Copilot/document sink visibility field#44373
Conversation
…spec - Add Section 4.1.3.8 documenting the new `forcePublicRepos` gateway config field - Add `forcePublicRepos` to the gateway config fields table (Section 4.1.3) - Add Section 10.8 — Write-Sink Guard Policy with full `sink-visibility` field specification, enforcement model, DIFC semantics, runtime verification, and compiler behavior - Add Section 10.9 — Cross-Visibility Opt-Out documenting `private-to-public-flows: allow` frontmatter option, its constraints, compiler responsibilities, and interaction matrix - Add compliance test category 11.1.12 with T-WS-001 through T-WS-008 - Update compliance checklist with Write-Sink Guard Policy row - Add changelog entry for spec version 1.15.0 - Update both JSON schema files (docs/public and pkg/workflow) with: - New `writeSinkGuardPolicyConfig` definition with `accept` and `sink-visibility` fields - Typed `write-sink` property in `guard-policies` for both stdioServerConfig and httpServerConfig - New `forcePublicRepos` boolean field in `gatewayConfig` - Added `guard-policies` to `stdioServerConfig` in docs/public schema (was missing) Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
…nition Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
… net - Add sinkVisibilityExemptServers to gateway config fields table (section 4.1.3) - Add to JSON schemas in both docs/public and pkg/workflow - Document default sink-visibility="public" for non-safe-outputs (section 10.8.6) - Document safe-outputs runtime safety net (section 10.8.7) - Expand section 10.9 to support list form of private-to-public-flows - Add compiler responsibilities for list form (validation + config emission) - Update interaction matrix with list form compatibility Co-authored-by: Copilot App <223556219+Copilot@users.noreply.github.com>
|
@copilot resolve the merge conflicts in this pull request |
There was a problem hiding this comment.
Pull request overview
Updates the MCP Gateway specification and published JSON schemas to introduce DIFC-based output filtering via a write-sink guard policy (including sink-visibility), plus new gateway-level controls for public-repo safety behavior.
Changes:
- Extend
guard-policiesschema to include a typedwrite-sinkpolicy (writeSinkGuardPolicyConfig) for both stdio and HTTP MCP servers. - Add
gateway.forcePublicReposandgateway.sinkVisibilityExemptServersto the gateway config schema and document them in the spec. - Bump the spec document version to 1.15.0 and add new normative sections (10.8/10.9) and compliance tests (T-WS-*).
Show a summary per file
| File | Description |
|---|---|
| pkg/workflow/schemas/mcp-gateway-config.schema.json | Adds write-sink guard policy typing and new gateway config fields to the internal schema copy. |
| docs/src/content/docs/reference/mcp-gateway.md | Updates the MCP Gateway spec to v1.15.0 and documents forcePublicRepos, sink-visibility, and opt-out behavior. |
| docs/public/schemas/mcp-gateway-config.schema.json | Mirrors schema updates for the published docs schema copy (including new definitions/fields). |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 2
- Review effort level: Low
…-visibility-field # Conflicts: # docs/src/content/docs/reference/mcp-gateway.md Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
|
🚀 Smoke Pi MISSION COMPLETE! Pi delivered. 🥧 |
|
🚀 Smoke Gemini MISSION COMPLETE! Gemini has spoken. ✨ Smoke test completed. Summary: 4/5 tests passed. Build failed. |
|
✅ All tools validated successfully! Agent Container Smoke Test confirms agent container is ready. |
|
🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨ |
|
🚀 Smoke Antigravity MISSION COMPLETE! Antigravity has spoken. ✨ |
|
🌑 The shadows whisper... Smoke Codex failed to deliver outputs. The oracle requires further meditation... |
|
📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing... |
|
@copilot please run the
|
|
❌ Smoke Copilot Small failed. Please review the logs for details. |
|
📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing... |
|
📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing... |
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Smoke test
Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "proxy.golang.org"See Network Configuration for more information.
|
Agent Container Tool Check
Result: 12/12 tools available ✅ Overall Status: PASS Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "awmgmcpg"See Network Configuration for more information.
|
Smoke Test Results
Overall status: FAIL Warning Firewall blocked 1 domainThe following domain was blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "localhost"See Network Configuration for more information.
|
💥 Smoke Test: Claude — Run 28964631579Core #1-12: ✅ all passed Overall: PARTIAL — all executed tests nominal! 🚀 Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
💥 Automated smoke test review - all systems nominal!
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
💥 [THE END] — Illustrated by Smoke Claude · 68.2 AIC · ⌖ 31.2 AIC · ⊞ 8.4K
Comment /smoke-claude to run again
Comments that could not be inline-anchored
docs/src/content/docs/reference/mcp-gateway.md:9
Smoke test: heading looks good here. 💥
docs/src/content/docs/reference/mcp-gateway.md:11
Smoke test: version metadata is clear. 👍
|
Copilot/document sink visibility field
Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
|
Smoke tests completed: PASS\nSee issue #44384 for details.
|
|
Smoke test results: 1-2 ✅, rest ❌. Overall FAIL. @lpcox
|
|
Smoke run 28964672291 Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
Comment MemoryNote This comment is managed by comment memory.It stores persistent context for this thread in the code block at the top of this comment. Warning Firewall blocked 6 domainsThe following domains were blocked by the firewall during workflow execution:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
|
There was a problem hiding this comment.
Smoke review done. Two inline pokes left.
Warning
Firewall blocked 6 domains
The following domains were blocked by the firewall during workflow execution:
accounts.google.comandroid.clients.google.comclients2.google.comcontentautofill.googleapis.comsafebrowsingohttpgateway.googleapis.comwww.google.com
To allow these domains, add them to the
network.allowedlist in your workflow frontmatter:
network:
allowed:
- defaults
- "accounts.google.com"
- "android.clients.google.com"
- "clients2.google.com"
- "contentautofill.googleapis.com"
- "safebrowsingohttpgateway.googleapis.com"
- "www.google.com"See Network Configuration for more information.
📰 BREAKING: Report filed by Smoke Copilot · 103.1 AIC · ⌖ 4.89 AIC · ⊞ 19.8K
Comment /smoke-copilot to run again
Add label smoke to run again
|
🎉 This pull request is included in a new release. Release: |
Summary
Documents the
sink-visibilityfield and related enforcement model in the MCP Gateway reference spec (docs/src/content/docs/reference/mcp-gateway.md).Changes
docs/src/content/docs/reference/mcp-gateway.md--force-public-reposenv var: Documented that the--force-public-reposCLI proxy flag defaults from theMCP_GATEWAY_FORCE_PUBLIC_REPOSenvironment variable.sink-visibilityomission semantics: Expanded the "Skipped whensink-visibilityis omitted" clause to cross-reference Sections 10.8.6 and 10.8.7 for defaulting behavior, replacing the previously ambiguous inline note.sinkVisibilityExemptServers: Added field documentation for the exemption list, default visibility values, and safety net behavior.opentelemetryConfig: Restored missingtypeanddescriptionfields in the definition.repos=publictorepos="public"for consistency with the quoted-string format used elsewhere.Scope
docsdocs/src/content/docs/reference/mcp-gateway.mdMotivation
The
sink-visibilityfield lacked complete documentation covering its default values, thesinkVisibilityExemptServersexemption list, runtime verification skip conditions, and cross-references to the relevant sections. These gaps could cause implementors to misapply or omit enforcement configuration.