Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Files
aefb243a0507a4aaf0245846311b89a700b48bd8
AegisGitea-MCP/docs/write-mode.md
T
Latte e08ba42697
lint / lint (pull_request) Successful in 35s
Details
test / test (pull_request) Successful in 35s
Details
docker / docker-test (pull_request) Successful in 8s
Details
test / test (push) Successful in 23s
Details
lint / lint (push) Successful in 23s
Details
docker / test (pull_request) Successful in 29s
Details
docker / lint (pull_request) Successful in 35s
Details
docker / docker-publish (pull_request) Has been skipped
Details
feat: assign issues to milestones on create/update (#22) 
Add a `milestone` argument to `create_issue` and `update_issue` accepting
either a numeric milestone id or a title (resolved case-insensitively against
open and closed milestones, with a clear error for unknown titles). On
`update_issue`, `milestone: 0` clears the milestone. A BeforeValidator rejects
booleans so they are not silently coerced to an id.

Gitea Projects (Kanban boards) were investigated for #22 and are intentionally
left unsupported: Gitea 1.26.2 exposes no project endpoints in its REST API.
Documented this in api-reference.md and refreshed the (stale) write-mode tool
list to cover all 16 write tools.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 17:36:01 +02:00

56 lines
1.8 KiB
Markdown
Raw Blame History

# Write Mode
## Threat Model
Write mode introduces mutation risk (issue/PR changes, metadata updates). Risks include unauthorized action, accidental mass updates, and audit evasion.
## Default Posture
- `WRITE_MODE=false` by default.
- When enabled, writes require repository whitelist membership by default.
- Optional opt-in: `WRITE_ALLOW_ALL_TOKEN_REPOS=true` allows writes to any repo the token can access.
- Policy engine remains authoritative and may deny specific write tools.
## Supported Write Tools
- `create_issue` (optional `milestone` id or title)
- `update_issue` (optional `milestone`; `0` clears it)
- `create_issue_comment`
- `create_pr_comment`
- `edit_issue_comment`
- `add_labels`
- `remove_labels`
- `assign_issue`
- `create_label`
- `update_label`
- `create_pull_request`
- `create_release`
- `edit_release`
- `create_branch`
- `create_milestone`
Not supported (explicitly forbidden): merge actions, branch/label/release deletion,
force push, repo/admin management, and repository content writes (file create/edit,
commits). Gitea Projects (Kanban boards) are unsupported because the Gitea REST API
exposes no project endpoints.
## Enablement Steps
1. Set `WRITE_MODE=true`.
2. Choose one:
- `WRITE_REPOSITORY_WHITELIST=owner/repo,...` (recommended)
- `WRITE_ALLOW_ALL_TOKEN_REPOS=true` (broader scope)
3. Review policy file for write-tool scope.
4. Verify audit logging and alerting before rollout.
## Safe Operations
- Start with one repository in whitelist.
- Use narrowly scoped bot credentials.
- Require peer review for whitelist/policy changes.
- Disable write mode during incident response if abuse is suspected.
## Risk Tradeoffs
Write mode improves automation and triage speed but increases blast radius. Use least privilege, tight policy, and strong monitoring.
Reference in New Issue View Git Blame Copy Permalink