Merge branch 'main' into mcp-ui-apps-advanced

Author: mattdholloway

.github/prompts/bug-report-review.prompt.yml

@@ -5,26 +5,38 @@ messages:
 
       Your job is to analyze bug reports and assess their completeness.
 
+      **CRITICAL: Detect unfilled templates**
+      - Flag issues containing unmodified template text like "A clear and concise description of what the bug is"
+      - Flag placeholder values like "Type this '...'" or "View the output '....'" that haven't been replaced
+      - Flag generic/meaningless titles (e.g., random words, test content)
+      - These are ALWAYS "Missing Details" even if the template structure is present
+
       Analyze the issue for these key elements:
-      1. Clear description of the problem
+      1. Clear description of the problem (not template text)
       2. Affected version (from running `docker run -i --rm ghcr.io/github/github-mcp-server ./github-mcp-server --version`)
-      3. Steps to reproduce the behavior
-      4. Expected vs actual behavior
+      3. Steps to reproduce the behavior (actual steps, not placeholders)
+      4. Expected vs actual behavior (real descriptions, not template text)
       5. Relevant logs (if applicable)
 
       Provide ONE of these assessments:
 
       ### AI Assessment: Ready for Review
-      Use when the bug report has most required information and can be triaged by a maintainer.
+      Use when the bug report has actual information in required fields and can be triaged by a maintainer.
 
       ### AI Assessment: Missing Details
-      Use when critical information is missing (no reproduction steps, no version info, unclear problem description).
+      Use when:
+      - Template text has not been replaced with actual content
+      - Critical information is missing (no reproduction steps, no version info, unclear problem description)
+      - The title is meaningless or spam-like
+      - Placeholder text remains in any section
+      
+      When marking as Missing Details, recommend adding the "waiting-for-reply" label.
 
       ### AI Assessment: Unsure
       Use when you cannot determine the completeness of the report.
 
       After your assessment header, provide a brief explanation of your rating.
-      If details are missing, note which specific sections need more information.
+      If details are missing, be specific about which sections contain template text or need actual information.
   - role: user
     content: "{{input}}"
 model: openai/gpt-4o-mini

.github/prompts/default-issue-review.prompt.yml

@@ -5,24 +5,47 @@ messages:
 
       Your job is to analyze new issues and help categorize them.
 
+      **CRITICAL: Detect invalid or incomplete submissions**
+      - Flag issues with unmodified template text (e.g., "A clear and concise description...")
+      - Flag placeholder values that haven't been replaced (e.g., "Type this '...'", "....", "XXX")
+      - Flag meaningless, spam-like, or test titles (e.g., random words, nonsensical content)
+      - Flag empty or nearly empty issues
+      - These are ALWAYS "Missing Details" or "Invalid" depending on severity
+
       Analyze the issue to determine:
-      1. Is this a bug report, feature request, question, or something else?
-      2. Is the issue clear and well-described?
+      1. Is this a bug report, feature request, question, documentation issue, or something else?
+      2. Is the issue clear and well-described with actual content (not template text)?
       3. Does it contain enough information for maintainers to act on?
+      4. Is this potentially spam, a test issue, or completely invalid?
 
       Provide ONE of these assessments:
 
       ### AI Assessment: Ready for Review
-      Use when the issue is clear, well-described, and contains enough context for maintainers to understand and act on it.
+      Use when the issue is clear, well-described with actual content, and contains enough context for maintainers to understand and act on it.
 
       ### AI Assessment: Missing Details
-      Use when the issue is unclear, lacks context, or needs more information to be actionable.
+      Use when:
+      - Template text has not been replaced with actual content
+      - The issue is unclear or lacks context
+      - Critical information is missing to make it actionable
+      - The title is vague but the issue seems legitimate
+      
+      When marking as Missing Details, recommend adding the "waiting-for-reply" label.
+
+      ### AI Assessment: Invalid
+      Use when:
+      - The issue appears to be spam or test content
+      - The title is completely meaningless and body has no useful information
+      - This doesn't relate to the GitHub MCP Server project at all
+      
+      When marking as Invalid, recommend adding the "invalid" label and consider closing.
 
       ### AI Assessment: Unsure
       Use when you cannot determine the nature or completeness of the issue.
 
       After your assessment header, provide a brief explanation including:
-      - What type of issue this appears to be (bug, feature request, question, etc.)
+      - What type of issue this appears to be (bug, feature request, question, invalid, etc.)
+      - Which specific sections contain template text or need actual information
       - What additional information might be helpful if any
   - role: user
     content: "{{input}}"

Dockerfile

@@ -1,4 +1,4 @@
-FROM node:20-alpine AS ui-build
+FROM node:20-alpine@sha256:09e2b3d9726018aecf269bd35325f46bf75046a643a66d28360ec71132750ec8 AS ui-build
 WORKDIR /app
 COPY ui/package*.json ./ui/
 RUN cd ui && npm ci
@@ -7,7 +7,7 @@ COPY ui/ ./ui/
 RUN mkdir -p ./pkg/github/ui_dist && \
     cd ui && npm run build
 
-FROM golang:1.25.7-alpine AS build
+FROM golang:1.25.7-alpine@sha256:f6751d823c26342f9506c03797d2527668d095b0a15f1862cddb4d927a7a4ced AS build
 ARG VERSION="dev"
 
 # Set the working directory
@@ -30,7 +30,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
     -o /bin/github-mcp-server ./cmd/github-mcp-server
 
 # Make a stage to run the app
-FROM gcr.io/distroless/base-debian12
+FROM gcr.io/distroless/base-debian12@sha256:937c7eaaf6f3f2d38a1f8c4aeff326f0c56e4593ea152e9e8f74d976dde52f56
 
 # Add required MCP server annotation
 LABEL io.modelcontextprotocol.server.name="io.github.github/github-mcp-server"

README.md

@@ -983,9 +983,10 @@ The following sets of tools are available:
   - `fields`: Specific list of field IDs to include in the response when getting a project item (e.g. ["102589", "985201", "169875"]). If not provided, only the title field is included. Only used for 'get_project_item' method. (string[], optional)
   - `item_id`: The item's ID. Required for 'get_project_item' method. (number, optional)
   - `method`: The method to execute (string, required)
-  - `owner`: The owner (user or organization login). The name is not case sensitive. (string, required)
+  - `owner`: The owner (user or organization login). The name is not case sensitive. (string, optional)
   - `owner_type`: Owner type (user or org). If not provided, will be automatically detected. (string, optional)
-  - `project_number`: The project's number. (number, required)
+  - `project_number`: The project's number. (number, optional)
+  - `status_update_id`: The node ID of the project status update. Required for 'get_project_status_update' method. (string, optional)
 
 - **projects_list** - List GitHub Projects resources
   - **Required OAuth Scopes**: `read:project`
@@ -997,11 +998,12 @@ The following sets of tools are available:
   - `owner`: The owner (user or organization login). The name is not case sensitive. (string, required)
   - `owner_type`: Owner type (user or org). If not provided, will automatically try both. (string, optional)
   - `per_page`: Results per page (max 50) (number, optional)
-  - `project_number`: The project's number. Required for 'list_project_fields' and 'list_project_items' methods. (number, optional)
+  - `project_number`: The project's number. Required for 'list_project_fields', 'list_project_items', and 'list_project_status_updates' methods. (number, optional)
   - `query`: Filter/query string. For list_projects: filter by title text and state (e.g. "roadmap is:open"). For list_project_items: advanced filtering using GitHub's project filtering syntax. (string, optional)
 
 - **projects_write** - Modify GitHub Project items
   - **Required OAuth Scopes**: `project`
+  - `body`: The body of the status update (markdown). Used for 'create_project_status_update' method. (string, optional)
   - `issue_number`: The issue number (use when item_type is 'issue' for 'add_project_item' method). Provide either issue_number or pull_request_number. (number, optional)
   - `item_id`: The project item ID. Required for 'update_project_item' and 'delete_project_item' methods. (number, optional)
   - `item_owner`: The owner (user or organization) of the repository containing the issue or pull request. Required for 'add_project_item' method. (string, optional)
@@ -1012,6 +1014,9 @@ The following sets of tools are available:
   - `owner_type`: Owner type (user or org). If not provided, will be automatically detected. (string, optional)
   - `project_number`: The project's number. (number, required)
   - `pull_request_number`: The pull request number (use when item_type is 'pull_request' for 'add_project_item' method). Provide either issue_number or pull_request_number. (number, optional)
+  - `start_date`: The start date of the status update in YYYY-MM-DD format. Used for 'create_project_status_update' method. (string, optional)
+  - `status`: The status of the project. Used for 'create_project_status_update' method. (string, optional)
+  - `target_date`: The target date of the status update in YYYY-MM-DD format. Used for 'create_project_status_update' method. (string, optional)
   - `updated_field`: Object consisting of the ID of the project field to update and the new value for the field. To clear the field, set value to null. Example: {"id": 123456, "value": "New Value"}. Required for 'update_project_item' method. (object, optional)
 
 </details>

cmd/github-mcp-server/main.go

@@ -61,6 +61,14 @@ var (
 				}
 			}
 
+			// Parse excluded tools (similar to tools)
+			var excludeTools []string
+			if viper.IsSet("exclude_tools") {
+				if err := viper.UnmarshalKey("exclude_tools", &excludeTools); err != nil {
+					return fmt.Errorf("failed to unmarshal exclude-tools: %w", err)
+				}
+			}
+
 			// Parse enabled features (similar to toolsets)
 			var enabledFeatures []string
 			if viper.IsSet("features") {
@@ -85,6 +93,7 @@ var (
 				ContentWindowSize:    viper.GetInt("content-window-size"),
 				LockdownMode:         viper.GetBool("lockdown-mode"),
 				InsidersMode:         viper.GetBool("insiders"),
+				ExcludeTools:         excludeTools,
 				RepoAccessCacheTTL:   &ttl,
 			}
 			return ghmcp.RunStdioServer(stdioServerConfig)
@@ -126,6 +135,7 @@ func init() {
 	// Add global flags that will be shared by all commands
 	rootCmd.PersistentFlags().StringSlice("toolsets", nil, github.GenerateToolsetsHelp())
 	rootCmd.PersistentFlags().StringSlice("tools", nil, "Comma-separated list of specific tools to enable")
+	rootCmd.PersistentFlags().StringSlice("exclude-tools", nil, "Comma-separated list of tool names to disable regardless of other settings")
 	rootCmd.PersistentFlags().StringSlice("features", nil, "Comma-separated list of feature flags to enable")
 	rootCmd.PersistentFlags().Bool("dynamic-toolsets", false, "Enable dynamic toolsets")
 	rootCmd.PersistentFlags().Bool("read-only", false, "Restrict the server to read-only operations")
@@ -147,6 +157,7 @@ func init() {
 	// Bind flag to viper
 	_ = viper.BindPFlag("toolsets", rootCmd.PersistentFlags().Lookup("toolsets"))
 	_ = viper.BindPFlag("tools", rootCmd.PersistentFlags().Lookup("tools"))
+	_ = viper.BindPFlag("exclude_tools", rootCmd.PersistentFlags().Lookup("exclude-tools"))
 	_ = viper.BindPFlag("features", rootCmd.PersistentFlags().Lookup("features"))
 	_ = viper.BindPFlag("dynamic_toolsets", rootCmd.PersistentFlags().Lookup("dynamic-toolsets"))
 	_ = viper.BindPFlag("read-only", rootCmd.PersistentFlags().Lookup("read-only"))

docs/server-configuration.md

@@ -9,6 +9,7 @@ We currently support the following ways in which the GitHub MCP Server can be co
 |---------------|---------------|--------------|
 | Toolsets | `X-MCP-Toolsets` header or `/x/{toolset}` URL | `--toolsets` flag or `GITHUB_TOOLSETS` env var |
 | Individual Tools | `X-MCP-Tools` header | `--tools` flag or `GITHUB_TOOLS` env var |
+| Exclude Tools | `X-MCP-Exclude-Tools` header | `--exclude-tools` flag or `GITHUB_EXCLUDE_TOOLS` env var |
 | Read-Only Mode | `X-MCP-Readonly` header or `/readonly` URL | `--read-only` flag or `GITHUB_READ_ONLY` env var |
 | Dynamic Mode | Not available | `--dynamic-toolsets` flag or `GITHUB_DYNAMIC_TOOLSETS` env var |
 | Lockdown Mode | `X-MCP-Lockdown` header | `--lockdown-mode` flag or `GITHUB_LOCKDOWN_MODE` env var |
@@ -20,10 +21,12 @@ We currently support the following ways in which the GitHub MCP Server can be co
 
 ## How Configuration Works
 
-All configuration options are **composable**: you can combine toolsets, individual tools, dynamic discovery, read-only mode and lockdown mode in any way that suits your workflow.
+All configuration options are **composable**: you can combine toolsets, individual tools, excluded tools, dynamic discovery, read-only mode and lockdown mode in any way that suits your workflow.
 
 Note: **read-only** mode acts as a strict security filter that takes precedence over any other configuration, by disabling write tools even when explicitly requested.
 
+Note: **excluded tools** takes precedence over toolsets and individual tools — listed tools are always excluded, even if their toolset is enabled or they are explicitly added via `--tools` / `X-MCP-Tools`.
+
 ---
 
 ## Configuration Examples
@@ -170,6 +173,56 @@ Enable entire toolsets, then add individual tools from toolsets you don't want f
 
 ---
 
+### Excluding Specific Tools
+
+**Best for:** Users who want to enable a broad toolset but need to exclude specific tools for security, compliance, or to prevent undesired behavior.
+
+Listed tools are removed regardless of any other configuration — even if their toolset is enabled or they are individually added.
+
+<table>
+<tr><th>Remote Server</th><th>Local Server</th></tr>
+<tr valign="top">
+<td>
+
+```json
+{
+  "type": "http",
+  "url": "https://api.githubcopilot.com/mcp/",
+  "headers": {
+    "X-MCP-Toolsets": "pull_requests",
+    "X-MCP-Exclude-Tools": "create_pull_request,merge_pull_request"
+  }
+}
+```
+
+</td>
+<td>
+
+```json
+{
+  "type": "stdio",
+  "command": "go",
+  "args": [
+    "run",
+    "./cmd/github-mcp-server",
+    "stdio",
+    "--toolsets=pull_requests",
+    "--exclude-tools=create_pull_request,merge_pull_request"
+  ],
+  "env": {
+    "GITHUB_PERSONAL_ACCESS_TOKEN": "${input:github_token}"
+  }
+}
+```
+
+</td>
+</tr>
+</table>
+
+**Result:** All pull request tools except `create_pull_request` and `merge_pull_request` — the user gets read and review tools only.
+
+---
+
 ### Read-Only Mode
 
 **Best for:** Security conscious users who want to ensure the server won't allow operations that modify issues, pull requests, repositories etc.

internal/ghmcp/server.go

@@ -135,6 +135,7 @@ func NewStdioMCPServer(ctx context.Context, cfg github.MCPServerConfig) (*mcp.Se
 		WithReadOnly(cfg.ReadOnly).
 		WithToolsets(github.ResolvedEnabledToolsets(cfg.DynamicToolsets, cfg.EnabledToolsets, cfg.EnabledTools)).
 		WithTools(github.CleanTools(cfg.EnabledTools)).
+		WithExcludeTools(cfg.ExcludeTools).
 		WithServerInstructions().
 		WithFeatureChecker(featureChecker).
 		WithInsidersMode(cfg.InsidersMode)
@@ -214,6 +215,11 @@ type StdioServerConfig struct {
 	// InsidersMode indicates if we should enable experimental features
 	InsidersMode bool
 
+	// ExcludeTools is a list of tool names to disable regardless of other settings.
+	// These tools will be excluded even if their toolset is enabled or they are
+	// explicitly listed in EnabledTools.
+	ExcludeTools []string
+
 	// RepoAccessCacheTTL overrides the default TTL for repository access cache entries.
 	RepoAccessCacheTTL *time.Duration
 }
@@ -271,6 +277,7 @@ func RunStdioServer(cfg StdioServerConfig) error {
 		ContentWindowSize: cfg.ContentWindowSize,
 		LockdownMode:      cfg.LockdownMode,
 		InsidersMode:      cfg.InsidersMode,
+		ExcludeTools:      cfg.ExcludeTools,
 		Logger:            logger,
 		RepoAccessTTL:     cfg.RepoAccessCacheTTL,
 		TokenScopes:       tokenScopes,

pkg/buffer/buffer.go

@@ -32,6 +32,9 @@ const maxLineSize = 10 * 1024 * 1024
 // If the response contains more lines than maxJobLogLines, only the most recent lines are kept.
 // Lines exceeding maxLineSize are truncated with a marker.
 func ProcessResponseAsRingBufferToEnd(httpResp *http.Response, maxJobLogLines int) (string, int, *http.Response, error) {
+	if maxJobLogLines <= 0 {
+		maxJobLogLines = 500
+	}
 	if maxJobLogLines > 100000 {
 		maxJobLogLines = 100000
 	}

pkg/context/request.go

@@ -82,6 +82,22 @@ func IsInsidersMode(ctx context.Context) bool {
 	return false
 }
 
+// excludeToolsCtxKey is a context key for excluded tools
+type excludeToolsCtxKey struct{}
+
+// WithExcludeTools adds the excluded tools to the context
+func WithExcludeTools(ctx context.Context, tools []string) context.Context {
+	return context.WithValue(ctx, excludeToolsCtxKey{}, tools)
+}
+
+// GetExcludeTools retrieves the excluded tools from the context
+func GetExcludeTools(ctx context.Context) []string {
+	if tools, ok := ctx.Value(excludeToolsCtxKey{}).([]string); ok {
+		return tools
+	}
+	return nil
+}
+
 // headerFeaturesCtxKey is a context key for raw header feature flags
 type headerFeaturesCtxKey struct{}
 

pkg/github/__toolsnaps__/projects_get.snap

@@ -26,7 +26,8 @@
         "enum": [
           "get_project",
           "get_project_field",
-          "get_project_item"
+          "get_project_item",
+          "get_project_status_update"
         ],
         "type": "string"
       },
@@ -45,12 +46,14 @@
       "project_number": {
         "description": "The project's number.",
         "type": "number"
+      },
+      "status_update_id": {
+        "description": "The node ID of the project status update. Required for 'get_project_status_update' method.",
+        "type": "string"
       }
     },
     "required": [
-      "method",
-      "owner",
-      "project_number"
+      "method"
     ],
     "type": "object"
   },