# Security

`pi-forgejo-mcp` is an open-source Pi extension that shells out to the official `forgejo-mcp` CLI. It does not implement Forgejo authentication itself.

## Supported versions

Security fixes are intended for the latest released version and the `main` branch. Older tags may not receive backports.

## Reporting vulnerabilities

Please do not publish access tokens, private repository names, issue contents, or other sensitive data in public reports.

- For issues that can be discussed publicly, open a Codeberg issue: <https://codeberg.org/ozzy92/pi-forgejo-mcp/issues>
- For sensitive vulnerability details, use any private contact method listed on the project or maintainer profile first. If no private channel is available, open a minimal public issue asking for a private contact path and include only high-level impact and affected components.

## Secret handling

The extension reads Forgejo credentials from the environment of the running Pi process:

- `FORGEJO_URL`
- `FORGEJO_ACCESS_TOKEN`

The extension does not read `.env` files automatically, does not write tokens to Pi settings, and does not require tokens in tool-call arguments.

Captured stdout/stderr is sanitized before being returned to Pi by replacing the configured access token with `<FORGEJO_ACCESS_TOKEN>`. Do not rely on sanitization as your only control: avoid pasting secrets into prompts, issue bodies, pull request text, or tool arguments.
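Why exact-match replacement cannot be the only control, as an added example that is not code from `pi-forgejo-mcp`. The function names, the token, and the output lines are constructed for illustration, and Node.js is assumed. The raw token is redacted, but its Base64 and URL-encoded copies pass through unchanged.

```javascript
// Added illustration; not the extension's own code. All names are hypothetical.
const PLACEHOLDER = "<FORGEJO_ACCESS_TOKEN>";

// Exact-match redaction as the section describes it. split/join is used so
// that tokens containing regex metacharacters (+, /, =, .) match literally.
function redact(text, token) {
  // An empty or unset token must be a no-op: "abc".split("") would
  // otherwise insert the placeholder between every character.
  if (!token) return text;
  return text.split(token).join(PLACEHOLDER);
}

// Encodings of the token that an exact-match replacement cannot see.
function encodedForms(token) {
  return {
    base64: Buffer.from(token, "utf8").toString("base64"),
    urlEncoded: encodeURIComponent(token),
  };
}

// Names of the encoded forms still present after redaction.
function residualExposure(text, token) {
  if (!token) return [];
  const clean = redact(text, token);
  return Object.entries(encodedForms(token))
    .filter(([, form]) => form !== token && clean.includes(form))
    .map(([name]) => name);
}

// Constructed sample: a made-up token and made-up captured output.
const SAMPLE_TOKEN = "tok+example/not=real";
const SAMPLE_OUTPUT = [
  `error: request failed, token=${SAMPLE_TOKEN}`,
  `debug: url=https://forgejo.example/?t=${encodeURIComponent(SAMPLE_TOKEN)}`,
  `debug: token_b64=${Buffer.from(SAMPLE_TOKEN, "utf8").toString("base64")}`,
].join("\n");

function demo() {
  return {
    redacted: redact(SAMPLE_OUTPUT, SAMPLE_TOKEN),
    leaks: residualExposure(SAMPLE_OUTPUT, SAMPLE_TOKEN),
  };
}

console.log(demo());
```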

## Token guidance

- Use a token with the least permissions needed for the operations you want Pi to perform.
- Store the token in a password manager, `direnv`, your shell environment, or a CI/secret-store environment variable.
- Never commit real tokens or include them in examples, prompts, logs, issues, or pull requests.
- Rotate the token immediately if it is exposed.

## Local execution trust

Pi packages and extensions run with your local user permissions. Only install this package, Pi, and the `forgejo-mcp` binary from sources you trust.

This extension executes `forgejo-mcp` from `PATH` by default, or from `FORGEJO_MCP_COMMAND` if set. Forgejo operations run with the permissions granted to `FORGEJO_ACCESS_TOKEN`.

Mutating Forgejo operations ask for confirmation in interactive Pi sessions. If no confirmation is requested, either because Pi is non-interactive or because `FORGEJO_MCP_CONFIRM_MUTATIONS=false` is set, mutating operations are blocked unless `FORGEJO_MCP_ALLOW_MUTATIONS=true` is set.
