Expand FGP annotations to repos, context, projects, issue-fields

Annotate the remaining clearly-mappable tools with RequiredPermissions and
regenerate the permissions docs table from the tool definitions:

- repos: create_repository, fork_repository (administration:write);
  list_repository_collaborators (administration:read)
- context: get_teams, get_team_members (members:read)
- projects: projects_get/list (organization_projects:read),
  projects_write (organization_projects:write)
- issues: list_issue_fields (issues:read)

list_issue_types stays ungated (org-level issue-type config has no clean
repo/org catalog permission). Docs table grows 50->58 rows and is idempotent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: SamMorrowDrums

docs/permissions-filtering.md

@@ -57,6 +57,8 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `actions` | `get_job_logs` | `actions:read` |
 | `code_security` | `get_code_scanning_alert` | `security_events:read` |
 | `code_security` | `list_code_scanning_alerts` | `security_events:read` |
+| `context` | `get_team_members` | `members:read` |
+| `context` | `get_teams` | `members:read` |
 | `dependabot` | `get_dependabot_alert` | `vulnerability_alerts:read` |
 | `dependabot` | `list_dependabot_alerts` | `vulnerability_alerts:read` |
 | `discussions` | `discussion_comment_write` | `discussions:write` |
@@ -74,6 +76,9 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `labels` | `get_label` | `issues:read` |
 | `labels` | `label_write` | `issues:write` |
 | `labels` | `list_label` | `issues:read` |
+| `projects` | `projects_get` | `organization_projects:read` |
+| `projects` | `projects_list` | `organization_projects:read` |
+| `projects` | `projects_write` | `organization_projects:write` |
 | `pull_requests` | `add_comment_to_pending_review` | `pull_requests:write` |
 | `pull_requests` | `add_reply_to_pull_request_comment` | `pull_requests:write` |
 | `pull_requests` | `create_pull_request` | `pull_requests:write` |
@@ -85,7 +90,9 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `pull_requests` | `update_pull_request` | `pull_requests:write` |
 | `repos` | `create_branch` | `contents:write` |
 | `repos` | `create_or_update_file` | `contents:write` |
+| `repos` | `create_repository` | `administration:write` |
 | `repos` | `delete_file` | `contents:write` |
+| `repos` | `fork_repository` | `administration:write` |
 | `repos` | `get_commit` | `contents:read` |
 | `repos` | `get_file_contents` | `contents:read` |
 | `repos` | `get_latest_release` | `contents:read` |
@@ -94,6 +101,7 @@ The generated table below is produced by `script/generate-docs` and lists every
 | `repos` | `list_branches` | `contents:read` |
 | `repos` | `list_commits` | `contents:read` |
 | `repos` | `list_releases` | `contents:read` |
+| `repos` | `list_repository_collaborators` | `administration:read` |
 | `repos` | `list_tags` | `contents:read` |
 | `repos` | `push_files` | `contents:write` |
 | `secret_protection` | `get_secret_scanning_alert` | `secret_scanning_alerts:read` |

pkg/github/context_tools.go

@@ -8,6 +8,7 @@ import (
 	ghErrors "github.com/github/github-mcp-server/pkg/errors"
 	"github.com/github/github-mcp-server/pkg/ifc"
 	"github.com/github/github-mcp-server/pkg/inventory"
+	"github.com/github/github-mcp-server/pkg/permissions"
 	"github.com/github/github-mcp-server/pkg/scopes"
 	"github.com/github/github-mcp-server/pkg/translations"
 	"github.com/github/github-mcp-server/pkg/utils"
@@ -223,7 +224,7 @@ func GetTeams(t translations.TranslationHelperFunc) inventory.ServerTool {
 			result = attachStaticIFCLabel(ctx, deps, result, ifc.LabelTeam())
 			return result, nil, nil
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.Members.Read()))
 }
 
 func GetTeamMembers(t translations.TranslationHelperFunc) inventory.ServerTool {
@@ -299,5 +300,5 @@ func GetTeamMembers(t translations.TranslationHelperFunc) inventory.ServerTool {
 			result = attachStaticIFCLabel(ctx, deps, result, ifc.LabelTeam())
 			return result, nil, nil
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.Members.Read()))
 }

pkg/github/issue_fields.go

@@ -10,6 +10,7 @@ import (
 	ghErrors "github.com/github/github-mcp-server/pkg/errors"
 	"github.com/github/github-mcp-server/pkg/ifc"
 	"github.com/github/github-mcp-server/pkg/inventory"
+	"github.com/github/github-mcp-server/pkg/permissions"
 	"github.com/github/github-mcp-server/pkg/scopes"
 	"github.com/github/github-mcp-server/pkg/translations"
 	"github.com/github/github-mcp-server/pkg/utils"
@@ -169,7 +170,7 @@ func ListIssueFields(t translations.TranslationHelperFunc) inventory.ServerTool
 			return result, nil, nil
 		})
 	st.FeatureFlagEnable = FeatureFlagIssueFields
-	return st
+	return st.WithPermissions(permissions.Require(permissions.Issues.Read()))
 }
 
 // fetchIssueFields returns the issue field definitions for the given owner.

pkg/github/projects.go

@@ -12,6 +12,7 @@ import (
 	ghErrors "github.com/github/github-mcp-server/pkg/errors"
 	"github.com/github/github-mcp-server/pkg/ifc"
 	"github.com/github/github-mcp-server/pkg/inventory"
+	"github.com/github/github-mcp-server/pkg/permissions"
 	"github.com/github/github-mcp-server/pkg/scopes"
 	"github.com/github/github-mcp-server/pkg/translations"
 	"github.com/github/github-mcp-server/pkg/utils"
@@ -273,7 +274,7 @@ Use this tool to list projects for a user or organization, or list project field
 				}
 			}
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.OrganizationProjects.Read()))
 	return tool
 }
 
@@ -422,7 +423,7 @@ Use this tool to get details about individual projects, project fields, and proj
 				return utils.NewToolResultError(fmt.Sprintf("unknown method: %s", method)), nil, nil
 			}
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.OrganizationProjects.Read()))
 	return tool
 }
 
@@ -672,7 +673,7 @@ func ProjectsWrite(t translations.TranslationHelperFunc) inventory.ServerTool {
 				return utils.NewToolResultError(fmt.Sprintf("unknown method: %s", method)), nil, nil
 			}
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.OrganizationProjects.Write()))
 	return tool
 }
 

pkg/github/repositories.go

@@ -676,7 +676,7 @@ func CreateRepository(t translations.TranslationHelperFunc) inventory.ServerTool
 
 			return utils.NewToolResultText(string(r)), nil, nil
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.Administration.Write()))
 }
 
 // FetchRepoIsPrivate returns whether a repository is private. It is a thin
@@ -986,7 +986,7 @@ func ForkRepository(t translations.TranslationHelperFunc) inventory.ServerTool {
 
 			return utils.NewToolResultText(string(r)), nil, nil
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.Administration.Write()))
 }
 
 // DeleteFile creates a tool to delete a file in a GitHub repository.
@@ -2795,5 +2795,5 @@ func ListRepositoryCollaborators(t translations.TranslationHelperFunc) inventory
 			callResult = attachStaticIFCLabel(ctx, deps, callResult, ifc.LabelCollaboratorRoster())
 			return callResult, nil, nil
 		},
-	)
+	).WithPermissions(permissions.Require(permissions.Administration.Read()))
 }