fix: correct ifc private labels

Author: RossTarrant

pkg/github/issues_test.go

@@ -355,7 +355,7 @@ func Test_IssueRead_IFC_InsidersMode(t *testing.T) {
 		assert.Equal(t, "public", ifcMap["confidentiality"])
 	})
 
-	t.Run("insiders mode enabled on private repo with get_comments emits private untrusted", func(t *testing.T) {
+	t.Run("insiders mode enabled on private repo with get_comments emits private trusted", func(t *testing.T) {
 		deps := BaseDeps{
 			Client:         mustNewGHClient(t, makeMockClient(true, 0)),
 			featureChecker: featureCheckerFor(FeatureFlagIFCLabels),
@@ -369,7 +369,7 @@ func Test_IssueRead_IFC_InsidersMode(t *testing.T) {
 
 		require.NotNil(t, result.Meta)
 		ifcMap := unmarshalIFC(t, result.Meta["ifc"])
-		assert.Equal(t, "untrusted", ifcMap["integrity"])
+		assert.Equal(t, "trusted", ifcMap["integrity"])
 		assert.Equal(t, "private", ifcMap["confidentiality"])
 	})
 
@@ -1106,7 +1106,7 @@ func Test_SearchIssues_IFC_InsidersMode(t *testing.T) {
 		assert.Equal(t, "public", ifcMap["confidentiality"])
 	})
 
-	t.Run("insiders mode mixed public and private emits private untrusted", func(t *testing.T) {
+	t.Run("insiders mode mixed public and private emits private trusted", func(t *testing.T) {
 		searchResult := &github.IssuesSearchResult{Issues: []*github.Issue{
 			makeIssue("octocat", "private-repo", 1),
 			makeIssue("octocat", "public-repo", 2),
@@ -1127,7 +1127,7 @@ func Test_SearchIssues_IFC_InsidersMode(t *testing.T) {
 
 		require.NotNil(t, result.Meta)
 		ifcMap := unmarshalIFC(t, result.Meta["ifc"])
-		assert.Equal(t, "untrusted", ifcMap["integrity"])
+		assert.Equal(t, "trusted", ifcMap["integrity"])
 		assert.Equal(t, "private", ifcMap["confidentiality"])
 	})
 
@@ -2719,7 +2719,7 @@ func Test_ListIssues_IFC_InsidersMode(t *testing.T) {
 		assert.Equal(t, "public", ifcMap["confidentiality"])
 	})
 
-	t.Run("insiders mode enabled on private repo emits private untrusted label", func(t *testing.T) {
+	t.Run("insiders mode enabled on private repo emits private trusted label", func(t *testing.T) {
 		matcher := githubv4mock.NewQueryMatcher(query, vars, makeResponse(true))
 		gqlClient := githubv4.NewClient(githubv4mock.NewMockedHTTPClient(matcher))
 		deps := BaseDeps{
@@ -2742,7 +2742,7 @@ func Test_ListIssues_IFC_InsidersMode(t *testing.T) {
 		var ifcMap map[string]any
 		require.NoError(t, json.Unmarshal(ifcJSON, &ifcMap))
 
-		assert.Equal(t, "untrusted", ifcMap["integrity"])
+		assert.Equal(t, "trusted", ifcMap["integrity"])
 		assert.Equal(t, "private", ifcMap["confidentiality"])
 	})
 }

pkg/github/repositories.go

@@ -2121,9 +2121,9 @@ func ListStarredRepositories(t translations.TranslationHelperFunc) inventory.Ser
 			result := utils.NewToolResultText(string(r))
 			// A starred-repository listing exposes repository data across many
 			// repos; reuse the multi-repo join shared with search_repositories
-			// (untrusted integrity; confidentiality private if any matched repo
-			// is private). Visibility is read directly from the response, so no
-			// extra API call is needed.
+			// (public-only results stay public-untrusted; any private repo makes
+			// the joined result private-trusted). Visibility is read directly
+			// from the response, so no extra API call is needed.
 			visibilities := make([]bool, 0, len(minimalRepos))
 			for _, mr := range minimalRepos {
 				visibilities = append(visibilities, mr.Private)

pkg/github/search.go

@@ -173,8 +173,8 @@ func SearchRepositories(t translations.TranslationHelperFunc) inventory.ServerTo
 // every matched repository and attaches the result to callResult when IFC
 // labels are enabled. Visibility is read directly from the search response —
 // no extra API call. The join math is shared with search_issues via
-// ifc.LabelSearchIssues: integrity is always untrusted; confidentiality is
-// private if any matched repository is private, otherwise public. The
+// ifc.LabelSearchIssues: public-only results stay public-untrusted, while any
+// private matched repository makes the joined result private-trusted. The
 // feature-flag check is centralized here (mirroring the attach* helpers in
 // ifc_labels.go) so the handler can call this unconditionally.
 func attachSearchRepositoriesIFCLabel(ctx context.Context, deps ToolDependencies, repos []*github.Repository, callResult *mcp.CallToolResult) {
@@ -302,9 +302,9 @@ func SearchCode(t translations.TranslationHelperFunc) inventory.ServerTool {
 			}
 
 			callResult := utils.NewToolResultText(string(r))
-			// Code search spans repositories and exposes file contents
-			// (untrusted). Confidentiality is the IFC join across every matched
-			// repository's visibility, read directly from the search response.
+			// Code search spans repositories; the IFC label is the join across
+			// every matched repository's visibility, read directly from the
+			// search response.
 			visibilities := make([]bool, 0, len(result.CodeResults))
 			for _, code := range result.CodeResults {
 				if code.Repository != nil {
@@ -593,9 +593,9 @@ func SearchCommits(t translations.TranslationHelperFunc) inventory.ServerTool {
 			}
 
 			callResult := utils.NewToolResultText(string(r))
-			// Commit search spans repositories and exposes commit content
-			// (untrusted). Confidentiality is the IFC join across every matched
-			// repository's visibility, read directly from the search response.
+			// Commit search spans repositories; the IFC label is the join across
+			// every matched repository's visibility, read directly from the
+			// search response.
 			visibilities := make([]bool, 0, len(result.Commits))
 			for _, commit := range result.Commits {
 				if commit.Repository != nil {

pkg/github/search_test.go

@@ -238,7 +238,7 @@ func Test_SearchRepositories_IFC_InsidersMode(t *testing.T) {
 		assert.Equal(t, "public", ifcMap["confidentiality"])
 	})
 
-	t.Run("insiders mode any private match emits private untrusted", func(t *testing.T) {
+	t.Run("insiders mode any private match emits private trusted", func(t *testing.T) {
 		deps := BaseDeps{
 			Client: mustNewGHClient(t, makeMockClient([]repoFixture{
 				{owner: "octocat", name: "private-repo", isPrivate: true},
@@ -255,7 +255,7 @@ func Test_SearchRepositories_IFC_InsidersMode(t *testing.T) {
 
 		require.NotNil(t, result.Meta)
 		ifcMap := unmarshalIFC(t, result.Meta["ifc"])
-		assert.Equal(t, "untrusted", ifcMap["integrity"])
+		assert.Equal(t, "trusted", ifcMap["integrity"])
 		assert.Equal(t, "private", ifcMap["confidentiality"])
 	})
 

pkg/ifc/ifc.go

@@ -76,10 +76,11 @@ func LabelGetMe() SecurityLabel {
 // LabelListIssues returns the IFC label for a list_issues result.
 // Public repositories are universally readable; private repositories are
 // restricted to their collaborators (resolved client-side from the marker).
-// Issue contents are attacker-controllable, so integrity is always untrusted.
+// Public repository issue contents are attacker-controllable, while private
+// repository issues are treated as trusted collaborator-authored data.
 func LabelListIssues(isPrivate bool) SecurityLabel {
 	if isPrivate {
-		return PrivateUntrusted()
+		return PrivateTrusted()
 	}
 	return PublicUntrusted()
 }
@@ -99,12 +100,11 @@ func LabelGetFileContents(isPrivate bool) SecurityLabel {
 // result, joining per-repository labels across all matched repositories.
 // Used by both search_issues and search_repositories.
 //
-// Integrity is always untrusted because results expose user-authored content.
-//
-// Confidentiality follows the IFC meet (greatest lower bound): if any matched
-// repository is private the joined label is private; otherwise public. The
-// reader set is opaque (the "private" marker); the client engine resolves
-// concrete readers on demand at egress decision time.
+// Public-only results are untrusted and public. If any matched repository is
+// private, the joined label is trusted and private because private repository
+// content is treated as trusted collaborator-authored data. The reader set is
+// opaque (the "private" marker); the client engine resolves concrete readers
+// on demand at egress decision time.
 //
 // An empty result set is treated as public-untrusted (no repository data is
 // leaked).
@@ -121,7 +121,7 @@ func LabelGetFileContents(isPrivate bool) SecurityLabel {
 func LabelSearchIssues(repoVisibilities []bool) SecurityLabel {
 	for _, isPrivate := range repoVisibilities {
 		if isPrivate {
-			return PrivateUntrusted()
+			return PrivateTrusted()
 		}
 	}
 	return PublicUntrusted()

pkg/ifc/ifc_test.go

@@ -6,36 +6,60 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+func TestLabelListIssues(t *testing.T) {
+	t.Parallel()
+
+	t.Run("public repo issues are untrusted and public", func(t *testing.T) {
+		t.Parallel()
+		label := LabelListIssues(false)
+		assert.Equal(t, IntegrityUntrusted, label.Integrity)
+		assert.Equal(t, ConfidentialityPublic, label.Confidentiality)
+	})
+
+	t.Run("private repo issues are trusted and private", func(t *testing.T) {
+		t.Parallel()
+		label := LabelListIssues(true)
+		assert.Equal(t, IntegrityTrusted, label.Integrity)
+		assert.Equal(t, ConfidentialityPrivate, label.Confidentiality)
+	})
+}
+
 func TestLabelSearchIssues(t *testing.T) {
 	t.Parallel()
 
 	tests := []struct {
 		name             string
 		visibilities     []bool
+		wantIntegrity    Integrity
 		wantConfidential Confidentiality
 	}{
 		{
 			name:             "empty result is treated as public",
+			wantIntegrity:    IntegrityUntrusted,
 			wantConfidential: ConfidentialityPublic,
 		},
 		{
 			name:             "single public repo",
 			visibilities:     []bool{false},
+			wantIntegrity:    IntegrityUntrusted,
 			wantConfidential: ConfidentialityPublic,
 		},
 		{
 			name:             "all public repos stay public",
 			visibilities:     []bool{false, false, false},
+			wantIntegrity:    IntegrityUntrusted,
 			wantConfidential: ConfidentialityPublic,
 		},
 		{
-			name:             "any private match flips to private",
+			name:             "any private match flips to trusted private",
 			visibilities:     []bool{false, true, false},
+			wantIntegrity:    IntegrityTrusted,
 			wantConfidential: ConfidentialityPrivate,
 		},
 		{
-			name:             "all private repos stay private",
+			name:             "all private repos stay trusted private",
 			visibilities:     []bool{true, true},
+			wantIntegrity:    IntegrityTrusted,
 			wantConfidential: ConfidentialityPrivate,
 		},
 	}
@@ -44,7 +68,7 @@ func TestLabelSearchIssues(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 			label := LabelSearchIssues(tc.visibilities)
-			assert.Equal(t, IntegrityUntrusted, label.Integrity)
+			assert.Equal(t, tc.wantIntegrity, label.Integrity)
 			assert.Equal(t, tc.wantConfidential, label.Confidentiality)
 		})
 	}