
feat(spec): add bots field to GitHub MCP Access Control Specification#21734

Closed
Copilot wants to merge 2 commits into main from copilot/update-mcp-gateway-specification-again

Conversation

Contributor

Copilot AI commented Mar 19, 2026

The GitHub MCP Server Access Control Specification lacked a way to grant bot accounts team-member-level access, forcing all actors through the roles permission check even for trusted automation bots.

Changes

scratchpad/github-mcp-access-control-specification.md — bumped to v1.1.0

  • Section 4.4.4 (new): Defines bots?: string[] — bot identifiers that bypass the roles check while repos and private-repos constraints still apply. Accepts both dependabot[bot] and dependabot forms (case-insensitive).
  • Section 4.5: Updated evaluation order — bot identity check inserted before roles check (step 4).
  • Section 4.6.3–4.6.5: Type validation for bots (must be string[]); new Section 4.6.5 for bot identifier validation rules.
  • Section 9.2: Middleware diagram updated to include bot identity check step.
  • Sections 9.3 & 9.4: Schema extension and frontmatter→gateway config examples updated.
  • Section 10: Added compliance tests T-GH-11–013 (validation) and T-GH-27–032 (bypass behavior).
  • Appendix A.12 (new): Example configuration for bot team members.

Example

tools:
  github:
    mode: "remote"
    toolsets: [repos, issues, pull_requests]
    repos:
      - "myorg/*"
    roles:
      - "write"
      - "admin"
    bots:
      - "dependabot[bot]"   # bypasses roles check; repos/private-repos still enforced
      - "renovate[bot]"
    private-repos: true
Original prompt

Update the MCP gateway specification:

The github configuration should allow to specify a list of bots that are considered team members. (bots?: string[])

Custom agent used: w3c-specification-writer
AI technical specification writer following W3C conventions and best practices for formal specifications

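The bullet list above describes the behaviour the specification change introduces (bots bypass the `roles` check, `repos` and `private-repos` still apply, the bot check runs before the roles check, `bots` is validated as `string[]`, and `dependabot[bot]`/`dependabot` are accepted case-insensitively) but the PR does not include an evaluator. The following is an added reference implementation written for this page; it is not code from the PR, from the specification, or from the gh-aw project. The actor record shape, the position of the `repos` and `private-repos` checks relative to each other, the glob matching of `repos` patterns, the non-empty identifier rule, and the extra requirement that the account actually be a bot account (a defensive check the PR text does not mention) are all assumptions.

```python
"""Reference evaluator for the `tools.github` access-control fields
(`repos`, `private-repos`, `roles`, and the new `bots` list).

Added example for this page; not the project's own code. Everything beyond
"bot identity check before roles check; repos/private-repos still enforced;
bots is string[]; dependabot[bot] and dependabot match case-insensitively"
is an assumption made for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Any, Dict, List, Optional


class ConfigError(ValueError):
    """Raised when the github tool configuration fails type validation."""


def normalize_bot_id(identifier: str) -> str:
    """Canonical form of a bot identifier: lower-cased with an optional
    trailing "[bot]" suffix removed, so "dependabot[bot]", "Dependabot"
    and "DEPENDABOT[BOT]" all compare equal."""
    ident = identifier.strip().lower()
    if ident.endswith("[bot]"):
        ident = ident[: -len("[bot]")]
    return ident


def validate_bots(value: Any) -> List[str]:
    """Type validation for `bots`: it must be a list of strings (string[]).
    The non-empty identifier rule is an assumption, not from the PR."""
    if value is None:
        return []
    if not isinstance(value, list) or not all(isinstance(b, str) for b in value):
        raise ConfigError("bots must be a list of strings (string[])")
    ids = [normalize_bot_id(b) for b in value]
    if any(not b for b in ids):
        raise ConfigError("bot identifiers must be non-empty")
    return ids


@dataclass
class GithubToolConfig:
    repos: List[str]
    roles: List[str]
    bots: List[str]          # stored in normalized form
    private_repos: bool

    @classmethod
    def from_yaml_dict(cls, raw: Dict[str, Any]) -> "GithubToolConfig":
        """Build from the `tools.github` mapping, keys as in the PR's example."""
        return cls(
            repos=list(raw.get("repos", [])),
            roles=[r.lower() for r in raw.get("roles", [])],
            bots=validate_bots(raw.get("bots")),
            private_repos=bool(raw.get("private-repos", False)),
        )


@dataclass
class Actor:
    login: str
    role: Optional[str]      # actor's permission on the repo, e.g. "write"; None if none
    is_bot: bool = False     # hypothetical: whether the account is a GitHub App bot


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(cfg: GithubToolConfig, actor: Actor, repo: str, private: bool) -> Decision:
    """Evaluate one request by `actor` against `repo` (an "owner/name" string)."""
    # `repos` constraint applies to everyone, listed bots included.
    if not any(fnmatchcase(repo, pattern) for pattern in cfg.repos):
        return Decision(False, "repository not in repos allow-list")
    # `private-repos` constraint also applies to everyone, listed bots included.
    if private and not cfg.private_repos:
        return Decision(False, "private repositories not permitted")
    # Bot identity check, placed before the roles check as the PR describes.
    # Requiring `is_bot` is an added defensive assumption so that a human
    # login spelled like a listed bot does not inherit the bypass.
    if actor.is_bot and normalize_bot_id(actor.login) in cfg.bots:
        return Decision(True, "bot listed in bots: treated as team member")
    # Roles check for every other actor.
    if actor.role is not None and actor.role.lower() in cfg.roles:
        return Decision(True, f"role {actor.role!r} permitted by roles")
    return Decision(False, "actor role not in roles")


# The PR's own example configuration, transcribed into a dict.
EXAMPLE_CONFIG: Dict[str, Any] = {
    "mode": "remote",
    "toolsets": ["repos", "issues", "pull_requests"],
    "repos": ["myorg/*"],
    "roles": ["write", "admin"],
    "bots": ["dependabot[bot]", "renovate[bot]"],
    "private-repos": True,
}

if __name__ == "__main__":
    cfg = GithubToolConfig.from_yaml_dict(EXAMPLE_CONFIG)
    print(evaluate(cfg, Actor("dependabot[bot]", None, is_bot=True), "myorg/app", True))
    print(evaluate(cfg, Actor("renovate[bot]", None, is_bot=True), "otherorg/app", False))
    print(evaluate(cfg, Actor("octocat", "read"), "myorg/app", False))
```

The point worth checking against any real implementation is the second and third branch order: a listed bot on a repository outside `repos`, or on a private repository when `private-repos` is false, must still be denied, because the bypass covers only the `roles` step.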

Add `bots?: string[]` to the `tools.github` configuration in the
GitHub MCP Server Access Control Specification. Listed bots are treated
as team members, bypassing the `roles` permission check while `repos`
and `private-repos` constraints still apply.

- Add Section 4.4.4 describing the new `bots` field
- Update Section 4.5 evaluation order to include bot bypass
- Add Section 4.6.5 bot identifier validation rules
- Update Section 9.2 middleware diagram, 9.3/9.4 schema examples
- Add compliance tests T-GH-11–013 and T-GH-27–032
- Add Appendix A.12 bot team members configuration example
- Bump spec version to 1.1.0

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Update MCP gateway specification for team member bots feat(spec): add bots field to GitHub MCP Access Control Specification Mar 19, 2026
Copilot AI requested a review from pelikhan March 19, 2026 04:55
@pelikhan pelikhan closed this Mar 19, 2026
