Conversation
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
|
Hey The PR description is thorough, each change is traceable to a named requirement or test ID, and the RFC 2119 keyword statement added to the model-alias spec is a nice normative clarity touch. This looks ready for review. 🚀
|
PR Triage
Breakdown: SPDD batch 4 — adds safeguards/norms/sync-notes to spec files and MCP access-control compliance fixtures. 583 add / 4 del. Draft. Docs/spec-only changes, no production code impact. Low urgency. Next: Queue for human spec review when batch-4 SPDD sprint is scheduled.
|
There was a problem hiding this comment.
Pull request overview
This PR updates several internal specifications and adds new GitHub MCP access-control “compliance fixture stubs” intended to document (and eventually drive) normative conformance scenarios across repository scoping, role filtering, private repo controls, and integrity enforcement.
Changes:
- Adds a new
specs/github-mcp-access-control-compliance/directory containing YAML fixture stubs plus a README describing their intended use. - Expands guard-policy and other specs with new Safeguards/Entities/Norms content and cross-references to implementation and tests.
- Links the new fixture stubs from the GitHub MCP access-control specification (§11.4).
Show a summary per file
| File | Description |
|---|---|
| specs/github-mcp-access-control-compliance/README.md | Documents fixture intent/schema and how to add/run fixtures |
| specs/github-mcp-access-control-compliance/exact-match-allow.yaml | Fixture stub for exact repository pattern allow/deny |
| specs/github-mcp-access-control-compliance/wildcard-deny.yaml | Fixture stub for owner-wildcard allow/deny (and an extra scenario currently inconsistent with the spec) |
| specs/github-mcp-access-control-compliance/role-deny.yaml | Fixture stub for role-based allow/deny |
| specs/github-mcp-access-control-compliance/private-repo-block.yaml | Fixture stub for private-repos enforcement |
| specs/github-mcp-access-control-compliance/integrity-level-block.yaml | Fixture stub for min-integrity threshold enforcement and ordering |
| scratchpad/github-mcp-access-control-specification.md | Adds §11.4 linking to the new fixture directory |
| scratchpad/guard-policies-specification.md | Adds Entities + Safeguards + Sync Notes for guard policies |
| docs/src/content/docs/specs/repository-package-manifest-specification.md | Adds path-traversal MUST NOT rule and safeguard cross-references |
| docs/src/content/docs/specs/model-alias-specification.md | Improves alias-chain overflow spec with explicit error code/test ID and RFC keyword statement |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 10/10 changed files
- Comments generated: 7
- Review effort level: Low
| | Filename | Scenario | Spec Coverage | | ||
| |---|---|---| | ||
| | `exact-match-allow.yaml` | Exact repository pattern allows matching repo | T-GH-011, T-GH-012 | | ||
| | `wildcard-deny.yaml` | Owner-wildcard pattern denies non-matching owner | T-GH-013, T-GH-014 | | ||
| | `role-deny.yaml` | Role filter denies access when user role is insufficient | T-GH-019, T-GH-020 | | ||
| | `private-repo-block.yaml` | `private-repos: false` blocks access to private repository | T-GH-024, T-GH-025 | | ||
| | `integrity-level-block.yaml` | `min-integrity: approved` blocks content below the threshold | T-GH-051, T-GH-052 | |
| Each fixture file is a YAML document with the following top-level keys: | ||
|
|
||
| ```yaml | ||
| fixture_id: string # Unique identifier matching the test IDs in §11.1 | ||
| description: string # Human-readable scenario description | ||
| spec_refs: # Normative requirements under test (§ references) | ||
| - string | ||
| input: | ||
| tool_config: object # Compiled GitHub MCP tool configuration under test | ||
| request: object # Simulated access request (repository, user, content) | ||
| expected: | ||
| decision: allow | deny # Required access-control outcome | ||
| error_code: integer | null # Expected MCP JSON-RPC error code on deny (e.g., -32001) | ||
| reason: string # Expected denial reason substring (informative) | ||
| ``` |
| Compliance tests that consume these fixtures are located in (or will be added to): | ||
|
|
||
| ``` | ||
| pkg/workflow/tools_validation_test.go — §11.1.1 configuration validation | ||
| pkg/workflow/tools_validation_test.go — §11.1.8 blocked-user tests | ||
| ``` | ||
|
|
||
| To run all related tests: | ||
|
|
||
| ```bash | ||
| go test -v -run "TestValidateGitHubGuardPolicy" ./pkg/workflow/ | ||
| ``` |
| # Tests: T-GH-013, T-GH-014 | ||
| # Spec: §5 Repository Scoping, §5.2 Wildcard Pattern Matching | ||
|
|
||
| fixture_id: "wildcard-deny" | ||
| description: > | ||
| An owner-wildcard pattern (e.g., "github/*") MUST allow access to any repository under the | ||
| specified owner (T-GH-013), and MUST deny access to repositories under a different owner | ||
| (T-GH-014). The wildcard matches all repository names under the given owner and does not | ||
| match across owners. | ||
|
|
||
| spec_refs: | ||
| - "§5.2 — Owner wildcard matches all repositories under the specified owner" | ||
| - "§5.2 — Owner wildcard rejects repositories under a different owner" |
|
|
||
| # --- Scenario C: prefix wildcard within owner --- | ||
| - scenario_id: "wildcard-deny-C" | ||
| description: "Pattern 'github/gh-*' denies repository 'github/copilot' (no 'gh-' prefix)" | ||
| input: | ||
| tool_config: | ||
| repos: | ||
| - "github/gh-*" | ||
| min-integrity: "none" | ||
| request: | ||
| repository: "github/copilot" | ||
| content_integrity: "none" | ||
| expected: | ||
| decision: deny | ||
| error_code: -32001 | ||
| reason: "repository not in allowed list" |
| The following fixture files in [`specs/github-mcp-access-control-compliance/`](../../specs/github-mcp-access-control-compliance/) define normative test scenarios for the five core access-control categories. Each fixture is a YAML document specifying an input tool configuration, a simulated access request, and the required access-control decision. Implementations MUST produce the `expected.decision` outcome for every scenario in each fixture. | ||
|
|
||
| | Fixture File | Scenario | Test IDs | | ||
| |---|---|---| | ||
| | [`exact-match-allow.yaml`](../../specs/github-mcp-access-control-compliance/exact-match-allow.yaml) | Exact repository pattern allows matching repo; denies non-matching | T-GH-011, T-GH-012 | | ||
| | [`wildcard-deny.yaml`](../../specs/github-mcp-access-control-compliance/wildcard-deny.yaml) | Owner-wildcard allows same-owner repos; denies different-owner repos | T-GH-013, T-GH-014 | | ||
| | [`role-deny.yaml`](../../specs/github-mcp-access-control-compliance/role-deny.yaml) | Role filter allows matching role; denies insufficient role | T-GH-019, T-GH-020, T-GH-023 | | ||
| | [`private-repo-block.yaml`](../../specs/github-mcp-access-control-compliance/private-repo-block.yaml) | `private-repos: false` blocks private repo; allows public repo | T-GH-024, T-GH-025, T-GH-026 | | ||
| | [`integrity-level-block.yaml`](../../specs/github-mcp-access-control-compliance/integrity-level-block.yaml) | `min-integrity` allows content at/above threshold; blocks content below | T-GH-051, T-GH-052, T-GH-054 | |
| ### GP-S001: Empty Allowlist Prevention | ||
|
|
||
| Implementations MUST reject an empty `allowed-repos` array (`allowed-repos: []`) with a compilation error. An empty allowlist provides no access and is almost always a misconfiguration. The error message MUST identify the field and indicate that an empty array is not a valid scope value. A `MUST` sentinel such as `"all"` or `"public"` MUST be used instead. |
Five specs reviewed in batch 4 of the daily SPDD rotation had gaps in Safeguards, Sync Notes, Norms, and compliance test coverage. Addresses all nine checklist items.
scratchpad/guard-policies-specification.md## Entities— normative definitions forGitHubReposScope,GitHubIntegrityLevel,GitHubToolConfigguard-policy fields, and a formal deprecation block for the legacyreposalias (migration viagh aw fix, removal target v2.0.0)## Safeguards— five MUST requirements (GP-S001–GP-S005): empty-allowlist rejection, lockdown supremacy,allowed-repos+min-integrityco-requirement, legacy-field isolation, absent-policy-is-not-permissive## Sync Notes— maps spec sections topkg/workflow/mcp_github_config.go,tools_validation_github.go,tools_types.go, andsafeoutputs_guard_policy_test.godocs/src/content/docs/specs/repository-package-manifest-specification.mdfilesentries containing../or resolving outside the package root must be rejecteddocs/src/content/docs/specs/model-alias-specification.mdmodel_alias_validation_test.go); informative error-message format addedscratchpad/github-mcp-access-control-specification.md+specs/github-mcp-access-control-compliance/exact-match-allow.yamlwildcard-deny.yamlrole-deny.yamlprivate-repo-block.yamlprivate-repos: falseblocks private, passes publicintegrity-level-block.yamlmin-integritythreshold enforcement + no-policy pass-through