Conversation
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
@lpcox why is the PR description so dull?

@lpcox do you need a fresh gateway version too?

@copilot improve the pr title and summary

@pelikhan activated in gateway v0.1.14

Updated the PR title to "feat: automatically derive safeoutputs guard-policy from GitHub MCP guard-policy" and expanded the description to summarize all the changes — schema update, JSON + TOML rendering, the

@lpcox Make sure lock files are recompiled, and smoke test runs.

@copilot update the mcpg gateway container image to v0.1.14
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Done in 8ab8712

Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
@copilot rebase this branch onto main
…mpile Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Done in 48885e8 — merged

Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready.

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS
Smoke test (Codex) summary:

Warning

Smoke Test Results — Run #22967493132. Core tests #1–10: ✅✅✅✅✅✅✅✅✅✅. Overall: PARTIAL (15 ✅, 2
💥 Automated smoke test review - all systems nominal!
💥 [THE END] — Illustrated by Smoke Claude
| await determineAutomaticLockdown(github, context, core); | ||
| - name: Download container images | ||
| run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.8 ghcr.io/github/github-mcp-server:v0.32.0 | ||
| run: bash /opt/gh-aw/actions/download_docker_images.sh ghcr.io/github/gh-aw-firewall/agent:0.23.0 ghcr.io/github/gh-aw-firewall/api-proxy:0.23.0 ghcr.io/github/gh-aw-firewall/squid:0.23.0 ghcr.io/github/gh-aw-mcpg:v0.1.14 ghcr.io/github/github-mcp-server:v0.32.0 |
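Review bot: the download step pins every image by tag only (`ghcr.io/github/gh-aw-mcpg:v0.1.14`, the three `gh-aw-firewall` images at `0.23.0`, `github-mcp-server:v0.32.0`); registry tags are mutable, so a recompiled `.lock.yml` does not actually lock the image bytes the job will run. Consider having the compiler record a `@sha256:` digest next to the tag when it emits this line, so the bump to v0.1.14 is reproducible and a later re-push of the same tag is noticed.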
Bumping gh-aw-mcpg from v0.1.8 to v0.1.14 — good catch on keeping this image version up to date with the gateway changes.
| export GH_AW_ENGINE="copilot" | ||
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.8' | ||
| export MCP_GATEWAY_DOCKER_COMMAND='docker run -i --rm --network host -v /var/run/docker.sock:/var/run/docker.sock -e MCP_GATEWAY_PORT -e MCP_GATEWAY_DOMAIN -e MCP_GATEWAY_API_KEY -e MCP_GATEWAY_PAYLOAD_DIR -e MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD -e DEBUG -e MCP_GATEWAY_LOG_DIR -e GH_AW_MCP_LOG_DIR -e GH_AW_SAFE_OUTPUTS -e GH_AW_SAFE_OUTPUTS_CONFIG_PATH -e GH_AW_SAFE_OUTPUTS_TOOLS_PATH -e GH_AW_ASSETS_BRANCH -e GH_AW_ASSETS_MAX_SIZE_KB -e GH_AW_ASSETS_ALLOWED_EXTS -e DEFAULT_BRANCH -e GITHUB_MCP_SERVER_TOKEN -e GITHUB_MCP_LOCKDOWN -e GITHUB_REPOSITORY -e GITHUB_SERVER_URL -e GITHUB_SHA -e GITHUB_WORKSPACE -e GITHUB_TOKEN -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RUN_ATTEMPT -e GITHUB_JOB -e GITHUB_ACTION -e GITHUB_EVENT_NAME -e GITHUB_EVENT_PATH -e GITHUB_ACTOR -e GITHUB_ACTOR_ID -e GITHUB_TRIGGERING_ACTOR -e GITHUB_WORKFLOW -e GITHUB_WORKFLOW_REF -e GITHUB_WORKFLOW_SHA -e GITHUB_REF -e GITHUB_REF_NAME -e GITHUB_REF_TYPE -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -v /tmp/gh-aw/mcp-payloads:/tmp/gh-aw/mcp-payloads:rw -v /opt:/opt:ro -v /tmp:/tmp:rw -v '"${GITHUB_WORKSPACE}"':'"${GITHUB_WORKSPACE}"':rw ghcr.io/github/gh-aw-mcpg:v0.1.14' |
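Review bot: only the tag changes here, but the command being edited runs the gateway image with `--network host`, `-v /var/run/docker.sock:/var/run/docker.sock` and `-v /tmp:/tmp:rw`, and passes `GITHUB_TOKEN` and `GITHUB_MCP_SERVER_TOKEN` into it; access to the Docker socket is root-equivalent on the runner, so whatever `gh-aw-mcpg:v0.1.14` resolves to at job time has full control of the host and of those tokens. A bump of this particular image deserves a digest pin, or at minimum a changelog link for v0.1.9 through v0.1.14 in the PR description, rather than a floating tag.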
The MCP_GATEWAY_DOCKER_COMMAND env var also updated to v0.1.14 — consistent with the image download step above. Looks correct.
✅ PR #20467 - feat: automatically derive safeoutputs guard-policy. Overall: PASS 🎉 cc
This PR bumps the MCP gateway from v0.1.8 to v0.1.14 and adds automatic derivation of safeoutputs guard-policy from the GitHub MCP guard-policy. The auto-derivation logic is a nice UX improvement. Left two inline comments for minor clarification points.
📰 BREAKING: Report filed by Smoke Copilot
| // DefaultMCPGatewayVersion is the default version of the MCP Gateway (gh-aw-mcpg) Docker image | ||
| const DefaultMCPGatewayVersion Version = "v0.1.8" | ||
| const DefaultMCPGatewayVersion Version = "v0.1.14" |
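Review bot: `DefaultMCPGatewayVersion` is the single source for the tag that every compiled `.lock.yml` embeds, yet nothing ties the two together; the lockfiles were recompiled only because it was requested earlier in the thread. A test that scans `.github/workflows/*.lock.yml` for `gh-aw-mcpg:` and asserts the tag equals this constant would catch a stale lockfile the next time the constant moves and make the manual "make sure lock files are recompiled" step unnecessary.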
Version bump from v0.1.8 to v0.1.14 — 6 minor versions in one go! Worth confirming in the PR description what major features/fixes are included in this range (v0.1.9 through v0.1.14).
| if githubPolicies == nil { | ||
| return nil | ||
| } | ||
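Review bot: the early return only covers `githubPolicies == nil`; if a caller can hand this function an empty map (a `guard-policy` block that is present but has no entries), it falls through and may derive an empty `write-sink` policy for safeoutputs, which is a different thing from no policy at all. `len(githubPolicies) == 0` covers both cases in one check.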
Nice design — automatically deriving the safeoutputs guard-policy from the GitHub MCP guard-policy removes a footgun where users could accidentally configure mismatched policies. The private: prefix convention here would benefit from a link to docs or inline explanation of what "private" means in this context.
📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤
Pull request overview
This PR introduces automatic derivation/linking of a Safe Outputs write-sink guard-policy from the GitHub MCP server’s guard policy, updates JSON/TOML renderers to emit the derived policy, bumps the default MCP gateway image version, and recompiles workflow lockfiles accordingly.
Changes:
- Derive Safe Outputs `write-sink` guard-policy (`accept: ["private:<repo>"]`) from GitHub `allow-only.repos`.
- Emit derived guard-policies in both JSON (Copilot/gateway) and TOML (Claude) MCP configs.
- Update the MCP gateway config schema + bump default MCP gateway image version to `v0.1.14` (with lockfile recompilation).
Reviewed changes
Copilot reviewed 172 out of 172 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| pkg/workflow/mcp_github_config.go | Adds derivation logic to translate GitHub guard-policy repos into Safe Outputs accept-list entries. |
| pkg/workflow/mcp_config_builtin.go | Emits derived guard-policies into the Safe Outputs JSON gateway config. |
| pkg/workflow/mcp_renderer.go | Emits derived guard-policies into Safe Outputs TOML and adds a TOML guard-policy rendering helper. |
| docs/public/schemas/mcp-gateway-config.schema.json | Adds guard-policies to the schema (currently only for HTTP server configs). |
| pkg/constants/constants.go | Bumps default gateway image version to v0.1.14. |
| .github/workflows/*.lock.yml | Recompiled lockfiles to reference the new gateway image version. |
Comments suppressed due to low confidence (1)
docs/public/schemas/mcp-gateway-config.schema.json:171
`guard-policies` is only added to `httpServerConfig`, but guard-policies can also be emitted for stdio servers (e.g., GitHub local/docker config via `RenderGitHubMCPDockerConfig` in `pkg/workflow/mcp_renderer.go`). With `additionalProperties: false` on `stdioServerConfig`, schema validation will still fail for workflows that use GitHub guard policies in local mode. Consider adding the same `guard-policies` property to `stdioServerConfig` (and any other relevant server config variants) for consistency.
| // renderGuardPoliciesToml renders a "guard-policies" section in TOML format for a given server. | ||
| // The policies map contains policy names (e.g., "write-sink") mapped to their configurations. | ||
| func renderGuardPoliciesToml(yaml *strings.Builder, policies map[string]any, serverID string) { | ||
| if len(policies) == 0 { | ||
| return | ||
| } | ||
|
|
||
| yaml.WriteString(" \n") | ||
| yaml.WriteString(" [mcp_servers." + serverID + ".\"guard-policies\"]\n") | ||
|
|
||
| // Iterate over each policy (e.g., "write-sink") | ||
| for policyName, policyConfig := range policies { | ||
| yaml.WriteString(" \n") | ||
| yaml.WriteString(" [mcp_servers." + serverID + ".\"guard-policies\"." + policyName + "]\n") | ||
|
|
||
| // Extract policy fields (e.g., "accept") | ||
| if configMap, ok := policyConfig.(map[string]any); ok { | ||
| for fieldName, fieldValue := range configMap { | ||
| // Handle array values (e.g., accept = ["private:github/gh-aw*"]) | ||
| if arrayValue, ok := fieldValue.([]string); ok { | ||
| yaml.WriteString(" " + fieldName + " = [") | ||
| for i, item := range arrayValue { | ||
| if i > 0 { | ||
| yaml.WriteString(", ") | ||
| } | ||
| yaml.WriteString("\"" + item + "\"") | ||
| } | ||
| yaml.WriteString("]\n") | ||
| } | ||
| } | ||
| } | ||
| } |
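Review bot: strings are written into the TOML without escaping and keys without quoting: `yaml.WriteString("\"" + item + "\"")` on the accept items, and `serverID` and `policyName` concatenated bare into the `[mcp_servers.<id>."guard-policies".<policy>]` header. An accept entry containing `"` or `\` yields invalid TOML, and a policy name containing `.` silently changes the table path. Quote any key that is not a bare TOML key and escape `\` and `"` in values (a small helper is enough), or reject such names up front. Naming the builder `yaml` while it emits TOML also invites confusion.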
renderGuardPoliciesToml iterates over Go maps (policies and configMap) without sorting keys, so the generated TOML can be nondeterministic once multiple policies/fields are present. Elsewhere in this file deterministic output is enforced (e.g., env var keys are sorted in RenderGitHubMCPDockerConfig). Consider sorting policy names and field names before rendering, and either handle non-[]string values explicitly (or fail/log) to avoid silently dropping fields.
…ation When a GitHub MCP guard-policy is configured with a specific repos array, the compiler (since #20467, gateway v0.1.14) automatically derives a linked write-sink guard-policy for the safeoutputs MCP server. Document this behavior in the Guard Policies section of github-tools.md. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ation (#20569) When a GitHub MCP guard-policy is configured with a specific repos array, the compiler (since #20467, gateway v0.1.14) automatically derives a linked write-sink guard-policy for the safeoutputs MCP server. Document this behavior in the Guard Policies section of github-tools.md. Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
When the GitHub MCP server is configured with a `guard-policy`, the compiler now automatically derives and adds a linked `write-sink` guard-policy for the safeoutputs MCP server. Each repo entry in GitHub's `allow-only.repos` list gets a corresponding `private:<repo>` entry in safeoutputs' `accept` list, allowing the MCP gateway to read private data from GitHub and still write to safeoutputs.

Changes Made

- `deriveSafeOutputsGuardPolicyFromGitHub` in `mcp_github_config.go` to derive a safeoutputs `write-sink` guard-policy from the GitHub MCP server's `allow-only` policy
- `mcp_config_builtin.go` to emit the derived guard-policy in the Copilot/gateway JSON MCP configuration
- `mcp_renderer.go` with a new `renderGuardPoliciesToml` helper to emit the derived guard-policy in the Claude TOML MCP configuration
- `guard-policies` field to `docs/public/schemas/mcp-gateway-config.schema.json` so compiled workflows pass schema validation
- `DefaultMCPGatewayVersion` to `v0.1.14` in `pkg/constants/constants.go`, which activates the guard-policy feature in the gateway container
- `safeoutputs_guard_policy_test.go` covering single repo, wildcard patterns, multiple repos, and no-policy cases
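As an added illustration of the derivation described in the PR body (each `allow-only.repos` entry becoming a `private:<repo>` accept entry) and of the determinism and escaping points raised in the review of `renderGuardPoliciesToml`, here is a stand-alone Go program. It is example code written for this page, not gh-aw's own implementation: the names `DeriveSafeOutputsGuardPolicy`, `RenderGuardPoliciesTOML`, `tomlKey`, `tomlString`, `stringList` and `sortedKeys` are mine, the table path `[mcp_servers.<id>."guard-policies".<policy>]` and the `private:` prefix follow the diff above, and everything else (bare-key rules, accepting `[]any` as well as `[]string`, returning an error on an unrenderable value, de-duplicating and sorting the accept list) is an assumption about how the project would want these cases handled. The input repos are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DeriveSafeOutputsGuardPolicy applies the rule from the PR body: each pattern in
// the GitHub MCP server's allow-only.repos list becomes a "private:<repo>" entry
// in the safeoutputs write-sink accept list (wildcards such as "github/gh-aw*"
// pass through unchanged). nil means "no policy", distinct from an empty list.
func DeriveSafeOutputsGuardPolicy(githubRepos []string) map[string]any {
	seen := map[string]bool{}
	var accept []string
	for _, repo := range githubRepos {
		if repo = strings.TrimSpace(repo); repo != "" && !seen[repo] {
			seen[repo] = true
			accept = append(accept, "private:"+repo)
		}
	}
	if len(accept) == 0 {
		return nil
	}
	sort.Strings(accept) // stable order keeps lockfile diffs readable
	return map[string]any{"write-sink": map[string]any{"accept": accept}}
}

// tomlString renders s as a TOML basic string, escaping '\', '"' and control chars.
func tomlString(s string) string {
	var b strings.Builder
	b.WriteByte('"')
	for _, r := range s {
		switch {
		case r == '"' || r == '\\':
			b.WriteByte('\\')
			b.WriteRune(r)
		case r < 0x20 || r == 0x7f:
			fmt.Fprintf(&b, `\u%04X`, r)
		default:
			b.WriteRune(r)
		}
	}
	b.WriteByte('"')
	return b.String()
}

// tomlKey quotes any name that is not a bare TOML key (A-Za-z0-9, '-', '_'), so a
// policy or field name containing '.' cannot change the table path.
func tomlKey(name string) string {
	isBare := func(r rune) bool {
		return r == '-' || r == '_' || (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
	}
	if name == "" || strings.IndexFunc(name, func(r rune) bool { return !isBare(r) }) >= 0 {
		return tomlString(name)
	}
	return name
}

// stringList accepts []string (built in Go) and []any (decoded JSON/YAML) and
// errors on anything else instead of silently dropping the field.
func stringList(v any) ([]string, error) {
	switch t := v.(type) {
	case []string:
		return t, nil
	case []any:
		out := make([]string, 0, len(t))
		for _, e := range t {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("list element is %T, want string", e)
			}
			out = append(out, s)
		}
		return out, nil
	}
	return nil, fmt.Errorf("value is %T, want a list of strings", v)
}

func sortedKeys(m map[string]any) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// RenderGuardPoliciesTOML writes [mcp_servers.<id>."guard-policies".<policy>]
// tables with policy and field names sorted, so every compile yields identical
// bytes, and fails loudly on a value it cannot represent.
func RenderGuardPoliciesTOML(out *strings.Builder, policies map[string]any, serverID string) error {
	if len(policies) == 0 {
		return nil
	}
	base := "mcp_servers." + tomlKey(serverID) + `."guard-policies"`
	fmt.Fprintf(out, "\n[%s]\n", base)
	for _, name := range sortedKeys(policies) {
		fields, ok := policies[name].(map[string]any)
		if !ok {
			return fmt.Errorf("guard-policy %q: got %T, want a table", name, policies[name])
		}
		fmt.Fprintf(out, "\n[%s.%s]\n", base, tomlKey(name))
		for _, field := range sortedKeys(fields) {
			items, err := stringList(fields[field])
			if err != nil {
				return fmt.Errorf("guard-policy %q, field %q: %w", name, field, err)
			}
			quoted := make([]string, len(items))
			for i, it := range items {
				quoted[i] = tomlString(it)
			}
			fmt.Fprintf(out, "%s = [%s]\n", tomlKey(field), strings.Join(quoted, ", "))
		}
	}
	return nil
}

func main() {
	// Constructed input: repos a workflow might list under allow-only.repos,
	// including a duplicate and a wildcard pattern.
	policy := DeriveSafeOutputsGuardPolicy([]string{"github/gh-aw-mcpg", "github/gh-aw", "github/gh-aw*", "github/gh-aw"})
	var sb strings.Builder
	if err := RenderGuardPoliciesTOML(&sb, policy, "safeoutputs"); err != nil {
		panic(err)
	}
	fmt.Print(sb.String())
}
```

Two design choices matter for the security of the generated config: a nil result from the derivation means no `guard-policies` section is emitted at all, so the gateway's default applies, whereas an empty `accept` list would be a policy that rejects every write, and the two must never be confused; and every key and value is quoted or escaped, so a repo pattern or policy name taken from workflow YAML cannot break out of the table it was meant to land in.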
✨ PR Review Safe Output Test - Run 22967493132