- internal/auth/jwt.go: JWTValidator via lestrrat-go/jwx/v2, JWKS auto-refresh
- internal/auth/bearer.go: replace Gitea PAT validation with JWT->static->default chain
- internal/gitea/client.go: always use service PAT; remove TokenFromContext lookup
- internal/config/config.go: add DexIssuerURL, MCPAudience, MCPResourceURL, StaticToken
- cmd/gitea-mcp/main.go: wire validator, fix /.well-known to return real AS list
- bearer_test.go: rewrite for new API
Shared LRU avoids repeated Gitea calls for default-branch resolution;
the simple stdlib map alternative would race on concurrent access without
a mutex per entry, which is more code than the LRU.
Add internal/config package with Config struct and Load() function.
Reads GITEA_BASE_URL, GITEA_API_TOKEN, GITEA_MCP_ALLOWED_OWNERS,
GITEA_MCP_ORIGIN_ALLOWLIST, GITEA_MCP_PORT with sensible defaults.
Wire cfg.Port into main.go. TDD: tests written first, then impl.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Go module gitea.d-ma.be/mathias/gitea-mcp, minimal HTTP server with a
/healthz probe, Taskfile build targets, and .gitignore/README updates.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
