FilesExpand file tree

 main

/

scope_filter.go

Copy path

BlameMore file actions

BlameMore file actions

Latest commit

 

History

History

History

64 lines (59 loc) · 2.29 KB

 main

/

scope_filter.go

Top

File metadata and controls

• Code
• Blame

64 lines (59 loc) · 2.29 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

package github

import (

"context"

"github.com/github/github-mcp-server/pkg/inventory"

"github.com/github/github-mcp-server/pkg/scopes"

)

// repoScopesSet contains scopes that grant access to repository content.

// Tools requiring only these scopes work on public repos without any token scope,

// so we don't filter them out even if the token lacks repo/public_repo.

var repoScopesSet = map[string]bool{

string(scopes.Repo): true,

string(scopes.PublicRepo): true,

}

// onlyRequiresRepoScopes returns true if all of the tool's accepted scopes

// are repo-related scopes (repo, public_repo). Such tools work on public

// repositories without needing any scope.

func onlyRequiresRepoScopes(acceptedScopes []string) bool {

if len(acceptedScopes) == 0 {

return false

}

for _, scope := range acceptedScopes {

if !repoScopesSet[scope] {

return false

}

}

return true

}

// CreateToolScopeFilter creates an inventory.ToolFilter that filters tools

// based on the token's OAuth scopes.

//

// For PATs (Personal Access Tokens), we cannot issue OAuth scope challenges

// like we can with OAuth apps. Instead, we hide tools that require scopes

// the token doesn't have.

//

// This is the recommended way to filter tools for stdio servers where the

// token is known at startup and won't change during the session.

//

// The filter returns true (include tool) if:

// - The tool has no scope requirements (AcceptedScopes is empty)

// - The tool is read-only and only requires repo/public_repo scopes (works on public repos)

// - The token has at least one of the tool's accepted scopes

//

// Example usage:

//

// tokenScopes, err := scopes.FetchTokenScopes(ctx, token)

// if err != nil {

// // Handle error - maybe skip filtering

// }

// filter := github.CreateToolScopeFilter(tokenScopes)

// inventory := github.NewInventory(t).WithFilter(filter).Build()

func CreateToolScopeFilter(tokenScopes []string) inventory.ToolFilter {

return func(_ context.Context, tool *inventory.ServerTool) (bool, error) {

// Read-only tools requiring only repo/public_repo work on public repos without any scope

if tool.Tool.Annotations != nil && tool.Tool.Annotations.ReadOnlyHint && onlyRequiresRepoScopes(tool.AcceptedScopes) {

return true, nil

}

return scopes.HasRequiredScopes(tokenScopes, tool.AcceptedScopes), nil

}

}