Summary
The MCP Gateway spec (v1.15.0, Section 10.9 — added in #44305) documents private-to-public-flows as a workflow frontmatter option that opts out of the Write-Sink Guard Policy's cross-visibility protections. The gateway already supports forcePublicRepos and sinkVisibilityExemptServers config fields. However, the compiler does not yet parse or emit this frontmatter field — it exists only in spec and schema descriptions.
This issue tracks implementing the field as a sub-key under tools.github so that workflows in public repos can access private repositories when the token permits it.
Proposed Frontmatter Syntax
tools:
github:
private-to-public-flows: allow
Or the list form for per-server exemptions:
tools:
github:
private-to-public-flows:
- github-mcp-server
- custom-server-id
Work Required
1. Workflow Schema (pkg/workflow/schemas/)
- Add
private-to-public-flows to the workflow frontmatter JSON schema under tools.github
- Accept either the string
"allow" (blanket opt-out) or an array of server ID strings (selective exemption)
- Add validation: field is only meaningful when
tools.github is configured
2. Workflow Parser (pkg/workflow/)
- Parse the new field from frontmatter into the workflow struct
- Add a
PrivateToPublicFlows field (or similar) to the GitHub tools config struct
3. Compiler Emission (pkg/workflow/)
- When
private-to-public-flows: allow → emit "forcePublicRepos": false in the MCP gateway JSON config
- When
private-to-public-flows: [server-ids...] → emit "sinkVisibilityExemptServers": [...] in the gateway config
- Record the opt-out in the compiled lock file audit trail
4. Docs Update (docs/src/content/docs/reference/github-tools.md)
- Add a section under "GitHub Cross-Repository Reading" documenting the new field
- Explain the security implications and when to use it
- Cross-reference the MCP Gateway spec Section 10.9
5. Tests
- Unit tests for parsing both forms (string and list)
- Compiler tests verifying correct gateway config emission
- Validation tests (e.g., invalid values rejected)
Context
Summary
The MCP Gateway spec (v1.15.0, Section 10.9 — added in #44305) documents
private-to-public-flowsas a workflow frontmatter option that opts out of the Write-Sink Guard Policy's cross-visibility protections. The gateway already supportsforcePublicReposandsinkVisibilityExemptServersconfig fields. However, the compiler does not yet parse or emit this frontmatter field — it exists only in spec and schema descriptions.This issue tracks implementing the field as a sub-key under
tools.githubso that workflows in public repos can access private repositories when the token permits it.Proposed Frontmatter Syntax
Or the list form for per-server exemptions:
Work Required
1. Workflow Schema (
pkg/workflow/schemas/)private-to-public-flowsto the workflow frontmatter JSON schema undertools.github"allow"(blanket opt-out) or an array of server ID strings (selective exemption)tools.githubis configured2. Workflow Parser (
pkg/workflow/)PrivateToPublicFlowsfield (or similar) to the GitHub tools config struct3. Compiler Emission (
pkg/workflow/)private-to-public-flows: allow→ emit"forcePublicRepos": falsein the MCP gateway JSON configprivate-to-public-flows: [server-ids...]→ emit"sinkVisibilityExemptServers": [...]in the gateway config4. Docs Update (
docs/src/content/docs/reference/github-tools.md)5. Tests
Context
forcePublicReposandsinkVisibilityExemptServers:pkg/workflow/schemas/mcp-gateway-config.schema.jsonsink-visibilityin compiled write-sink guard policies #44154 (sink-visibility emission), refactor: compute sink-visibility at runtime instead of compile time #44245 (runtime visibility detection)