Add AllowedGitHubOrganizations policy to gate chat features by org membership #302981
Draft
joshspicer wants to merge 1 commit into main from
Conversation
…mbership

Introduces a hidden, policy-backed setting `chat.allowedGitHubOrganizations` that allows enterprise IT admins to restrict policy-gated chat features (such as MCP) to users who are members of specified GitHub organizations. The setting is a comma-separated list of org login names, delivered via OS-level MDM policy (`AllowedGitHubOrganizations`).

When set:
- Features are blocked by default until the user's org membership is confirmed
- If the user is not a member of any allowed org, features remain blocked
- If the setting is empty/unset, no restriction applies (passthrough)

Implementation:
- New config key `chat.allowedGitHubOrganizations` with `included: false` and `AllowedGitHubOrganizations` policy (InteractiveSession category)
- Org gate logic in ChatEntitlementContext compares allowed orgs setting against the user's resolved organizations from entitlements
- New context key `chatGitHubOrgPolicySatisfied` for declarative UI gating
- New `orgPolicySatisfied` property on IChatEntitlementService for code gating
- MCP integration: McpRegistry, McpDiscovery, and McpWorkbenchService all check the org gate alongside existing McpAccessValue checks

Other features can opt in by checking the context key in when clauses or reading chatEntitlementService.orgPolicySatisfied.

Refs: microsoft/vscode-internalbacklog#6435

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Adds a new enterprise policy-backed configuration (chat.allowedGitHubOrganizations) that gates policy-controlled chat features (initially MCP) based on the signed-in user’s GitHub organization membership, exposing the result via a new entitlement context key and service property.
Changes:
- Introduces the hidden, policy-backed setting `chat.allowedGitHubOrganizations` and exports it into policy artifacts.
- Computes and publishes org-policy satisfaction via `ChatEntitlementContext` / `chatGitHubOrgPolicySatisfied` and `IChatEntitlementService.orgPolicySatisfied`.
- Gates MCP registry collections, discovery, and enablement status when the org policy is not satisfied; updates test mocks for the new interface member.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/vs/workbench/test/common/workbenchTestServices.ts | Updates test entitlement service mock to implement orgPolicySatisfied. |
| src/vs/workbench/services/chat/common/chatEntitlementService.ts | Adds org-policy context key + orgPolicySatisfied, and computes satisfaction from config + entitlements. |
| src/vs/workbench/contrib/mcp/common/mcpRegistry.ts | Filters MCP collections/lazy state when org policy gate is not satisfied. |
| src/vs/workbench/contrib/mcp/browser/mcpWorkbenchService.ts | Surfaces MCP disabled status/message when org policy gate is not satisfied. |
| src/vs/workbench/contrib/mcp/browser/mcpDiscovery.ts | Skips MCP discovery when org policy gate is not satisfied. |
| src/vs/workbench/contrib/chat/common/constants.ts | Adds ChatConfiguration.AllowedGitHubOrganizations constant. |
| src/vs/workbench/contrib/chat/common/actions/chatContextKeys.ts | Re-exports the new entitlement context key for declarative gating (when). |
| src/vs/workbench/contrib/chat/browser/chat.contribution.ts | Registers the hidden setting and associates it with the AllowedGitHubOrganizations policy. |
| src/vs/sessions/test/web.test.ts | Updates Sessions window mock entitlement service to implement orgPolicySatisfied. |
| build/lib/policies/policyData.jsonc | Adds the new policy entry to the exported policy data artifact. |
Comment on lines +791 to +795
| return { | ||
| state: McpServerEnablementState.DisabledByAccess, | ||
| message: { | ||
| severity: Severity.Warning, | ||
| text: new MarkdownString(localize('disabled - org policy', "This MCP server is disabled because the signed-in GitHub account is not a member of an allowed organization.")) |
| } | ||
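Review bot: The `text:` line tells the user the signed-in account "is not a member of an allowed organization", but the PR description says features are also blocked while membership is still being confirmed, so a user who is a member will see this wording during the resolution window, and support cannot tell the two situations apart from the message alone. Consider distinct wording for the pending case (or emitting this message only once entitlements have resolved to a definitive non-member result), and consider whether reusing `McpServerEnablementState.DisabledByAccess` for the org gate hides the distinction from other consumers of the enablement state.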
| get orgPolicySatisfied(): boolean { | ||
| return this.contextKeyService.getContextKeyValue<boolean>(ChatEntitlementContextKeys.githubOrgPolicySatisfied.key) !== false; |
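Review bot: The `!== false` comparison on the return line makes the gate fail open: while the context key is unset (undefined, for example before ChatEntitlementContext has computed it, or when the getter is reached through a context key service scope where the key is not bound), `orgPolicySatisfied` reports true, which contradicts the "blocked by default until the user's org membership is confirmed" behaviour in the description. Prefer `=== true` with the key initialised to false whenever the setting is non-empty, or return the computed value held by the entitlement context directly instead of round-tripping it through the context key service.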
Summary

Introduces a hidden, policy-backed setting `chat.allowedGitHubOrganizations` that allows enterprise IT admins to restrict policy-gated chat features (such as MCP) to users who are members of specified GitHub organizations.

Refs: https://github.com/microsoft/vscode-internalbacklog/issues/6435

Setting
- `chat.allowedGitHubOrganizations`: `string` (comma-separated org login names, e.g. `"microsoft,github"`)
- `included: false` — not visible in Settings UI, only set via MDM policy
- `AllowedGitHubOrganizations`, category `InteractiveSession`, OS-level MDM delivery

Gate Logic

When `chat.allowedGitHubOrganizations` is configured (via MDM policy):
- `organization_login_list` from entitlements is compared against the allowed orgs list

The gate logic lives in `ChatEntitlementContext.computeOrgPolicySatisfied()` and re-evaluates whenever:
- `chat.allowedGitHubOrganizations` configuration changes

How Features Opt In
- Context key (declarative, for UI)
- Service property (programmatic)
- Observable (reactive)

MCP Integration (first consumer)

MCP features check the org gate at three levels:
- `McpRegistry.collections` — returns empty when gate not satisfied
- `McpDiscovery` — skips server discovery when gate not satisfied
- `McpWorkbenchService.getEnablementStatus()` — shows disabled status with org policy message

Files Changed
- `chat/common/constants.ts`: `AllowedGitHubOrganizations` config key
- `chat/browser/chat.contribution.ts`
- `chat/common/chatEntitlementService.ts`: `orgPolicySatisfied` property
- `chat/common/actions/chatContextKeys.ts`
- `mcp/common/mcpRegistry.ts`
- `mcp/browser/mcpDiscovery.ts`
- `mcp/browser/mcpWorkbenchService.ts`
- `build/lib/policies/policyData.jsonc`
- `orgPolicySatisfied = true`
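The gate semantics described under Gate Logic and in the commit message, modelled as an added TypeScript example that is not VS Code's own code; the names `OrgGateState`, `parseAllowedOrgs`, `computeOrgGate`, `orgPolicySatisfied` and `orgGateMessage` are hypothetical. It assumes the setting arrives as the raw comma-separated string and the user's organizations as a string array that is undefined until entitlements resolve, and it goes one step beyond the page by keeping a pending lookup distinct from a confirmed non-member so the two are never reported with the same message.

```typescript
// Added example, not VS Code's own code: a fail-closed model of the org gate
// the PR describes. Names (OrgGateState, computeOrgGate, ...) are hypothetical.

type OrgGateState = 'passthrough' | 'pending' | 'satisfied' | 'denied';

// Parse the comma-separated policy value: trim whitespace, drop empty entries,
// normalise case (GitHub org logins are case-insensitive). Empty/unset means
// no restriction, matching the PR's passthrough behaviour.
function parseAllowedOrgs(setting: string | undefined): Set<string> {
  return new Set(
    (setting ?? '').split(',').map(s => s.trim().toLowerCase()).filter(s => s !== ''),
  );
}

// `userOrgs` is undefined while entitlements are still resolving. That case is
// reported as 'pending' (blocked), never as satisfied.
function computeOrgGate(
  setting: string | undefined,
  userOrgs: readonly string[] | undefined,
): OrgGateState {
  const allowed = parseAllowedOrgs(setting);
  if (allowed.size === 0) return 'passthrough';
  if (userOrgs === undefined) return 'pending';
  return userOrgs.some(o => allowed.has(o.trim().toLowerCase())) ? 'satisfied' : 'denied';
}

// Boolean view for consumers such as the MCP registry. Only 'passthrough' and
// 'satisfied' unlock features; an undefined (not yet computed) state maps to
// false, whereas a `!== false` check would treat it as satisfied.
function orgPolicySatisfied(state: OrgGateState | undefined): boolean {
  return state === 'passthrough' || state === 'satisfied';
}

// Separate messages so a pending lookup is not reported as "not a member".
function orgGateMessage(state: OrgGateState): string | undefined {
  if (state === 'pending') return 'Checking GitHub organization membership...';
  if (state === 'denied') return 'The signed-in GitHub account is not a member of an allowed organization.';
  return undefined;
}
```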