MokoConsulting/mcp-mokogitea-api
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
387 Commits 3 Branches 0 Tags
dev
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
jmiller 9c543e2f65 chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]
2026-06-06 19:50:54 +00:00
.mokogitea
chore: sync .mokogitea/workflows/auto-release.yml from moko-platform [skip ci]
2026-06-06 19:50:54 +00:00
automation
chore(ci): add CI issue reporter for auto-filing gate failures
2026-06-02 20:37:17 +00:00
scripts
feat: initial Gitea API MCP server with 61 tools
2026-05-07 15:50:28 -05:00
src
feat: new MCP tools (#10)
2026-05-23 00:58:26 +00:00
.gitattributes
feat: initial Gitea API MCP server with 61 tools
2026-05-07 15:50:28 -05:00
.gitignore
feat: initial Gitea API MCP server with 61 tools
2026-05-07 15:50:28 -05:00
.gitmessage
feat: initial Gitea API MCP server with 61 tools
2026-05-07 15:50:28 -05:00
CHANGELOG.md
docs: update CHANGELOG with infrastructure changes [skip ci]
2026-05-27 05:28:47 +00:00
CLAUDE.md
chore: update CLAUDE.md to reference .mokogitea/ [skip ci]
2026-05-21 20:09:15 +00:00
config.example.json
feat: initial Gitea API MCP server with 61 tools
2026-05-07 15:50:28 -05:00
CONTRIBUTING.md
feat(tools): expand to 88 tools — topics, collaborators, deploy keys, branch protection, org labels, actions secrets, mirrors, stats, compare, admin, issue labels
2026-05-07 16:17:26 -05:00
package.json
chore: rename package to @mokoconsulting/mcp-mokogitea-api
2026-05-16 08:19:05 -05:00
README.md
feat(tools): expand to 88 tools — topics, collaborators, deploy keys, branch protection, org labels, actions secrets, mirrors, stats, compare, admin, issue labels
2026-05-07 16:17:26 -05:00
SECURITY.md
feat(tools): expand to 88 tools — topics, collaborators, deploy keys, branch protection, org labels, actions secrets, mirrors, stats, compare, admin, issue labels
2026-05-07 16:17:26 -05:00
tsconfig.json
feat: initial Gitea API MCP server with 61 tools
2026-05-07 15:50:28 -05:00
Readme Contributing Security Changelog

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.0.x Yes

Reporting a Vulnerability

To report a security vulnerability, please email hello@mokoconsulting.tech with the subject line [SECURITY] gitea-api-mcp. Do not open a public issue for security vulnerabilities.

We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

Token Storage Security

Configuration File

The config file ~/.gitea-api-mcp.json stores Gitea API tokens in plaintext. Follow these practices to protect your tokens:

File Permissions

Set restrictive permissions on the config file so only your user can read it:

chmod 600 ~/.gitea-api-mcp.json

On Windows, ensure the file is only readable by your user account through the file properties security tab.

What to Avoid

  • Never commit ~/.gitea-api-mcp.json or any file containing tokens to version control
  • Never share config files containing real tokens
  • Never log or print token values in debug output
  • Never store tokens in environment variables visible to other processes if avoidable

Token Scope

When generating Gitea access tokens, follow the principle of least privilege:

  • Only grant the scopes (permissions) your workflow requires
  • Use separate tokens for separate purposes or environments
  • Rotate tokens periodically
  • Revoke tokens that are no longer needed

Token Generation

  1. Navigate to your Gitea instance Settings > Applications
  2. Under "Manage Access Tokens," enter a token name
  3. Select only the required scopes
  4. Click "Generate Token"
  5. Copy the token immediately -- it will not be shown again

Network Security

TLS Verification

By default, the client verifies TLS certificates. The insecure: true option disables certificate verification for self-signed certificates. Use this only for:

  • Local development instances
  • Internal instances with self-signed certificates where the network is trusted

Never use insecure: true for production instances accessible over the public internet.

API Prefix

All requests are sent to /api/v1 endpoints with:

  • Authorization: token <your-token> header
  • Content-Type: application/json header
  • 30-second request timeout

MCP Transport Security

This server uses stdio transport, meaning it communicates through standard input/output with the MCP client (e.g., Claude Code). The token is never exposed through network ports or HTTP endpoints by the MCP server itself.

Security Checklist

  • Config file permissions set to 600 (Unix) or user-only (Windows)
  • Tokens scoped to minimum required permissions
  • Config file excluded from version control (.gitignore)
  • insecure flag only used for trusted internal instances
  • Tokens rotated on a regular schedule
  • Unused tokens revoked promptly
Reference in New Issue View Git Blame Copy Permalink
S
Description
MCP server for Gitea REST API v1 operations — 61 tools for repos, issues, PRs, releases, branches, actions, orgs, wiki, webhooks, and more
Readme
798 KiB
Languages
TypeScript 55.3%
Markdown 35.1%
Shell 6.2%
JavaScript 1.5%
JSON 1.1%
Other 0.8%