp
update
2026-02-14 18:18:34 +01:00
tests
update
2026-02-14 18:18:34 +01:00
.env.example
quick fix
2026-02-14 17:18:30 +01:00
.gitignore
feat: add API key authentication system for ChatGPT Business
2026-01-29 20:05:49 +01:00
AGENTS.md
feat: harden gateway with policy engine, secure tools, and governance docs
2026-02-14 16:06:43 +01:00
CODE_OF_CONDUCT.md
feat: harden gateway with policy engine, secure tools, and governance docs
2026-02-14 16:06:43 +01:00
docker-compose.yml
fix: use external proxy network in compose configs
2026-02-14 16:15:21 +01:00
LICENSE
.
2026-01-29 19:53:36 +01:00
Makefile
feat: harden gateway with policy engine, secure tools, and governance docs
2026-02-14 16:06:43 +01:00
policy.yaml
feat: add opt-in write access for all token-visible repos
2026-02-14 16:35:03 +01:00
pyproject.toml
feat: harden gateway with policy engine, secure tools, and governance docs
2026-02-14 16:06:43 +01:00
README.md
feat: add opt-in write access for all token-visible repos
2026-02-14 16:35:03 +01:00
requirements-dev.txt
.
2026-01-29 19:53:36 +01:00
requirements.txt
feat: harden gateway with policy engine, secure tools, and governance docs
2026-02-14 16:06:43 +01:00
run_tests.sh
docs: add comprehensive testing guide and test runner
2026-01-29 20:46:50 +01:00

README.md

AegisGitea-MCP

Security-first, policy-driven MCP gateway for Gitea.

AegisGitea-MCP exposes controlled read and optional write capabilities to AI agents through MCP-compatible endpoints, with strict validation, policy enforcement, tamper-evident audit logging, and secure-by-default runtime controls.

Highlights

  • Security-first defaults (localhost bind, write mode disabled, no stack traces in production errors).
  • YAML policy engine with global/per-repository tool allow/deny and optional path restrictions.
  • Expanded read tools for repositories, commits, diffs, issues, PRs, labels, tags, and releases.
  • Strict write mode (opt-in + policy enforcement, with whitelist by default).
  • Tamper-evident audit logging with hash-chain integrity validation.
  • Secret detection/sanitization for outbound payloads.
  • Structured JSON logging + Prometheus metrics.
  • Hardened Docker runtime (non-root, no-new-privileges, capability drop, read-only where practical).

Quick Start

1. Install dependencies

make install-dev

2. Configure environment

cp .env.example .env

Set at minimum:

  • GITEA_URL
  • GITEA_TOKEN
  • MCP_API_KEYS

3. Run locally

make run

Server defaults to 127.0.0.1:8080.

Core Commands

  • make test: run pytest with coverage.
  • make lint: run Ruff + mypy.
  • make format: run Black + Ruff autofix.
  • make docker-up: start hardened prod-profile container.
  • make docker-down: stop containers.
  • make validate-audit: validate audit hash chain integrity.

Security Model

  • Authentication: API keys (Authorization: Bearer <key>).
  • Authorization: policy engine (policy.yaml) evaluated before tool execution.
  • Rate limiting: per-IP and per-token.
  • Output controls: bounded response size and optional secret masking/blocking.
  • Write controls: WRITE_MODE=false by default; when enabled, use whitelist or opt into WRITE_ALLOW_ALL_TOKEN_REPOS=true.

Documentation

All detailed docs are under docs/:

  • docs/api-reference.md
  • docs/policy.md
  • docs/security.md
  • docs/audit.md
  • docs/write-mode.md
  • docs/deployment.md
  • docs/observability.md
  • docs/automation.md
  • docs/governance.md
  • docs/roadmap.md
  • docs/todo.md

Conduct and Governance

  • Contributor/maintainer conduct: CODE_OF_CONDUCT.md
  • AI agent behavioral contract: AGENTS.md

License

MIT (see LICENSE).

Reference in New Issue View Git Blame Copy Permalink
Description
AegisGitea MCP is a private, security-first MCP (Model Context Protocol) server that enables controlled, auditable, read-only AI access to a self-hosted Gitea environment. The system allows ChatGPT (Business / Developer environment) to inspect repositories, code, commits, issues, and pull requests only through explicit MCP tool calls, while all access control is dynamically managed through a dedicated bot user inside Gitea itself.
https://gitea-mcp.hiddenden.cafe
Readme MIT 481 KiB
Languages
Python 98.2%
Makefile 0.8%
Shell 0.6%
Dockerfile 0.4%