From 39ac4eb2435bf84e6c184c02bb9daf8c91666135 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 16 Mar 2026 23:10:04 +0000
Subject: [PATCH 1/2] Initial plan

From 784df4c0dc0300004765c02ec73028512cd9a04b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 16 Mar 2026 23:17:23 +0000
Subject: [PATCH 2/2] Store default GitHub lockdown value as a constant (false)

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 pkg/constants/constants.go | 5 +++++
 pkg/workflow/mcp_github_config.go | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go
index 0e985e6d1c2..01998313f38 100644
--- a/pkg/constants/constants.go
+++ b/pkg/constants/constants.go
@@ -343,6 +343,11 @@ const DefaultGeminiVersion Version = "latest"
 
 // DefaultGitHubMCPServerVersion is the default version of the GitHub MCP server Docker image
 const DefaultGitHubMCPServerVersion Version = "v0.32.0"
 
+// DefaultGitHubLockdown is the default value for the GitHub MCP server lockdown setting.
+// Lockdown mode restricts the GitHub MCP server to the triggering repository only.
+// Defaults to false (lockdown disabled).
+const DefaultGitHubLockdown = false
+
 // DefaultFirewallVersion is the default version of the gh-aw-firewall (AWF) binary
 const DefaultFirewallVersion Version = "v0.24.2"
diff --git a/pkg/workflow/mcp_github_config.go b/pkg/workflow/mcp_github_config.go
index bdb570337ac..630ebf61b1f 100644
--- a/pkg/workflow/mcp_github_config.go
+++ b/pkg/workflow/mcp_github_config.go
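Review bot: The new comment on `DefaultGitHubLockdown` in pkg/constants/constants.go records the value but not what it means for callers: with `false`, a workflow whose GitHub tool config omits `lockdown` gets no triggering-repository restriction from this default. Now that one constant decides this for every such workflow, the comment should say that it is a security-relevant, fail-open default and that changing it alters behaviour for all workflows that do not set the field. A line such as `// Security-relevant: false means the repository restriction is not applied unless a workflow sets lockdown itself.` would cover it. Whether other code (for example the path behind `hasGitHubLockdownExplicitlySet` in mcp_github_config.go) overrides the default automatically is not visible in this patch, so mention that as well if it applies.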
@@ -120,7 +120,7 @@ func getGitHubReadOnly(_ any) bool {
 }
 
 // getGitHubLockdown checks if lockdown mode is enabled for GitHub tool
-// Defaults to false (lockdown disabled)
+// Defaults to constants.DefaultGitHubLockdown (false)
 func getGitHubLockdown(githubTool any) bool {
 if toolConfig, ok := githubTool.(map[string]any); ok {
 if lockdownSetting, exists := toolConfig["lockdown"]; exists {
@@ -129,7 +129,7 @@ func getGitHubLockdown(githubTool any) bool {
 }
 }
 }
- return false // default to lockdown disabled
+ return constants.DefaultGitHubLockdown
 }
 
 // hasGitHubLockdownExplicitlySet checks if lockdown field is explicitly set in GitHub tool config
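Review bot: In the second hunk, `return constants.DefaultGitHubLockdown` is also the path taken when a `lockdown` key is present but fails the check on lines 127–128, which fall between the two hunks and are presumably a bool type assertion. If so, a mistyped value such as a quoted `"true"` silently resolves to lockdown disabled. For a setting that narrows what the MCP server can reach, a present-but-invalid value is better rejected during workflow validation, or at least logged, than folded into the fail-open default. At minimum, document it above the return: `// Also reached when "lockdown" is set to a non-bool value; the setting is then ignored.` The patch adds no import line to this file, so it relies on the constants package already being imported here.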