Add ifc label for search_repositories tool #2459

Merged: gokhanarkan merged 1 commit into main from gokhanarkan/fides-search-repositories on May 13, 2026

gokhanarkan (Member) commented May 12, 2026

Emits an IFC SecurityLabel on the search_repositories tool result when the InsidersMode flag is enabled, mirroring the pattern landed for get_me (#2432), list_issues (#2453), get_file_contents (#2454), search_issues (#2456), and issue_read (#2457).

Refs github/copilot-mcp-core#1623, github/copilot-mcp-core#1389. The last ingress tool from #1623's table.

Chained on #2457 (which is itself chained on #2456). GitHub will auto-retarget the base to main as the upstream PRs merge.

What this PR does

Search results may span multiple repositories, so _meta.ifc for search_repositories is the IFC meet of the per-repository labels — same semantics as search_issues (#2456) after Joanna's review:

  • Integrity is always untrusted (repository names, descriptions, and topics are user-authored).
  • Confidentiality follows the IFC meet (greatest lower bound): private wins. A reader of the combined result must be authorised to read every matched private repository.
    • Empty result set → ["public"] (no data leaked).
    • All matched repos public → ["public"].
    • Otherwise → intersection of the collaborator sets across the private matches only (public repos contribute the universe set and drop out of the intersection without shrinking it).

If any per-repo collaborators lookup fails, the label is omitted entirely (consistent with get_file_contents, search_issues, and issue_read) to avoid misclassifying the result.

Helper consolidation

The math is identical to search_issues, so the helper has been renamed and is now shared:

  • ifc.LabelSearchIssues → ifc.LabelSearchMultiRepo in pkg/ifc/ifc.go. Both search_issues and search_repositories call the same join function.
  • Removed the previous constant LabelSearchRepositories() (which returned PublicUntrusted()).
  • New attachSearchRepositoriesIFCLabel in pkg/github/search.go iterates result.Repositories, reads repo.GetPrivate() directly off the search response (no extra visibility API call), and fetches collaborators only for private hits.

Cost per request: 0 calls for an all-public result; N calls for N private matches (collaborators only). Cheaper than search_issues because visibility comes for free on the repository search payload.

Tests

Test_SearchRepositories_IFC_InsidersMode in pkg/github/search_test.go with 6 subtests mirroring the search_issues coverage:

  1. Insiders off → result.Meta == nil.
  2. Insiders on, all public → integrity=untrusted, confidentiality=["public"].
  3. Insiders on, mixed public + private → readers = the private repo's collaborator set (private wins).
  4. Insiders on, two private repos → intersection of collaborator sets.
  5. Insiders on, collaborators lookup fails (500) → no ifc meta.
  6. Insiders on, empty results → ["public"].

Validation

  • go test -race ./... — green.
  • gofmt -s clean; go vet ./... clean.
  • (./script/lint itself fails locally with a pre-existing golangci-lint Go-version mismatch unrelated to this change.)
  • No tool schema/annotation changes → no toolsnap or README regeneration needed.
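
The confidentiality rule described in this PR, as an added Go example that is not the PR's code or the project's ifc package. `RepoHit`, `Readers` and the `lookup` callback are hypothetical names, the sample data is constructed, and the constant `untrusted` integrity is not modelled.

```go
package main

import (
	"fmt"
	"sort"
)

// RepoHit is a hypothetical stand-in for one repository in a search response.
type RepoHit struct {
	FullName string
	Private  bool
}

// Readers returns the confidentiality readers for a multi-repo result, or
// ok=false when a collaborators lookup failed and the label must be omitted.
func Readers(hits []RepoHit, lookup func(string) ([]string, error)) ([]string, bool) {
	var set map[string]bool // nil means the universe: no private repo seen yet
	for _, h := range hits {
		if !h.Private {
			continue // public repos contribute the universe and drop out
		}
		collabs, err := lookup(h.FullName)
		if err != nil {
			return nil, false // omit the label rather than misclassify
		}
		next := map[string]bool{}
		for _, c := range collabs {
			if set == nil || set[c] {
				next[c] = true // keep only readers common to every private hit
			}
		}
		set = next
	}
	if set == nil {
		return []string{"public"}, true // empty or all-public result
	}
	readers := make([]string, 0, len(set))
	for r := range set {
		readers = append(readers, r)
	}
	sort.Strings(readers)
	return readers, true
}

func main() {
	collabs := map[string][]string{"acme/a": {"alice", "bob"}, "acme/b": {"bob", "carol"}} // constructed
	lookup := func(name string) ([]string, error) { return collabs[name], nil }
	hits := []RepoHit{{"oss/pub", false}, {"acme/a", true}, {"acme/b", true}}
	fmt.Println(Readers(hits, lookup))
}
```

In this example, two private repositories with no collaborator in common yield an empty reader list, which is distinct from `["public"]`.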

Copilot AI review requested due to automatic review settings, May 12, 2026 14:56
gokhanarkan requested a review from a team as a code owner, May 12, 2026 14:56

Copilot AI (Contributor) left a comment

Pull request overview

Adds IFC (_meta.ifc) annotation to the search_repositories MCP tool output when InsidersMode is enabled, aligning search_repositories with the existing IFC-labeling pattern used across other ingress tools.

Changes:

  • Added ifc.LabelSearchRepositories() returning a constant PublicUntrusted() label for repository search results.
  • Updated SearchRepositories to attach _meta.ifc on successful responses when deps.GetFlags(ctx).InsidersMode is true.
  • Added unit test coverage verifying IFC metadata is omitted when insiders mode is off and present (public/untrusted) when on.

Summary per file:

| File | Description |
| --- | --- |
| pkg/ifc/ifc.go | Adds LabelSearchRepositories() helper documenting/encapsulating the label decision for search_repositories. |
| pkg/github/search.go | Attaches _meta.ifc to search_repositories successful results behind InsidersMode. |
| pkg/github/search_test.go | Adds Test_SearchRepositories_IFC_InsidersMode covering both insiders on/off behavior. |

Copilot's findings

  • Files reviewed: 3/3 changed files
  • Comments generated: 0

gokhanarkan force-pushed the gokhanarkan/fides-issue-read branch from 6181edd to 5271c51, May 12, 2026 15:04
gokhanarkan force-pushed the gokhanarkan/fides-search-repositories branch from 86d20eb to ea5755f, May 12, 2026 15:05
gokhanarkan force-pushed the gokhanarkan/fides-issue-read branch from 5271c51 to 513d12b, May 13, 2026 12:15
gokhanarkan force-pushed the gokhanarkan/fides-search-repositories branch 2 times, most recently from 9568f77 to ff861d2, May 13, 2026 12:20
gokhanarkan requested a review from JoannaaKL, May 13, 2026 12:23
JoannaaKL previously approved these changes, May 13, 2026
Base automatically changed from gokhanarkan/fides-issue-read to main, May 13, 2026 12:48
gokhanarkan dismissed JoannaaKL’s stale review, May 13, 2026 12:48

The base branch was changed.

Emits an IFC SecurityLabel on the search_repositories tool result when
the InsidersMode flag is enabled, mirroring the pattern landed for
get_me (#2432), list_issues (#2453), get_file_contents (#2454),
search_issues (#2456), and issue_read (#2457).

Search results may span multiple repositories, so the join math
(integrity always untrusted; private wins by intersecting collaborator
sets across the matched private repos only) is shared with search_issues
via ifc.LabelSearchIssues. Visibility is read directly off the search
response's repo.Private field — no extra API call. Collaborators are
fetched only for private hits, and any failure causes the label to be
omitted entirely (consistent with search_issues / issue_read /
get_file_contents).

Refs github/copilot-mcp-core#1623, github/copilot-mcp-core#1389.

gokhanarkan force-pushed the gokhanarkan/fides-search-repositories branch from ff861d2 to d99a34b, May 13, 2026 12:54
gokhanarkan merged commit 3a4bc26 into main, May 13, 2026
18 checks passed
gokhanarkan deleted the gokhanarkan/fides-search-repositories branch, May 13, 2026 12:59