chore: simplify remove campaign discovery steps #12106
mnkiefer commented Jan 27, 2026
- Simplifies and updates the campaign orchestrator's discovery process and configuration.
@copilot fix lint errors
🛡️ Security Posture Analysis
This PR contains changes that expand security boundaries. Please review the following concerns:
🟡 Safe-Outputs: Project Update Limit Increased 10x
Location:
Change Detected:
- {"create_project_status_update":{"max":1},"update_project":{"max":10}}
+ {"create_project_status_update":{"max":1},"update_project":{"max":100}}
Security Impact: The
Recommendation: Verify this increase is necessary for the campaign's operation. Consider whether a smaller increment (e.g., 25-50) would be sufficient, and ensure there are adequate guardrails to prevent unintended mass updates.
🟡 Tool Access: GitHub MCP Added to Orchestrators
Location:
Change Detected:
tools := map[string]any{
+ "github": map[string]any{
+ "toolsets": []string{"repos", "issues", "pull_requests"},
+ "mode": "remote",
+ },
"repo-memory": []any{
Security Impact: Orchestrators previously had NO GitHub tool access by design, with the explicit policy: "Deliberately omit GitHub tool access from orchestrators. All writes and GitHub API operations should be performed by dispatched worker workflows." This change reverses that policy, allowing orchestrators to directly query GitHub repositories, issues, and pull requests. While the toolsets are read-oriented, this expands the orchestrator's capabilities beyond its original security boundary.
Evidence of Policy Reversal: The test in
- if _, ok := data.Tools["github"]; ok {
- t.Fatalf("expected orchestrator to omit github tools")
- }
+ if _, ok := data.Tools["github"]; !ok {
+ t.Fatalf("expected orchestrator to have github tools configured")
+ }
Recommendation: Confirm this architectural change is intentional and necessary for the simplified discovery approach. Document the new security policy for orchestrator tool access and ensure discovery operations are properly scoped and rate-limited.
Summary
Note: This is an automated analysis. These changes appear to be intentional refactoring for the simplified campaign discovery strategy, but they do expand security boundaries that were previously more restrictive. Please verify the changes align with security requirements.
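Review bot: In the safe-outputs hunk, the `+` line raises `"update_project":{"max":10}` to `{"max":100}` and nothing in the visible change says why 100 is the right ceiling. State the expected number of project updates per run in the PR description or next to the setting, and derive the cap from that figure rather than a round 10x.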
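Review bot: In the `tools` hunk, the added `"github"` entry sets `"toolsets": []string{"repos", "issues", "pull_requests"}` and `"mode": "remote"`, but no visible line limits those toolsets to read operations. If the tool configuration supports a read-only setting, set it explicitly in this map, and replace the policy statement quoted in this analysis ("Deliberately omit GitHub tool access from orchestrators.") with the new rule wherever that text lives, so the source does not contradict the code.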
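Review bot: In the test hunk, the new check `if _, ok := data.Tools["github"]; !ok {` only proves that the key exists, so it would still pass if the toolsets list were later widened. Assert the configured value as well, matching the `repos`, `issues`, `pull_requests` toolsets and the `remote` mode from the `tools` hunk, so the test pins the boundary the orchestrator is now granted.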