[review] feat: implement private-to-public-flows: allow as a tools.github frontmatter field#45129
Conversation
…ield - Add `private-to-public-flows` to the workflow frontmatter JSON schema under `tools.github`, accepting either `"allow"` (blanket opt-out) or an array of server ID strings (selective exemption) - Add `PrivateToPublicFlows any` field to `GitHubToolConfig` struct - Parse `private-to-public-flows` in `parseGitHubTool` (string and []string/[]any forms) - Add `ForcePublicRepos *bool` and `SinkVisibilityExemptServers []string` to `MCPGatewayRuntimeConfig` - In `buildMCPGatewayConfig`, translate `PrivateToPublicFlows` to the gateway config fields - Emit `"forcePublicRepos": false` and `"sinkVisibilityExemptServers"` in the gateway JSON section of the renderer - Reject `private-to-public-flows: allow` in strict mode (list form allowed per MCP Gateway Spec Section 10.9.4) - Add documentation section to github-tools.md - Add tests: parsing, gateway config building, emission, strict mode Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
…date server IDs, fix shell safety, update docs Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
|
@copilot please run the
|
Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>
Done. I ran PR finisher actions: refreshed the branch from |
|
@copilot please run the
|
Completed a second PR-finisher pass on current HEAD |
Caution
agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.
Reason: agent_failure
Review the workflow run logs for details.
This PR contains changes that were originally intended for PR #45113 (
copilot/implement-private-to-public-flows).Please review the changes carefully before merging.