Propagate MCP request context into checkActorPermission #18281

Merged
pelikhan merged 2 commits into main from copilot/propagate-mcp-request-context on Feb 25, 2026

Copilot AI commented Feb 25, 2026

checkActorPermission was creating its own 5-second timeout from context.Background(), ignoring the live MCP request context. This meant client disconnects and server shutdowns would not cancel the in-flight GitHub API call — it would always run to completion or timeout independently.

Changes

  • mcp_server_helpers.go: Added ctx context.Context as the first parameter to checkActorPermission; derive the 5-second timeout from the incoming context instead of context.Background()
  • mcp_tools_privileged.go: Updated both call sites (logs, audit tools) to pass the request ctx

// Before
func checkActorPermission(actor, validateActor, toolName string) error {
    ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)

// After
func checkActorPermission(ctx context.Context, actor string, validateActor bool, toolName string) error {
    ctx, cancel := context.WithTimeout(ctx, 5*time.Second)

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:


Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Propagate MCP request context into checkActorPermission</issue_title>
<issue_description>

Objective

Propagate the caller-provided context.Context into checkActorPermission instead of creating an independent context.Background()-derived context, so that MCP client disconnection and server shutdown are respected.

Context

From Sergo analysis run §22372431560 (discussion #18227).

checkActorPermission in pkg/cli/mcp_server_helpers.go creates its own 5-second timeout context from context.Background(), ignoring the live MCP request context passed by its callers. If the MCP client disconnects or the server shuts down, the parent context will be cancelled — but the GitHub API call inside checkActorPermission will continue for up to 5 seconds.

Current Code

// pkg/cli/mcp_server_helpers.go:205
func checkActorPermission(actor, validateActor, toolName string) error {
    ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
    defer cancel()
    permission, err := queryActorRole(ctx, actor, repo)
    ...
}

Callers pass a live ctx but do not thread it through:

// pkg/cli/mcp_tools_privileged.go:72
}, func(ctx context.Context, req *mcp.CallToolRequest, args logsArgs) (*mcp.CallToolResult, any, error) {
    if err := checkActorPermission(actor, validateActor, "logs"); err != nil { // ctx not passed

Approach

  1. Add ctx context.Context as the first parameter to checkActorPermission
  2. Derive the timeout context from the incoming ctx rather than context.Background():
    func checkActorPermission(ctx context.Context, actor, validateActor, toolName string) error {
        ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
        defer cancel()
        ...
    }
  3. Update all call sites in pkg/cli/mcp_tools_privileged.go to pass ctx
  4. Update any tests for checkActorPermission

Files to Modify

  • pkg/cli/mcp_server_helpers.go — update checkActorPermission signature
  • pkg/cli/mcp_tools_privileged.go — update call sites to pass ctx
  • Any test files covering these functions

Acceptance Criteria

  • checkActorPermission accepts context.Context as its first parameter
  • The 5-second timeout is derived from the incoming context (not context.Background())
  • All call sites pass the live request ctx
  • MCP client cancellation propagates into the permission check
  • Existing tests pass; add a test verifying context cancellation is respected if feasible

Generated by Plan Command for issue #discussion #18227

  • expires on Feb 27, 2026, 6:22 AM UTC

Comments on the Issue (you are @copilot in this section)


Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Propagate MCP request context into checkActorPermission" to "Propagate MCP request context into checkActorPermission" Feb 25, 2026
@pelikhan pelikhan marked this pull request as ready for review February 25, 2026 06:37
Copilot AI review requested due to automatic review settings February 25, 2026 06:37
Copilot AI left a comment

Pull request overview

This PR fixes context propagation in the MCP server's actor permission checks to respect client disconnections and server shutdowns. Previously, checkActorPermission created an independent 5-second timeout from context.Background(), causing GitHub API calls to run to completion even when the MCP request was cancelled.

Changes:

  • Added ctx context.Context parameter to checkActorPermission and derived timeouts from the incoming context
  • Updated both call sites in the logs and audit MCP tools to pass the request context

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
pkg/cli/mcp_server_helpers.go | Modified checkActorPermission to accept context parameter and derive timeout from it instead of context.Background()
pkg/cli/mcp_tools_privileged.go | Updated logs and audit tool handlers to pass request context to checkActorPermission

@pelikhan pelikhan merged commit 7411bba into main Feb 25, 2026
110 checks passed
@pelikhan pelikhan deleted the copilot/propagate-mcp-request-context branch February 25, 2026 06:45
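
The behavioural difference between the two signatures discussed in this PR, as an added example that is not code from the gh-aw repository: a permission check whose timeout hangs off context.Background() keeps running after the client disconnects, while one derived from the request context stops at once, and both return a non-nil error so the caller denies the tool call. The names slowRoleQuery, checkDetached, checkPropagated and runWithDisconnect are hypothetical, and the 5-second timeout is shortened to 400ms so the demo finishes quickly.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// permTimeout stands in for the PR's 5-second budget, shortened for the demo.
const permTimeout = 400 * time.Millisecond

// slowRoleQuery is a hypothetical stand-in for the GitHub API call; it blocks until ctx ends.
func slowRoleQuery(ctx context.Context) error {
	<-ctx.Done()
	return ctx.Err()
}

// checkDetached has the "before" shape: the request context is ignored.
func checkDetached(_ context.Context) error {
	ctx, cancel := context.WithTimeout(context.Background(), permTimeout)
	defer cancel()
	return slowRoleQuery(ctx)
}

// checkPropagated has the "after" shape: the timeout is a child of the request context.
func checkPropagated(reqCtx context.Context) error {
	ctx, cancel := context.WithTimeout(reqCtx, permTimeout)
	defer cancel()
	return slowRoleQuery(ctx)
}

// runWithDisconnect cancels the request after 20ms (a simulated client disconnect).
func runWithDisconnect(check func(context.Context) error) (time.Duration, error) {
	reqCtx, cancel := context.WithCancel(context.Background())
	defer cancel()
	time.AfterFunc(20*time.Millisecond, cancel)
	start := time.Now()
	err := check(reqCtx)
	return time.Since(start), err
}

func main() {
	for _, c := range []func(context.Context) error{checkDetached, checkPropagated} {
		took, err := runWithDisconnect(c)
		fmt.Printf("canceled=%t ranFullTimeout=%t err=%v\n", errors.Is(err, context.Canceled), took >= permTimeout, err)
	}
}
```

A regression test for the acceptance criterion "context cancellation is respected" can take the same form: cancel the parent context and assert that the check returns context.Canceled well before the timeout.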
Development

Successfully merging this pull request may close these issues.

[plan] Propagate MCP request context into checkActorPermission