Skip to content

feat(formal-spec): add PRECOND_BlockedUsersRequireMinIntegrity to access-control formal model#45103

Closed
pelikhan with Copilot wants to merge 2 commits into
mainfrom
copilot/github-mcp-access-control-compliance
Closed

feat(formal-spec): add PRECOND_BlockedUsersRequireMinIntegrity to access-control formal model#45103
pelikhan with Copilot wants to merge 2 commits into
mainfrom
copilot/github-mcp-access-control-compliance

Conversation

Copilot AI commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

The behavioral coverage map in specs/github-mcp-access-control-compliance/README.md was missing the PRECOND_BlockedUsersRequireMinIntegrity predicate — the validation rule that blocked-users requires min-integrity to be set — leaving the 15-predicate table from the issue incomplete and the precondition untested in the formal suite.

Changes

  • pkg/workflow/github_mcp_access_control_formal_test.go

    • Added formalValidateConfig — in-test mini-validator mirroring the compile-time precondition for formalToolConfig, consistent with the existing formalEvaluateAccess pattern
    • Added TestFormal_BlockedUsersRequireMinIntegrity covering three cases: missing min-integrity errors, valid config with both fields set, and empty blocked-users (guard inactive, no error)
  • specs/github-mcp-access-control-compliance/README.md

    • Added PRECOND_BlockedUsersRequireMinIntegrity row to the behavioral coverage map, completing the full 15-predicate table
func formalValidateConfig(cfg formalToolConfig) error {
    if len(cfg.BlockedUsers) > 0 && cfg.MinIntegrity == "" {
        return errors.New("invalid guard policy: blocked-users requires min-integrity to be set")
    }
    return nil
}

…rage

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Add formal model and test suite for access control compliance feat(formal-spec): add PRECOND_BlockedUsersRequireMinIntegrity to access-control formal model Jul 12, 2026
Copilot AI requested a review from pelikhan July 12, 2026 16:02
@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category test
Risk low
Priority Score 45/100
Score Breakdown impact: 20, urgency: 10, quality: 15
Action batch_review

Adds PRECOND_BlockedUsersRequireMinIntegrity formal test + spec README. 2 files, +37/-0. Draft, CI unknown. Additive test/docs. Candidate for batch review with other formal-spec test PRs.

Generated by 🔧 PR Triage Agent · 142.9 AIC · ⌖ 7.2 AIC · ⊞ 5.6K ·

@pelikhan pelikhan marked this pull request as ready for review July 13, 2026 06:46
Copilot AI review requested due to automatic review settings July 13, 2026 06:46
@pelikhan pelikhan closed this Jul 13, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds formal-model coverage for the blocked-users/min-integrity precondition.

Changes:

  • Adds a formal validator and three validation scenarios.
  • Adds the predicate to the compliance coverage map.
  • Requires reconciliation with the linked normative specification.
Show a summary per file
File Description
pkg/workflow/github_mcp_access_control_formal_test.go Adds precondition modeling and tests.
specs/github-mcp-access-control-compliance/README.md Documents the new predicate coverage.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1
  • Review effort level: Medium

| `INV2_ErrorCode` | `TestFormal_ErrorCodeFirstFailingGuard` | Deny error code matches first failing guard; table covers each guard as first failure |
| `SAFETY_BlockedUserAlwaysDenied` | `TestFormal_BlockedUserSafetyProperty` | Safety: blocked user always produces `-32005` when all earlier guards pass |
| `SAFETY_NoSpuriousAllow` | `TestFormal_NoSpuriousAllowInvariant` | Safety: no allow decision when any guard fails |
| `PRECOND_BlockedUsersRequireMinIntegrity` | `TestFormal_BlockedUsersRequireMinIntegrity` | Validation error when blocked-users set without min-integrity |
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[formal-spec] github-mcp-access-control-compliance/README.md — Formal model & test suite — 2026-07-12

3 participants