diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 0e985e6d1c2..01998313f38 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -343,6 +343,11 @@ const DefaultGeminiVersion Version = "latest"
 // DefaultGitHubMCPServerVersion is the default version of the GitHub MCP server Docker image
 const DefaultGitHubMCPServerVersion Version = "v0.32.0"
+// DefaultGitHubLockdown is the default value for the GitHub MCP server lockdown setting.
+// Lockdown mode restricts the GitHub MCP server to the triggering repository only.
+// Defaults to false (lockdown disabled).
+const DefaultGitHubLockdown = false
+
 // DefaultFirewallVersion is the default version of the gh-aw-firewall (AWF) binary
 const DefaultFirewallVersion Version = "v0.24.2"
diff --git a/pkg/workflow/mcp_github_config.go b/pkg/workflow/mcp_github_config.go
index bdb570337ac..630ebf61b1f 100644
--- a/pkg/workflow/mcp_github_config.go
+++ b/pkg/workflow/mcp_github_config.go
@@ -120,7 +120,7 @@ func getGitHubReadOnly(_ any) bool {
 }
 // getGitHubLockdown checks if lockdown mode is enabled for GitHub tool
-// Defaults to false (lockdown disabled)
+// Defaults to constants.DefaultGitHubLockdown (false)
 func getGitHubLockdown(githubTool any) bool {
 if toolConfig, ok := githubTool.(map[string]any); ok {
 if lockdownSetting, exists := toolConfig["lockdown"]; exists {
@@ -129,7 +129,7 @@ func getGitHubLockdown(githubTool any) bool {
 }
 }
 }
- return false // default to lockdown disabled
+ return constants.DefaultGitHubLockdown
 }
 // hasGitHubLockdownExplicitlySet checks if lockdown field is explicitly set in GitHub tool config
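Review bot: In pkg/constants/constants.go, the doc comment on `DefaultGitHubLockdown` gives the value but not its consequence for access scope. Lockdown is what restricts the GitHub MCP server to the triggering repository, so a `false` default leaves that restriction off for every tool config that does not set `lockdown`. I would add a line such as `// Security: when false, the server is not confined to the triggering repository unless the tool config sets lockdown.` Since this constant is now the single source of the default, the comment should also say that changing it alters behaviour for every workflow relying on the default.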
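Review bot: In pkg/workflow/mcp_github_config.go, the final `return constants.DefaultGitHubLockdown` in getGitHubLockdown appears to be reached both when `lockdown` is absent and when the key is present but the inner branch rejects its value. The lines that inspect the value fall between the two hunks, so this is inferred. For a security setting, that would mean a malformed value silently resolves to lockdown disabled instead of being reported. Either document the fallback on the function, e.g. `// A lockdown value that is present but unusable falls back to constants.DefaultGitHubLockdown.`, or have config validation reject such a value before this point. The function body starts outside this hunk.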