fix: context propagation in checkActorPermission already correctly implemented#18342

Closed
Copilot wants to merge 2 commits into main from copilot/fix-context-propagation-permission

Copilot AI commented Feb 25, 2026

The issue requested that checkActorPermission be updated to accept a caller context instead of creating a fresh context.Background(), so permission checks respect request lifecycle cancellation.

Findings

Upon investigation, the code in pkg/cli/mcp_server_helpers.go already implements the correct behavior:

func checkActorPermission(ctx context.Context, actor string, validateActor bool, toolName string) error {
    ...
    ctx, cancel := context.WithTimeout(ctx, 5*time.Second) // uses caller's context
    defer cancel()
    permission, err := queryActorRole(ctx, actor, repo)
    ...
}

Both call sites in mcp_tools_privileged.go also already pass the tool handler's ctx:

  • checkActorPermission(ctx, actor, validateActor, "logs")
  • checkActorPermission(ctx, actor, validateActor, "audit")

All acceptance criteria from the issue are satisfied in the current codebase — no functional changes were required.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>[plan] Fix context propagation in checkActorPermission to respect request lifecycle</issue_title>
<issue_description>## Objective

Fix context propagation in checkActorPermission in pkg/cli/mcp_server_helpers.go to use the caller's context instead of context.Background(), so permission checks respect request lifecycle cancellation.

Context

From discussion #18080 (go-sdk module review): When a tool handler's context is cancelled (e.g., client disconnects), the permission check currently still runs for up to 5 seconds against the GitHub API because it uses a fresh context.Background(). Using the parent context would respect request lifecycle and avoid unnecessary work.

File to Modify

pkg/cli/mcp_server_helpers.go — the checkActorPermission function

Change Required

Update checkActorPermission to accept a parent context parameter and use it as the base for the timeout:

// Before
func checkActorPermission(actor, repo string) error {
    ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
    defer cancel()
    permission, err := queryActorRole(ctx, actor, repo)
    ...
}

// After
func checkActorPermission(callerCtx context.Context, actor, repo string) error {
    permCtx, cancel := context.WithTimeout(callerCtx, 5*time.Second)
    defer cancel()
    permission, err := queryActorRole(permCtx, actor, repo)
    ...
}

All call sites must be updated to pass the tool handler's context.

Acceptance Criteria

  • checkActorPermission accepts a context.Context parameter
  • All call sites updated to pass the handler context
  • make test-unit passes
  • make agent-finish passes

Generated by Plan Command for issue #discussion #18080

  • expires on Feb 27, 2026, 12:38 PM UTC

Comments on the Issue (you are @copilot in this section)

✨ PR Review Safe Output Test - Run 22397346878

💥 [THE END] — Illustrated by Smoke Claude

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix context propagation in checkActorPermission fix: context propagation in checkActorPermission already correctly implemented Feb 25, 2026
@pelikhan pelikhan closed this Feb 25, 2026
@github-actions

Commit pushed: 4d0b33b

💥 [THE END] — Illustrated by Smoke Claude
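
The difference between the issue's "Before" and "After" shapes of checkActorPermission, shown as an added example (not code from the gh-aw repository). slowRoleQuery is a hypothetical stand-in for queryActorRole, the 5-second timeout is shortened to 300ms, and the actor name and the 20ms disconnect are constructed.

```go
package main

import (
	"context"
	"fmt"
	"time"
)

// permTimeout stands in for the page's 5-second limit, shortened for the demo.
const permTimeout = 300 * time.Millisecond

// slowRoleQuery: hypothetical stand-in for queryActorRole with a backend that never answers.
func slowRoleQuery(ctx context.Context, actor string) (string, error) {
	<-ctx.Done()
	return "", ctx.Err() // fail closed: no role is returned on cancellation or timeout
}

// checkDetached follows the issue's "Before": the timeout hangs off Background().
func checkDetached(_ context.Context, actor string) error {
	ctx, cancel := context.WithTimeout(context.Background(), permTimeout)
	defer cancel()
	_, err := slowRoleQuery(ctx, actor)
	return err
}

// checkPropagated follows the "After": the timeout is a child of the caller's ctx.
func checkPropagated(callerCtx context.Context, actor string) error {
	ctx, cancel := context.WithTimeout(callerCtx, permTimeout)
	defer cancel()
	_, err := slowRoleQuery(ctx, actor)
	return err
}

// runCancelled cancels the caller's ctx after 20ms and reports how long check ran and why it stopped.
func runCancelled(check func(context.Context, string) error) (time.Duration, error) {
	ctx, cancel := context.WithCancel(context.Background())
	time.AfterFunc(20*time.Millisecond, cancel)
	start := time.Now()
	err := check(ctx, "octocat")
	return time.Since(start), err
}

func main() {
	for _, c := range []func(context.Context, string) error{checkDetached, checkPropagated} {
		d, err := runCancelled(c)
		fmt.Printf("%v after %v\n", err, d.Round(10*time.Millisecond))
	}
}
```

The detached variant keeps the backend call open until its own deadline even though the caller is gone; the propagated variant stops with context.Canceled as soon as the caller does, and in both cases the check returns an error rather than a role.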


Successfully merging this pull request may close these issues.

[plan] Fix context propagation in checkActorPermission to respect request lifecycle