Skip to content

[review] docs: document sink-visibility field in MCP Gateway write-sink guard policy (spec v1.15.0)#44320

Closed
github-actions[bot] wants to merge 8 commits into
mainfrom
copilot/document-sink-visibility-field-review-1783522988692
Closed

[review] docs: document sink-visibility field in MCP Gateway write-sink guard policy (spec v1.15.0)#44320
github-actions[bot] wants to merge 8 commits into
mainfrom
copilot/document-sink-visibility-field-review-1783522988692

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Caution

agentic threat detected
Threat detection flagged this output in warn mode. Manual review is REQUIRED before any follow-up automation.

Reason: agent_failure

Review the workflow run logs for details.

This PR contains changes that were originally intended for PR #44305 (copilot/document-sink-visibility-field).
Please review the changes carefully before merging.


Generated by 👨‍🍳 PR Sous Chef · 6.93 AIC · ⌖ 5.06 AIC · ⊞ 7.1K ·
Comment /souschef to run again


Generated by 👨‍🍳 PR Sous Chef · 6.55 AIC · ⌖ 5.29 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Copilot AI and others added 7 commits July 8, 2026 13:39
…spec

- Add Section 4.1.3.8 documenting the new `forcePublicRepos` gateway config field
- Add `forcePublicRepos` to the gateway config fields table (Section 4.1.3)
- Add Section 10.8 — Write-Sink Guard Policy with full `sink-visibility` field specification,
  enforcement model, DIFC semantics, runtime verification, and compiler behavior
- Add Section 10.9 — Cross-Visibility Opt-Out documenting `private-to-public-flows: allow`
  frontmatter option, its constraints, compiler responsibilities, and interaction matrix
- Add compliance test category 11.1.12 with T-WS-001 through T-WS-008
- Update compliance checklist with Write-Sink Guard Policy row
- Add changelog entry for spec version 1.15.0
- Update both JSON schema files (docs/public and pkg/workflow) with:
  - New `writeSinkGuardPolicyConfig` definition with `accept` and `sink-visibility` fields
  - Typed `write-sink` property in `guard-policies` for both stdioServerConfig and httpServerConfig
  - New `forcePublicRepos` boolean field in `gatewayConfig`
  - Added `guard-policies` to `stdioServerConfig` in docs/public schema (was missing)

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
…nition

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, ensure the branch is up to date, and rerun checks.

Generated by 👨‍🍳 PR Sous Chef · 6.93 AIC · ⌖ 5.06 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@copilot please run the pr-finisher skill, ensure the branch is up to date, and rerun checks.

...

Checked PR #44320 on head 7ee209b: the branch is already up to date with base copilot/document-sink-visibility-field (f94d875 is the current base tip and ancestor of HEAD). Local validation passed with make fmt, make lint, make test-unit, make test, and make recompile. I can’t re-run GitHub Actions checks from this cloud agent, but the existing Copilot run on this head is already in progress: https://github.com/github/gh-aw/actions/runs/28957025063

Copilot AI requested a review from gh-aw-bot July 8, 2026 16:15
Base automatically changed from copilot/document-sink-visibility-field to main July 8, 2026 16:22
@gh-aw-bot

Copy link
Copy Markdown
Collaborator

@copilot please run the pr-finisher skill, make any remaining updates needed to get this PR ready, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 6.55 AIC · ⌖ 5.29 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Co-authored-by: gh-aw-bot <259018956+gh-aw-bot@users.noreply.github.com>

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

@copilot please run the pr-finisher skill, make any remaining updates needed to get this PR ready, and rerun checks once the branch is up to date.

...

Updated the branch in 1d01dec by merging main, resolving the overlap with the already-landed docs/schema changes, and reducing the PR diff to the remaining changeset file. Local validation passed with make fmt, make lint, make test-unit, make test, make recompile, and make agent-report-progress. GitHub created new runs on the updated head automatically; if you need a fresh full CI pass beyond that, a maintainer will need to retrigger it.

@gh-aw-bot

Copy link
Copy Markdown
Collaborator

pr-sous-chef
@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is up to date.

Generated by 👨‍🍳 PR Sous Chef · 6.43 AIC · ⌖ 4.84 AIC · ⊞ 7.1K ·
Comment /souschef to run again

Copilot AI commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

pr-sous-chef
@copilot please run the pr-finisher skill, address any unresolved review feedback, and rerun checks once the branch is up to date.
...

I checked the current PR state: there are no unresolved in-scope review threads or review comments to address, and the only prior CI result on the current head is Smoke CI in action_required with no failed jobs to fix. I also tried to bring the branch up to date with main, but git fetch --unshallow origin timed out on all 3 attempts from the cloud agent, so I couldn’t safely refresh the branch here. A maintainer can re-trigger CI after updating or pushing the branch if needed.

@pelikhan pelikhan closed this Jul 9, 2026
@github-actions github-actions Bot added the closed:unknown PR was closed without merging: unknown label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

closed:unknown PR was closed without merging: unknown needs-review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants