Jonathan Miller fb36a209a9
feat: add wiki create, edit, and delete tools
Adds three new MCP tools for full wiki CRUD support:
- gitea_wiki_page_create: create wiki pages with markdown content
- gitea_wiki_page_edit: edit existing pages (with optional rename)
- gitea_wiki_page_delete: delete wiki pages

Content is automatically base64-encoded to match the Gitea API contract.
2026-06-18 19:44:48 -05:00

Security Policy

Supported Versions

Version | Supported
------- | ---------
0.0.x   | Yes

Reporting a Vulnerability

To report a security vulnerability, please email hello@mokoconsulting.tech with the subject line [SECURITY] gitea-api-mcp. Do not open a public issue for security vulnerabilities.

We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.

Token Storage Security

Configuration File

The config file ~/.gitea-api-mcp.json stores Gitea API tokens in plaintext. Follow these practices to protect your tokens:

File Permissions

Set restrictive permissions on the config file so only your user can read it:

chmod 600 ~/.gitea-api-mcp.json

On Windows, ensure the file is only readable by your user account through the file properties security tab.

What to Avoid

  • Never commit ~/.gitea-api-mcp.json or any file containing tokens to version control
  • Never share config files containing real tokens
  • Never log or print token values in debug output
  • Never store tokens in environment variables visible to other processes if avoidable

Token Scope

When generating Gitea access tokens, follow the principle of least privilege:

  • Only grant the scopes (permissions) your workflow requires
  • Use separate tokens for separate purposes or environments
  • Rotate tokens periodically
  • Revoke tokens that are no longer needed

Token Generation

  1. Navigate to your Gitea instance Settings > Applications
  2. Under "Manage Access Tokens," enter a token name
  3. Select only the required scopes
  4. Click "Generate Token"
  5. Copy the token immediately -- it will not be shown again

Network Security

TLS Verification

By default, the client verifies TLS certificates. The insecure: true option disables certificate verification entirely; it exists to accommodate self-signed certificates. Use it only for:

  • Local development instances
  • Internal instances with self-signed certificates where the network is trusted

Never use insecure: true for production instances accessible over the public internet.

API Prefix

All requests are sent to /api/v1 endpoints with:

  • Authorization: token <your-token> header
  • Content-Type: application/json header
  • 30-second request timeout

MCP Transport Security

This server uses stdio transport, meaning it communicates through standard input/output with the MCP client (e.g., Claude Code). The token is never exposed through network ports or HTTP endpoints by the MCP server itself.

Security Checklist

  • Config file permissions set to 600 (Unix) or user-only (Windows)
  • Tokens scoped to minimum required permissions
  • Config file excluded from version control (.gitignore)
  • insecure flag only used for trusted internal instances
  • Tokens rotated on a regular schedule
  • Unused tokens revoked promptly
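The following is an added example, not the project's own code, that turns the token-storage rules and the TLS guidance above into an automated check of a ~/.gitea-api-mcp.json-style file. The config field names (url, token, insecure) and the notion of an "internal" host (loopback, RFC 1918, *.local, *.internal) are assumptions for the example.

```typescript
import * as fs from "node:fs";
import * as path from "node:path";

// Assumed config shape (field names are an assumption, not the project's schema).
interface GiteaConfig {
  url: string;
  token: string;
  insecure?: boolean;
}

// Hosts where `insecure: true` is tolerable: loopback, RFC 1918 and *.local/*.internal.
function isInternalHost(host: string): boolean {
  if (["localhost", "127.0.0.1", "[::1]"].includes(host)) return true;
  if (host.endsWith(".local") || host.endsWith(".internal")) return true;
  const m = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Safe stand-in for a token in debug output: reports length only, never the value.
function redact(token: string): string {
  return token ? `<token:${token.length} chars>` : "<empty>";
}

// Checklist findings for a parsed config (empty array = clean).
function auditConfig(cfg: GiteaConfig): string[] {
  const issues: string[] = [];
  if (!cfg.token) issues.push("token is empty");
  let u: URL | undefined;
  try { u = new URL(cfg.url); } catch { /* reported below */ }
  if (!u) return issues.concat(`url is not a valid URL: ${cfg.url}`);
  const internal = isInternalHost(u.hostname);
  if (cfg.insecure && !internal) issues.push(`insecure: true on non-internal host ${u.hostname}`);
  if (u.protocol !== "https:" && !internal) issues.push(`${cfg.url} is not https`);
  return issues;
}

// Findings for an on-disk config file, including the chmod 600 check on Unix.
// On Windows the mode bits are meaningless, so only the content checks apply there.
function auditConfigFile(file: string): string[] {
  const issues: string[] = [];
  const mode = fs.statSync(file).mode & 0o777;
  if (process.platform !== "win32" && (mode & 0o077) !== 0) {
    issues.push(`${file}: mode ${mode.toString(8)} is readable by group/other; run chmod 600`);
  }
  const cfg = JSON.parse(fs.readFileSync(file, "utf8")) as GiteaConfig;
  return issues.concat(auditConfig(cfg));
}
```

Run auditConfigFile on the real path before starting the server and refuse to start on any finding; log redact(cfg.token) rather than the token if a debug line needs to mention it at all.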
Description
MCP server for Gitea REST API v1 operations — 61 tools for repos, issues, PRs, releases, branches, actions, orgs, wiki, webhooks, and more