AegisGitea-MCP/docs/write-mode.md
Latte e08ba42697
feat: assign issues to milestones on create/update (#22)
Add a `milestone` argument to `create_issue` and `update_issue` accepting
either a numeric milestone id or a title (resolved case-insensitively against
open and closed milestones, with a clear error for unknown titles). On
`update_issue`, `milestone: 0` clears the milestone. A BeforeValidator rejects
booleans so they are not silently coerced to an id.

Gitea Projects (Kanban boards) were investigated for #22 and are intentionally
left unsupported: Gitea 1.26.2 exposes no project endpoints in its REST API.
Documented this in api-reference.md and refreshed the (stale) write-mode tool
list to cover all 16 write tools.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-22 17:36:01 +02:00


Write Mode

Threat Model

Write mode introduces mutation risk (issue/PR changes, metadata updates). Risks include unauthorized actions, accidental mass updates, and audit evasion.

Default Posture

  • WRITE_MODE=false by default.
  • When enabled, writes require repository whitelist membership by default.
  • Optional opt-in: WRITE_ALLOW_ALL_TOKEN_REPOS=true allows writes to any repo the token can access.
  • Policy engine remains authoritative and may deny specific write tools.

Supported Write Tools

  • create_issue (optional milestone id or title)
  • update_issue (optional milestone; 0 clears it)
  • create_issue_comment
  • create_pr_comment
  • edit_issue_comment
  • add_labels
  • remove_labels
  • assign_issue
  • create_label
  • update_label
  • create_pull_request
  • create_release
  • edit_release
  • create_branch
  • create_milestone

Not supported (explicitly forbidden): merge actions, branch/label/release deletion, force push, repo/admin management, and repository content writes (file create/edit, commits). Gitea Projects (Kanban boards) are unsupported because the Gitea REST API exposes no project endpoints.

Enablement Steps

  1. Set WRITE_MODE=true.
  2. Choose one:
    • WRITE_REPOSITORY_WHITELIST=owner/repo,... (recommended)
    • WRITE_ALLOW_ALL_TOKEN_REPOS=true (broader scope)
  3. Review the policy file for write-tool scope.
  4. Verify audit logging and alerting before rollout.
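
The gating described under Default Posture and the steps above can be modelled and checked before rollout. This is an added example, not AegisGitea-MCP's own code: the function names, the flag parsing, the exact-match whitelist comparison, and the `policy_denied` set standing in for the policy engine are assumptions.

```python
import re

# Write tools listed on this page; anything else (merge, delete, force push) is refused.
SUPPORTED_WRITE_TOOLS = {
    "create_issue", "update_issue", "create_issue_comment", "create_pr_comment", "edit_issue_comment",
    "add_labels", "remove_labels", "assign_issue", "create_label", "update_label",
    "create_pull_request", "create_release", "edit_release", "create_branch", "create_milestone",
}
REPO_RE = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$")  # assumed owner/repo shape


def _flag(env, name):
    # Assumption: only the literal "true" (any case) enables a flag; unset means false.
    return env.get(name, "false").strip().lower() == "true"


def _whitelist(env):
    raw = env.get("WRITE_REPOSITORY_WHITELIST", "")
    return [r.strip() for r in raw.split(",") if r.strip()]


def write_decision(env, repo, tool, policy_denied=frozenset()):
    """Return (allowed, reason) for one write call under the documented posture."""
    if tool not in SUPPORTED_WRITE_TOOLS:
        return False, "unsupported write tool"
    if not _flag(env, "WRITE_MODE"):
        return False, "write mode disabled"
    if tool in policy_denied:  # stand-in for the policy engine, which stays authoritative
        return False, "denied by policy"
    if _flag(env, "WRITE_ALLOW_ALL_TOKEN_REPOS"):
        return True, "allowed: all token repos"
    if repo in _whitelist(env):  # assumption: exact, case-sensitive match
        return True, "allowed: whitelisted"
    return False, "repository not whitelisted"


def preflight(env):
    """Return rollout warnings for a write-mode configuration."""
    if not _flag(env, "WRITE_MODE"):
        return []
    wl = _whitelist(env)
    warnings = [f"malformed whitelist entry: {r!r}" for r in wl if not REPO_RE.match(r)]
    if _flag(env, "WRITE_ALLOW_ALL_TOKEN_REPOS"):
        warnings.append("WRITE_ALLOW_ALL_TOKEN_REPOS=true: scope is every repo the token can access")
    elif not wl:
        warnings.append("write mode on but whitelist empty: every write will be denied")
    elif len(wl) > 1:
        warnings.append("more than one whitelisted repo: start with one")
    return warnings
```

Passing `os.environ` as `env` checks the live configuration; a non-empty `preflight` result is a reason to hold the rollout.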

Safe Operations

  • Start with one repository in the whitelist.
  • Use narrowly scoped bot credentials.
  • Require peer review for whitelist/policy changes.
  • Disable write mode during incident response if abuse is suspected.

Risk Tradeoffs

Write mode improves automation and triage speed but increases blast radius. Use least privilege, tight policy, and strong monitoring.