Merge branch 'main' into kerobbi/response-optimisation

kerobbi · web-flow · commit 2791676258d1 · 2026-02-19T15:28:04.000Z
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:20-alpine AS ui-build
+FROM node:20-alpine@sha256:09e2b3d9726018aecf269bd35325f46bf75046a643a66d28360ec71132750ec8 AS ui-build
 WORKDIR /app
 COPY ui/package*.json ./ui/
 RUN cd ui && npm ci
@@ -7,7 +7,7 @@ COPY ui/ ./ui/
 RUN mkdir -p ./pkg/github/ui_dist && \
     cd ui && npm run build
 
-FROM golang:1.25.7-alpine AS build
+FROM golang:1.25.7-alpine@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS build
 ARG VERSION="dev"
 
 # Set the working directory
@@ -30,7 +30,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
     -o /bin/github-mcp-server ./cmd/github-mcp-server
 
 # Make a stage to run the app
-FROM gcr.io/distroless/base-debian12
+FROM gcr.io/distroless/base-debian12@sha256:937c7eaaf6f3f2d38a1f8c4aeff326f0c56e4593ea152e9e8f74d976dde52f56
 
 # Add required MCP server annotation
 LABEL io.modelcontextprotocol.server.name="io.github.github/github-mcp-server"
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go
@@ -61,6 +61,14 @@ var (
 				}
 			}
 
+			// Parse excluded tools (similar to tools)
+			var excludeTools []string
+			if viper.IsSet("exclude_tools") {
+				if err := viper.UnmarshalKey("exclude_tools", &excludeTools); err != nil {
+					return fmt.Errorf("failed to unmarshal exclude-tools: %w", err)
+				}
+			}
+
 			// Parse enabled features (similar to toolsets)
 			var enabledFeatures []string
 			if viper.IsSet("features") {
@@ -85,6 +93,7 @@ var (
 				ContentWindowSize:    viper.GetInt("content-window-size"),
 				LockdownMode:         viper.GetBool("lockdown-mode"),
 				InsidersMode:         viper.GetBool("insiders"),
+				ExcludeTools:         excludeTools,
 				RepoAccessCacheTTL:   &ttl,
 			}
 			return ghmcp.RunStdioServer(stdioServerConfig)
@@ -126,6 +135,7 @@ func init() {
 	// Add global flags that will be shared by all commands
 	rootCmd.PersistentFlags().StringSlice("toolsets", nil, github.GenerateToolsetsHelp())
 	rootCmd.PersistentFlags().StringSlice("tools", nil, "Comma-separated list of specific tools to enable")
+	rootCmd.PersistentFlags().StringSlice("exclude-tools", nil, "Comma-separated list of tool names to disable regardless of other settings")
 	rootCmd.PersistentFlags().StringSlice("features", nil, "Comma-separated list of feature flags to enable")
 	rootCmd.PersistentFlags().Bool("dynamic-toolsets", false, "Enable dynamic toolsets")
 	rootCmd.PersistentFlags().Bool("read-only", false, "Restrict the server to read-only operations")
@@ -147,6 +157,7 @@ func init() {
 	// Bind flag to viper
 	_ = viper.BindPFlag("toolsets", rootCmd.PersistentFlags().Lookup("toolsets"))
 	_ = viper.BindPFlag("tools", rootCmd.PersistentFlags().Lookup("tools"))
+	_ = viper.BindPFlag("exclude_tools", rootCmd.PersistentFlags().Lookup("exclude-tools"))
 	_ = viper.BindPFlag("features", rootCmd.PersistentFlags().Lookup("features"))
 	_ = viper.BindPFlag("dynamic_toolsets", rootCmd.PersistentFlags().Lookup("dynamic-toolsets"))
 	_ = viper.BindPFlag("read-only", rootCmd.PersistentFlags().Lookup("read-only"))
diff --git a/docs/server-configuration.md b/docs/server-configuration.md
@@ -9,6 +9,7 @@ We currently support the following ways in which the GitHub MCP Server can be co
 |---------------|---------------|--------------|
 | Toolsets | `X-MCP-Toolsets` header or `/x/{toolset}` URL | `--toolsets` flag or `GITHUB_TOOLSETS` env var |
 | Individual Tools | `X-MCP-Tools` header | `--tools` flag or `GITHUB_TOOLS` env var |
+| Exclude Tools | `X-MCP-Exclude-Tools` header | `--exclude-tools` flag or `GITHUB_EXCLUDE_TOOLS` env var |
 | Read-Only Mode | `X-MCP-Readonly` header or `/readonly` URL | `--read-only` flag or `GITHUB_READ_ONLY` env var |
 | Dynamic Mode | Not available | `--dynamic-toolsets` flag or `GITHUB_DYNAMIC_TOOLSETS` env var |
 | Lockdown Mode | `X-MCP-Lockdown` header | `--lockdown-mode` flag or `GITHUB_LOCKDOWN_MODE` env var |
@@ -20,10 +21,12 @@ We currently support the following ways in which the GitHub MCP Server can be co
 
 ## How Configuration Works
 
-All configuration options are **composable**: you can combine toolsets, individual tools, dynamic discovery, read-only mode and lockdown mode in any way that suits your workflow.
+All configuration options are **composable**: you can combine toolsets, individual tools, excluded tools, dynamic discovery, read-only mode and lockdown mode in any way that suits your workflow.
 
 Note: **read-only** mode acts as a strict security filter that takes precedence over any other configuration, by disabling write tools even when explicitly requested.
 
+Note: **excluded tools** takes precedence over toolsets and individual tools — listed tools are always excluded, even if their toolset is enabled or they are explicitly added via `--tools` / `X-MCP-Tools`.
+
 ---
 
 ## Configuration Examples
@@ -170,6 +173,56 @@ Enable entire toolsets, then add individual tools from toolsets you don't want f
 
 ---
 
+### Excluding Specific Tools
+
+**Best for:** Users who want to enable a broad toolset but need to exclude specific tools for security, compliance, or to prevent undesired behavior.
+
+Listed tools are removed regardless of any other configuration — even if their toolset is enabled or they are individually added.
+
+<table>
+<tr><th>Remote Server</th><th>Local Server</th></tr>
+<tr valign="top">
+<td>
+
+```json
+{
+  "type": "http",
+  "url": "https://api.githubcopilot.com/mcp/",
+  "headers": {
+    "X-MCP-Toolsets": "pull_requests",
+    "X-MCP-Exclude-Tools": "create_pull_request,merge_pull_request"
+  }
+}
+```
+
+</td>
+<td>
+
+```json
+{
+  "type": "stdio",
+  "command": "go",
+  "args": [
+    "run",
+    "./cmd/github-mcp-server",
+    "stdio",
+    "--toolsets=pull_requests",
+    "--exclude-tools=create_pull_request,merge_pull_request"
+  ],
+  "env": {
+    "GITHUB_PERSONAL_ACCESS_TOKEN": "${input:github_token}"
+  }
+}
+```
+
+</td>
+</tr>
+</table>
+
+**Result:** All pull request tools except `create_pull_request` and `merge_pull_request` — the user gets read and review tools only.
+
+---
+
 ### Read-Only Mode
 
 **Best for:** Security conscious users who want to ensure the server won't allow operations that modify issues, pull requests, repositories etc.
diff --git a/internal/ghmcp/server.go b/internal/ghmcp/server.go
@@ -135,6 +135,7 @@ func NewStdioMCPServer(ctx context.Context, cfg github.MCPServerConfig) (*mcp.Se
 		WithReadOnly(cfg.ReadOnly).
 		WithToolsets(github.ResolvedEnabledToolsets(cfg.DynamicToolsets, cfg.EnabledToolsets, cfg.EnabledTools)).
 		WithTools(github.CleanTools(cfg.EnabledTools)).
+		WithExcludeTools(cfg.ExcludeTools).
 		WithServerInstructions().
 		WithFeatureChecker(featureChecker).
 		WithInsidersMode(cfg.InsidersMode)
@@ -214,6 +215,11 @@ type StdioServerConfig struct {
 	// InsidersMode indicates if we should enable experimental features
 	InsidersMode bool
 
+	// ExcludeTools is a list of tool names to disable regardless of other settings.
+	// These tools will be excluded even if their toolset is enabled or they are
+	// explicitly listed in EnabledTools.
+	ExcludeTools []string
+
 	// RepoAccessCacheTTL overrides the default TTL for repository access cache entries.
 	RepoAccessCacheTTL *time.Duration
 }
@@ -271,6 +277,7 @@ func RunStdioServer(cfg StdioServerConfig) error {
 		ContentWindowSize: cfg.ContentWindowSize,
 		LockdownMode:      cfg.LockdownMode,
 		InsidersMode:      cfg.InsidersMode,
+		ExcludeTools:      cfg.ExcludeTools,
 		Logger:            logger,
 		RepoAccessTTL:     cfg.RepoAccessCacheTTL,
 		TokenScopes:       tokenScopes,
diff --git a/pkg/buffer/buffer.go b/pkg/buffer/buffer.go
@@ -32,6 +32,9 @@ const maxLineSize = 10 * 1024 * 1024
 // If the response contains more lines than maxJobLogLines, only the most recent lines are kept.
 // Lines exceeding maxLineSize are truncated with a marker.
 func ProcessResponseAsRingBufferToEnd(httpResp *http.Response, maxJobLogLines int) (string, int, *http.Response, error) {
+	if maxJobLogLines <= 0 {
+		maxJobLogLines = 500
+	}
 	if maxJobLogLines > 100000 {
 		maxJobLogLines = 100000
 	}
diff --git a/pkg/context/request.go b/pkg/context/request.go
@@ -82,6 +82,22 @@ func IsInsidersMode(ctx context.Context) bool {
 	return false
 }
 
+// excludeToolsCtxKey is a context key for excluded tools
+type excludeToolsCtxKey struct{}
+
+// WithExcludeTools adds the excluded tools to the context
+func WithExcludeTools(ctx context.Context, tools []string) context.Context {
+	return context.WithValue(ctx, excludeToolsCtxKey{}, tools)
+}
+
+// GetExcludeTools retrieves the excluded tools from the context
+func GetExcludeTools(ctx context.Context) []string {
+	if tools, ok := ctx.Value(excludeToolsCtxKey{}).([]string); ok {
+		return tools
+	}
+	return nil
+}
+
 // headerFeaturesCtxKey is a context key for raw header feature flags
 type headerFeaturesCtxKey struct{}
 
diff --git a/pkg/github/actions.go b/pkg/github/actions.go
@@ -702,8 +702,8 @@ For single job logs, provide job_id. For all failed jobs in a run, provide run_i
 			if err != nil {
 				return utils.NewToolResultError(err.Error()), nil, nil
 			}
-			// Default to 500 lines if not specified
-			if tailLines == 0 {
+			// Default to 500 lines if not specified or invalid
+			if tailLines <= 0 {
 				tailLines = 500
 			}
 
diff --git a/pkg/github/server.go b/pkg/github/server.go
@@ -62,6 +62,11 @@ type MCPServerConfig struct {
 	// RepoAccessTTL overrides the default TTL for repository access cache entries.
 	RepoAccessTTL *time.Duration
 
+	// ExcludeTools is a list of tool names that should be disabled regardless of
+	// other configuration. These tools will be excluded even if their toolset is enabled
+	// or they are explicitly listed in EnabledTools.
+	ExcludeTools []string
+
 	// TokenScopes contains the OAuth scopes available to the token.
 	// When non-nil, tools requiring scopes not in this list will be hidden.
 	// This is used for PAT scope filtering where we can't issue scope challenges.
@@ -73,7 +78,7 @@ type MCPServerConfig struct {
 
 type MCPServerOption func(*mcp.ServerOptions)
 
-func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependencies, inv *inventory.Inventory) (*mcp.Server, error) {
+func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependencies, inv *inventory.Inventory, middleware ...mcp.Middleware) (*mcp.Server, error) {
 	// Create the MCP server
 	serverOpts := &mcp.ServerOptions{
 		Instructions:      inv.Instructions(),
@@ -98,9 +103,11 @@ func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependenci
 
 	ghServer := NewServer(cfg.Version, serverOpts)
 
-	// Add middlewares
-	ghServer.AddReceivingMiddleware(addGitHubAPIErrorToContext)
+	// Add middlewares. Order matters - for example, the error context middleware should be applied last so that it runs FIRST (closest to the handler) to ensure all errors are captured,
+	// and any middleware that needs to read or modify the context should be before it.
+	ghServer.AddReceivingMiddleware(middleware...)
 	ghServer.AddReceivingMiddleware(InjectDepsMiddleware(deps))
+	ghServer.AddReceivingMiddleware(addGitHubAPIErrorToContext)
 
 	if unrecognized := inv.UnrecognizedToolsets(); len(unrecognized) > 0 {
 		cfg.Logger.Warn("Warning: unrecognized toolsets ignored", "toolsets", strings.Join(unrecognized, ", "))
diff --git a/pkg/http/handler.go b/pkg/http/handler.go
@@ -19,6 +19,9 @@ import (
 )
 
 type InventoryFactoryFunc func(r *http.Request) (*inventory.Inventory, error)
+
+// GitHubMCPServerFactoryFunc is a function type for creating a new MCP Server instance.
+// middleware are applied AFTER the default GitHub MCP Server middlewares (like error context injection)
 type GitHubMCPServerFactoryFunc func(r *http.Request, deps github.ToolDependencies, inventory *inventory.Inventory, cfg *github.MCPServerConfig) (*mcp.Server, error)
 
 type Handler struct {
@@ -272,6 +275,10 @@ func InventoryFiltersForRequest(r *http.Request, builder *inventory.Builder) *in
 		builder = builder.WithTools(github.CleanTools(tools))
 	}
 
+	if excluded := ghcontext.GetExcludeTools(ctx); len(excluded) > 0 {
+		builder = builder.WithExcludeTools(excluded)
+	}
+
 	return builder
 }
 
diff --git a/pkg/http/handler_test.go b/pkg/http/handler_test.go
@@ -104,6 +104,31 @@ func TestInventoryFiltersForRequest(t *testing.T) {
 			},
 			expectedTools: []string{"get_file_contents", "create_repository", "list_issues"},
 		},
+		{
+			name: "excluded tools removes specific tools",
+			contextSetup: func(ctx context.Context) context.Context {
+				return ghcontext.WithExcludeTools(ctx, []string{"create_repository", "issue_write"})
+			},
+			expectedTools: []string{"get_file_contents", "list_issues"},
+		},
+		{
+			name: "excluded tools overrides explicit tools",
+			contextSetup: func(ctx context.Context) context.Context {
+				ctx = ghcontext.WithTools(ctx, []string{"list_issues", "create_repository"})
+				ctx = ghcontext.WithExcludeTools(ctx, []string{"create_repository"})
+				return ctx
+			},
+			expectedTools: []string{"list_issues"},
+		},
+		{
+			name: "excluded tools combines with readonly",
+			contextSetup: func(ctx context.Context) context.Context {
+				ctx = ghcontext.WithReadonly(ctx, true)
+				ctx = ghcontext.WithExcludeTools(ctx, []string{"list_issues"})
+				return ctx
+			},
+			expectedTools: []string{"get_file_contents"},
+		},
 	}
 
 	for _, tt := range tests {
@@ -267,6 +292,40 @@ func TestHTTPHandlerRoutes(t *testing.T) {
 			},
 			expectedTools: []string{"get_file_contents", "create_repository", "list_issues", "create_issue", "list_pull_requests", "create_pull_request", "hidden_by_holdback"},
 		},
+		{
+			name: "X-MCP-Exclude-Tools header removes specific tools",
+			path: "/",
+			headers: map[string]string{
+				headers.MCPExcludeToolsHeader: "create_issue,create_pull_request",
+			},
+			expectedTools: []string{"get_file_contents", "create_repository", "list_issues", "list_pull_requests", "hidden_by_holdback"},
+		},
+		{
+			name: "X-MCP-Exclude-Tools with toolset header",
+			path: "/",
+			headers: map[string]string{
+				headers.MCPToolsetsHeader:     "issues",
+				headers.MCPExcludeToolsHeader: "create_issue",
+			},
+			expectedTools: []string{"list_issues"},
+		},
+		{
+			name: "X-MCP-Exclude-Tools overrides X-MCP-Tools",
+			path: "/",
+			headers: map[string]string{
+				headers.MCPToolsHeader:        "list_issues,create_issue",
+				headers.MCPExcludeToolsHeader: "create_issue",
+			},
+			expectedTools: []string{"list_issues"},
+		},
+		{
+			name: "X-MCP-Exclude-Tools with readonly path",
+			path: "/readonly",
+			headers: map[string]string{
+				headers.MCPExcludeToolsHeader: "list_issues",
+			},
+			expectedTools: []string{"get_file_contents", "list_pull_requests", "hidden_by_holdback"},
+		},
 	}
 
 	for _, tt := range tests {
diff --git a/pkg/http/headers/headers.go b/pkg/http/headers/headers.go
@@ -41,6 +41,9 @@ const (
 	MCPLockdownHeader = "X-MCP-Lockdown"
 	// MCPInsidersHeader indicates whether insiders mode is enabled for early access features.
 	MCPInsidersHeader = "X-MCP-Insiders"
+	// MCPExcludeToolsHeader is a comma-separated list of MCP tools that should be
+	// disabled regardless of other settings or header values.
+	MCPExcludeToolsHeader = "X-MCP-Exclude-Tools"
 	// MCPFeaturesHeader is a comma-separated list of feature flags to enable.
 	MCPFeaturesHeader = "X-MCP-Features"
 
diff --git a/pkg/http/middleware/request_config.go b/pkg/http/middleware/request_config.go
@@ -35,6 +35,11 @@ func WithRequestConfig(next http.Handler) http.Handler {
 			ctx = ghcontext.WithLockdownMode(ctx, true)
 		}
 
+		// Excluded tools
+		if excludeTools := headers.ParseCommaSeparated(r.Header.Get(headers.MCPExcludeToolsHeader)); len(excludeTools) > 0 {
+			ctx = ghcontext.WithExcludeTools(ctx, excludeTools)
+		}
+
 		// Insiders mode
 		if relaxedParseBool(r.Header.Get(headers.MCPInsidersHeader)) {
 			ctx = ghcontext.WithInsidersMode(ctx, true)
diff --git a/pkg/inventory/builder.go b/pkg/inventory/builder.go
diff --git a/pkg/inventory/registry_test.go b/pkg/inventory/registry_test.go

Original file line number	Diff line number	Diff line change
`@@ -702,8 +702,8 @@ For single job logs, provide job_id. For all failed jobs in a run, provide run_i`
`702`	`702`	`if err != nil {`
`703`	`703`	`return utils.NewToolResultError(err.Error()), nil, nil`
`704`	`704`	`}`
`705`		`- // Default to 500 lines if not specified`
`706`		`- if tailLines == 0 {`
	`705`	`+ // Default to 500 lines if not specified or invalid`
	`706`	`+ if tailLines <= 0 {`
`707`	`707`	`tailLines = 500`
`708`	`708`	`}`
`709`	`709`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,9 @@ import (`
`19`	`19`	`)`
`20`	`20`
`21`	`21`	`type InventoryFactoryFunc func(r http.Request) (inventory.Inventory, error)`
	`22`	`+`
	`23`	`+// GitHubMCPServerFactoryFunc is a function type for creating a new MCP Server instance.`
	`24`	`+// middleware are applied AFTER the default GitHub MCP Server middlewares (like error context injection)`
`22`	`25`	`type GitHubMCPServerFactoryFunc func(r http.Request, deps github.ToolDependencies, inventory inventory.Inventory, cfg github.MCPServerConfig) (mcp.Server, error)`
`23`	`26`
`24`	`27`	`type Handler struct {`
`@@ -272,6 +275,10 @@ func InventoryFiltersForRequest(r http.Request, builder inventory.Builder) *in`
`272`	`275`	`builder = builder.WithTools(github.CleanTools(tools))`
`273`	`276`	`}`
`274`	`277`
	`278`	`+ if excluded := ghcontext.GetExcludeTools(ctx); len(excluded) > 0 {`
	`279`	`+ builder = builder.WithExcludeTools(excluded)`
	`280`	`+ }`
	`281`	`+`
`275`	`282`	`return builder`
`276`	`283`	`}`
`277`	`284`