fix: pass GITHUB_REPOSITORY as --repo in MCP logs and audit tools to avoid git dependency

[Copilot]

The gh aw logs MCP tool fails in the audit-workflows sandbox with unable to find git executable in PATH because gh run list falls back to git to detect the base repo when --repo is not provided.

GITHUB_REPOSITORY is already forwarded to the MCP server container via env_vars in the agentic-workflows config — it just wasn't being used.

Changes

• registerLogsTool: reads GITHUB_REPOSITORY and appends --repo <owner/repo> to the gh aw logs subprocess args, bypassing the git-based repo detection in gh run list
• registerAuditTool: same fix; safe because the audit command ignores --repo when owner/repo is already embedded in a URL input
• Tests: two new unit tests (TestLogsToolPassesGithubRepositoryAsRepoFlag, TestAuditToolPassesGithubRepositoryAsRepoFlag) using mcp.NewInMemoryTransports() with a mock execCmd that captures subprocess args

// In registerLogsTool and registerAuditTool, after building other cmdArgs:
if repo := os.Getenv("GITHUB_REPOSITORY"); repo != "" {
    cmdArgs = append(cmdArgs, "--repo", repo)
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• https://api.github.com/graphql
  • Triggering command: /usr/bin/gh /usr/bin/gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /usr/bin/git 8078043/b252/_pkgit 8078043/b007/imprev-parse 8078043/b252=> git (http block)
• https://api.github.com/orgs/test-owner/actions/secrets
  • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE _modules/.bin/no-lang=go1.25 GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
  • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq .object.sha --show-toplevel x_amd64/link /usr/bin/gh -json irent.go 64/pkg/tool/linu--show-toplevel gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts /usr/bin/git .artifacts[].namgit GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v3
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq .object.sha --show-toplevel /tmp/go-build2588078043/b249/embedcfg /usr/bin/git -json GO111MODULE 64/bin/go git -C /home/REDACTED/work/gh-aw/gh-aw/.github/workflows rev-parse /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/checkout/git/ref/tags/v5
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha ortcfg 4Gx5UXvR1 x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env ortcfg GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE 8078043/b078/ GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/compile /usr/bin/git g_.a GO111MODULE 64/pkg/tool/linu--show-toplevel git rev-�� --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git 96/001/test-simpgit PumV21ljR ache/go/1.25.8/x--show-toplevel git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq .object.sha --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linuupstream /usr/bin/git /tmp/go-build258git -trimpath /opt/hostedtoolc--show-toplevel git rev-�� --show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet /usr/bin/git -bool -buildtags /usr/bin/git git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v8
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq .object.sha --show-toplevel ache/go/1.25.8/x64/pkg/tool/linu--jq /usr/bin/git 3JNRREtYX GO111MODULE ache/go/1.25.8/x/tmp/gh-aw/aw-master.patch git rev-�� --show-toplevel ache/go/1.25.8/x^remote\..*\.gh-resolved$ /usr/bin/git 8078043/b168/_pkgit rg/x/text@v0.36.rev-parse ache/go/1.25.8/x--show-toplevel git (http block)
• https://api.github.com/repos/actions/github-script/git/ref/tags/v9
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha -goversion go1.25.8 -c=4 -nolocalimports -importcfg /tmp/go-build2588078043/b222/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha -json sonrpc2/conn.go es/.bin/node GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq .object.sha -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go ode_�� -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq .object.sha --get remote.origin.url /usr/bin/git 35/001 GO111MODULE x_amd64/vet git rev-�� --git-dir x_amd64/vet /opt/hostedtoolcache/node/24.14.1/x64/bin/node .js' --ignore-pagit GO111MODULE 64/pkg/tool/linu--show-toplevel /opt/hostedtoolcache/node/24.14.1/x64/bin/node (http block)
• https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq .object.sha add origin /usr/bin/git 677305/001 GO111MODULE ache/go/1.25.8/x--show-toplevel git rev-�� --show-toplevel go /opt/hostedtoolcache/node/24.14.1/x64/bin/node .js' --ignore-pagit GO111MODULE 64/pkg/tool/linu--show-toplevel node (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq .object.sha -test.paniconexit0 -test.v=true /usr/bin/infocmp -test.timeout=10git -test.run=^Test -test.short=true--show-toplevel infocmp -1 r-test3382308239/existing.md -pack 4935403/b431/vet.cfg -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v7
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha 5937-41276/test-test-logs/run-1 rg/x/text@v0.36.0/internal/tag/tag.go ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE hlite 8078043/b013/sym--show-toplevel ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile /hom�� /ref/tags/v9 _zAe/m6K4S-499xrKjIdi_zAe 8078043/b241=> **/*.json t/internal/langurev-parse ../../../.pretti--show-toplevel /opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linu-tests (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha 8078043/b170/_pkg_.a --check verutil.test **/*.ts 8078043/b011/memrev-parse ache/go/1.25.8/x--show-toplevel verutil.test 6249�� 4935403/b405/_pkg_.a i3Dw/UIwGdW4V3M93Js0Ri3Dw e/git tierignore b/gh-aw/pkg/consrev-parse 64/bin/go e/git (http block)
  • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v7 --jq .object.sha 5937-41276/test-3291995582 g/logger/logger.go (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq .object.sha --get remote.origin.url /usr/bin/git rity3218696345/0git GO111MODULE 1/x64/bin/sh git rev-�� --show-toplevel r_wasm.s 4935403/b451/vet.cfg .js' --ignore-pagit GO111MODULE 64/pkg/tool/linu--show-toplevel git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq .object.sha --show-toplevel eDvIxLANZ0cGFI5vTWRl/eDvIxLANZ0cGFI5vTWRl ache/node/24.14.1/x64/bin/node -goversion go1.25.8 -c=4 git t-31�� bility_SameInputSameOutput3347992651/001/stability-test.md -pack /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq .object.sha --show-toplevel 78ByPuFdRyAS-MkVro-o/78ByPuFdRyAS-MkVro-o /usr/bin/git -goversion go1.25.8 -c=4 git rev-�� ithub-script/git/ref/tags/v9 -pack /usr/bin/git -json GO111MODULE 64/bin/go git (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a h00yucQ7c 64/pkg/tool/linux_amd64/vet GOINSECURE a20poly1305 GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 0/internal/tag/tag.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile k/gh�� g_.a KjIdi_zAe ache/go/1.25.8/x64/pkg/tool/linu-nilfunc GOINSECURE age erignore ache/go/1.25.8/x64/pkg/tool/linu-tests (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name rotocol/go-sdk@v1.5.0/internal/util/net.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env ithub/workflows Cy4PJHJpH x_amd64/link GOINSECURE GOMOD GOMODCACHE x_amd64/link (http block)
  • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 816254005 6D-KwQuTc 64/pkg/tool/linux_amd64/link GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/link (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env ithub/workflows o 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a Fs27lbYse 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 4184344471 GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/asm GOINSECURE GOMOD abis 64/src/reflect/asm_wasm.s (http block)
  • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 0/internal/stringset/set.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD abis 64/pkg/tool/linux_amd64/compile 64/s�� g_.a sNGC5r73k ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD erignore ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linuTest User env 4184344471 hOYFQ3cxW ache/go/1.25.8/x64/pkg/tool/linux_amd64/cgo GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linu-test.v=true (http block)
  • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 rotocol/go-sdk@v-nolocalimports 64/pkg/tool/linu-importcfg GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linu/home/REDACTED/work/gh-aw/gh-aw/pkg/typeutil/convert_test.go k/gh�� 1678717675/.github/workflows LamLkoYmy k GOINSECURE GOMOD erignore ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env 4184344471 06SIChxms 64/pkg/tool/linux_amd64/vet GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/vet (http block)
  • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 0/internal/language/common.go 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile k/gh�� g_.a GO111MODULE ache/go/1.25.8/x64/pkg/tool/linu-lang=go1.25 GOINSECURE gset erignore ache/go/1.25.8/x64/pkg/tool/linu-dwarf=false (http block)
• https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
  • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name GO111MODULE 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linutest@example.com env g_.a GO111MODULE /opt/hostedtoolcache/go/1.25.8/x64/bin/go GOINSECURE rm abis go (http block)
  • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 _56Gjvce9 64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile k/gh�� 1678717675/.github/workflows dq87ptaK6 ache/go/1.25.8/x64/pkg/tool/linu-buildmode=exe GOINSECURE go-sdk/jsonrpc erignore ache/go/1.25.8/x64/pkg/tool/linu-trimpath (http block)
• https://api.github.com/repos/github/gh-aw/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path -c=4 -nolocalimports -importcfg /tmp/go-build1624935403/b411/importcfg -pack /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/fileutil.go /home/REDACTED/work/gh-aw/gh-aw/pkg/fileutil/tar.go env -json GO111MODULE node GOINSECURE GOMOD GOMODCACHE s not exist yet"-trimpath (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 obyte/asn1 GOMODCACHE 64/pkg/tool/linuremote1 ache�� edOutput3498647493/001 i0dFibft1 64/pkg/tool/linux_amd64/compile GOINSECURE ngutil GOMODCACHE 64/pkg/tool/linutest@example.com (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq .object.sha --show-toplevel 64/pkg/tool/linux_amd64/vet /usr/bin/git bDdQ2fq9m GO111MODULE x_amd64/link git rev-�� --show-toplevel x_amd64/link /usr/bin/git sRemoteWithRealG/bin/sh sRemoteWithRealG-c .cfg git (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq .object.sha edOutput3498647493/001 YGaDW_VvF 64/pkg/tool/linux_amd64/vet GOINSECURE ole GOMODCACHE 64/pkg/tool/linuTest User m/_n�� AsxZxLib9 GO111MODULE k GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x--json (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq .object.sha on' --ignore-pat-test.timeout=10m0s GO111MODULE x_amd64/compile N files are not /bin/sh GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha on' --ignore-pat-s GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE iE8t3kR/vbNrLVZ2rev-parse (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq .object.sha -json GO111MODULE x_amd64/asm GOINSECURE GOMOD GOMODCACHE x_amd64/asm env -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
  • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq .object.sha -json GO111MODULE x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile env 036837/001 036837/002/work x_amd64/compile GOINSECURE GOMOD GOMODCACHE x_amd64/compile (http block)
• https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
  • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq .object.sha g_.a lNGu_38wk 64/pkg/tool/linux_amd64/vet GOINSECURE util GOMODCACHE 64/pkg/tool/linux_amd64/vet m/_n�� DseGpepMC GO111MODULE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile (http block)
• https://api.github.com/repos/nonexistent/repo/actions/runs/12345
  • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion GOINSECURE GOMOD GOMODCACHE 64/pkg/tool/linux_amd64/compile env g_.a deRMpwyMD ache/go/1.25.8/x64/pkg/tool/linux_amd64/compile GOINSECURE GOMOD GOMODCACHE ache/go/1.25.8/x64/pkg/tool/linuremote (http block)
• https://api.github.com/repos/owner/repo/actions/workflows
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
  • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo -nolocalimports -importcfg /tmp/go-build1624935403/b415/importcfg -pack /tmp/go-build1624935403/b415/_testmain.go env -json GO111MODULE odules/npm/node_-lang=go1.25 GOINSECURE GOMOD GOMODCACHE wasm.s (http block)
• https://api.github.com/repos/owner/repo/contents/file.md
  • Triggering command: /tmp/go-build1624935403/b397/cli.test /tmp/go-build1624935403/b397/cli.test -test.testlogfile=/tmp/go-build1624935403/b397/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true -nolocalimports -importcfg /tmp/go-build2588078043/b192/importcfg -pack env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)
• https://api.github.com/repos/test-owner/test-repo/actions/secrets
  • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go env -json GO111MODULE 64/bin/go GOINSECURE GOMOD GOMODCACHE go (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[Copilot]

Pull request overview

Updates the MCP “logs” and “audit” tools to pass GITHUB_REPOSITORY via --repo, avoiding gh falling back to git-based repository detection in sandboxed environments.

Changes:

• Append --repo <owner/repo> to the subprocess args in registerLogsTool when GITHUB_REPOSITORY is set.
• Append --repo <owner/repo> to the subprocess args in registerAuditTool when GITHUB_REPOSITORY is set.
• Add unit tests using in-memory MCP transports and a mocked execCmd to assert --repo propagation.

Show a summary per file

File	Description
pkg/cli/mcp_tools_privileged.go	Adds GITHUB_REPOSITORY→--repo propagation for logs/audit MCP tools to avoid git dependency.
pkg/cli/mcp_tools_privileged_test.go	Adds MCP in-memory client/server tests verifying --repo is included/omitted based on GITHUB_REPOSITORY.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (1)

pkg/cli/mcp_tools_privileged.go:317

• Same as above: this "append --repo from GITHUB_REPOSITORY" logic is duplicated. A shared helper would make it easier to keep the flags/ordering/normalization consistent across tools.

		// Pass --repo from GITHUB_REPOSITORY to avoid git dependency in restricted environments
		// (e.g., MCP server containers where git is not installed).
		// Only needed when the input is a bare numeric run ID (not a URL with embedded owner/repo),
		// but passing it is safe since the audit command ignores --repo when owner/repo is in the URL.
		if repo := os.Getenv("GITHUB_REPOSITORY"); repo != "" {

• Files reviewed: 2/2 changed files
• Comments generated: 2

[github-actions]

Commit pushed: 5ad5aab

🏗️ ADR gate enforced by Design Decision Gate 🏗️

[github-actions]

🏗️ Design Decision Gate — ADR Required

This PR makes significant changes to core business logic (pkg/cli/) with 173 new lines of code (>100 threshold) but does not have a linked Architecture Decision Record (ADR).

AI has analyzed the PR diff and generated a draft ADR to help you get started:

📄 Draft ADR: docs/adr/26377-use-github-repository-env-var-for-mcp-subprocess-repo-resolution.md

What to do next

1. Review the draft ADR committed to your branch — it was generated from the PR diff
2. Complete the missing sections — add context the AI couldn't infer, refine the decision rationale, and list real alternatives you considered
3. Commit the finalized ADR to docs/adr/ on your branch
4. Reference the ADR in this PR body by adding a line such as:

   ADR: ADR-26377: Use GITHUB_REPOSITORY Env Var for MCP Subprocess Repo Resolution

Once an ADR is linked in the PR body, this gate will re-run and verify the implementation matches the decision.

Why ADRs Matter

"AI made me procrastinate on key design decisions. Because refactoring was cheap, I could always say 'I'll deal with this later.' Deferring decisions corroded my ability to think clearly."

ADRs create a searchable, permanent record of why the codebase looks the way it does. Future contributors (and your future self) will thank you.

---

📋 Michael Nygard ADR Format Reference

An ADR must contain these four sections to be considered complete:

• Context — What is the problem? What forces are at play?
• Decision — What did you decide? Why?
• Alternatives Considered — What else could have been done?
• Consequences — What are the trade-offs (positive and negative)?

All ADRs are stored in docs/adr/ as Markdown files numbered by PR number (e.g., 26377-use-github-repository-env-var-for-mcp-subprocess-repo-resolution.md for PR #26377).

🔒 This PR cannot merge until an ADR is linked in the PR body.

References: §24439752420

Note

🔒 Integrity filter blocked 1 item

The following item were blocked because they don't meet the GitHub integrity level.

• fix: pass GITHUB_REPOSITORY as --repo in MCP logs and audit tools to avoid git dependency #26377 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🏗️ ADR gate enforced by Design Decision Gate 🏗️ · ● 147.3K · ◷

[github-actions]

🧪 Test Quality Sentinel Report

Test Quality Score: 90/100

✅ Excellent test quality

Metric	Value
New/modified tests analyzed	2
✅ Design tests (behavioral contracts)	2 (100%)
⚠️ Implementation tests (low value)	0 (0%)
Tests with error/edge cases	2 (100%)
Duplicate test clusters	0
Test inflation detected	Yes (156 test lines / 17 production lines ≈ 9:1)
🚨 Coding-guideline violations	None

---

Test Classification Details

View All Test Results (2 tests)

Test	File	Classification	Issues Detected
TestLogsToolPassesGithubRepositoryAsRepoFlag	pkg/cli/mcp_tools_privileged_test.go	✅ Design	None — covers both set and empty GITHUB_REPOSITORY
TestAuditToolPassesGithubRepositoryAsRepoFlag	pkg/cli/mcp_tools_privileged_test.go	✅ Design	None — covers both set and empty GITHUB_REPOSITORY

---

Detailed Analysis

TestLogsToolPassesGithubRepositoryAsRepoFlag — Table-driven (2 sub-cases). Uses an injected mockExecCmd function closure (dependency injection, not a mock library) to capture the cmdArgs slice actually constructed by registerLogsTool. Verifies the observable contract: when GITHUB_REPOSITORY is set, --repo <value> appears in the subprocess arguments; when it is empty, the flag is absent. Both assert.* calls include descriptive context strings. Build tag //go:build !integration is present. ✅

TestAuditToolPassesGithubRepositoryAsRepoFlag — Identical pattern for registerAuditTool. Tests the same behavioral contract on the audit tool path. All assertions include descriptive messages. ✅

Helper connectInMemory — A reusable test helper that establishes an in-memory MCP client/server pair. Not itself a test but enables end-to-end MCP tool invocation in the tests above. Well-documented with a comment. ✅

---

Test Inflation Note

The test file grew 156 lines against 17 production lines (~9:1 ratio), triggering the inflation detection threshold. In this case the ratio is expected: the tests require an in-memory MCP client/server setup (connectInMemory helper, mcp.NewInMemoryTransports, client connect, tool call) which is significantly more boilerplate than the two 8-line os.Getenv guards added in production. The tests are end-to-end for the MCP tool layer, so the extra test code is justified. No quality points were awarded for this component under the rubric.

---

Language Support

Tests analyzed:

• 🐹 Go (*_test.go): 2 tests — unit (//go:build !integration)
• 🟨 JavaScript (*.test.cjs, *.test.js): 0 tests

---

Verdict

✅ Check passed. 0% of new tests are implementation tests (threshold: 30%). Both new tests verify behavioral contracts directly: they assert on the observable subprocess arguments produced by the tools, cover the empty-env-var edge case, and use proper assertion messages throughout.

---

📖 Understanding Test Classifications

Design Tests (High Value) verify what the system does:

• Assert on observable outputs, return values, or state changes
• Cover error paths and boundary conditions
• Would catch a behavioral regression if deleted
• Remain valid even after internal refactoring

Implementation Tests (Low Value) verify how the system does it:

• Assert on internal function calls (mocking internals)
• Only test the happy path with typical inputs
• Break during legitimate refactoring even when behavior is correct
• Give false assurance: they pass even when the system is wrong

Goal: Shift toward tests that describe the system's behavioral contract — the promises it makes to its users and collaborators.

References: §24439752431

🧪 Test quality analysis by Test Quality Sentinel · ● 592.8K · ◷

[github-actions]

✅ Test Quality Sentinel: 90/100. Test quality is excellent — 0% of new tests are implementation tests (threshold: 30%). Both new tests verify the --repo flag behavioral contract end-to-end using in-memory MCP transport, cover the empty-env-var edge case, and include descriptive assertion messages.

[pelikhan]

@copilot review comments

[Copilot]

@copilot review comments

Addressed both review comments in 53ca779:

1. Extracted appendRepoFlagFromEnv() helper — both registerLogsTool and registerAuditTool now call it instead of inlining the env-var check.
2. Fixed the connectInMemory comment to say the session is closed via t.Cleanup rather than incorrectly saying the caller is responsible.