fix(difc): use human-readable secrecy level in write-denial reason #2205

Merged
lpcox merged 2 commits into fix/difc-error-messages from copilot/sub-pr-2202 on Mar 20, 2026
Copilot AI commented Mar 20, 2026

The write-secrecy denial Reason exposed raw internal tag slices (e.g. [private:owner/repo]) in the user-facing message, inconsistent with read-denial messages which already use formatSecrecyLevel/formatIntegrityLevel.

Changes

  • internal/difc/evaluator.go: Replace %v extraTags with formatSecrecyLevel(extraTags) in the write-secrecy denial Reason, producing e.g. "private (owner/repo)" instead of [private:owner/repo].

Before:

Agent has secrecy tags [private:owner/repo] that cannot flow to 'public-repo'.
The agent carries sensitive data that the target resource is not authorized to receive.

After:

Agent carries private (owner/repo)-scoped data that cannot be written to 'public-repo' due to secrecy constraints.
The target resource is not authorized to receive this sensitive data.

Raw tag details remain available in the debug log (extraTags=%v) and in FormatViolationError's "Current Agent Labels" output.
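
The pattern described above, as an added Go sketch that is not part of the PR or the project's code: the user-facing reason gets the readable form while the raw tag slice goes only to a debug line. `humanSecrecy` is a hypothetical stand-in for `formatSecrecyLevel`; the `level:scope` tag layout, the subset rule in `checkWrite` and the sample labels are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// humanSecrecy renders "private:owner/repo" as "private (owner/repo)".
// Hypothetical stand-in for the project's formatSecrecyLevel; the
// "level:scope" layout is assumed from the example on the page.
func humanSecrecy(tags []string) string {
	parts := make([]string, 0, len(tags))
	for _, t := range tags {
		if level, scope, found := strings.Cut(t, ":"); found && scope != "" {
			t = fmt.Sprintf("%s (%s)", level, scope)
		}
		parts = append(parts, t) // tags without a scope are shown as-is
	}
	return strings.Join(parts, ", ")
}

// checkWrite applies the usual DIFC write rule (assumed here): every secrecy
// tag the agent carries must also be on the target. It returns the
// user-facing reason and, separately, a debug line holding the raw tags.
func checkWrite(agent, target []string, resource string) (ok bool, reason, debug string) {
	onTarget := make(map[string]bool, len(target))
	for _, t := range target {
		onTarget[t] = true
	}
	var extraTags []string
	for _, t := range agent {
		if !onTarget[t] {
			extraTags = append(extraTags, t)
		}
	}
	if len(extraTags) == 0 {
		return true, "", ""
	}
	reason = fmt.Sprintf("Agent carries %s-scoped data that cannot be written to '%s' due to secrecy constraints. "+
		"The target resource is not authorized to receive this sensitive data.", humanSecrecy(extraTags), resource)
	debug = fmt.Sprintf("write denied: resource=%s extraTags=%v", resource, extraTags)
	return false, reason, debug
}

func main() {
	// Constructed labels matching the page's example.
	_, reason, debug := checkWrite([]string{"private:owner/repo"}, nil, "public-repo")
	fmt.Println(reason + "\n" + debug)
}
```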


Copilot AI commented Mar 20, 2026

Just as a heads up, I was blocked by some firewall rules while working on your feedback. Expand below for details.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
  • invalid-host-that-does-not-exist-12345.com
  • nonexistent.local
  • slow.example.com
  • this-host-does-not-exist-12345.com

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "[WIP] [WIP] Address feedback on improving DIFC error messages and sentinel replacement" to "fix(difc): use human-readable secrecy level in write-denial reason" Mar 20, 2026
Copilot AI requested a review from lpcox March 20, 2026 04:26
@lpcox lpcox marked this pull request as ready for review March 20, 2026 04:27
Copilot AI review requested due to automatic review settings March 20, 2026 04:27
@lpcox lpcox merged commit 1c8ba56 into fix/difc-error-messages Mar 20, 2026
@lpcox lpcox deleted the copilot/sub-pr-2202 branch March 20, 2026 04:27
Copilot AI left a comment

Pull request overview

This PR improves DIFC write-denial messaging by making secrecy violation reasons human-readable and consistent with existing read-denial formatting, while keeping raw tag details in logs/debug output.

Changes:

  • Update evaluateWrite secrecy-denial Reason to use formatSecrecyLevel(extraTags) instead of printing the raw tag slice.
  • Adjust the wording of the write-secrecy denial message to match the style of other user-facing DIFC denial messages.
