@ric_/forgejo-mcp 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 forgejo-mcp contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,302 @@
+# forgejo-mcp
+
+A Model Context Protocol (MCP) server for [Forgejo](https://forgejo.org/) and [Gitea](https://gitea.com/) instances. Enables AI assistants like Claude, Cursor, and other MCP-compatible tools to interact with your Forgejo/Gitea repositories, issues, pull requests, and more.
+
+## Features
+- Comprehensive API coverage (102 tools across 6 categories)
+- Configurable base URL - works with any Forgejo or Gitea instance
+- Both stdio and HTTP transport modes
+- Token-based authentication with optional HTTP Bearer auth
+- Input validation and security hardening (path traversal protection, SSRF prevention, rate limiting)
+- Docker support with security-hardened container
+
+## Quick Start
+
+### Prerequisites
+- Node.js 18+
+- A Forgejo or Gitea instance
+- API token (generate at `{your-instance}/user/settings/applications`)
+
+### Installation
+
+```bash
+npm install -g forgejo-mcp
+```
+
+Or run directly:
+```bash
+npx forgejo-mcp
+```
+
+### Configuration
+
+Set environment variables:
+```bash
+export FORGEJO_URL=https://your-forgejo-instance.com
+export FORGEJO_TOKEN=your-api-token
+```
+
+Or pass as CLI args:
+```bash
+forgejo-mcp --url https://your-instance.com --token your-token
+```
+
+## Usage
+
+### With Claude Code
+Add to your Claude Code MCP config:
+```json
+{
+  "mcpServers": {
+    "forgejo": {
+      "command": "npx",
+      "args": ["forgejo-mcp"],
+      "env": {
+        "FORGEJO_URL": "https://your-instance.com",
+        "FORGEJO_TOKEN": "your-token"
+      }
+    }
+  }
+}
+```
+
+### With Claude Desktop
+Add to claude_desktop_config.json:
+```json
+{
+  "mcpServers": {
+    "forgejo": {
+      "command": "npx",
+      "args": ["forgejo-mcp"],
+      "env": {
+        "FORGEJO_URL": "https://your-instance.com",
+        "FORGEJO_TOKEN": "your-token"
+      }
+    }
+  }
+}
+```
+
+### HTTP Mode
+For remote/shared access:
+```bash
+FORGEJO_URL=https://your-instance.com \
+FORGEJO_TOKEN=your-token \
+FORGEJO_MCP_API_KEY=your-secret-api-key \
+npx forgejo-mcp-http --port 3000
+```
+Endpoint: `http://localhost:3000/mcp`
+
+**Authentication:** Set `FORGEJO_MCP_API_KEY` to require Bearer token authentication on the HTTP endpoint. Clients must include `Authorization: Bearer your-secret-api-key` in requests. If not set, the endpoint is unauthenticated (only suitable for localhost or behind a reverse proxy).
+
+**Rate Limiting:** Enabled by default at 100 requests/minute per IP. Configure via:
+- `RATE_LIMIT_MAX` - max requests per window (default: 100)
+- `RATE_LIMIT_WINDOW_MS` - window size in milliseconds (default: 60000)
+
+### Docker
+```bash
+# Build and run with docker-compose
+cp .env.example .env
+# Edit .env with your values, then:
+docker compose up -d
+```
+
+Or build and run directly:
+```bash
+docker build -t forgejo-mcp .
+docker run -p 3000:3000 \
+  -e FORGEJO_URL=https://your-instance.com \
+  -e FORGEJO_TOKEN=your-token \
+  -e FORGEJO_MCP_API_KEY=your-secret-key \
+  forgejo-mcp
+```
+
+The Docker image:
+- Uses multi-stage build for minimal image size
+- Runs as non-root user
+- Read-only filesystem
+- No new privileges security option
+
+## Available Tools
+
+### Repository Management (24 tools)
+| Tool | Description |
+|------|-------------|
+| `search_repos` | Search repositories |
+| `get_repo` | Get repository details |
+| `create_repo` | Create a new repository |
+| `create_org_repo` | Create repo in an organization |
+| `delete_repo` | Delete a repository |
+| `fork_repo` | Fork a repository |
+| `list_branches` | List branches |
+| `get_branch` | Get branch details |
+| `create_branch` | Create a branch |
+| `delete_branch` | Delete a branch |
+| `list_repo_commits` | List commits |
+| `get_file_contents` | Get file contents |
+| `create_file` | Create a file |
+| `update_file` | Update a file |
+| `delete_file` | Delete a file |
+| `list_releases` | List releases |
+| `create_release` | Create a release |
+| `list_tags` | List tags |
+| `list_repo_topics` | List topics |
+| `update_repo_topics` | Update topics |
+| `list_forks` | List forks |
+| `list_collaborators` | List collaborators |
+| `add_collaborator` | Add a collaborator |
+| `transfer_repo` | Transfer repository |
+
+### Issue Management (20 tools)
+| Tool | Description |
+|------|-------------|
+| `list_issues` | List repository issues |
+| `get_issue` | Get issue details |
+| `create_issue` | Create an issue |
+| `edit_issue` | Edit an issue |
+| `list_issue_comments` | List issue comments |
+| `create_issue_comment` | Add a comment |
+| `edit_issue_comment` | Edit a comment |
+| `delete_issue_comment` | Delete a comment |
+| `list_labels` | List repository labels |
+| `get_label` | Get label details |
+| `create_label` | Create a label |
+| `edit_label` | Edit a label |
+| `delete_label` | Delete a label |
+| `add_issue_labels` | Add labels to issue |
+| `remove_issue_label` | Remove label from issue |
+| `list_milestones` | List milestones |
+| `get_milestone` | Get milestone details |
+| `create_milestone` | Create a milestone |
+| `edit_milestone` | Edit a milestone |
+| `delete_milestone` | Delete a milestone |
+
+### Pull Request Management (12 tools)
+| Tool | Description |
+|------|-------------|
+| `list_pull_requests` | List pull requests |
+| `get_pull_request` | Get PR details |
+| `create_pull_request` | Create a pull request |
+| `edit_pull_request` | Edit a pull request |
+| `merge_pull_request` | Merge a pull request |
+| `list_pr_commits` | List PR commits |
+| `list_pr_files` | List changed files |
+| `get_pr_diff` | Get PR diff |
+| `list_pr_reviews` | List PR reviews |
+| `create_pr_review` | Create a review |
+| `request_pr_review` | Request reviewers |
+| `update_pr_branch` | Update PR branch |
+
+### Organization Management (14 tools)
+| Tool | Description |
+|------|-------------|
+| `list_orgs` | List organizations |
+| `get_org` | Get org details |
+| `create_org` | Create organization |
+| `edit_org` | Edit organization |
+| `delete_org` | Delete organization |
+| `list_org_repos` | List org repositories |
+| `list_org_members` | List org members |
+| `list_org_teams` | List org teams |
+| `get_team` | Get team details |
+| `create_team` | Create a team |
+| `add_team_member` | Add team member |
+| `remove_team_member` | Remove team member |
+| `list_org_labels` | List org labels |
+| `list_org_hooks` | List org webhooks |
+
+### User Management (13 tools)
+| Tool | Description |
+|------|-------------|
+| `get_authenticated_user` | Get current user |
+| `get_user` | Get user profile |
+| `list_user_repos` | List user repositories |
+| `list_user_orgs` | List user organizations |
+| `search_users` | Search users |
+| `list_followers` | List followers |
+| `list_following` | List following |
+| `list_user_starred` | List starred repos |
+| `list_my_starred` | List my starred repos |
+| `star_repo` | Star a repository |
+| `unstar_repo` | Unstar a repository |
+| `list_my_notifications` | List notifications |
+| `mark_notifications_read` | Mark all as read |
+
+### Admin & System (19 tools)
+| Tool | Description |
+|------|-------------|
+| `admin_list_users` | List all users (admin) |
+| `admin_create_user` | Create user (admin) |
+| `admin_delete_user` | Delete user (admin) |
+| `admin_edit_user` | Edit user (admin) |
+| `admin_list_cron_jobs` | List cron jobs |
+| `admin_run_cron_job` | Run cron task |
+| `admin_list_hooks` | List system webhooks |
+| `get_server_version` | Get server version |
+| `render_markdown` | Render markdown |
+| `render_markup` | Render markup |
+| `list_gitignore_templates` | List gitignore templates |
+| `get_gitignore_template` | Get gitignore template |
+| `list_license_templates` | List license templates |
+| `get_license_template` | Get license template |
+| `list_label_templates` | List label templates |
+| `get_label_template` | Get label template |
+| `get_nodeinfo` | Get instance info |
+| `list_action_runners_jobs` | List action jobs |
+| `get_runner_registration_token` | Get runner token |
+
+## Security
+
+### Environment Variables
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `FORGEJO_URL` | Yes | Base URL of your Forgejo/Gitea instance |
+| `FORGEJO_TOKEN` | Yes | API token ([generate here]({your-instance}/user/settings/applications)) |
+| `FORGEJO_MCP_API_KEY` | No | Bearer token for HTTP endpoint authentication |
+| `RATE_LIMIT_MAX` | No | Max requests per rate limit window (default: 100) |
+| `RATE_LIMIT_WINDOW_MS` | No | Rate limit window in ms (default: 60000) |
+| `PORT` | No | HTTP server port (default: 3000) |
+
+### Security Features
+- **Input validation** - All parameters validated with Zod schemas (path traversal prevention, regex-validated usernames, bounded pagination, enum enforcement)
+- **SSRF protection** - Base URL validated against cloud metadata endpoints and private IP ranges
+- **HTTP authentication** - Optional Bearer token auth for the HTTP transport
+- **Rate limiting** - Per-IP rate limiting on HTTP endpoints
+- **Token safety** - API tokens never leaked in error messages; URLs sanitized in errors
+- **Security headers** - `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY`
+- **Non-root Docker** - Container runs as unprivileged user with read-only filesystem
+
+### Best Practices
+- Always use HTTPS for your Forgejo instance URL
+- Use short-lived API tokens with minimal required permissions
+- Set `FORGEJO_MCP_API_KEY` when running HTTP mode on a network
+- Admin tools require an admin-level Forgejo token - use a non-admin token if you don't need them
+
+## Development
+
+```bash
+git clone https://github.com/your-username/forgejo-mcp.git
+cd forgejo-mcp
+npm install
+npm run dev          # stdio mode
+npm run dev:http     # HTTP mode
+npm test             # run tests
+npm run build        # compile TypeScript
+```
+
+## Compatible Instances
+
+This MCP server works with:
+- [Forgejo](https://forgejo.org/) (v7.0+)
+- [Gitea](https://gitea.com/) (v1.20+)
+- [Codeberg](https://codeberg.org/)
+- Any Gitea-compatible forge
+
+## Contributing
+
+Contributions welcome! Please see [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
+
+## License
+
+MIT - see [LICENSE](LICENSE)

package/dist/client.d.ts

@@ -0,0 +1,35 @@
+import type { ForgejoConfig } from "./config.js";
+export interface PaginationParams {
+    page?: number;
+    limit?: number;
+}
+export interface ApiError {
+    message: string;
+    url: string;
+    status: number;
+}
+export declare class ForgejoClient {
+    private baseUrl;
+    private token;
+    constructor(config: ForgejoConfig);
+    private get apiBase();
+    private headers;
+    /** Strip sensitive information from URLs for error messages */
+    private sanitizeUrl;
+    request<T>(method: string, path: string, options?: {
+        body?: unknown;
+        params?: Record<string, string | number | boolean | undefined>;
+    }): Promise<T>;
+    get<T>(path: string, params?: Record<string, string | number | boolean | undefined>): Promise<T>;
+    post<T>(path: string, body?: unknown, params?: Record<string, string | number | boolean | undefined>): Promise<T>;
+    patch<T>(path: string, body?: unknown): Promise<T>;
+    put<T>(path: string, body?: unknown): Promise<T>;
+    delete<T = void>(path: string): Promise<T>;
+    getRaw(path: string, params?: Record<string, string | number | boolean | undefined>): Promise<string>;
+}
+export declare class ForgejoApiError extends Error {
+    readonly url: string;
+    readonly status: number;
+    constructor(message: string, url: string, status: number);
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,WAAW,gBAAgB;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,QAAQ;IACvB,OAAO,EAAE,MAAM,CAAC;IAChB,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,aAAa;IACxB,OAAO,CAAC,OAAO,CAAS;IACxB,OAAO,CAAC,KAAK,CAAS;gBAEV,MAAM,EAAE,aAAa;IAKjC,OAAO,KAAK,OAAO,GAElB;IAED,OAAO,CAAC,OAAO;IASf,+DAA+D;IAC/D,OAAO,CAAC,WAAW;IAUb,OAAO,CAAC,CAAC,EACb,MAAM,EAAE,MAAM,EACd,IAAI,EAAE,MAAM,EACZ,OAAO,CAAC,EAAE;QACR,IAAI,CAAC,EAAE,OAAO,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,CAAC;KAChE,GACA,OAAO,CAAC,CAAC,CAAC;IAmCP,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhG,IAAI,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC;IAIjH,KAAK,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIlD,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,CAAC,CAAC;IAIhD,MAAM,CAAC,CAAC,GAAG,IAAI,EAAE,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC,CAAC;IAI1C,MAAM,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;CAwB5G;AAED,qBAAa,eAAgB,SAAQ,KAAK;aAGtB,GAAG,EAAE,MAAM;aACX,MAAM,EAAE,MAAM;gBAF9B,OAAO,EAAE,MAAM,EACC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,MAAM;CAKjC"}

package/dist/client.js

@@ -0,0 +1,107 @@
+export class ForgejoClient {
+    baseUrl;
+    token;
+    constructor(config) {
+        this.baseUrl = config.baseUrl;
+        this.token = config.token;
+    }
+    get apiBase() {
+        return `${this.baseUrl}/api/v1`;
+    }
+    headers(extra) {
+        return {
+            Authorization: `token ${this.token}`,
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            ...extra,
+        };
+    }
+    /** Strip sensitive information from URLs for error messages */
+    sanitizeUrl(url) {
+        try {
+            const parsed = new URL(url);
+            // Remove any auth info from the URL; keep path + search for debugging
+            return `${parsed.origin}${parsed.pathname}${parsed.search ? "?[params]" : ""}`;
+        }
+        catch {
+            return "[invalid URL]";
+        }
+    }
+    async request(method, path, options) {
+        const url = new URL(`${this.apiBase}${path}`);
+        if (options?.params) {
+            for (const [key, value] of Object.entries(options.params)) {
+                if (value !== undefined) {
+                    url.searchParams.set(key, String(value));
+                }
+            }
+        }
+        const response = await fetch(url.toString(), {
+            method,
+            headers: this.headers(),
+            body: options?.body ? JSON.stringify(options.body) : undefined,
+        });
+        if (!response.ok) {
+            let message;
+            try {
+                const err = (await response.json());
+                message = err.message || response.statusText;
+            }
+            catch {
+                message = response.statusText;
+            }
+            throw new ForgejoApiError(message, this.sanitizeUrl(url.toString()), response.status);
+        }
+        if (response.status === 204) {
+            return undefined;
+        }
+        return (await response.json());
+    }
+    async get(path, params) {
+        return this.request("GET", path, { params });
+    }
+    async post(path, body, params) {
+        return this.request("POST", path, { body, params });
+    }
+    async patch(path, body) {
+        return this.request("PATCH", path, { body });
+    }
+    async put(path, body) {
+        return this.request("PUT", path, { body });
+    }
+    async delete(path) {
+        return this.request("DELETE", path);
+    }
+    async getRaw(path, params) {
+        const url = new URL(`${this.apiBase}${path}`);
+        if (params) {
+            for (const [key, value] of Object.entries(params)) {
+                if (value !== undefined) {
+                    url.searchParams.set(key, String(value));
+                }
+            }
+        }
+        const response = await fetch(url.toString(), {
+            method: "GET",
+            headers: {
+                Authorization: `token ${this.token}`,
+                Accept: "text/plain",
+            },
+        });
+        if (!response.ok) {
+            throw new ForgejoApiError(response.statusText, this.sanitizeUrl(url.toString()), response.status);
+        }
+        return response.text();
+    }
+}
+export class ForgejoApiError extends Error {
+    url;
+    status;
+    constructor(message, url, status) {
+        super(`Forgejo API error (${status}): ${message}`);
+        this.url = url;
+        this.status = status;
+        this.name = "ForgejoApiError";
+    }
+}
+//# sourceMappingURL=client.js.map

package/dist/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAaA,MAAM,OAAO,aAAa;IAChB,OAAO,CAAS;IAChB,KAAK,CAAS;IAEtB,YAAY,MAAqB;QAC/B,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAC9B,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC;IAC5B,CAAC;IAED,IAAY,OAAO;QACjB,OAAO,GAAG,IAAI,CAAC,OAAO,SAAS,CAAC;IAClC,CAAC;IAEO,OAAO,CAAC,KAA8B;QAC5C,OAAO;YACL,aAAa,EAAE,SAAS,IAAI,CAAC,KAAK,EAAE;YACpC,cAAc,EAAE,kBAAkB;YAClC,MAAM,EAAE,kBAAkB;YAC1B,GAAG,KAAK;SACT,CAAC;IACJ,CAAC;IAED,+DAA+D;IACvD,WAAW,CAAC,GAAW;QAC7B,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;YAC5B,sEAAsE;YACtE,OAAO,GAAG,MAAM,CAAC,MAAM,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;QACjF,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,eAAe,CAAC;QACzB,CAAC;IACH,CAAC;IAED,KAAK,CAAC,OAAO,CACX,MAAc,EACd,IAAY,EACZ,OAGC;QAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC,CAAC;QAE9C,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;YACpB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC1D,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;YAC3C,MAAM;YACN,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE;YACvB,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC/D,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,IAAI,OAAe,CAAC;YACpB,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAyB,CAAC;gBAC5D,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,QAAQ,CAAC,UAAU,CAAC;YAC/C,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,GAAG,QAAQ,CAAC,UAAU,CAAC;YAChC,CAAC;YACD,MAAM,IAAI,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;QACxF,CAAC;QAED,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5B,OAAO,SAAc,CAAC;QACxB,CAAC;QAED,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAM,CAAC;IACtC,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,IAAY,EAAE,MAA8D;QACvF,OAAO,IAAI,CAAC,OAAO,CAAI,KAAK,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,IAAI,CAAI,IAAY,EAAE,IAAc,EAAE,MAA8D;QACxG,OAAO,IAAI,CAAC,OAAO,CAAI,MAAM,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;IACzD,CAAC;IAED,KAAK,CAAC,KAAK,CAAI,IAAY,EAAE,IAAc;QACzC,OAAO,IAAI,CAAC,OAAO,CAAI,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAClD,CAAC;IAED,KAAK,CAAC,GAAG,CAAI,IAAY,EAAE,IAAc;QACvC,OAAO,IAAI,CAAC,OAAO,CAAI,KAAK,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,MAAM,CAAW,IAAY;QACjC,OAAO,IAAI,CAAC,OAAO,CAAI,QAAQ,EAAE,IAAI,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,IAAY,EAAE,MAA8D;QACvF,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAC,CAAC;QAC9C,IAAI,MAAM,EAAE,CAAC;YACX,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;gBAClD,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;gBAC3C,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE;YAC3C,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,aAAa,EAAE,SAAS,IAAI,CAAC,KAAK,EAAE;gBACpC,MAAM,EAAE,YAAY;aACrB;SACF,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,eAAe,CAAC,QAAQ,CAAC,UAAU,EAAE,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC;QACpG,CAAC;QAED,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;IACzB,CAAC;CACF;AAED,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAGtB;IACA;IAHlB,YACE,OAAe,EACC,GAAW,EACX,MAAc;QAE9B,KAAK,CAAC,sBAAsB,MAAM,MAAM,OAAO,EAAE,CAAC,CAAC;QAHnC,QAAG,GAAH,GAAG,CAAQ;QACX,WAAM,GAAN,MAAM,CAAQ;QAG9B,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF"}

package/dist/config.d.ts

@@ -0,0 +1,10 @@
+export interface ForgejoConfig {
+    baseUrl: string;
+    token: string;
+}
+export declare function loadConfig(): ForgejoConfig;
+export declare function parseCliArgs(args: string[]): Partial<ForgejoConfig> & {
+    port?: number;
+};
+export declare function resolveConfig(cliArgs?: Partial<ForgejoConfig>): ForgejoConfig;
+//# sourceMappingURL=config.d.ts.map

package/dist/config.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.d.ts","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACf;AAiDD,wBAAgB,UAAU,IAAI,aAAa,CAuB1C;AAED,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,CAAC,GAAG;IAAE,IAAI,CAAC,EAAE,MAAM,CAAA;CAAE,CAkBvF;AAED,wBAAgB,aAAa,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAAG,aAAa,CAuB7E"}

package/dist/config.js

@@ -0,0 +1,86 @@
+/**
+ * Validate the base URL for safety.
+ * Blocks private IPs, metadata endpoints, and non-HTTP protocols.
+ */
+function validateBaseUrl(url) {
+    let parsed;
+    try {
+        parsed = new URL(url);
+    }
+    catch {
+        throw new Error(`Invalid FORGEJO_URL: "${url}" is not a valid URL`);
+    }
+    if (!["http:", "https:"].includes(parsed.protocol)) {
+        throw new Error("FORGEJO_URL must use http or https protocol");
+    }
+    const hostname = parsed.hostname.toLowerCase();
+    // Warn (not block) for HTTP - some dev instances use it
+    if (parsed.protocol === "http:" && hostname !== "localhost" && hostname !== "127.0.0.1") {
+        console.error("WARNING: FORGEJO_URL uses HTTP. Tokens will be sent unencrypted. Use HTTPS in production.");
+    }
+    // Block cloud metadata endpoints (SSRF)
+    if (hostname === "169.254.169.254" || hostname === "metadata.google.internal") {
+        throw new Error("FORGEJO_URL must not point to cloud metadata services");
+    }
+    // Block common internal ranges when hostname is an IP
+    const ipMatch = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
+    if (ipMatch) {
+        const [, a, b] = ipMatch.map(Number);
+        if (a === 10 ||
+            (a === 172 && b !== undefined && b >= 16 && b <= 31) ||
+            (a === 192 && b === 168) ||
+            a === 0) {
+            console.error("WARNING: FORGEJO_URL points to a private IP address. Ensure this is intentional.");
+        }
+    }
+}
+export function loadConfig() {
+    const baseUrl = process.env.FORGEJO_URL;
+    const token = process.env.FORGEJO_TOKEN;
+    if (!baseUrl) {
+        throw new Error("FORGEJO_URL environment variable is required. Set it to your Forgejo/Gitea instance URL (e.g., https://codeberg.org)");
+    }
+    if (!token) {
+        throw new Error("FORGEJO_TOKEN environment variable is required. Generate one at {your-instance}/user/settings/applications");
+    }
+    const cleanUrl = baseUrl.replace(/\/+$/, "");
+    validateBaseUrl(cleanUrl);
+    return {
+        baseUrl: cleanUrl,
+        token,
+    };
+}
+export function parseCliArgs(args) {
+    const result = {};
+    for (let i = 0; i < args.length; i++) {
+        switch (args[i]) {
+            case "--url":
+                result.baseUrl = args[++i]?.replace(/\/+$/, "");
+                break;
+            case "--token":
+                result.token = args[++i];
+                break;
+            case "--port":
+                result.port = parseInt(args[++i], 10);
+                break;
+        }
+    }
+    return result;
+}
+export function resolveConfig(cliArgs) {
+    const baseUrl = cliArgs?.baseUrl || process.env.FORGEJO_URL;
+    const token = cliArgs?.token || process.env.FORGEJO_TOKEN;
+    if (!baseUrl) {
+        throw new Error("Forgejo URL is required. Set FORGEJO_URL env var or pass --url <url>");
+    }
+    if (!token) {
+        throw new Error("Forgejo token is required. Set FORGEJO_TOKEN env var or pass --token <token>");
+    }
+    const cleanUrl = baseUrl.replace(/\/+$/, "");
+    validateBaseUrl(cleanUrl);
+    return {
+        baseUrl: cleanUrl,
+        token,
+    };
+}
+//# sourceMappingURL=config.js.map

package/dist/config.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config.js","sourceRoot":"","sources":["../src/config.ts"],"names":[],"mappings":"AAKA;;;GAGG;AACH,SAAS,eAAe,CAAC,GAAW;IAClC,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;IACxB,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,sBAAsB,CAAC,CAAC;IACtE,CAAC;IAED,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAE/C,wDAAwD;IACxD,IAAI,MAAM,CAAC,QAAQ,KAAK,OAAO,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,WAAW,EAAE,CAAC;QACxF,OAAO,CAAC,KAAK,CACX,2FAA2F,CAC5F,CAAC;IACJ,CAAC;IAED,wCAAwC;IACxC,IAAI,QAAQ,KAAK,iBAAiB,IAAI,QAAQ,KAAK,0BAA0B,EAAE,CAAC;QAC9E,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAC3E,CAAC;IAED,sDAAsD;IACtD,MAAM,OAAO,GAAG,QAAQ,CAAC,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAC/D,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;QACrC,IACE,CAAC,KAAK,EAAE;YACR,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,SAAS,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;YACpD,CAAC,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG,CAAC;YACxB,CAAC,KAAK,CAAC,EACP,CAAC;YACD,OAAO,CAAC,KAAK,CACX,kFAAkF,CACnF,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,MAAM,UAAU,UAAU;IACxB,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAExC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,sHAAsH,CACvH,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,4GAA4G,CAC7G,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC7C,eAAe,CAAC,QAAQ,CAAC,CAAC;IAE1B,OAAO;QACL,OAAO,EAAE,QAAQ;QACjB,KAAK;KACN,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,IAAc;IACzC,MAAM,MAAM,GAA+C,EAAE,CAAC;IAE9D,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,QAAQ,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;YAChB,KAAK,OAAO;gBACV,MAAM,CAAC,OAAO,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;gBAChD,MAAM;YACR,KAAK,SAAS;gBACZ,MAAM,CAAC,KAAK,GAAG,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;gBACzB,MAAM;YACR,KAAK,QAAQ;gBACX,MAAM,CAAC,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;gBACtC,MAAM;QACV,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,OAAgC;IAC5D,MAAM,OAAO,GAAG,OAAO,EAAE,OAAO,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IAC5D,MAAM,KAAK,GAAG,OAAO,EAAE,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;IAE1D,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,sEAAsE,CACvE,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;IACJ,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC7C,eAAe,CAAC,QAAQ,CAAC,CAAC;IAE1B,OAAO;QACL,OAAO,EAAE,QAAQ;QACjB,KAAK;KACN,CAAC;AACJ,CAAC"}

package/dist/http.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=http.d.ts.map

package/dist/http.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http.d.ts","sourceRoot":"","sources":["../src/http.ts"],"names":[],"mappings":""}