
spdd batch 4: promote guard-policies spec, add safeguards/norms to manifest and alias specs, create MCP access-control compliance fixtures#43245

Open
pelikhan with Copilot wants to merge 3 commits into
mainfrom
copilot/spdd-daily-spec-work-plan-2026-07-03

Conversation

Copilot AI commented Jul 3, 2026


Five specs reviewed in batch 4 of the daily SPDD rotation had gaps in Safeguards, Sync Notes, Norms, and compliance test coverage. Addresses all nine checklist items.

scratchpad/guard-policies-specification.md

  • ## Entities — normative definitions for GitHubReposScope, GitHubIntegrityLevel, GitHubToolConfig guard-policy fields, and a formal deprecation block for the legacy repos alias (migration via gh aw fix, removal target v2.0.0)
  • ## Safeguards — five MUST requirements (GP-S001–GP-S005): empty-allowlist rejection, lockdown supremacy, allowed-repos+min-integrity co-requirement, legacy-field isolation, absent-policy-is-not-permissive
  • ## Sync Notes — maps spec sections to pkg/workflow/mcp_github_config.go, tools_validation_github.go, tools_types.go, and safeoutputs_guard_policy_test.go

docs/src/content/docs/specs/repository-package-manifest-specification.md

  • §4.8 — MUST NOT path-traversal rule: files entries containing ../ or resolving outside the package root must be rejected
  • §5.1 / §5.3 — cross-references to §10 Safeguards (R-PKG-003/004/006/007) added inline to the install and remove lifecycle paragraphs
  • §11.1 norms table — new row for the path-traversal prohibition

docs/src/content/docs/specs/model-alias-specification.md

  • §13.1 — alias chain overflow now names error code V-MAF-008 and test case T-MAF-055 (model_alias_validation_test.go); informative error-message format added
  • §15.2 — R-MAF-S001 norm updated to reference V-MAF-008
  • §15 intro — explicit RFC 2119 / RFC 8174 keyword statement added

scratchpad/github-mcp-access-control-specification.md + specs/github-mcp-access-control-compliance/

  • New §11.4 links five YAML compliance fixture stubs covering the core access-control decision matrix:
| Fixture | Scenarios | Test IDs |
|---|---|---|
| exact-match-allow.yaml | exact pattern allow + deny | T-GH-11, T-GH-12 |
| wildcard-deny.yaml | owner-wildcard allow + cross-owner deny | T-GH-13, T-GH-14 |
| role-deny.yaml | role match allow + insufficient role deny | T-GH-19, T-GH-20, T-GH-23 |
| private-repo-block.yaml | private-repos: false blocks private, passes public | T-GH-024–026 |
| integrity-level-block.yaml | min-integrity threshold enforcement + no-policy pass-through | T-GH-51, T-GH-52, T-GH-54, T-GH-59 |

Copilot AI linked an issue Jul 3, 2026 that may be closed by this pull request
10 tasks
Copilot AI and others added 2 commits July 3, 2026 16:44
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update draft specs based on review feedback" to "spdd batch 4: promote guard-policies spec, add safeguards/norms to manifest and alias specs, create MCP access-control compliance fixtures" Jul 3, 2026
Copilot AI requested a review from pelikhan July 3, 2026 16:46

github-actions Bot commented Jul 3, 2026


Hey @Copilot 👋 — great work on SPDD batch 4! The guard-policies safeguards block (GP-S001–GP-S005), the path-traversal prohibition in the package manifest spec, and the five MCP access-control compliance fixtures with their full decision-matrix coverage (T-GH-11 through T-GH-59) are all well-structured and clearly documented.

The PR description is thorough, each change is traceable to a named requirement or test ID, and the RFC 2119 keyword statement added to the model-alias spec is a nice normative clarity touch. This looks ready for review. 🚀

Generated by ✅ Contribution Check · 131.6 AIC · ⌖ 12.8 AIC · ⊞ 6.3K ·


github-actions Bot commented Jul 3, 2026


PR Triage

| Field | Value |
|---|---|
| Category | docs (SPDD spec batch) |
| Risk | Low |
| Score | 28 (impact 14 + urgency 6 + quality 8) |
| Action | defer |

Breakdown: SPDD batch 4 — adds safeguards/norms/sync-notes to spec files and MCP access-control compliance fixtures. 583 add / 4 del. Draft. Docs/spec-only changes, no production code impact. Low urgency.

Next: Queue for human spec review when batch-4 SPDD sprint is scheduled.

Generated by 🔧 PR Triage Agent · 86.6 AIC · ⌖ 10.9 AIC · ⊞ 5.5K ·

Copilot AI left a comment


Pull request overview

This PR updates several internal specifications and adds new GitHub MCP access-control “compliance fixture stubs” intended to document (and eventually drive) normative conformance scenarios across repository scoping, role filtering, private repo controls, and integrity enforcement.

Changes:

  • Adds a new specs/github-mcp-access-control-compliance/ directory containing YAML fixture stubs plus a README describing their intended use.
  • Expands guard-policy and other specs with new Safeguards/Entities/Norms content and cross-references to implementation and tests.
  • Links the new fixture stubs from the GitHub MCP access-control specification (§11.4).
Summary per file

| File | Description |
|---|---|
| specs/github-mcp-access-control-compliance/README.md | Documents fixture intent/schema and how to add/run fixtures |
| specs/github-mcp-access-control-compliance/exact-match-allow.yaml | Fixture stub for exact repository pattern allow/deny |
| specs/github-mcp-access-control-compliance/wildcard-deny.yaml | Fixture stub for owner-wildcard allow/deny (and an extra scenario currently inconsistent with the spec) |
| specs/github-mcp-access-control-compliance/role-deny.yaml | Fixture stub for role-based allow/deny |
| specs/github-mcp-access-control-compliance/private-repo-block.yaml | Fixture stub for private-repos enforcement |
| specs/github-mcp-access-control-compliance/integrity-level-block.yaml | Fixture stub for min-integrity threshold enforcement and ordering |
| scratchpad/github-mcp-access-control-specification.md | Adds §11.4 linking to the new fixture directory |
| scratchpad/guard-policies-specification.md | Adds Entities + Safeguards + Sync Notes for guard policies |
| docs/src/content/docs/specs/repository-package-manifest-specification.md | Adds path-traversal MUST NOT rule and safeguard cross-references |
| docs/src/content/docs/specs/model-alias-specification.md | Improves alias-chain overflow spec with explicit error code/test ID and RFC keyword statement |

Review details


  • Files reviewed: 10/10 changed files
  • Comments generated: 7
  • Review effort level: Low

Comment on lines +12 to +18
| Filename | Scenario | Spec Coverage |
|---|---|---|
| `exact-match-allow.yaml` | Exact repository pattern allows matching repo | T-GH-011, T-GH-012 |
| `wildcard-deny.yaml` | Owner-wildcard pattern denies non-matching owner | T-GH-013, T-GH-014 |
| `role-deny.yaml` | Role filter denies access when user role is insufficient | T-GH-019, T-GH-020 |
| `private-repo-block.yaml` | `private-repos: false` blocks access to private repository | T-GH-024, T-GH-025 |
| `integrity-level-block.yaml` | `min-integrity: approved` blocks content below the threshold | T-GH-051, T-GH-052 |
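Review bot: The Spec Coverage column here disagrees with the §11.4 table in the spec and with the PR description. This table lists role-deny as T-GH-019, T-GH-020, private-repo-block as T-GH-024, T-GH-025 and integrity-level-block as T-GH-051, T-GH-052, while §11.4 adds T-GH-023, T-GH-026 and T-GH-054 respectively, the description also lists T-GH-059 for integrity-level-block, and the description writes the IDs unpadded (T-GH-11). Pick one canonical, zero-padded ID set and use it in the README, §11.4, the fixture headers and the description, otherwise the "each change is traceable to a named test ID" claim does not hold.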
Comment on lines +22 to +36
Each fixture file is a YAML document with the following top-level keys:

```yaml
fixture_id: string # Unique identifier matching the test IDs in §11.1
description: string # Human-readable scenario description
spec_refs: # Normative requirements under test (§ references)
- string
input:
tool_config: object # Compiled GitHub MCP tool configuration under test
request: object # Simulated access request (repository, user, content)
expected:
decision: allow | deny # Required access-control outcome
error_code: integer | null # Expected MCP JSON-RPC error code on deny (e.g., -32001)
reason: string # Expected denial reason substring (informative)
```
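Review bot: The documented schema does not match the fixture files. It describes a single top-level `input` / `expected` pair, but wildcard-deny.yaml carries a list of `- scenario_id:` entries, each with its own `input` and `expected`; and `fixture_id` is described as "matching the test IDs in §11.1" while the real value is a slug (`"wildcard-deny"`) with the test IDs only in the `# Tests:` comment header. Document the scenario list and `scenario_id`, and either make `fixture_id` a test ID or say that test IDs live in the header. Also, -32001 sits in JSON-RPC's implementation-defined server-error range (-32000 to -32099); name the code(s) the spec actually assigns for each denial kind rather than leaving a single "e.g." value, since a conformance test cannot assert against an example.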
Comment on lines +48 to +59
Compliance tests that consume these fixtures are located in (or will be added to):

```
pkg/workflow/tools_validation_test.go — §11.1.1 configuration validation
pkg/workflow/tools_validation_test.go — §11.1.8 blocked-user tests
```

To run all related tests:

```bash
go test -v -run "TestValidateGitHubGuardPolicy" ./pkg/workflow/
```
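Review bot: Nothing in this PR loads the YAML fixtures. The files named here are `tools_validation_test.go` (configuration validation and blocked-user cases), and `go test -run "TestValidateGitHubGuardPolicy"` only exercises guard-policy validation, while the PR description's Sync Notes point at `tools_validation_github.go` and `safeoutputs_guard_policy_test.go` instead. Either add the fixture-driven test that walks `specs/github-mcp-access-control-compliance/*.yaml` and asserts `expected.decision` for every scenario, or state plainly that the fixtures are not yet executed so that "located in (or will be added to)" is not read as existing coverage.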
Comment on lines +2 to +14
# Tests: T-GH-013, T-GH-014
# Spec: §5 Repository Scoping, §5.2 Wildcard Pattern Matching

fixture_id: "wildcard-deny"
description: >
An owner-wildcard pattern (e.g., "github/*") MUST allow access to any repository under the
specified owner (T-GH-013), and MUST deny access to repositories under a different owner
(T-GH-014). The wildcard matches all repository names under the given owner and does not
match across owners.

spec_refs:
- "§5.2 — Owner wildcard matches all repositories under the specified owner"
- "§5.2 — Owner wildcard rejects repositories under a different owner"
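Review bot: The `spec_refs` entries are free-text sentences ("§5.2 — Owner wildcard matches all repositories under the specified owner") rather than stable requirement identifiers, so a test cannot map a failing scenario back to a requirement or detect when the referenced clause is renumbered. The guard-policies spec in this same PR already mints IDs of the form GP-S001; give the §5.2 clauses IDs of the same kind and reference those here, keeping the prose as a comment if it helps readers.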
Comment on lines +48 to +63

# --- Scenario C: prefix wildcard within owner ---
- scenario_id: "wildcard-deny-C"
description: "Pattern 'github/gh-*' denies repository 'github/copilot' (no 'gh-' prefix)"
input:
tool_config:
repos:
- "github/gh-*"
min-integrity: "none"
request:
repository: "github/copilot"
content_integrity: "none"
expected:
decision: deny
error_code: -32001
reason: "repository not in allowed list"
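Review bot: Scenario C is not covered by the fixture's own header: the `# Tests:` line and `spec_refs` cover only the owner-wildcard cases (T-GH-013, T-GH-014), while `github/gh-*` is a prefix wildcard within an owner, which the file summary already flags as inconsistent with the spec. Either add the requirement and test ID that governs prefix wildcards or move Scenario C out of this fixture. Separately, the `tool_config` uses the legacy `repos` key together with `min-integrity`, although the guard-policies spec in this PR deprecates `repos` (migration via gh aw fix, removal target v2.0.0) and GP-S003/GP-S004 tie `min-integrity` to `allowed-repos` and isolate legacy fields; a fixture meant to be normative should use `allowed-repos`, or else exist specifically to pin down the legacy-field behaviour and say so.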
Comment on lines +2141 to +2149
The following fixture files in [`specs/github-mcp-access-control-compliance/`](../../specs/github-mcp-access-control-compliance/) define normative test scenarios for the five core access-control categories. Each fixture is a YAML document specifying an input tool configuration, a simulated access request, and the required access-control decision. Implementations MUST produce the `expected.decision` outcome for every scenario in each fixture.

| Fixture File | Scenario | Test IDs |
|---|---|---|
| [`exact-match-allow.yaml`](../../specs/github-mcp-access-control-compliance/exact-match-allow.yaml) | Exact repository pattern allows matching repo; denies non-matching | T-GH-011, T-GH-012 |
| [`wildcard-deny.yaml`](../../specs/github-mcp-access-control-compliance/wildcard-deny.yaml) | Owner-wildcard allows same-owner repos; denies different-owner repos | T-GH-013, T-GH-014 |
| [`role-deny.yaml`](../../specs/github-mcp-access-control-compliance/role-deny.yaml) | Role filter allows matching role; denies insufficient role | T-GH-019, T-GH-020, T-GH-023 |
| [`private-repo-block.yaml`](../../specs/github-mcp-access-control-compliance/private-repo-block.yaml) | `private-repos: false` blocks private repo; allows public repo | T-GH-024, T-GH-025, T-GH-026 |
| [`integrity-level-block.yaml`](../../specs/github-mcp-access-control-compliance/integrity-level-block.yaml) | `min-integrity` allows content at/above threshold; blocks content below | T-GH-051, T-GH-052, T-GH-054 |
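Review bot: "Implementations MUST produce the `expected.decision` outcome for every scenario in each fixture" makes normative a set of files the PR itself calls stubs, and the Test IDs column here differs from the README table (which omits T-GH-023, T-GH-026 and T-GH-054) and from the description (which adds T-GH-059). Either mark §11.4 informative until a test executes the fixtures, or finalise the scenarios and align the IDs across the README, §11.4 and the fixture headers before attaching a MUST to them.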
Comment on lines +514 to +516
### GP-S001: Empty Allowlist Prevention

Implementations MUST reject an empty `allowed-repos` array (`allowed-repos: []`) with a compilation error. An empty allowlist provides no access and is almost always a misconfiguration. The error message MUST identify the field and indicate that an empty array is not a valid scope value. A `MUST` sentinel such as `"all"` or `"public"` MUST be used instead.
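Review bot: The last sentence reads "A `MUST` sentinel such as `"all"` or `"public"` MUST be used instead"; the first `MUST` looks like a stray keyword and should be "A sentinel value". Also state whether GP-S001 applies only to the literal `allowed-repos: []` or also to an absent `allowed-repos`: GP-S005 (absent policy is not permissive) already covers the absent case, so GP-S001 should say it covers the empty array only, otherwise the two safeguards overlap and an implementer cannot tell which error to raise.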
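As an added illustration of the decision matrix these fixtures encode, not code from the gh-aw project or from this PR: a small Go evaluator that applies the repository-scope, private-repos and min-integrity checks to the three wildcard-deny scenarios (A and B reconstructed from the file's description, C from the quoted snippet). The `ToolConfig`/`Request`/`Decision` types, the use of `path.Match` for the "`*` never crosses the owner" semantics, the ordering none < approved, and the reuse of -32001 for every denial are assumptions; the page shows that code only for a repository-scope denial.

```go
package main

import (
	"fmt"
	"path"
)

// Added illustration, not the gh-aw project's code. Field names follow the
// fixture YAML on this page; the integrity ordering and the use of -32001 for
// every denial are assumptions.

const errCodeDenied = -32001 // inside JSON-RPC's implementation-defined server-error range

// integrityRank orders GitHubIntegrityLevel values. Only "none" and "approved"
// appear on the page; the ordering and any intermediate levels are assumed.
var integrityRank = map[string]int{
	"none":     0,
	"approved": 1,
}

type ToolConfig struct {
	Repos        []string // repository patterns: exact, "owner/*", or "owner/prefix-*"
	MinIntegrity string   // "" means no integrity policy configured
	PrivateRepos *bool    // nil means no private-repos policy configured
}

type Request struct {
	Repository       string
	Private          bool
	ContentIntegrity string
}

type Decision struct {
	Allow     bool
	ErrorCode int
	Reason    string
}

func deny(reason string) Decision {
	return Decision{Allow: false, ErrorCode: errCodeDenied, Reason: reason}
}

// matchRepo applies the §5.2 semantics quoted above: "*" matches any run of
// characters except "/", so "github/*" cannot match "other/copilot".
func matchRepo(pattern, repo string) bool {
	ok, err := path.Match(pattern, repo)
	return err == nil && ok
}

// Evaluate returns the access-control decision for one request. Checks run in
// the order scope, visibility, integrity; the first failing check wins.
func Evaluate(cfg ToolConfig, req Request) Decision {
	// GP-S001 / GP-S005: an empty or absent allowlist grants nothing.
	if len(cfg.Repos) == 0 {
		return deny("no repository scope configured")
	}
	matched := false
	for _, p := range cfg.Repos {
		if matchRepo(p, req.Repository) {
			matched = true
			break
		}
	}
	if !matched {
		return deny("repository not in allowed list")
	}
	if cfg.PrivateRepos != nil && !*cfg.PrivateRepos && req.Private {
		return deny("private repositories are not permitted")
	}
	if cfg.MinIntegrity != "" {
		have, okHave := integrityRank[req.ContentIntegrity]
		want, okWant := integrityRank[cfg.MinIntegrity]
		if !okHave || !okWant || have < want {
			return deny("content integrity below min-integrity threshold")
		}
	}
	return Decision{Allow: true}
}

// Scenario mirrors one entry of a fixture's scenario list.
type Scenario struct {
	ID      string
	Config  ToolConfig
	Request Request
	Expect  bool // expected.decision == allow
}

// WildcardDenyScenarios is constructed from wildcard-deny.yaml: A and B are the
// T-GH-013 / T-GH-014 cases from its description, C is the quoted snippet.
func WildcardDenyScenarios() []Scenario {
	return []Scenario{
		{"wildcard-deny-A", ToolConfig{Repos: []string{"github/*"}, MinIntegrity: "none"},
			Request{Repository: "github/copilot", ContentIntegrity: "none"}, true},
		{"wildcard-deny-B", ToolConfig{Repos: []string{"github/*"}, MinIntegrity: "none"},
			Request{Repository: "other/copilot", ContentIntegrity: "none"}, false},
		{"wildcard-deny-C", ToolConfig{Repos: []string{"github/gh-*"}, MinIntegrity: "none"},
			Request{Repository: "github/copilot", ContentIntegrity: "none"}, false},
	}
}

// RunScenarios returns the IDs of scenarios whose decision disagrees with expected.decision.
func RunScenarios(scs []Scenario) []string {
	var failed []string
	for _, s := range scs {
		if Evaluate(s.Config, s.Request).Allow != s.Expect {
			failed = append(failed, s.ID)
		}
	}
	return failed
}

func main() {
	for _, s := range WildcardDenyScenarios() {
		d := Evaluate(s.Config, s.Request)
		fmt.Printf("%-16s allow=%-5v expected=%-5v reason=%q\n", s.ID, d.Allow, s.Expect, d.Reason)
	}
	if f := RunScenarios(WildcardDenyScenarios()); len(f) > 0 {
		fmt.Println("FAILED:", f)
	}
}
```

A fixture-driven test in the project would replace the hand-built `WildcardDenyScenarios` with a loader over `specs/github-mcp-access-control-compliance/*.yaml` and fail on any non-empty `RunScenarios` result; the deny-first ordering above is what makes an absent or empty allowlist fail closed regardless of the later checks.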

Development

Successfully merging this pull request may close these issues.

[spdd] Daily spec work plan - 2026-07-03

3 participants