
Compiler: hardcoded min-integrity in tools.github generates incomplete guard policy (missing repos) #27883

@PureWeen

Description

Problem

When min-integrity: approved is explicitly set in the workflow source:

tools:
  github:
    toolsets: [pull_requests, repos]
    min-integrity: approved

The compiler (v0.62.2, v0.69.3) generates a static guard policy in the lock file:

"guard-policies": {
  "allow-only": {
    "min-integrity": "approved"
  }
}

The MCP Gateway (v0.1.19) rejects this with:

MCPG Error: failed to create unified server: failed to register guard for server "github":
  invalid server guard policy: invalid guard policy JSON: allow-only must include repos

The gateway requires both min-integrity AND repos in an allow-only policy block. The compiler does not populate repos when min-integrity is hardcoded.

Workaround

Omit min-integrity from the source. The runtime determine-automatic-lockdown step correctly sets both min-integrity and repos via env vars:

"guard-policies": {
  "allow-only": {
    "min-integrity": "$GITHUB_MCP_GUARD_MIN_INTEGRITY",
    "repos": "$GITHUB_MCP_GUARD_REPOS"
  }
}

Expected

The compiler should either:

  1. Also emit repos when min-integrity is hardcoded (e.g., repos: ["${{ github.repository }}"])
  2. Or document that min-integrity in source is not supported and should be left to runtime lockdown
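A pre-flight check over the lock file's guard policy, added here as an example (not code from the compiler or the gateway): ValidateGuardPolicies applies the rule the gateway error states, and CompleteGuardPolicies applies fix option 1 by scoping repos to a repository name you pass in. Both take the value of the "guard-policies" key; the struct layout and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Lock-file shapes from the issue (struct layout is an assumption). repos stays raw:
// at runtime it is a string ("$GITHUB_MCP_GUARD_REPOS"), the proposed fix emits a list.
type allowOnly struct {
	MinIntegrity string          `json:"min-integrity,omitempty"`
	Repos        json.RawMessage `json:"repos,omitempty"`
}
type guardPolicies struct {
	AllowOnly *allowOnly `json:"allow-only,omitempty"`
}

// reposPresent accepts a non-empty string or a non-empty list; absent/null/empty fail.
func reposPresent(raw json.RawMessage) bool {
	var v interface{}
	_ = json.Unmarshal(raw, &v) // on failure v stays nil, which counts as "missing"
	s, isStr := v.(string)
	l, isList := v.([]interface{})
	return (isStr && s != "") || (isList && len(l) > 0)
}

// ValidateGuardPolicies reproduces the gateway rule quoted in the issue:
// an allow-only block that sets min-integrity must also carry repos.
func ValidateGuardPolicies(doc []byte) error {
	var gp guardPolicies
	if err := json.Unmarshal(doc, &gp); err != nil {
		return fmt.Errorf("invalid guard policy JSON: %w", err)
	}
	if ao := gp.AllowOnly; ao != nil && ao.MinIntegrity != "" && !reposPresent(ao.Repos) {
		return fmt.Errorf("invalid guard policy JSON: allow-only must include repos")
	}
	return nil
}

// CompleteGuardPolicies applies fix option 1 from the issue: a missing repos is scoped to repo.
func CompleteGuardPolicies(doc []byte, repo string) ([]byte, error) {
	var gp guardPolicies
	if err := json.Unmarshal(doc, &gp); err != nil {
		return nil, err
	}
	if gp.AllowOnly != nil && !reposPresent(gp.AllowOnly.Repos) {
		gp.AllowOnly.Repos, _ = json.Marshal([]string{repo})
	}
	return json.Marshal(gp)
}
```

Run it over the generated lock file before the gateway starts: the hardcoded policy from the report is rejected, the runtime-lockdown form and the completed form pass.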

Discovered in
