Gitea MCP - how to run codex like a pro - with local private code repo

• My code is API AI + patches tool + no shell + code constraints = no Git; drop just what AI should see in to “workspace” and select files out of it for “artifact/canvas” (no dozens of tool loops exploring with shell), option to approve every file name for read or read/write. Anything touched with a diff is backed up.

At a high level this is a local, console-based “agent loop” that (1) snapshots a curated view of your workspace into the model’s prompt, (2) lets the model propose structured file edits via a tool call, (3) validates and applies those edits safely and atomically, and (4) repeats until the model returns normal assistant text.

What the system is made of

1) Workspace isolation + path safety

• All file operations are constrained to workspace/.

• PathValidator.validate_and_resolve() rejects:

  • absolute paths,
  • .. traversal,
  • backslashes (so you don’t accidentally accept Windows-style escapes),
  • reserved/ignored directories like .git, venv, .backups, etc.

• FileWorkspace maintains an explicit allowlist (_tracked) of files the model is even allowed to “see” and modify. If it’s not tracked, it’s not in the prompt and it can’t be edited.

2) “Context window” construction

• FileWorkspace.build_context_section() embeds tracked file contents into the model instructions between <BEGIN_FILES> / <END_FILES> and labels each file with ===== path.
• That means the model’s edits are grounded in the exact text currently on disk (for tracked files), not guessed structure.

3) Responses API with server-side conversation state

• A conversation is created once (/conversations), then each turn calls /responses with:

  • conversation: {id: ...} so state accumulates server-side,
  • store: True so the server retains it.

• ConversationLifecycle uses a lockfile to prevent “orphaned” conversations:

  • On startup, if conversation.lock exists, it attempts to delete that prior conversation.
  • On exit, it deletes the active conversation and removes the lock.
  • If deletion fails, it keeps the lock so the next run can clean up.

4) Tool-mediated code editing: apply_patch

• The model can return apply_patch_call items instead of (or before) plain text.

• Each tool call contains an operation dict like:

  • type: update_file / create_file / delete_file
  • path: a workspace-relative path
  • diff: unified diff text

• Your host code does not let the model write arbitrary bytes; it only accepts tool calls and then enforces the patch rules.

5) Unified diff parsing + context validation

• UnifiedDiffParser.parse_hunks() extracts @@ -old,+new @@ hunks and their +/-/ lines.

• apply_hunks() applies them linearly and verifies context:

  • For each context ( ) line and deletion (-) line it checks the current file’s exact line content matches the diff.
  • If anything doesn’t match, it raises an error (prevents “patch drift” or editing the wrong file version).

• This is basically a minimal, safe “3-way merge avoidance” approach: instead of trying to be clever, it refuses when the base doesn’t match.

6) Atomic multi-patch operations

• PatchApplier.apply_operations() does a two-phase approach:

  1. Prepare in memory for every requested operation (and for updates, backs up current file).
  2. Commit writes/deletes only after all prepares succeed.

• If preparation fails for any op, none of the operations are committed (so you don’t end up half-edited).

• Note: commits aren’t fully transactional against mid-commit failures (e.g., disk write error on op #2 after op #1 wrote), but the design does minimize partial application by front-loading validation.

7) Interactive file browser for “zero friction”

• /browse scans the workspace (skipping ignored dirs, huge files, and likely-binary files) and allows tracking by index.
• Tracking is the user’s explicit consent mechanism: the model is limited to what you track.

What an AI Codex-style model can do inside this framework

Within this architecture, a code-capable model can employ a few reliable methods:

1. Patch planning from exact context

• It can read the tracked file snapshot and propose a unified diff that targets precise lines with sufficient surrounding context, so application succeeds deterministically.

2. Iterative tool loop (“plan → patch → observe → patch …”)

• Your run_turn() loop feeds tool results back as the next input, so the model can:

  • attempt an edit,
  • see success/failure messages,
  • adjust the diff if the patch didn’t apply,
  • continue until it’s done.

3. Safe refactoring via small, verifiable hunks

• Because context mismatches hard-fail, the model tends to make smaller, well-anchored diffs:

  • rename a symbol,
  • extract a helper,
  • adjust a function signature and its callsites,
  • update imports/tests in the same atomic batch.

4. Multi-file consistency edits

• Since tool calls can be parallel and you support multiple operations per turn, it can update several tracked files in one atomic commit to keep builds/tests consistent (e.g., update an API and its callers together).

5. Grounded error correction

• When a patch fails, your error messages (context mismatch / deletion mismatch / “file not tracked”) give the model actionable feedback:

  • rebase the patch onto the latest content,
  • ask the user to track the needed file,
  • switch from create_file to update_file, etc.

That’s the core: a constrained local editor with an explicit file allowlist, deterministic patch application with validation, and a conversational loop that lets the model iteratively converge on correct edits while keeping the blast radius small.