gitea-mcp: 初次落地 Gitea MCP Server (.NET 10, V1 only-read)

把 Gitea (git.zhengchentao.win) 通过 MCP 暴露给 Claude.ai：列 repo、读代码、看 commits / issues / PR / orgs / packages / actions。
设计文档见 vault Coding/gitea-mcp/gitea-mcp 设计.md。
代码模板复用 obsidian-mcp（.NET 10 + ModelContextProtocol SDK + JwtBearer）。

19 个只读 Tool（全部 scope=read:gitea）：

Repo / 文件：
- list_repos / read_repo
- list_tree（max_entries=500 防爆）
- read_file（max_bytes=1MB，超出 truncated=true）
- search_code（走 /repos/search-code，indexer 未启用时返回结构化错误说明）

分支 / 提交：
- list_branches / list_commits / read_commit（diff 文件数限 50）

Issue / PR：
- list_issues / read_issue（含评论）
- list_pulls / read_pull（含评论 + 改动文件列表）

Org / Package（用户额外授权 read:organization + read:package）：
- list_orgs / read_org
- list_packages / read_package

Gitea Actions（运维友好）：
- list_workflow_runs / read_run_log

技术栈：
- .NET 10 + ModelContextProtocol SDK 1.0
- HttpClientFactory + Microsoft.Extensions.Http.Resilience（指数 backoff，5xx/429/网络错误重试）
- JwtBearer (HS256, Current+Previous fallback, MapInboundClaims=false)
- aud=gitea, scope=read:gitea, iss=https://auth.zhengchentao.win

Gitea API client：
- Authorization: token <PAT> (admin PAT，仅 read scope)
- BaseUrl=https://git.zhengchentao.win
- 错误映射：401/403 → UnauthorizedAccessException，404 → KeyNotFoundException，5xx → InvalidOperationException
- RepoBlacklist 黑名单（owner/repo 精确匹配，默认空）

部署：
- Dockerfile multi-stage，COPY --chown，non-root user
- .gitea/workflows/build-image.yml：build + deploy 双 job，buildkit v0.13.2
- 容器内 :8080，宿主端口 9092
- 子域名 git-mcp.zhengchentao.win（区别于 Gitea 本体 git.zhengchentao.win）

测试：6/6 单测过（GiteaRepoFilter 黑名单匹配）

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Tools/RepoTools.cs

@@ -0,0 +1,89 @@
+using GiteaMcp.Config;
+using GiteaMcp.Services;
+using GiteaMcp.Services.Models;
+using Microsoft.Extensions.Options;
+using ModelContextProtocol.Server;
+using System.ComponentModel;
+
+namespace GiteaMcp.Tools;
+
+/// <summary>仓库级别 Tool：list_repos / read_repo</summary>
+[McpServerToolType]
+public class RepoTools(
+    GiteaApiClient gitea,
+    GiteaRepoFilter filter,
+    IOptions<GiteaOptions> opts)
+{
+    private readonly GiteaOptions _opts = opts.Value;
+
+    [McpServerTool]
+    [Description(
+        "List Gitea repositories accessible to the admin token. " +
+        "When owner is omitted, returns ALL repos across personal account and all orgs (up to limit). " +
+        "Use visibility='private' to show only private repos, 'public' for public-only. " +
+        "Returns: owner, repo name, description, default_branch, private flag, size (KB), updated_at, html_url. " +
+        "Tip: call this first to discover available repos before using read_repo or read_file.")]
+    public async Task<List<object>> list_repos(
+        [Description("Filter by owner login (user or org name). Omit to list everything.")] string? owner = null,
+        [Description("Visibility filter: 'public', 'private', or 'all' (default 'all').")] string? visibility = null,
+        [Description("Max number of repos to return. Default 50, max 50.")] int? limit = null,
+        CancellationToken ct = default)
+    {
+        var vis = visibility ?? "all";
+        var lim = Math.Min(limit ?? _opts.DefaultLimit, 50);
+
+        var repos = await gitea.SearchReposAsync(owner, vis, lim, ct);
+        repos = filter.Filter(repos);
+
+        return repos.Select(r => (object)new
+        {
+            owner = r.Owner?.Login ?? r.FullName.Split('/').FirstOrDefault() ?? "",
+            repo = r.Name,
+            full_name = r.FullName,
+            description = r.Description,
+            default_branch = r.DefaultBranch,
+            @private = r.Private,
+            mirror = r.Mirror,
+            archived = r.Archived,
+            size_kb = r.Size,
+            updated_at = r.UpdatedAt,
+            html_url = r.HtmlUrl,
+        }).ToList();
+    }
+
+    [McpServerTool]
+    [Description(
+        "Get detailed metadata for a single Gitea repository: topics, homepage, default branch, " +
+        "stars, forks, archived status, mirror flag, size, and description. " +
+        "Use this after list_repos to inspect a specific repo before reading files or commits.")]
+    public async Task<object> read_repo(
+        [Description("Repository owner (user login or org name).")] string owner,
+        [Description("Repository name (without owner prefix).")] string repo,
+        CancellationToken ct = default)
+    {
+        if (filter.IsBlocked($"{owner}/{repo}"))
+            throw new UnauthorizedAccessException($"Repo {owner}/{repo} is on the access blocklist.");
+
+        var r = await gitea.GetRepoAsync(owner, repo, ct);
+        return new
+        {
+            owner = r.Owner?.Login ?? owner,
+            repo = r.Name,
+            full_name = r.FullName,
+            description = r.Description,
+            default_branch = r.DefaultBranch,
+            @private = r.Private,
+            fork = r.Fork,
+            mirror = r.Mirror,
+            archived = r.Archived,
+            stars = r.StarsCount,
+            forks = r.ForksCount,
+            size_kb = r.Size,
+            website = r.Website,
+            topics = r.Topics ?? [],
+            html_url = r.HtmlUrl,
+            clone_url = r.CloneUrl,
+            updated_at = r.UpdatedAt,
+        };
+    }
+}