From def4220cda134b0927ff2ebc3d3bd0a8aada9620 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Mar 2026 05:16:54 +0000 Subject: [PATCH 1/5] Initial plan From 61d8bd28a84b2899683921bec01fb9f70fc57654 Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Mar 2026 05:50:16 +0000 Subject: [PATCH 2/5] fix: add write-sink guard policies for non-GitHub MCP servers when auto-lockdown is used When a workflow has the github tool configured without explicit repos/min-integrity guard policies, the auto-lockdown detection step runs at runtime and always sets repos=all. Non-GitHub MCP servers (playwright, serena, mcpscripts, safeoutputs, agentic-workflows, web-fetch, custom) were missing the corresponding write-sink guard policies needed for the MCP gateway to allow writes to these servers. - Modify deriveWriteSinkGuardPolicyFromWorkflow to return accept=["*"] write-sink policy when GitHub tool is present, no explicit guard policies configured, and no GitHub App configured (same conditions that trigger auto-lockdown) - Update renderSafeOutputsMCPConfigWithOptions and renderSafeOutputsTOML to use deriveWriteSinkGuardPolicyFromWorkflow instead of deriveSafeOutputsGuardPolicyFromGitHub - Update tests to reflect new behavior and add GitHub App exclusion test - Recompile all 172 workflow lock files with the fix applied Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- .../agent-performance-analyzer.lock.yml | 14 ++ .../workflows/agent-persona-explorer.lock.yml | 14 ++ .github/workflows/ai-moderator.lock.yml | 12 ++ .github/workflows/archie.lock.yml | 16 ++- .github/workflows/artifacts-summary.lock.yml | 7 + .github/workflows/audit-workflows.lock.yml | 14 ++ .github/workflows/auto-triage-issues.lock.yml | 7 + .github/workflows/blog-auditor.lock.yml | 16 ++- .github/workflows/bot-detection.lock.yml | 7 + .github/workflows/brave.lock.yml | 14 ++ .../breaking-change-checker.lock.yml | 7 + .github/workflows/changeset.lock.yml | 12 ++ .github/workflows/ci-coach.lock.yml | 7 + .github/workflows/ci-doctor.lock.yml | 7 + .../claude-code-user-docs-review.lock.yml | 7 + .../cli-consistency-checker.lock.yml | 7 + 
.../workflows/cli-version-checker.lock.yml | 7 + .github/workflows/cloclo.lock.yml | 32 ++++- .../workflows/code-scanning-fixer.lock.yml | 7 + .github/workflows/code-simplifier.lock.yml | 7 + .../commit-changes-analyzer.lock.yml | 7 + .../constraint-solving-potd.lock.yml | 7 + .../workflows/copilot-agent-analysis.lock.yml | 7 + .../copilot-cli-deep-research.lock.yml | 7 + .../copilot-pr-merged-report.lock.yml | 14 ++ .../copilot-pr-nlp-analysis.lock.yml | 7 + .../copilot-pr-prompt-analysis.lock.yml | 7 + .../copilot-session-insights.lock.yml | 7 + .github/workflows/craft.lock.yml | 7 + .../daily-architecture-diagram.lock.yml | 7 + .../daily-assign-issue-to-user.lock.yml | 7 + .github/workflows/daily-choice-test.lock.yml | 7 + .../workflows/daily-cli-performance.lock.yml | 14 ++ .../workflows/daily-cli-tools-tester.lock.yml | 14 ++ .github/workflows/daily-code-metrics.lock.yml | 7 + .../workflows/daily-compiler-quality.lock.yml | 16 ++- .../daily-copilot-token-report.lock.yml | 7 + .github/workflows/daily-doc-healer.lock.yml | 14 ++ .github/workflows/daily-doc-updater.lock.yml | 14 ++ .github/workflows/daily-fact.lock.yml | 12 ++ .github/workflows/daily-file-diet.lock.yml | 16 ++- .../workflows/daily-firewall-report.lock.yml | 14 ++ .../workflows/daily-function-namer.lock.yml | 16 ++- .../workflows/daily-issues-report.lock.yml | 12 ++ .../daily-malicious-code-scan.lock.yml | 7 + .../daily-mcp-concurrency-analysis.lock.yml | 16 ++- .../daily-multi-device-docs-tester.lock.yml | 16 ++- .github/workflows/daily-news.lock.yml | 14 ++ .../daily-observability-report.lock.yml | 24 ++++ .../daily-performance-summary.lock.yml | 14 ++ .github/workflows/daily-regulatory.lock.yml | 14 ++ .../daily-rendering-scripts-verifier.lock.yml | 14 ++ .../workflows/daily-repo-chronicle.lock.yml | 7 + .../daily-safe-output-optimizer.lock.yml | 14 ++ .../daily-safe-outputs-conformance.lock.yml | 7 + .../workflows/daily-secrets-analysis.lock.yml | 7 + .../daily-security-red-team.lock.yml | 7 + 
.github/workflows/daily-semgrep-scan.lock.yml | 16 ++- .../daily-syntax-error-quality.lock.yml | 7 + .../daily-team-evolution-insights.lock.yml | 7 + .github/workflows/daily-team-status.lock.yml | 7 + .../daily-testify-uber-super-expert.lock.yml | 16 ++- .../workflows/daily-workflow-updater.lock.yml | 7 + .github/workflows/dead-code-remover.lock.yml | 7 + .github/workflows/deep-report.lock.yml | 24 ++++ .github/workflows/delight.lock.yml | 7 + .github/workflows/dependabot-burner.lock.yml | 7 + .../workflows/dependabot-go-checker.lock.yml | 7 + .github/workflows/dev-hawk.lock.yml | 14 ++ .github/workflows/dev.lock.yml | 7 + .../developer-docs-consolidator.lock.yml | 23 +++- .github/workflows/dictation-prompt.lock.yml | 14 ++ .../workflows/discussion-task-miner.lock.yml | 7 + .github/workflows/docs-noob-tester.lock.yml | 16 ++- .github/workflows/draft-pr-cleanup.lock.yml | 7 + .../duplicate-code-detector.lock.yml | 26 +++- .../example-workflow-analyzer.lock.yml | 14 ++ .github/workflows/firewall-escape.lock.yml | 7 + .../workflows/functional-pragmatist.lock.yml | 7 + .../github-mcp-structural-analysis.lock.yml | 7 + .../github-mcp-tools-report.lock.yml | 7 + .../github-remote-mcp-auth-test.lock.yml | 7 + .../workflows/glossary-maintainer.lock.yml | 23 +++- .github/workflows/go-fan.lock.yml | 16 ++- .github/workflows/go-logger.lock.yml | 14 ++ .../workflows/go-pattern-detector.lock.yml | 16 ++- .github/workflows/gpclean.lock.yml | 7 + .github/workflows/grumpy-reviewer.lock.yml | 7 + .github/workflows/hourly-ci-cleaner.lock.yml | 7 + .../workflows/instructions-janitor.lock.yml | 7 + .github/workflows/issue-arborist.lock.yml | 12 ++ .github/workflows/issue-monster.lock.yml | 7 + .github/workflows/issue-triage-agent.lock.yml | 7 + .github/workflows/jsweep.lock.yml | 16 ++- .../workflows/layout-spec-maintainer.lock.yml | 7 + .github/workflows/lockfile-stats.lock.yml | 7 + .github/workflows/mcp-inspector.lock.yml | 126 +++++++++++++++++- 
.github/workflows/mergefest.lock.yml | 7 + .github/workflows/metrics-collector.lock.yml | 7 + .../workflows/notion-issue-summary.lock.yml | 14 ++ .github/workflows/org-health-report.lock.yml | 7 + .github/workflows/pdf-summary.lock.yml | 16 ++- .github/workflows/poem-bot.lock.yml | 7 + .github/workflows/portfolio-analyst.lock.yml | 14 ++ .../workflows/pr-nitpick-reviewer.lock.yml | 7 + .github/workflows/pr-triage-agent.lock.yml | 7 + .../prompt-clustering-analysis.lock.yml | 14 ++ .github/workflows/python-data-charts.lock.yml | 14 ++ .github/workflows/q.lock.yml | 23 +++- .github/workflows/refiner.lock.yml | 7 + .github/workflows/release.lock.yml | 7 + .../workflows/repo-audit-analyzer.lock.yml | 7 + .github/workflows/repo-tree-map.lock.yml | 7 + .../repository-quality-improver.lock.yml | 16 ++- .github/workflows/research.lock.yml | 14 ++ .github/workflows/safe-output-health.lock.yml | 14 ++ .../schema-consistency-checker.lock.yml | 7 + ...ecurity-alert-burndown.campaign.g.lock.yml | 7 + .../workflows/security-compliance.lock.yml | 7 + .github/workflows/security-review.lock.yml | 14 ++ .../semantic-function-refactor.lock.yml | 16 ++- .github/workflows/sergo.lock.yml | 16 ++- .../workflows/slide-deck-maintainer.lock.yml | 16 ++- .../workflows/smoke-call-workflow.lock.yml | 12 ++ .github/workflows/smoke-claude.lock.yml | 48 ++++++- .github/workflows/smoke-codex.lock.yml | 66 ++++++++- .github/workflows/smoke-copilot-arm.lock.yml | 39 +++++- .github/workflows/smoke-copilot.lock.yml | 39 +++++- .../smoke-create-cross-repo-pr.lock.yml | 7 + .github/workflows/smoke-gemini.lock.yml | 23 +++- .github/workflows/smoke-multi-pr.lock.yml | 7 + .github/workflows/smoke-project.lock.yml | 7 + .github/workflows/smoke-temporary-id.lock.yml | 7 + .github/workflows/smoke-test-tools.lock.yml | 7 + .../smoke-update-cross-repo-pr.lock.yml | 7 + .../smoke-workflow-call-with-inputs.lock.yml | 7 + .../workflows/smoke-workflow-call.lock.yml | 7 + .../workflows/stale-repo-identifier.lock.yml 
| 7 + .../workflows/static-analysis-report.lock.yml | 14 ++ .../workflows/step-name-alignment.lock.yml | 7 + .github/workflows/sub-issue-closer.lock.yml | 7 + .github/workflows/super-linter.lock.yml | 7 + .../workflows/technical-doc-writer.lock.yml | 14 ++ .github/workflows/terminal-stylist.lock.yml | 16 ++- .../test-create-pr-error-handling.lock.yml | 7 + .github/workflows/test-dispatcher.lock.yml | 7 + .../test-project-url-default.lock.yml | 7 + .github/workflows/tidy.lock.yml | 7 + .github/workflows/typist.lock.yml | 16 ++- .../workflows/ubuntu-image-analyzer.lock.yml | 7 + .github/workflows/unbloat-docs.lock.yml | 23 +++- .github/workflows/video-analyzer.lock.yml | 7 + .../weekly-editors-health-check.lock.yml | 16 ++- .../workflows/weekly-issue-summary.lock.yml | 7 + .../weekly-safe-outputs-spec-review.lock.yml | 7 + .github/workflows/workflow-generator.lock.yml | 7 + .../workflow-health-manager.lock.yml | 7 + .../workflows/workflow-normalizer.lock.yml | 14 ++ .../workflow-skill-extractor.lock.yml | 7 + pkg/workflow/mcp_config_builtin.go | 9 +- pkg/workflow/mcp_config_compilation_test.go | 24 ++-- pkg/workflow/mcp_github_config.go | 28 +++- pkg/workflow/mcp_renderer_builtin.go | 16 +-- .../non_github_mcp_guard_policy_test.go | 58 ++++++-- .../smoke-copilot.golden | 25 +++- 165 files changed, 2051 insertions(+), 85 deletions(-) diff --git a/.github/workflows/agent-performance-analyzer.lock.yml b/.github/workflows/agent-performance-analyzer.lock.yml index 7239591982e..ddcf599e8be 100644 --- a/.github/workflows/agent-performance-analyzer.lock.yml +++ b/.github/workflows/agent-performance-analyzer.lock.yml @@ -649,6 +649,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { 
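Review bot: The policy added in this hunk is the wildcard `"accept": ["*"]`, and the later hunks emit the same value for every non-GitHub server regardless of what that server can reach. That includes `serena` in archie.lock.yml (workspace mounted `rw`, `--network host`), `playwright` in blog-auditor.lock.yml (`--no-sandbox`), and the server carrying `BRAVE_API_KEY` in brave.lock.yml. If `accept` lists the data labels a write sink will take, as the commit description implies, the wildcard leaves the gateway guard with nothing to reject on these servers in exactly the auto-lockdown case where the GitHub server runs with repos=all. These files are compiler output, so the change belongs in the generator: emit an explicit accept list in place of `"*"`, or keep the wildcard only for the gateway-local sinks (`safeoutputs`, `mcpscripts`) and require an explicitly configured policy for servers that talk to external networks. The surrounding JSON config starts and ends outside the hunk.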
@@ -672,6 +679,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/agent-persona-explorer.lock.yml b/.github/workflows/agent-persona-explorer.lock.yml index 616d26a9176..a48354cd575 100644 --- a/.github/workflows/agent-persona-explorer.lock.yml +++ b/.github/workflows/agent-persona-explorer.lock.yml @@ -594,6 +594,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -617,6 +624,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/ai-moderator.lock.yml b/.github/workflows/ai-moderator.lock.yml index f21b297bead..425ee44b981 100644 --- a/.github/workflows/ai-moderator.lock.yml +++ b/.github/workflows/ai-moderator.lock.yml @@ -583,6 +583,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -609,6 +614,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/archie.lock.yml b/.github/workflows/archie.lock.yml index 7030d05f2b6..e0ad0f96e20 100644 --- a/.github/workflows/archie.lock.yml +++ b/.github/workflows/archie.lock.yml 
@@ -594,6 +594,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -602,7 +609,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/artifacts-summary.lock.yml b/.github/workflows/artifacts-summary.lock.yml index e4d11285992..b38aa57bd4e 100644 --- a/.github/workflows/artifacts-summary.lock.yml +++ b/.github/workflows/artifacts-summary.lock.yml @@ -525,6 +525,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/audit-workflows.lock.yml b/.github/workflows/audit-workflows.lock.yml index df76b28041c..84e69fda7ed 100644 --- a/.github/workflows/audit-workflows.lock.yml +++ b/.github/workflows/audit-workflows.lock.yml @@ -662,6 +662,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -684,6 +691,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/auto-triage-issues.lock.yml b/.github/workflows/auto-triage-issues.lock.yml index dbcfa1d65be..cac4c2e0e0c 100644 
--- a/.github/workflows/auto-triage-issues.lock.yml +++ b/.github/workflows/auto-triage-issues.lock.yml @@ -558,6 +558,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/blog-auditor.lock.yml b/.github/workflows/blog-auditor.lock.yml index 813c03a81a6..2bf5f9d5815 100644 --- a/.github/workflows/blog-auditor.lock.yml +++ b/.github/workflows/blog-auditor.lock.yml @@ -544,13 +544,27 @@ jobs: "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox" ], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/bot-detection.lock.yml b/.github/workflows/bot-detection.lock.yml index b401b6e460d..10498aacb49 100644 --- a/.github/workflows/bot-detection.lock.yml +++ b/.github/workflows/bot-detection.lock.yml @@ -601,6 +601,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/brave.lock.yml b/.github/workflows/brave.lock.yml index af778092e4d..1c0fa94caa9 100644 --- a/.github/workflows/brave.lock.yml +++ b/.github/workflows/brave.lock.yml @@ -566,6 +566,13 @@ jobs: ], "env": { "BRAVE_API_KEY": "\${BRAVE_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { 
@@ -589,6 +596,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/breaking-change-checker.lock.yml b/.github/workflows/breaking-change-checker.lock.yml index 9d6d0e54dd9..1cbca934b57 100644 --- a/.github/workflows/breaking-change-checker.lock.yml +++ b/.github/workflows/breaking-change-checker.lock.yml @@ -538,6 +538,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/changeset.lock.yml b/.github/workflows/changeset.lock.yml index e0379548bcb..adc48d74e5f 100644 --- a/.github/workflows/changeset.lock.yml +++ b/.github/workflows/changeset.lock.yml @@ -616,6 +616,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -642,6 +647,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/ci-coach.lock.yml b/.github/workflows/ci-coach.lock.yml index 35ee0d38cdc..f13d280ab28 100644 --- a/.github/workflows/ci-coach.lock.yml +++ b/.github/workflows/ci-coach.lock.yml @@ -607,6 +607,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/ci-doctor.lock.yml b/.github/workflows/ci-doctor.lock.yml index 580478517a2..72a6a134766 100644 --- a/.github/workflows/ci-doctor.lock.yml +++ b/.github/workflows/ci-doctor.lock.yml @@ -666,6 +666,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/claude-code-user-docs-review.lock.yml b/.github/workflows/claude-code-user-docs-review.lock.yml index da6b9348634..b51b8f1c709 100644 --- a/.github/workflows/claude-code-user-docs-review.lock.yml +++ b/.github/workflows/claude-code-user-docs-review.lock.yml @@ -548,6 +548,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/cli-consistency-checker.lock.yml b/.github/workflows/cli-consistency-checker.lock.yml index 63a9f54e0c3..11090bffa9e 100644 --- a/.github/workflows/cli-consistency-checker.lock.yml +++ b/.github/workflows/cli-consistency-checker.lock.yml @@ -523,6 +523,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/cli-version-checker.lock.yml b/.github/workflows/cli-version-checker.lock.yml index 11280d9cd06..b306c21c2a2 100644 --- a/.github/workflows/cli-version-checker.lock.yml +++ b/.github/workflows/cli-version-checker.lock.yml @@ -559,6 +559,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/cloclo.lock.yml b/.github/workflows/cloclo.lock.yml index f0cc17b4227..9a80bb46c95 100644 --- a/.github/workflows/cloclo.lock.yml +++ b/.github/workflows/cloclo.lock.yml @@ -759,6 +759,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -791,13 +798,27 @@ jobs: "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox" ], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -814,7 +835,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/code-scanning-fixer.lock.yml b/.github/workflows/code-scanning-fixer.lock.yml index 94ef21bdeb8..c4516914e47 100644 --- a/.github/workflows/code-scanning-fixer.lock.yml +++ b/.github/workflows/code-scanning-fixer.lock.yml @@ -586,6 +586,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/code-simplifier.lock.yml b/.github/workflows/code-simplifier.lock.yml index 3570ddeb3e8..2e471cc7112 100644 --- a/.github/workflows/code-simplifier.lock.yml +++ b/.github/workflows/code-simplifier.lock.yml 
@@ -550,6 +550,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/commit-changes-analyzer.lock.yml b/.github/workflows/commit-changes-analyzer.lock.yml index 5acde949402..4cdbadedab0 100644 --- a/.github/workflows/commit-changes-analyzer.lock.yml +++ b/.github/workflows/commit-changes-analyzer.lock.yml @@ -532,6 +532,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/constraint-solving-potd.lock.yml b/.github/workflows/constraint-solving-potd.lock.yml index 4f8ad927890..2f6805b2c6e 100644 --- a/.github/workflows/constraint-solving-potd.lock.yml +++ b/.github/workflows/constraint-solving-potd.lock.yml @@ -519,6 +519,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/copilot-agent-analysis.lock.yml b/.github/workflows/copilot-agent-analysis.lock.yml index e008f13b03e..33d38f4b5ee 100644 --- a/.github/workflows/copilot-agent-analysis.lock.yml +++ b/.github/workflows/copilot-agent-analysis.lock.yml @@ -589,6 +589,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/copilot-cli-deep-research.lock.yml b/.github/workflows/copilot-cli-deep-research.lock.yml index 673939b714d..9726c0c8eb5 100644 --- a/.github/workflows/copilot-cli-deep-research.lock.yml 
+++ b/.github/workflows/copilot-cli-deep-research.lock.yml @@ -550,6 +550,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/copilot-pr-merged-report.lock.yml b/.github/workflows/copilot-pr-merged-report.lock.yml index 1fe9bff5156..44b62d6c98a 100644 --- a/.github/workflows/copilot-pr-merged-report.lock.yml +++ b/.github/workflows/copilot-pr-merged-report.lock.yml @@ -669,6 +669,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -676,6 +683,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/copilot-pr-nlp-analysis.lock.yml b/.github/workflows/copilot-pr-nlp-analysis.lock.yml index fd174b24333..847f44601bb 100644 --- a/.github/workflows/copilot-pr-nlp-analysis.lock.yml +++ b/.github/workflows/copilot-pr-nlp-analysis.lock.yml @@ -636,6 +636,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/copilot-pr-prompt-analysis.lock.yml b/.github/workflows/copilot-pr-prompt-analysis.lock.yml index 8fa3a826536..b8e94b0a1b1 100644 --- a/.github/workflows/copilot-pr-prompt-analysis.lock.yml +++ b/.github/workflows/copilot-pr-prompt-analysis.lock.yml 
@@ -585,6 +585,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/copilot-session-insights.lock.yml b/.github/workflows/copilot-session-insights.lock.yml index d76868c9cf4..863a56a396c 100644 --- a/.github/workflows/copilot-session-insights.lock.yml +++ b/.github/workflows/copilot-session-insights.lock.yml @@ -639,6 +639,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/craft.lock.yml b/.github/workflows/craft.lock.yml index a8ca9915316..d0e4e4a094e 100644 --- a/.github/workflows/craft.lock.yml +++ b/.github/workflows/craft.lock.yml @@ -596,6 +596,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-architecture-diagram.lock.yml b/.github/workflows/daily-architecture-diagram.lock.yml index a2e2b7bf8a2..e2f7c3fead4 100644 --- a/.github/workflows/daily-architecture-diagram.lock.yml +++ b/.github/workflows/daily-architecture-diagram.lock.yml @@ -585,6 +585,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-assign-issue-to-user.lock.yml b/.github/workflows/daily-assign-issue-to-user.lock.yml index 6cf8f5f6f5a..06b8080071e 100644 --- a/.github/workflows/daily-assign-issue-to-user.lock.yml +++ b/.github/workflows/daily-assign-issue-to-user.lock.yml 
@@ -527,6 +527,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-choice-test.lock.yml b/.github/workflows/daily-choice-test.lock.yml index 0d393fefbd1..7b4c152d6ad 100644 --- a/.github/workflows/daily-choice-test.lock.yml +++ b/.github/workflows/daily-choice-test.lock.yml @@ -522,6 +522,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-cli-performance.lock.yml b/.github/workflows/daily-cli-performance.lock.yml index 5cfb3ee82b4..9aab0b3c14d 100644 --- a/.github/workflows/daily-cli-performance.lock.yml +++ b/.github/workflows/daily-cli-performance.lock.yml @@ -708,6 +708,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -715,6 +722,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-cli-tools-tester.lock.yml b/.github/workflows/daily-cli-tools-tester.lock.yml index 620d7c6ca6e..93d5ee50c6a 100644 --- a/.github/workflows/daily-cli-tools-tester.lock.yml +++ b/.github/workflows/daily-cli-tools-tester.lock.yml @@ -581,6 +581,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { 
@@ -604,6 +611,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-code-metrics.lock.yml b/.github/workflows/daily-code-metrics.lock.yml index 634744e25b7..d0342dab40b 100644 --- a/.github/workflows/daily-code-metrics.lock.yml +++ b/.github/workflows/daily-code-metrics.lock.yml @@ -613,6 +613,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-compiler-quality.lock.yml b/.github/workflows/daily-compiler-quality.lock.yml index 40839a7747c..cc8451a2c80 100644 --- a/.github/workflows/daily-compiler-quality.lock.yml +++ b/.github/workflows/daily-compiler-quality.lock.yml @@ -544,6 +544,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -552,7 +559,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/daily-copilot-token-report.lock.yml b/.github/workflows/daily-copilot-token-report.lock.yml index 94427cb539f..728b3346106 100644 --- a/.github/workflows/daily-copilot-token-report.lock.yml +++ b/.github/workflows/daily-copilot-token-report.lock.yml 
@@ -640,6 +640,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-doc-healer.lock.yml b/.github/workflows/daily-doc-healer.lock.yml index 08e3f12832d..cf47135be81 100644 --- a/.github/workflows/daily-doc-healer.lock.yml +++ b/.github/workflows/daily-doc-healer.lock.yml @@ -714,6 +714,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -721,6 +728,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-doc-updater.lock.yml b/.github/workflows/daily-doc-updater.lock.yml index 6ee117b5c55..428572d1b8a 100644 --- a/.github/workflows/daily-doc-updater.lock.yml +++ b/.github/workflows/daily-doc-updater.lock.yml @@ -676,6 +676,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -683,6 +690,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-fact.lock.yml b/.github/workflows/daily-fact.lock.yml index ba1dbc3c51b..82148e0bc1f 100644 --- a/.github/workflows/daily-fact.lock.yml +++ b/.github/workflows/daily-fact.lock.yml 
@@ -559,6 +559,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -585,6 +590,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-file-diet.lock.yml b/.github/workflows/daily-file-diet.lock.yml index ae11045f4c2..1a5409606b0 100644 --- a/.github/workflows/daily-file-diet.lock.yml +++ b/.github/workflows/daily-file-diet.lock.yml @@ -546,6 +546,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -554,7 +561,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/daily-firewall-report.lock.yml b/.github/workflows/daily-firewall-report.lock.yml index ddb22df06df..f97d2233679 100644 --- a/.github/workflows/daily-firewall-report.lock.yml +++ b/.github/workflows/daily-firewall-report.lock.yml @@ -633,6 +633,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { 
@@ -656,6 +663,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-function-namer.lock.yml b/.github/workflows/daily-function-namer.lock.yml index c6daff5797f..68c02add683 100644 --- a/.github/workflows/daily-function-namer.lock.yml +++ b/.github/workflows/daily-function-namer.lock.yml @@ -557,6 +557,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -573,7 +580,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/daily-issues-report.lock.yml b/.github/workflows/daily-issues-report.lock.yml index 2d6af682d35..b04615099d4 100644 --- a/.github/workflows/daily-issues-report.lock.yml +++ b/.github/workflows/daily-issues-report.lock.yml @@ -649,6 +649,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -676,6 +681,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-malicious-code-scan.lock.yml b/.github/workflows/daily-malicious-code-scan.lock.yml index 64f80f73a5e..5c89bdb483e 100644 --- a/.github/workflows/daily-malicious-code-scan.lock.yml 
+++ b/.github/workflows/daily-malicious-code-scan.lock.yml @@ -533,6 +533,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml index a2ca1228b39..6545384b5cb 100644 --- a/.github/workflows/daily-mcp-concurrency-analysis.lock.yml +++ b/.github/workflows/daily-mcp-concurrency-analysis.lock.yml @@ -566,6 +566,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -574,7 +581,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/daily-multi-device-docs-tester.lock.yml b/.github/workflows/daily-multi-device-docs-tester.lock.yml index 014127f02c6..56d32843312 100644 --- a/.github/workflows/daily-multi-device-docs-tester.lock.yml +++ b/.github/workflows/daily-multi-device-docs-tester.lock.yml 
@@ -577,13 +577,27 @@ jobs: "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox" ], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-news.lock.yml b/.github/workflows/daily-news.lock.yml index 9df690cccdb..817d8b87779 100644 --- a/.github/workflows/daily-news.lock.yml +++ b/.github/workflows/daily-news.lock.yml @@ -686,6 +686,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "tavily": { @@ -699,6 +706,13 @@ jobs: ], "env": { "TAVILY_API_KEY": "\${TAVILY_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-observability-report.lock.yml b/.github/workflows/daily-observability-report.lock.yml index e72c1933f58..0d6dfa69b1f 100644 --- a/.github/workflows/daily-observability-report.lock.yml +++ b/.github/workflows/daily-observability-report.lock.yml @@ -609,6 +609,11 @@ jobs: mounts = ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"] env_vars = ["DEBUG", "GH_TOKEN", "GITHUB_TOKEN", "GITHUB_ACTOR", "GITHUB_REPOSITORY"] + [mcp_servers.agenticworkflows."guard-policies"] + + [mcp_servers.agenticworkflows."guard-policies".write-sink] + accept = ["*"] + [mcp_servers.github] user_agent = "daily-observability-report-for-awf-firewall-and-mcp-gateway" startup_timeout_sec = 120 
@@ -623,6 +628,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -638,6 +648,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -660,6 +677,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-performance-summary.lock.yml b/.github/workflows/daily-performance-summary.lock.yml index 1e5759a0f89..575623a9856 100644 --- a/.github/workflows/daily-performance-summary.lock.yml +++ b/.github/workflows/daily-performance-summary.lock.yml @@ -1080,6 +1080,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -1087,6 +1094,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-regulatory.lock.yml b/.github/workflows/daily-regulatory.lock.yml index 32d986b491e..c33539cc4f9 100644 --- a/.github/workflows/daily-regulatory.lock.yml +++ b/.github/workflows/daily-regulatory.lock.yml @@ -1021,6 +1021,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { 
@@ -1028,6 +1035,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-rendering-scripts-verifier.lock.yml b/.github/workflows/daily-rendering-scripts-verifier.lock.yml index b70fc348d1b..2f1fe40c331 100644 --- a/.github/workflows/daily-rendering-scripts-verifier.lock.yml +++ b/.github/workflows/daily-rendering-scripts-verifier.lock.yml @@ -613,6 +613,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -635,6 +642,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-repo-chronicle.lock.yml b/.github/workflows/daily-repo-chronicle.lock.yml index b6fe3b72d9a..0ba7278641f 100644 --- a/.github/workflows/daily-repo-chronicle.lock.yml +++ b/.github/workflows/daily-repo-chronicle.lock.yml @@ -585,6 +585,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-safe-output-optimizer.lock.yml b/.github/workflows/daily-safe-output-optimizer.lock.yml index 5ad26863c57..a5e7516a8e5 100644 --- a/.github/workflows/daily-safe-output-optimizer.lock.yml +++ b/.github/workflows/daily-safe-output-optimizer.lock.yml @@ -617,6 +617,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { 
@@ -639,6 +646,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-safe-outputs-conformance.lock.yml b/.github/workflows/daily-safe-outputs-conformance.lock.yml index b32edb90f51..a45317f27be 100644 --- a/.github/workflows/daily-safe-outputs-conformance.lock.yml +++ b/.github/workflows/daily-safe-outputs-conformance.lock.yml @@ -534,6 +534,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-secrets-analysis.lock.yml b/.github/workflows/daily-secrets-analysis.lock.yml index 6418471fe7a..e745a285638 100644 --- a/.github/workflows/daily-secrets-analysis.lock.yml +++ b/.github/workflows/daily-secrets-analysis.lock.yml @@ -552,6 +552,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-security-red-team.lock.yml b/.github/workflows/daily-security-red-team.lock.yml index 133d2936612..0f127b18056 100644 --- a/.github/workflows/daily-security-red-team.lock.yml +++ b/.github/workflows/daily-security-red-team.lock.yml @@ -538,6 +538,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-semgrep-scan.lock.yml b/.github/workflows/daily-semgrep-scan.lock.yml index 7390512482e..2ebc2059d02 100644 --- a/.github/workflows/daily-semgrep-scan.lock.yml 
+++ b/.github/workflows/daily-semgrep-scan.lock.yml @@ -540,6 +540,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "semgrep": { @@ -553,7 +560,14 @@ jobs: ], "tools": [ "*" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/daily-syntax-error-quality.lock.yml b/.github/workflows/daily-syntax-error-quality.lock.yml index 710b0a7665b..9e1bd5fe490 100644 --- a/.github/workflows/daily-syntax-error-quality.lock.yml +++ b/.github/workflows/daily-syntax-error-quality.lock.yml @@ -543,6 +543,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-team-evolution-insights.lock.yml b/.github/workflows/daily-team-evolution-insights.lock.yml index 5e1ecc56293..1e79a603b7c 100644 --- a/.github/workflows/daily-team-evolution-insights.lock.yml +++ b/.github/workflows/daily-team-evolution-insights.lock.yml @@ -530,6 +530,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/daily-team-status.lock.yml b/.github/workflows/daily-team-status.lock.yml index 81a0b309f5f..8b0053646fc 100644 --- a/.github/workflows/daily-team-status.lock.yml +++ b/.github/workflows/daily-team-status.lock.yml @@ -544,6 +544,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/daily-testify-uber-super-expert.lock.yml b/.github/workflows/daily-testify-uber-super-expert.lock.yml index 25b622a61d1..e250047da49 100644 --- a/.github/workflows/daily-testify-uber-super-expert.lock.yml +++ b/.github/workflows/daily-testify-uber-super-expert.lock.yml @@ -571,6 +571,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -579,7 +586,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/daily-workflow-updater.lock.yml b/.github/workflows/daily-workflow-updater.lock.yml index 9038be6a80a..d74d344a5b9 100644 --- a/.github/workflows/daily-workflow-updater.lock.yml +++ b/.github/workflows/daily-workflow-updater.lock.yml @@ -527,6 +527,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/dead-code-remover.lock.yml b/.github/workflows/dead-code-remover.lock.yml index 7396469f535..ceb264d9cff 100644 --- a/.github/workflows/dead-code-remover.lock.yml +++ b/.github/workflows/dead-code-remover.lock.yml @@ -572,6 +572,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/deep-report.lock.yml b/.github/workflows/deep-report.lock.yml index 6494c0e26e2..5162d5f5f19 100644 --- a/.github/workflows/deep-report.lock.yml +++ b/.github/workflows/deep-report.lock.yml @@ -681,6 +681,11 @@ jobs: mounts = ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw", "/tmp/gh-aw:/tmp/gh-aw:rw"] env_vars = ["DEBUG", "GH_TOKEN", "GITHUB_TOKEN", "GITHUB_ACTOR", "GITHUB_REPOSITORY"] + [mcp_servers.agenticworkflows."guard-policies"] + + [mcp_servers.agenticworkflows."guard-policies".write-sink] + accept = ["*"] + [mcp_servers.github] user_agent = "deepreport-intelligence-gathering-agent" startup_timeout_sec = 120 @@ -695,6 +700,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -710,6 +720,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -732,6 +749,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/delight.lock.yml b/.github/workflows/delight.lock.yml index 71cf71be4a8..4185c756561 100644 --- a/.github/workflows/delight.lock.yml +++ b/.github/workflows/delight.lock.yml @@ -589,6 +589,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/dependabot-burner.lock.yml b/.github/workflows/dependabot-burner.lock.yml index 7295cbb3334..22357f6b619 100644 
--- a/.github/workflows/dependabot-burner.lock.yml +++ b/.github/workflows/dependabot-burner.lock.yml @@ -536,6 +536,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/dependabot-go-checker.lock.yml b/.github/workflows/dependabot-go-checker.lock.yml index 4fef6d1b927..5c76b3abef9 100644 --- a/.github/workflows/dependabot-go-checker.lock.yml +++ b/.github/workflows/dependabot-go-checker.lock.yml @@ -554,6 +554,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/dev-hawk.lock.yml b/.github/workflows/dev-hawk.lock.yml index c991ae27c76..8ddc438f088 100644 --- a/.github/workflows/dev-hawk.lock.yml +++ b/.github/workflows/dev-hawk.lock.yml @@ -588,6 +588,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -611,6 +618,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/dev.lock.yml b/.github/workflows/dev.lock.yml index 32c7aba4a7f..9c590a0ddc3 100644 --- a/.github/workflows/dev.lock.yml +++ b/.github/workflows/dev.lock.yml @@ -520,6 +520,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/developer-docs-consolidator.lock.yml b/.github/workflows/developer-docs-consolidator.lock.yml index 51a2bb54715..ebe1b20ff61 100644 --- a/.github/workflows/developer-docs-consolidator.lock.yml +++ b/.github/workflows/developer-docs-consolidator.lock.yml @@ -736,6 +736,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -743,6 +750,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -759,7 +773,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/dictation-prompt.lock.yml b/.github/workflows/dictation-prompt.lock.yml index fa64f3d0aa7..e41ccbece2e 100644 --- a/.github/workflows/dictation-prompt.lock.yml +++ b/.github/workflows/dictation-prompt.lock.yml @@ -656,6 +656,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -663,6 +670,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/discussion-task-miner.lock.yml b/.github/workflows/discussion-task-miner.lock.yml index 62041e49ecf..44ed47c5128 100644 --- a/.github/workflows/discussion-task-miner.lock.yml 
+++ b/.github/workflows/discussion-task-miner.lock.yml @@ -583,6 +583,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/docs-noob-tester.lock.yml b/.github/workflows/docs-noob-tester.lock.yml index 5dc53f8cb42..f6342a16dbd 100644 --- a/.github/workflows/docs-noob-tester.lock.yml +++ b/.github/workflows/docs-noob-tester.lock.yml @@ -544,13 +544,27 @@ jobs: "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox"], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/draft-pr-cleanup.lock.yml b/.github/workflows/draft-pr-cleanup.lock.yml index d097dee2a70..5aed47d81e2 100644 --- a/.github/workflows/draft-pr-cleanup.lock.yml +++ b/.github/workflows/draft-pr-cleanup.lock.yml @@ -546,6 +546,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/duplicate-code-detector.lock.yml b/.github/workflows/duplicate-code-detector.lock.yml index f5d34c6b9aa..a09c2e1bff2 100644 --- a/.github/workflows/duplicate-code-detector.lock.yml +++ b/.github/workflows/duplicate-code-detector.lock.yml 
@@ -545,6 +545,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] + [mcp_servers.serena] container = "ghcr.io/github/serena-mcp-server:latest" args = [ @@ -560,6 +565,11 @@ jobs: "${GITHUB_WORKSPACE}" ] mounts = ["${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw"] + + [mcp_servers.serena."guard-policies"] + + [mcp_servers.serena."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -586,6 +596,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -602,7 +619,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/example-workflow-analyzer.lock.yml b/.github/workflows/example-workflow-analyzer.lock.yml index 8985112bfed..41547acd1fa 100644 --- a/.github/workflows/example-workflow-analyzer.lock.yml +++ b/.github/workflows/example-workflow-analyzer.lock.yml @@ -572,6 +572,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -594,6 +601,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/firewall-escape.lock.yml b/.github/workflows/firewall-escape.lock.yml index 8df7cb67659..7e0bc5df92d 100644 
--- a/.github/workflows/firewall-escape.lock.yml +++ b/.github/workflows/firewall-escape.lock.yml @@ -580,6 +580,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/functional-pragmatist.lock.yml b/.github/workflows/functional-pragmatist.lock.yml index ce0f1ba4eb4..bcf74768bd7 100644 --- a/.github/workflows/functional-pragmatist.lock.yml +++ b/.github/workflows/functional-pragmatist.lock.yml @@ -540,6 +540,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/github-mcp-structural-analysis.lock.yml b/.github/workflows/github-mcp-structural-analysis.lock.yml index 9cdbb208b27..278e668f4e9 100644 --- a/.github/workflows/github-mcp-structural-analysis.lock.yml +++ b/.github/workflows/github-mcp-structural-analysis.lock.yml @@ -589,6 +589,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/github-mcp-tools-report.lock.yml b/.github/workflows/github-mcp-tools-report.lock.yml index fa6dd49e29d..7778b1e5d38 100644 --- a/.github/workflows/github-mcp-tools-report.lock.yml +++ b/.github/workflows/github-mcp-tools-report.lock.yml @@ -587,6 +587,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/github-remote-mcp-auth-test.lock.yml b/.github/workflows/github-remote-mcp-auth-test.lock.yml index d23b58382ca..dd3d2081609 100644 --- a/.github/workflows/github-remote-mcp-auth-test.lock.yml +++ b/.github/workflows/github-remote-mcp-auth-test.lock.yml @@ -534,6 +534,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/glossary-maintainer.lock.yml b/.github/workflows/glossary-maintainer.lock.yml index 822273b0620..8bf297c4505 100644 --- a/.github/workflows/glossary-maintainer.lock.yml +++ b/.github/workflows/glossary-maintainer.lock.yml @@ -722,6 +722,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -729,6 +736,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -737,7 +751,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/go-fan.lock.yml b/.github/workflows/go-fan.lock.yml index dfc5eace39f..3fa473ebd9f 100644 --- a/.github/workflows/go-fan.lock.yml +++ b/.github/workflows/go-fan.lock.yml 
@@ -550,6 +550,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -566,7 +573,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/go-logger.lock.yml b/.github/workflows/go-logger.lock.yml index 07addf297a6..d84c59364ce 100644 --- a/.github/workflows/go-logger.lock.yml +++ b/.github/workflows/go-logger.lock.yml @@ -699,6 +699,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -706,6 +713,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/go-pattern-detector.lock.yml b/.github/workflows/go-pattern-detector.lock.yml index 4546a05bfe5..06cde64a009 100644 --- a/.github/workflows/go-pattern-detector.lock.yml +++ b/.github/workflows/go-pattern-detector.lock.yml @@ -530,7 +530,14 @@ jobs: "container": "mcp/ast-grep:latest", "tools": [ "*" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "github": { "container": "ghcr.io/github/github-mcp-server:v0.32.0", @@ -552,6 +559,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/gpclean.lock.yml b/.github/workflows/gpclean.lock.yml index ebb74f54136..c6c0234daba 100644 --- a/.github/workflows/gpclean.lock.yml +++ b/.github/workflows/gpclean.lock.yml @@ -557,6 +557,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/grumpy-reviewer.lock.yml b/.github/workflows/grumpy-reviewer.lock.yml index ba948a0055b..668e9867049 100644 --- a/.github/workflows/grumpy-reviewer.lock.yml +++ b/.github/workflows/grumpy-reviewer.lock.yml @@ -635,6 +635,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/hourly-ci-cleaner.lock.yml b/.github/workflows/hourly-ci-cleaner.lock.yml index 2fabb747be6..5da05de564f 100644 --- a/.github/workflows/hourly-ci-cleaner.lock.yml +++ b/.github/workflows/hourly-ci-cleaner.lock.yml @@ -590,6 +590,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/instructions-janitor.lock.yml b/.github/workflows/instructions-janitor.lock.yml index ac6447d437d..1a1417ac313 100644 --- a/.github/workflows/instructions-janitor.lock.yml +++ b/.github/workflows/instructions-janitor.lock.yml @@ -549,6 +549,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/issue-arborist.lock.yml b/.github/workflows/issue-arborist.lock.yml index 8d915648aee..eca088fb845 100644 --- a/.github/workflows/issue-arborist.lock.yml +++ b/.github/workflows/issue-arborist.lock.yml @@ -594,6 +594,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -621,6 +626,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/issue-monster.lock.yml b/.github/workflows/issue-monster.lock.yml index 79180d85947..e9e6e144f2f 100644 --- a/.github/workflows/issue-monster.lock.yml +++ b/.github/workflows/issue-monster.lock.yml @@ -904,6 +904,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/issue-triage-agent.lock.yml b/.github/workflows/issue-triage-agent.lock.yml index 466fccf4bdb..258dddb38c1 100644 --- a/.github/workflows/issue-triage-agent.lock.yml +++ b/.github/workflows/issue-triage-agent.lock.yml @@ -525,6 +525,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/jsweep.lock.yml b/.github/workflows/jsweep.lock.yml index b2daa883579..372004ec71f 100644 --- a/.github/workflows/jsweep.lock.yml +++ b/.github/workflows/jsweep.lock.yml 
@@ -561,6 +561,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -569,7 +576,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/layout-spec-maintainer.lock.yml b/.github/workflows/layout-spec-maintainer.lock.yml index e2eebba5a9c..6901d838115 100644 --- a/.github/workflows/layout-spec-maintainer.lock.yml +++ b/.github/workflows/layout-spec-maintainer.lock.yml @@ -540,6 +540,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/lockfile-stats.lock.yml b/.github/workflows/lockfile-stats.lock.yml index cea0dee5781..7ca67b78f55 100644 --- a/.github/workflows/lockfile-stats.lock.yml +++ b/.github/workflows/lockfile-stats.lock.yml @@ -544,6 +544,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/mcp-inspector.lock.yml b/.github/workflows/mcp-inspector.lock.yml index 195f4b6f1d9..1e85b60fcd0 100644 --- a/.github/workflows/mcp-inspector.lock.yml +++ b/.github/workflows/mcp-inspector.lock.yml 
@@ -708,6 +708,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "arxiv": { @@ -717,14 +724,28 @@ jobs: "search_arxiv", "get_paper_details", "get_paper_pdf" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "ast-grep": { "type": "stdio", "container": "mcp/ast-grep:latest", "tools": [ "*" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "brave-search": { "type": "stdio", @@ -734,6 +755,13 @@ jobs: ], "env": { "BRAVE_API_KEY": "\${BRAVE_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "context7": { @@ -745,6 +773,13 @@ jobs: ], "env": { "CONTEXT7_API_KEY": "\${CONTEXT7_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "datadog": { @@ -765,6 +800,13 @@ jobs: "DD_API_KEY": "\${DD_API_KEY}", "DD_APPLICATION_KEY": "\${DD_APPLICATION_KEY}", "DD_SITE": "\${DD_SITE}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "deepwiki": { @@ -774,7 +816,14 @@ jobs: "read_wiki_structure", "read_wiki_contents", "ask_question" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "fabric-rti": { "type": "stdio", @@ -803,6 +852,13 @@ jobs: "AZURE_CLIENT_ID": "\${AZURE_CLIENT_ID}", "AZURE_CLIENT_SECRET": "\${AZURE_CLIENT_SECRET}", "AZURE_TENANT_ID": "\${AZURE_TENANT_ID}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -826,7 +882,14 @@ jobs: "container": "mcp/markitdown", "tools": [ "*" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "memory": { "type": "stdio", 
@@ -840,14 +903,28 @@ jobs: "retrieve_memory", "list_memories", "delete_memory" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "microsoftdocs": { "type": "http", "url": "https://learn.microsoft.com/api/mcp", "tools": [ "*" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "notion": { "type": "stdio", @@ -860,6 +937,13 @@ jobs: ], "env": { "NOTION_API_TOKEN": "\${NOTION_API_TOKEN}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -867,6 +951,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "sentry": { @@ -897,6 +988,13 @@ jobs: "OPENAI_API_KEY": "\${SENTRY_OPENAI_API_KEY}", "SENTRY_ACCESS_TOKEN": "\${SENTRY_ACCESS_TOKEN}", "SENTRY_HOST": "\${SENTRY_HOST}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -905,7 +1003,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "tavily": { "type": "http", @@ -918,6 +1023,13 @@ jobs: ], "env": { "TAVILY_API_KEY": "\${TAVILY_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/mergefest.lock.yml b/.github/workflows/mergefest.lock.yml index 9f4b14e8f2f..9976a570838 100644 --- a/.github/workflows/mergefest.lock.yml +++ b/.github/workflows/mergefest.lock.yml 
@@ -574,6 +574,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/metrics-collector.lock.yml b/.github/workflows/metrics-collector.lock.yml index a88fe3c0a7d..867367e4141 100644 --- a/.github/workflows/metrics-collector.lock.yml +++ b/.github/workflows/metrics-collector.lock.yml @@ -429,6 +429,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { diff --git a/.github/workflows/notion-issue-summary.lock.yml b/.github/workflows/notion-issue-summary.lock.yml index eff7eac29c1..425ca7da5a5 100644 --- a/.github/workflows/notion-issue-summary.lock.yml +++ b/.github/workflows/notion-issue-summary.lock.yml @@ -525,6 +525,13 @@ jobs: ], "env": { "NOTION_API_TOKEN": "\${NOTION_API_TOKEN}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -532,6 +539,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/org-health-report.lock.yml b/.github/workflows/org-health-report.lock.yml index 0ce679d0d80..c465f8be51d 100644 --- a/.github/workflows/org-health-report.lock.yml +++ b/.github/workflows/org-health-report.lock.yml @@ -597,6 +597,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/pdf-summary.lock.yml b/.github/workflows/pdf-summary.lock.yml index ad7b866e21d..526e573bc58 100644 
--- a/.github/workflows/pdf-summary.lock.yml +++ b/.github/workflows/pdf-summary.lock.yml @@ -655,13 +655,27 @@ jobs: "container": "mcp/markitdown", "tools": [ "*" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/poem-bot.lock.yml b/.github/workflows/poem-bot.lock.yml index 058711956ce..674fbc95367 100644 --- a/.github/workflows/poem-bot.lock.yml +++ b/.github/workflows/poem-bot.lock.yml @@ -915,6 +915,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/portfolio-analyst.lock.yml b/.github/workflows/portfolio-analyst.lock.yml index 2ccb5dff671..c65acbd72c2 100644 --- a/.github/workflows/portfolio-analyst.lock.yml +++ b/.github/workflows/portfolio-analyst.lock.yml @@ -644,6 +644,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -667,6 +674,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/pr-nitpick-reviewer.lock.yml b/.github/workflows/pr-nitpick-reviewer.lock.yml index 0c8acb5fe86..593369eac00 100644 --- a/.github/workflows/pr-nitpick-reviewer.lock.yml +++ b/.github/workflows/pr-nitpick-reviewer.lock.yml 
@@ -691,6 +691,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/pr-triage-agent.lock.yml b/.github/workflows/pr-triage-agent.lock.yml index b59152916a6..2c7d522f635 100644 --- a/.github/workflows/pr-triage-agent.lock.yml +++ b/.github/workflows/pr-triage-agent.lock.yml @@ -594,6 +594,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/prompt-clustering-analysis.lock.yml b/.github/workflows/prompt-clustering-analysis.lock.yml index 6df71931703..5352077703e 100644 --- a/.github/workflows/prompt-clustering-analysis.lock.yml +++ b/.github/workflows/prompt-clustering-analysis.lock.yml @@ -657,6 +657,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -679,6 +686,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/python-data-charts.lock.yml b/.github/workflows/python-data-charts.lock.yml index 6acb542d02d..7aa3766a984 100644 --- a/.github/workflows/python-data-charts.lock.yml +++ b/.github/workflows/python-data-charts.lock.yml @@ -632,6 +632,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { 
@@ -655,6 +662,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/q.lock.yml b/.github/workflows/q.lock.yml index 781679791b4..c03b25fd12e 100644 --- a/.github/workflows/q.lock.yml +++ b/.github/workflows/q.lock.yml @@ -727,6 +727,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -750,6 +757,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -758,7 +772,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/refiner.lock.yml b/.github/workflows/refiner.lock.yml index 90e44bba110..4b965cbc9b5 100644 --- a/.github/workflows/refiner.lock.yml +++ b/.github/workflows/refiner.lock.yml @@ -586,6 +586,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/release.lock.yml b/.github/workflows/release.lock.yml index 3b9c1bf629a..707a76747b9 100644 --- a/.github/workflows/release.lock.yml +++ b/.github/workflows/release.lock.yml 
@@ -542,6 +542,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/repo-audit-analyzer.lock.yml b/.github/workflows/repo-audit-analyzer.lock.yml index 2fe33b01b2f..98ffae6e2d3 100644 --- a/.github/workflows/repo-audit-analyzer.lock.yml +++ b/.github/workflows/repo-audit-analyzer.lock.yml @@ -550,6 +550,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/repo-tree-map.lock.yml b/.github/workflows/repo-tree-map.lock.yml index 999302b2ca1..4e21a3ab01f 100644 --- a/.github/workflows/repo-tree-map.lock.yml +++ b/.github/workflows/repo-tree-map.lock.yml @@ -526,6 +526,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/repository-quality-improver.lock.yml b/.github/workflows/repository-quality-improver.lock.yml index 2e69ee8b6fd..6c7e6cc27aa 100644 --- a/.github/workflows/repository-quality-improver.lock.yml +++ b/.github/workflows/repository-quality-improver.lock.yml @@ -549,6 +549,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { 
@@ -557,7 +564,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/research.lock.yml b/.github/workflows/research.lock.yml index c3933eb25c6..cc50bdc8095 100644 --- a/.github/workflows/research.lock.yml +++ b/.github/workflows/research.lock.yml @@ -537,6 +537,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "tavily": { @@ -550,6 +557,13 @@ jobs: ], "env": { "TAVILY_API_KEY": "\${TAVILY_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/safe-output-health.lock.yml b/.github/workflows/safe-output-health.lock.yml index 31b09f19ff6..4800d7edd71 100644 --- a/.github/workflows/safe-output-health.lock.yml +++ b/.github/workflows/safe-output-health.lock.yml @@ -601,6 +601,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -623,6 +630,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/schema-consistency-checker.lock.yml b/.github/workflows/schema-consistency-checker.lock.yml index 29c701b1538..72405ea763e 100644 --- a/.github/workflows/schema-consistency-checker.lock.yml +++ b/.github/workflows/schema-consistency-checker.lock.yml 
@@ -544,6 +544,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/security-alert-burndown.campaign.g.lock.yml b/.github/workflows/security-alert-burndown.campaign.g.lock.yml index 3353a44a3d3..38469127415 100644 --- a/.github/workflows/security-alert-burndown.campaign.g.lock.yml +++ b/.github/workflows/security-alert-burndown.campaign.g.lock.yml @@ -668,6 +668,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/security-compliance.lock.yml b/.github/workflows/security-compliance.lock.yml index 7f92ef7b2a4..8d69b25c0c3 100644 --- a/.github/workflows/security-compliance.lock.yml +++ b/.github/workflows/security-compliance.lock.yml @@ -581,6 +581,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/security-review.lock.yml b/.github/workflows/security-review.lock.yml index 487c2346947..ac5b095eab8 100644 --- a/.github/workflows/security-review.lock.yml +++ b/.github/workflows/security-review.lock.yml @@ -680,6 +680,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -703,6 +710,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/semantic-function-refactor.lock.yml b/.github/workflows/semantic-function-refactor.lock.yml index a5051324667..371f168a6f9 100644 --- a/.github/workflows/semantic-function-refactor.lock.yml +++ b/.github/workflows/semantic-function-refactor.lock.yml @@ -558,6 +558,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -574,7 +581,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/sergo.lock.yml b/.github/workflows/sergo.lock.yml index ab654b1acf1..87f733547c0 100644 --- a/.github/workflows/sergo.lock.yml +++ b/.github/workflows/sergo.lock.yml @@ -550,6 +550,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -566,7 +573,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/slide-deck-maintainer.lock.yml b/.github/workflows/slide-deck-maintainer.lock.yml index 303acda339f..5e9787839ce 100644 --- a/.github/workflows/slide-deck-maintainer.lock.yml +++ b/.github/workflows/slide-deck-maintainer.lock.yml 
@@ -589,13 +589,27 @@ jobs: "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox"], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-call-workflow.lock.yml b/.github/workflows/smoke-call-workflow.lock.yml index aeeb34b7200..c72f862be1e 100644 --- a/.github/workflows/smoke-call-workflow.lock.yml +++ b/.github/workflows/smoke-call-workflow.lock.yml @@ -530,6 +530,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -556,6 +561,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-claude.lock.yml b/.github/workflows/smoke-claude.lock.yml index 38d72e8f269..a00b3d094e5 100644 --- a/.github/workflows/smoke-claude.lock.yml +++ b/.github/workflows/smoke-claude.lock.yml @@ -1809,6 +1809,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { 
@@ -1831,6 +1838,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "playwright": { @@ -1848,13 +1862,27 @@ jobs: "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox" ], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -1871,7 +1899,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "tavily": { "type": "http", @@ -1881,7 +1916,14 @@ jobs: }, "tools": [ "*" - ] + ], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/smoke-codex.lock.yml b/.github/workflows/smoke-codex.lock.yml index c1546311452..3e185920c16 100644 --- a/.github/workflows/smoke-codex.lock.yml +++ b/.github/workflows/smoke-codex.lock.yml @@ -831,6 +831,11 @@ jobs: url = "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT" headers = { Authorization = "$GH_AW_MCP_SCRIPTS_API_KEY" } + [mcp_servers.mcpscripts."guard-policies"] + + [mcp_servers.mcpscripts."guard-policies".write-sink] + accept = ["*"] + [mcp_servers.playwright] container = "mcr.microsoft.com/playwright/mcp" args = [ 
@@ -847,6 +852,11 @@ jobs: ] mounts = ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + [mcp_servers.playwright."guard-policies"] + + [mcp_servers.playwright."guard-policies".write-sink] + accept = ["*"] + [mcp_servers.safeoutputs] type = "http" url = "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT" @@ -854,6 +864,11 @@ jobs: [mcp_servers.safeoutputs.headers] Authorization = "$GH_AW_SAFE_OUTPUTS_API_KEY" + [mcp_servers.safeoutputs."guard-policies"] + + [mcp_servers.safeoutputs."guard-policies".write-sink] + accept = ["*"] + [mcp_servers.serena] container = "ghcr.io/github/serena-mcp-server:latest" args = [ @@ -870,8 +885,18 @@ jobs: ] mounts = ["${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE}:rw"] + [mcp_servers.serena."guard-policies"] + + [mcp_servers.serena."guard-policies".write-sink] + accept = ["*"] + [mcp_servers."web-fetch"] container = "mcp/fetch" + + [mcp_servers.web-fetch."guard-policies"] + + [mcp_servers.web-fetch."guard-policies".write-sink] + accept = ["*"] GH_AW_MCP_CONFIG_EOF # Generate JSON config for MCP gateway @@ -898,6 +923,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "playwright": { @@ -915,13 +947,27 @@ jobs: "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox" ], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { 
@@ -938,10 +984,24 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "web-fetch": { - "container": "mcp/fetch" + "container": "mcp/fetch", + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/smoke-copilot-arm.lock.yml b/.github/workflows/smoke-copilot-arm.lock.yml index e518846b2d5..bef4327eaa7 100644 --- a/.github/workflows/smoke-copilot-arm.lock.yml +++ b/.github/workflows/smoke-copilot-arm.lock.yml @@ -1356,6 +1356,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -1379,6 +1386,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "playwright": { @@ -1386,13 +1400,27 @@ jobs: "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox"], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { 
@@ -1401,7 +1429,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/smoke-copilot.lock.yml b/.github/workflows/smoke-copilot.lock.yml index 7c4d27801e2..047014873a0 100644 --- a/.github/workflows/smoke-copilot.lock.yml +++ b/.github/workflows/smoke-copilot.lock.yml @@ -1403,6 +1403,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -1426,6 +1433,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "playwright": { @@ -1433,13 +1447,27 @@ jobs: "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox"], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { 
@@ -1448,7 +1476,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/smoke-create-cross-repo-pr.lock.yml b/.github/workflows/smoke-create-cross-repo-pr.lock.yml index 4d6e8ca7f37..dce0a09f34e 100644 --- a/.github/workflows/smoke-create-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-create-cross-repo-pr.lock.yml @@ -633,6 +633,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-gemini.lock.yml b/.github/workflows/smoke-gemini.lock.yml index 07654116bcd..1e149be2d5e 100644 --- a/.github/workflows/smoke-gemini.lock.yml +++ b/.github/workflows/smoke-gemini.lock.yml @@ -751,6 +751,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -758,10 +765,24 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "web-fetch": { - "container": "mcp/fetch" + "container": "mcp/fetch", + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/smoke-multi-pr.lock.yml b/.github/workflows/smoke-multi-pr.lock.yml index 8b1c1569c98..745770f6d7e 100644 --- a/.github/workflows/smoke-multi-pr.lock.yml +++ b/.github/workflows/smoke-multi-pr.lock.yml 
@@ -602,6 +602,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-project.lock.yml b/.github/workflows/smoke-project.lock.yml index c11091642bf..48ce3b47ccc 100644 --- a/.github/workflows/smoke-project.lock.yml +++ b/.github/workflows/smoke-project.lock.yml @@ -759,6 +759,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-temporary-id.lock.yml b/.github/workflows/smoke-temporary-id.lock.yml index a889e919452..160c69dffb1 100644 --- a/.github/workflows/smoke-temporary-id.lock.yml +++ b/.github/workflows/smoke-temporary-id.lock.yml @@ -613,6 +613,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-test-tools.lock.yml b/.github/workflows/smoke-test-tools.lock.yml index d1fe125a605..8c4de4d596b 100644 --- a/.github/workflows/smoke-test-tools.lock.yml +++ b/.github/workflows/smoke-test-tools.lock.yml @@ -574,6 +574,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml index 700babd80b9..a81c445403b 100644 --- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml +++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml 
@@ -641,6 +641,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml index 65af434075f..263da3e3279 100644 --- a/.github/workflows/smoke-workflow-call-with-inputs.lock.yml +++ b/.github/workflows/smoke-workflow-call-with-inputs.lock.yml @@ -580,6 +580,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/smoke-workflow-call.lock.yml b/.github/workflows/smoke-workflow-call.lock.yml index 8cfc904acb8..bb109c036ed 100644 --- a/.github/workflows/smoke-workflow-call.lock.yml +++ b/.github/workflows/smoke-workflow-call.lock.yml @@ -564,6 +564,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/stale-repo-identifier.lock.yml b/.github/workflows/stale-repo-identifier.lock.yml index 6b5ce528915..d55eaa1fab6 100644 --- a/.github/workflows/stale-repo-identifier.lock.yml +++ b/.github/workflows/stale-repo-identifier.lock.yml @@ -655,6 +655,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/static-analysis-report.lock.yml b/.github/workflows/static-analysis-report.lock.yml index fc49b60a2a1..08c9be85c88 100644 --- a/.github/workflows/static-analysis-report.lock.yml 
+++ b/.github/workflows/static-analysis-report.lock.yml @@ -597,6 +597,13 @@ jobs: "GITHUB_TOKEN": "$GITHUB_TOKEN", "GITHUB_ACTOR": "$GITHUB_ACTOR", "GITHUB_REPOSITORY": "$GITHUB_REPOSITORY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -619,6 +626,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/step-name-alignment.lock.yml b/.github/workflows/step-name-alignment.lock.yml index a018b1cd3ed..25b21ce7307 100644 --- a/.github/workflows/step-name-alignment.lock.yml +++ b/.github/workflows/step-name-alignment.lock.yml @@ -543,6 +543,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/sub-issue-closer.lock.yml b/.github/workflows/sub-issue-closer.lock.yml index ed08b8cf784..9c98bd33a71 100644 --- a/.github/workflows/sub-issue-closer.lock.yml +++ b/.github/workflows/sub-issue-closer.lock.yml @@ -566,6 +566,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/super-linter.lock.yml b/.github/workflows/super-linter.lock.yml index a68ae2cae9c..35ee50a5b69 100644 --- a/.github/workflows/super-linter.lock.yml +++ b/.github/workflows/super-linter.lock.yml @@ -565,6 +565,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/technical-doc-writer.lock.yml b/.github/workflows/technical-doc-writer.lock.yml index 3a0ecf054da..d3a5f977e0f 100644 --- a/.github/workflows/technical-doc-writer.lock.yml +++ b/.github/workflows/technical-doc-writer.lock.yml @@ -766,6 +766,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "\${GH_AW_MCP_SCRIPTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "safeoutputs": { @@ -773,6 +780,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/terminal-stylist.lock.yml b/.github/workflows/terminal-stylist.lock.yml index 7a124a918b3..2e7bfa54250 100644 --- a/.github/workflows/terminal-stylist.lock.yml +++ b/.github/workflows/terminal-stylist.lock.yml @@ -530,6 +530,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -538,7 +545,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/test-create-pr-error-handling.lock.yml b/.github/workflows/test-create-pr-error-handling.lock.yml index b57e3ecdb7e..40fc238ad38 100644 --- a/.github/workflows/test-create-pr-error-handling.lock.yml +++ b/.github/workflows/test-create-pr-error-handling.lock.yml 
@@ -544,6 +544,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/test-dispatcher.lock.yml b/.github/workflows/test-dispatcher.lock.yml index b21cd36fc91..f0adf4b1b32 100644 --- a/.github/workflows/test-dispatcher.lock.yml +++ b/.github/workflows/test-dispatcher.lock.yml @@ -503,6 +503,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/test-project-url-default.lock.yml b/.github/workflows/test-project-url-default.lock.yml index f96bb1ca330..8985ae1b103 100644 --- a/.github/workflows/test-project-url-default.lock.yml +++ b/.github/workflows/test-project-url-default.lock.yml @@ -568,6 +568,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/tidy.lock.yml b/.github/workflows/tidy.lock.yml index 6d05dc74e54..5282056d555 100644 --- a/.github/workflows/tidy.lock.yml +++ b/.github/workflows/tidy.lock.yml @@ -634,6 +634,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/typist.lock.yml b/.github/workflows/typist.lock.yml index 4a26444c16b..e431140255c 100644 --- a/.github/workflows/typist.lock.yml +++ b/.github/workflows/typist.lock.yml 
@@ -531,6 +531,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "serena": { @@ -547,7 +554,14 @@ jobs: "--project", "\${GITHUB_WORKSPACE}" ], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { diff --git a/.github/workflows/ubuntu-image-analyzer.lock.yml b/.github/workflows/ubuntu-image-analyzer.lock.yml index b3872fc6c4b..b3920dee719 100644 --- a/.github/workflows/ubuntu-image-analyzer.lock.yml +++ b/.github/workflows/ubuntu-image-analyzer.lock.yml @@ -546,6 +546,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/unbloat-docs.lock.yml b/.github/workflows/unbloat-docs.lock.yml index f02cc8a24b6..6ff020d776e 100644 --- a/.github/workflows/unbloat-docs.lock.yml +++ b/.github/workflows/unbloat-docs.lock.yml @@ -785,6 +785,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_MCP_SCRIPTS_PORT", "headers": { "Authorization": "$GH_AW_MCP_SCRIPTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "playwright": { @@ -804,13 +811,27 @@ jobs: "--viewport-size", "1920x1080" ], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "$GH_AW_SAFE_OUTPUTS_API_KEY" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/video-analyzer.lock.yml b/.github/workflows/video-analyzer.lock.yml index 9d993706988..2cd4aa70fc9 100644 --- a/.github/workflows/video-analyzer.lock.yml +++ b/.github/workflows/video-analyzer.lock.yml @@ -547,6 +547,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/weekly-editors-health-check.lock.yml b/.github/workflows/weekly-editors-health-check.lock.yml index dccb22b15cd..93621e5314c 100644 --- a/.github/workflows/weekly-editors-health-check.lock.yml +++ b/.github/workflows/weekly-editors-health-check.lock.yml @@ -550,13 +550,27 @@ jobs: "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox"], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "safeoutputs": { "type": "http", "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/weekly-issue-summary.lock.yml b/.github/workflows/weekly-issue-summary.lock.yml index 58afa091214..48e7087ecd4 100644 --- a/.github/workflows/weekly-issue-summary.lock.yml +++ b/.github/workflows/weekly-issue-summary.lock.yml @@ -577,6 +577,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, 
diff --git a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml index 80e4e61917a..5533c7dcff5 100644 --- a/.github/workflows/weekly-safe-outputs-spec-review.lock.yml +++ b/.github/workflows/weekly-safe-outputs-spec-review.lock.yml @@ -535,6 +535,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/workflow-generator.lock.yml b/.github/workflows/workflow-generator.lock.yml index 9b6ccde817b..86939925451 100644 --- a/.github/workflows/workflow-generator.lock.yml +++ b/.github/workflows/workflow-generator.lock.yml @@ -618,6 +618,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/workflow-health-manager.lock.yml b/.github/workflows/workflow-health-manager.lock.yml index 8a1a7278b60..ccbc8fde8ee 100644 --- a/.github/workflows/workflow-health-manager.lock.yml +++ b/.github/workflows/workflow-health-manager.lock.yml @@ -636,6 +636,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/workflow-normalizer.lock.yml b/.github/workflows/workflow-normalizer.lock.yml index 6584aeab408..6acdfa37150 100644 --- a/.github/workflows/workflow-normalizer.lock.yml +++ b/.github/workflows/workflow-normalizer.lock.yml 
@@ -580,6 +580,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { @@ -603,6 +610,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/.github/workflows/workflow-skill-extractor.lock.yml b/.github/workflows/workflow-skill-extractor.lock.yml index 141a150167d..bf4d67b84ed 100644 --- a/.github/workflows/workflow-skill-extractor.lock.yml +++ b/.github/workflows/workflow-skill-extractor.lock.yml @@ -561,6 +561,13 @@ jobs: "url": "http://host.docker.internal:$GH_AW_SAFE_OUTPUTS_PORT", "headers": { "Authorization": "\${GH_AW_SAFE_OUTPUTS_API_KEY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } } }, diff --git a/pkg/workflow/mcp_config_builtin.go b/pkg/workflow/mcp_config_builtin.go index 0bf99def32e..f894c073f30 100644 --- a/pkg/workflow/mcp_config_builtin.go +++ b/pkg/workflow/mcp_config_builtin.go @@ -144,14 +144,9 @@ func renderSafeOutputsMCPConfigWithOptions(yaml *strings.Builder, isLast bool, i } yaml.WriteString(" }") - // Check if GitHub tool has guard-policies configured + // Check if GitHub tool has guard-policies configured (or auto-lockdown will run) // If so, generate a linked write-sink guard-policy for safeoutputs - var guardPolicies map[string]any - if workflowData != nil && workflowData.Tools != nil { - if githubTool, hasGitHub := workflowData.Tools["github"]; hasGitHub { - guardPolicies = deriveSafeOutputsGuardPolicyFromGitHub(githubTool) - } - } + guardPolicies := deriveWriteSinkGuardPolicyFromWorkflow(workflowData) // Add guard-policies if configured if len(guardPolicies) > 0 { 
diff --git a/pkg/workflow/mcp_config_compilation_test.go b/pkg/workflow/mcp_config_compilation_test.go index abc6cd6c59e..7be8fa5e8c2 100644 --- a/pkg/workflow/mcp_config_compilation_test.go +++ b/pkg/workflow/mcp_config_compilation_test.go @@ -217,9 +217,11 @@ mcp-servers: Test workflow. `, - serverName: `"my-api"`, - expectedContent: []string{`"get_data"`, `"list_items"`}, - unexpectedInServer: []string{`"*"`}, + serverName: `"my-api"`, + expectedContent: []string{`"get_data"`, `"list_items"`}, + // Check that the tools array specifically does not have the wildcard + // (guard-policies accept may still contain "*" at deeper indentation) + unexpectedInServer: []string{"\"tools\": [\n \"*\""}, }, { name: "copilot - stdio mcp server with specific allowed tools", @@ -240,9 +242,11 @@ mcp-servers: Test workflow. `, - serverName: `"my-tool"`, - expectedContent: []string{`"run_query"`, `"fetch_results"`}, - unexpectedInServer: []string{`"*"`}, + serverName: `"my-tool"`, + expectedContent: []string{`"run_query"`, `"fetch_results"`}, + // Check that the tools array specifically does not have the wildcard + // (guard-policies accept may still contain "*" at deeper indentation) + unexpectedInServer: []string{"\"tools\": [\n \"*\""}, }, { name: "copilot - mcp server with no allowed field defaults to wildcard", @@ -285,9 +289,11 @@ mcp-servers: Test workflow. `, - serverName: `"my-api"`, - expectedContent: []string{`"get_data"`, `"list_items"`}, - unexpectedInServer: []string{`"*"`}, + serverName: `"my-api"`, + expectedContent: []string{`"get_data"`, `"list_items"`}, + // Check that the tools array specifically does not have the wildcard + // (guard-policies accept may still contain "*" at deeper indentation) + unexpectedInServer: []string{"\"tools\": [\n \"*\""}, }, { name: "claude - http mcp server with no allowed field has no tools filter", diff --git a/pkg/workflow/mcp_github_config.go b/pkg/workflow/mcp_github_config.go index 630ebf61b1f..e0f2134ff33 100644 
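Review bot: The new `unexpectedInServer` pattern, shown on this page as `"\"tools\": [\n \"*\""`, matches only one exact line-break-and-indent rendering of the tools array, so the negative check passes vacuously if the renderer changes its whitespace or emits the array on a single line. This is the assertion that a server with an explicit allow-list never falls back to the wildcard, and the same pattern is repeated in the hunks at 240 and 285. Decoding the rendered server block and asserting on the `tools` value, or matching it whitespace-insensitively, would keep the check meaningful now that `"*"` legitimately appears under `guard-policies`. The harness that evaluates `unexpectedInServer` is outside these hunks, so a plain substring comparison is assumed.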
--- a/pkg/workflow/mcp_github_config.go +++ b/pkg/workflow/mcp_github_config.go @@ -347,14 +347,38 @@ func transformRepoPattern(pattern string) string { // from the workflow's GitHub guard-policy configuration. This uses the same derivation as // deriveSafeOutputsGuardPolicyFromGitHub, ensuring that as guard policies are rolled out, only // GitHub inputs are filtered while outputs to non-GitHub servers are not restricted. +// +// When no explicit guard policy is configured but automatic lockdown detection would run +// (GitHub tool present and not disabled, no GitHub App configured), a write-sink policy with +// accept=["*"] is returned because automatic lockdown always sets repos=all at runtime. +// // Returns nil when no GitHub guard policies are configured or when workflowData is nil. func deriveWriteSinkGuardPolicyFromWorkflow(workflowData *WorkflowData) map[string]any { if workflowData == nil || workflowData.Tools == nil { return nil } - if githubTool, hasGitHub := workflowData.Tools["github"]; hasGitHub { - return deriveSafeOutputsGuardPolicyFromGitHub(githubTool) + githubTool, hasGitHub := workflowData.Tools["github"] + if !hasGitHub { + return nil + } + + // Try to derive from explicit guard policy first + policy := deriveSafeOutputsGuardPolicyFromGitHub(githubTool) + if policy != nil { + return policy } + + // When no explicit guard policy is configured but automatic lockdown detection would run + // (GitHub tool present and not disabled, no GitHub App configured), return accept=["*"] + // because automatic lockdown always sets repos=all at runtime. + if githubTool != false && len(getGitHubGuardPolicies(githubTool)) == 0 && !hasGitHubApp(githubTool) { + return map[string]any{ + "write-sink": map[string]any{ + "accept": []string{"*"}, + }, + } + } + return nil } diff --git a/pkg/workflow/mcp_renderer_builtin.go b/pkg/workflow/mcp_renderer_builtin.go index 9bef8563614..853d839ef81 100644 --- a/pkg/workflow/mcp_renderer_builtin.go 
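Review bot: The unchanged last doc-comment line, `// Returns nil when no GitHub guard policies are configured or when workflowData is nil.`, is now wrong, because with no guard policies configured the function returns the wildcard write-sink unless the tool is `false` or a GitHub App is set. Suggest `// Returns nil when workflowData or its Tools map is nil, when the github tool is absent or set to false, or when a GitHub App is configured and no explicit policy can be derived.` Separately, the fallback bakes `accept=["*"]` in at compile time on the premise that auto-lockdown always sets repos=all at runtime, and that coupling is recorded only in this comment. If the runtime detection ever resolves to a narrower scope, these sinks would stay wider than the explicit-policy path, which the later test in this series shows can yield `private:owner/repo`. Reusing whatever predicate decides that the lockdown step is emitted would keep the two from drifting; that step is not visible in this patch, so this is a suggestion to verify.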
+++ b/pkg/workflow/mcp_renderer_builtin.go @@ -170,17 +170,13 @@ func (r *MCPConfigRendererUnified) renderSafeOutputsTOML(yaml *strings.Builder, yaml.WriteString(" [mcp_servers." + constants.SafeOutputsMCPServerID.String() + ".headers]\n") yaml.WriteString(" Authorization = \"$GH_AW_SAFE_OUTPUTS_API_KEY\"\n") - // Check if GitHub tool has guard-policies configured + // Check if GitHub tool has guard-policies configured (or auto-lockdown will run) // If so, generate a linked write-sink guard-policy for safeoutputs - if workflowData != nil && workflowData.Tools != nil { - if githubTool, hasGitHub := workflowData.Tools["github"]; hasGitHub { - guardPolicies := deriveSafeOutputsGuardPolicyFromGitHub(githubTool) - if len(guardPolicies) > 0 { - mcpRendererLog.Print("Adding guard-policies to safeoutputs TOML (derived from GitHub guard-policy)") - // Render guard-policies in TOML format - renderGuardPoliciesToml(yaml, guardPolicies, constants.SafeOutputsMCPServerID.String()) - } - } + guardPolicies := deriveWriteSinkGuardPolicyFromWorkflow(workflowData) + if len(guardPolicies) > 0 { + mcpRendererLog.Print("Adding guard-policies to safeoutputs TOML (derived from GitHub guard-policy)") + // Render guard-policies in TOML format + renderGuardPoliciesToml(yaml, guardPolicies, constants.SafeOutputsMCPServerID.String()) } } diff --git a/pkg/workflow/non_github_mcp_guard_policy_test.go b/pkg/workflow/non_github_mcp_guard_policy_test.go index a395349245e..1ccacc456e8 100644 --- a/pkg/workflow/non_github_mcp_guard_policy_test.go +++ b/pkg/workflow/non_github_mcp_guard_policy_test.go @@ -42,7 +42,7 @@ func TestDeriveWriteSinkGuardPolicyFromWorkflow(t *testing.T) { description: "no github tool means no guard policy", }, { - name: "github tool without guard policy", + name: "github tool without guard policy (auto-lockdown)", workflowData: &WorkflowData{ Tools: map[string]any{ "github": map[string]any{ 
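Review bot: The log line `mcpRendererLog.Print("Adding guard-policies to safeoutputs TOML (derived from GitHub guard-policy)")` now also fires when the policy comes from the auto-lockdown fallback, where no GitHub guard-policy exists. Anyone reading compiler logs to find out why safeoutputs received `accept = ["*"]` would be pointed at a configuration that is not there. A message such as `"Adding guard-policies to safeoutputs TOML (from GitHub guard-policy or auto-lockdown default)"` keeps it accurate. renderSafeOutputsTOML starts before this hunk, and whether the JSON path in mcp_config_builtin.go logs similarly is not visible in its hunk.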
@@ -50,8 +50,20 @@ func TestDeriveWriteSinkGuardPolicyFromWorkflow(t *testing.T) { }, }, }, - expectNil: true, - description: "github tool without repos/min-integrity has no guard policy", + expectNil: false, + expectedKey: "write-sink", + description: "github tool without repos/min-integrity triggers auto-lockdown which sets accept=[*]", + }, + { + name: "github tool with nil value (auto-lockdown)", + workflowData: &WorkflowData{ + Tools: map[string]any{ + "github": nil, + }, + }, + expectNil: false, + expectedKey: "write-sink", + description: "github tool with nil value triggers auto-lockdown which sets accept=[*]", }, { name: "github tool with repos=all", @@ -366,9 +378,10 @@ func TestAllNonGitHubMCPServersGetGuardPoliciesViaRenderer(t *testing.T) { }) } -// TestNonGitHubMCPServersNoGuardPoliciesWhenGitHubNotConfigured verifies that servers -// do not get guard policies when the GitHub tool has no guard policy configured -func TestNonGitHubMCPServersNoGuardPoliciesWhenGitHubNotConfigured(t *testing.T) { +// TestNonGitHubMCPServersGetGuardPoliciesFromAutoLockdown verifies that non-GitHub MCP servers +// get write-sink: {accept: ["*"]} guard policies when the GitHub tool is configured without +// explicit guard policies (auto-lockdown detection will set repos=all at runtime) +func TestNonGitHubMCPServersGetGuardPoliciesFromAutoLockdown(t *testing.T) { workflowData := &WorkflowData{ Tools: map[string]any{ "github": map[string]any{ 
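Review bot: The added table cases cover a map-valued and a nil `github` entry, but none of them exercises `"github": false`, which is the only input the new `githubTool != false` guard exists for. That guard is what stops a disabled GitHub tool from handing every other MCP server a wildcard write-sink, so a case such as `Tools: map[string]any{"github": false}` with `expectNil: true` would pin it. The rest of the table is outside the hunk, so an existing case may already cover this.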
@@ -379,9 +392,16 @@ func TestNonGitHubMCPServersNoGuardPoliciesWhenGitHubNotConfigured(t *testing.T) } policies := deriveWriteSinkGuardPolicyFromWorkflow(workflowData) - assert.Nil(t, policies, "no guard policies when GitHub has no guard policy configured") + require.NotNil(t, policies, "guard policies should be derived when GitHub tool triggers auto-lockdown") - // Verify playwright JSON rendering has no guard-policies + expectedPolicies := map[string]any{ + "write-sink": map[string]any{ + "accept": []string{"*"}, + }, + } + assert.Equal(t, expectedPolicies, policies, "auto-lockdown should produce write-sink with accept=*") + + // Verify playwright JSON rendering has guard-policies var output strings.Builder renderer := NewMCPConfigRenderer(MCPRendererOptions{ Format: "json", 
@@ -389,7 +409,27 @@ func TestNonGitHubMCPServersNoGuardPoliciesWhenGitHubNotConfigured(t *testing.T) WriteSinkGuardPolicies: policies, }) renderer.RenderPlaywrightMCP(&output, nil) - assert.NotContains(t, output.String(), "guard-policies", "playwright should not have guard-policies when GitHub has no guard policy") + assert.Contains(t, output.String(), "guard-policies", "playwright should have guard-policies when auto-lockdown is active") +} + +// TestNonGitHubMCPServersNoGuardPoliciesWithGitHubApp verifies that non-GitHub MCP servers +// do NOT get write-sink guard policies when a GitHub App is configured. +// GitHub App tokens are already repo-scoped, so auto-lockdown detection is skipped. +func TestNonGitHubMCPServersNoGuardPoliciesWithGitHubApp(t *testing.T) { + workflowData := &WorkflowData{ + Tools: map[string]any{ + "github": map[string]any{ + "toolsets": []string{"default"}, + "github-app": map[string]any{ + "app-id": "12345", + }, + }, + "playwright": nil, + }, + } + + policies := deriveWriteSinkGuardPolicyFromWorkflow(workflowData) + assert.Nil(t, policies, "no guard policies when GitHub App is configured (auto-lockdown is skipped)") } // TestNonGitHubMCPServersGetGuardPoliciesWhenGitHubConfigured verifies the end-to-end flow: diff --git a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden index 909b2ee96df..1cbefe01348 100644 --- a/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden +++ b/pkg/workflow/testdata/wasm_golden/TestWasmGolden_CompileFixtures/smoke-copilot.golden @@ -467,6 +467,13 @@ jobs: "GITHUB_TOKEN": "\${GITHUB_TOKEN}", "GITHUB_ACTOR": "\${GITHUB_ACTOR}", "GITHUB_REPOSITORY": "\${GITHUB_REPOSITORY}" + }, + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } } }, "github": { 
@@ -490,7 +497,14 @@ jobs: "container": "mcr.microsoft.com/playwright/mcp", "args": ["--init", "--network", "host", "--security-opt", "seccomp=unconfined", "--ipc=host"], "entrypointArgs": ["--output-dir", "/tmp/gh-aw/mcp-logs/playwright", "--no-sandbox"], - "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"] + "mounts": ["/tmp/gh-aw/mcp-logs:/tmp/gh-aw/mcp-logs:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } }, "serena": { "type": "stdio", @@ -498,7 +512,14 @@ jobs: "args": ["--network", "host"], "entrypoint": "serena", "entrypointArgs": ["start-mcp-server", "--context", "codex", "--project", "\${GITHUB_WORKSPACE}"], - "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"] + "mounts": ["\${GITHUB_WORKSPACE}:\${GITHUB_WORKSPACE}:rw"], + "guard-policies": { + "write-sink": { + "accept": [ + "*" + ] + } + } } }, "gateway": { From 485e6993115c02a1031b1213f47d5a868a797139 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Mar 2026 06:04:46 +0000 Subject: [PATCH 3/5] test: add TestAllNonGitHubMCPServersGetWriteSinkWhenGitHubHasAllowOnly for explicit allow-only guard policies Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- .../non_github_mcp_guard_policy_test.go | 140 ++++++++++++++++++ 1 file changed, 140 insertions(+) diff --git a/pkg/workflow/non_github_mcp_guard_policy_test.go b/pkg/workflow/non_github_mcp_guard_policy_test.go index 1ccacc456e8..c81aa68b0c4 100644 --- a/pkg/workflow/non_github_mcp_guard_policy_test.go +++ b/pkg/workflow/non_github_mcp_guard_policy_test.go 
@@ -432,6 +432,146 @@ func TestNonGitHubMCPServersNoGuardPoliciesWithGitHubApp(t *testing.T) { assert.Nil(t, policies, "no guard policies when GitHub App is configured (auto-lockdown is skipped)") } +// TestAllNonGitHubMCPServersGetWriteSinkWhenGitHubHasAllowOnly verifies that when the GitHub +// MCP server has an explicit allow-only guard-policy configured (repos + min-integrity), +// ALL non-GitHub MCP server types receive a corresponding write-sink guard-policy via +// the MCPConfigRendererUnified. +func TestAllNonGitHubMCPServersGetWriteSinkWhenGitHubHasAllowOnly(t *testing.T) { + tests := []struct { + name string + githubConfig map[string]any + expectedAccept []string + description string + }{ + { + name: "repos=all min-integrity=none", + githubConfig: map[string]any{ + "repos": "all", + "min-integrity": "none", + }, + expectedAccept: []string{"*"}, + description: "repos=all should produce accept=[*]", + }, + { + name: "repos=public min-integrity=approved", + githubConfig: map[string]any{ + "repos": "public", + "min-integrity": "approved", + }, + expectedAccept: []string{"*"}, + description: "repos=public should produce accept=[*]", + }, + { + name: "repos=specific-repo min-integrity=approved", + githubConfig: map[string]any{ + "repos": "myorg/myrepo", + "min-integrity": "approved", + }, + expectedAccept: []string{"private:myorg/myrepo"}, + description: "specific repo should produce accept=[private:myorg/myrepo]", + }, + { + name: "repos=owner-wildcard min-integrity=merged", + githubConfig: map[string]any{ + "repos": "myorg/*", + "min-integrity": "merged", + }, + expectedAccept: []string{"private:myorg"}, + description: "owner/* should produce accept=[private:myorg]", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + workflowData := &WorkflowData{ + Tools: map[string]any{ + "github": tt.githubConfig, + "playwright": nil, + "serena": nil, + "agentic-workflows": nil, + "web-fetch": nil, + }, + } + + // Derive write-sink guard 
policies from the configured allow-only GitHub guard policy + policies := deriveWriteSinkGuardPolicyFromWorkflow(workflowData) + require.NotNil(t, policies, "write-sink guard policies should be derived when GitHub has allow-only policy: %s", tt.description) + + writeSink, ok := policies["write-sink"].(map[string]any) + require.True(t, ok, "write-sink should be a map: %s", tt.description) + assert.Equal(t, tt.expectedAccept, writeSink["accept"], "accept list should match: %s", tt.description) + + // Verify every non-GitHub MCP server type gets the guard policies via the renderer + serverChecks := []struct { + serverName string + render func(*strings.Builder, *MCPConfigRendererUnified) + }{ + { + serverName: "playwright", + render: func(out *strings.Builder, r *MCPConfigRendererUnified) { + r.RenderPlaywrightMCP(out, nil) + }, + }, + { + serverName: "serena", + render: func(out *strings.Builder, r *MCPConfigRendererUnified) { + r.RenderSerenaMCP(out, nil) + }, + }, + { + serverName: "agentic-workflows", + render: func(out *strings.Builder, r *MCPConfigRendererUnified) { + r.RenderAgenticWorkflowsMCP(out) + }, + }, + { + serverName: "mcp-scripts", + render: func(out *strings.Builder, r *MCPConfigRendererUnified) { + mcpScripts := &MCPScriptsConfig{} + r.RenderMCPScriptsMCP(out, mcpScripts, workflowData) + }, + }, + { + serverName: "safe-outputs", + render: func(out *strings.Builder, r *MCPConfigRendererUnified) { + r.RenderSafeOutputsMCP(out, workflowData) + }, + }, + } + + for _, check := range serverChecks { + t.Run(check.serverName+" JSON", func(t *testing.T) { + renderer := NewMCPConfigRenderer(MCPRendererOptions{ + Format: "json", + IsLast: true, + WriteSinkGuardPolicies: policies, + }) + var output strings.Builder + check.render(&output, renderer) + result := output.String() + assert.Contains(t, result, "\"guard-policies\"", + "%s should have guard-policies when GitHub has allow-only policy: %s", check.serverName, tt.description) + assert.Contains(t, result, 
"\"write-sink\"", + "%s should have write-sink policy: %s", check.serverName, tt.description) + assert.Contains(t, result, "\"accept\"", + "%s should have accept field: %s", check.serverName, tt.description) + }) + } + + // Also test web-fetch (has its own render function) + t.Run("web-fetch JSON", func(t *testing.T) { + var output strings.Builder + renderMCPFetchServerConfig(&output, "json", " ", true, false, policies) + result := output.String() + assert.Contains(t, result, "\"guard-policies\"", + "web-fetch should have guard-policies when GitHub has allow-only policy: %s", tt.description) + assert.Contains(t, result, "\"write-sink\"", + "web-fetch should have write-sink policy: %s", tt.description) + }) + }) + } +} + // TestNonGitHubMCPServersGetGuardPoliciesWhenGitHubConfigured verifies the end-to-end flow: // when GitHub has repos=all, all non-GitHub MCP servers get write-sink: {accept: ["*"]} func TestNonGitHubMCPServersGetGuardPoliciesWhenGitHubConfigured(t *testing.T) { From 78f43de6db1ab47ca7145be13d54d0437a795298 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Mar 2026 06:12:07 +0000 Subject: [PATCH 4/5] fix: update docstring and log messages for deriveWriteSinkGuardPolicyFromWorkflow auto-lockdown case Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- pkg/workflow/mcp_config_builtin.go | 2 +- pkg/workflow/mcp_github_config.go | 12 ++++++++---- pkg/workflow/mcp_renderer_builtin.go | 2 +- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/pkg/workflow/mcp_config_builtin.go b/pkg/workflow/mcp_config_builtin.go index f894c073f30..35e7500619c 100644 --- a/pkg/workflow/mcp_config_builtin.go +++ b/pkg/workflow/mcp_config_builtin.go 
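Review bot: The per-server subtests in TestAllNonGitHubMCPServersGetWriteSinkWhenGitHubHasAllowOnly assert only that the keys `"guard-policies"`, `"write-sink"` and `"accept"` appear in the rendered output, never that the rendered accept values equal `tt.expectedAccept`. A renderer that emitted `"*"` for the `myorg/myrepo` or `myorg/*` cases would still pass, which is the scope-widening regression this table should catch. Inside each subtest I would add `for _, want := range tt.expectedAccept { assert.Contains(t, result, "\""+want+"\"") }`, and the same for the web-fetch subtest. All renders use `Format: "json"`, so the TOML path is not exercised by this test.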
@@ -150,7 +150,7 @@ func renderSafeOutputsMCPConfigWithOptions(yaml *strings.Builder, isLast bool, i // Add guard-policies if configured if len(guardPolicies) > 0 { - mcpBuiltinLog.Print("Adding guard-policies to safeoutputs (derived from GitHub guard-policy)") + mcpBuiltinLog.Print("Adding guard-policies to safeoutputs (derived from GitHub guard-policy or auto-lockdown detection)") yaml.WriteString(",\n") renderGuardPoliciesJSON(yaml, guardPolicies, " ") } else { diff --git a/pkg/workflow/mcp_github_config.go b/pkg/workflow/mcp_github_config.go index e0f2134ff33..5d90afafa07 100644 --- a/pkg/workflow/mcp_github_config.go +++ b/pkg/workflow/mcp_github_config.go 
@@ -348,11 +348,15 @@ func transformRepoPattern(pattern string) string {
 // deriveSafeOutputsGuardPolicyFromGitHub, ensuring that as guard policies are rolled out, only
 // GitHub inputs are filtered while outputs to non-GitHub servers are not restricted.
 //
-// When no explicit guard policy is configured but automatic lockdown detection would run
-// (GitHub tool present and not disabled, no GitHub App configured), a write-sink policy with
-// accept=["*"] is returned because automatic lockdown always sets repos=all at runtime.
+// Two cases produce a non-nil policy:
+// 1. Explicit guard policy — when repos/min-integrity are set on the GitHub tool, a write-sink
+// policy is derived from those settings (e.g. "private:myorg/myrepo").
+// 2. Auto-lockdown — when the GitHub tool is present without explicit guard policies and without
+// a GitHub App configured, auto-lockdown detection will set repos=all at runtime, so a
+// write-sink policy with accept=["*"] is returned to match that runtime behaviour.
 //
-// Returns nil when no GitHub guard policies are configured or when workflowData is nil.
+// Returns nil when workflowData is nil, when no GitHub tool is present, or when a GitHub App is
+// configured (auto-lockdown is skipped for GitHub App tokens, which are already repo-scoped).
 func deriveWriteSinkGuardPolicyFromWorkflow(workflowData *WorkflowData) map[string]any {
 if workflowData == nil || workflowData.Tools == nil {
 return nil
diff --git a/pkg/workflow/mcp_renderer_builtin.go b/pkg/workflow/mcp_renderer_builtin.go
index 853d839ef81..98c15a99e24 100644
--- a/pkg/workflow/mcp_renderer_builtin.go
+++ b/pkg/workflow/mcp_renderer_builtin.go
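Review bot: The rewritten docstring for deriveWriteSinkGuardPolicyFromWorkflow drops the "not disabled" condition that the removed text stated. Its final sentence also reads as if a configured GitHub App always yields nil, including when case 1 (explicit repos/min-integrity) applies. This comment decides whether non-GitHub servers get an `accept=["*"]` write-sink, so both conditions should be spelled out. Assuming the body (which continues outside this hunk) behaves that way, I would word it as `// Returns nil when workflowData is nil, when the GitHub tool is absent or disabled, or when a GitHub App is configured and no explicit guard policy is set.`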
@@ -174,7 +174,7 @@ func (r *MCPConfigRendererUnified) renderSafeOutputsTOML(yaml *strings.Builder, // If so, generate a linked write-sink guard-policy for safeoutputs guardPolicies := deriveWriteSinkGuardPolicyFromWorkflow(workflowData) if len(guardPolicies) > 0 { - mcpRendererLog.Print("Adding guard-policies to safeoutputs TOML (derived from GitHub guard-policy)") + mcpRendererLog.Print("Adding guard-policies to safeoutputs TOML (derived from GitHub guard-policy or auto-lockdown detection)") // Render guard-policies in TOML format renderGuardPoliciesToml(yaml, guardPolicies, constants.SafeOutputsMCPServerID.String()) } From 2543fd9b52227e4dd1eff16ac9becd4a16308cb2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 17 Mar 2026 06:19:03 +0000 Subject: [PATCH 5/5] fix: replace whitespace-sensitive unexpectedInServer checks with regex patterns Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com> --- pkg/workflow/mcp_config_compilation_test.go | 31 ++++++++++++--------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/pkg/workflow/mcp_config_compilation_test.go b/pkg/workflow/mcp_config_compilation_test.go index 7be8fa5e8c2..e917d5dc9c9 100644 --- a/pkg/workflow/mcp_config_compilation_test.go +++ b/pkg/workflow/mcp_config_compilation_test.go @@ -4,6 +4,7 @@ package workflow import ( "os" + "regexp" "strings" "testing" ) 
@@ -219,9 +220,9 @@ Test workflow. `, serverName: `"my-api"`, expectedContent: []string{`"get_data"`, `"list_items"`}, - // Check that the tools array specifically does not have the wildcard - // (guard-policies accept may still contain "*" at deeper indentation) - unexpectedInServer: []string{"\"tools\": [\n \"*\""}, + // Regex: "tools" key whose value array starts with "*" (ignores whitespace/indentation). + // guard-policies "accept": ["*"] has a different key, so it is never matched. + unexpectedInServer: []string{`"tools"\s*:\s*\[\s*"\*"`}, }, { name: "copilot - stdio mcp server with specific allowed tools", @@ -244,9 +245,9 @@ Test workflow. `, serverName: `"my-tool"`, expectedContent: []string{`"run_query"`, `"fetch_results"`}, - // Check that the tools array specifically does not have the wildcard - // (guard-policies accept may still contain "*" at deeper indentation) - unexpectedInServer: []string{"\"tools\": [\n \"*\""}, + // Regex: "tools" key whose value array starts with "*" (ignores whitespace/indentation). + // guard-policies "accept": ["*"] has a different key, so it is never matched. + unexpectedInServer: []string{`"tools"\s*:\s*\[\s*"\*"`}, }, { name: "copilot - mcp server with no allowed field defaults to wildcard", @@ -291,9 +292,9 @@ Test workflow. `, serverName: `"my-api"`, expectedContent: []string{`"get_data"`, `"list_items"`}, - // Check that the tools array specifically does not have the wildcard - // (guard-policies accept may still contain "*" at deeper indentation) - unexpectedInServer: []string{"\"tools\": [\n \"*\""}, + // Regex: "tools" key whose value array starts with "*" (ignores whitespace/indentation). + // guard-policies "accept": ["*"] has a different key, so it is never matched. + unexpectedInServer: []string{`"tools"\s*:\s*\[\s*"\*"`}, }, { name: "claude - http mcp server with no allowed field has no tools filter", 
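Review bot: The new pattern `"tools"\s*:\s*\[\s*"\*"` only matches when the wildcard is the first element of the tools array, so a rendered `"tools": ["get_data", "*"]` would not be flagged. The same pattern is used in all three hunks on this line (-219, -244 and -291). These cases guard that an explicit allowed-tools list is not widened to a wildcard, so I would match it anywhere inside the array with `"tools"\s*:\s*\[[^\]]*"\*"`. That form stops at the first `]` and so still cannot reach the guard-policies `"accept": ["*"]`. The comment should then say "contains" rather than "starts with".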
@@ -361,10 +362,14 @@ Test workflow. } } - for _, content := range tt.unexpectedInServer { - if strings.Contains(serverBlock, content) { - t.Errorf("Unexpected %q found in server block for %s.\nServer block:\n%s", - content, tt.serverName, serverBlock) + for _, pattern := range tt.unexpectedInServer { + matched, err := regexp.MatchString(pattern, serverBlock) + if err != nil { + t.Fatalf("Invalid regex pattern %q: %v", pattern, err) + } + if matched { + t.Errorf("Unexpected pattern %q matched in server block for %s.\nServer block:\n%s", + pattern, tt.serverName, serverBlock) } } })
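Review bot: Every entry of `unexpectedInServer` is now interpreted as a regular expression, while `expectedContent` stays a literal substring check and the field name gives no hint of the difference. Table entries outside these hunks that were written as literals and contain `[`, `*` or `.` may still compile but would match something different, and the `t.Fatalf` branch only catches patterns that fail to compile. I would rename the field to `unexpectedPatternsInServer`, or wrap literal entries in `regexp.QuoteMeta`, and note the semantics in a comment on the struct field. The loop sits inside a subtest closure that starts outside this hunk.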