Summary
Add a new feature flag integrity-reactions that, when enabled, injects endorsement-reactions and disapproval-reactions fields into the MCPG allow-only integrity policy. This enables maintainer reaction-based integrity promotion and demotion as described in github/gh-aw-mcpg#3618.
Requires MCPG v0.2.18+ — the feature flag must be version-gated so the compiler only emits these fields when the resolved MCPG version is >= v0.2.18.
Background
MCPG v0.2.18 adds support for reaction-based integrity evaluation (gh-aw-mcpg#3618):
- Endorsement reactions (e.g., 👍, ❤️) from maintainers promote content integrity to approved
- Disapproval reactions (e.g., 👎, 😕) from maintainers demote content integrity (default: none)
- Disapproval overrides endorsement (safe default)
The compiler needs to support injecting these fields into the allow-only policy JSON that is passed to MCPG.
Proposed Frontmatter Syntax
```yaml
features:
  integrity-reactions: true
tools:
  github:
    min-integrity: approved
    endorsement-reactions: ["THUMBS_UP", "HEART"]
    disapproval-reactions: ["THUMBS_DOWN", "CONFUSED"]
    disapproval-integrity: none       # optional, default: none
    endorser-min-integrity: approved  # optional, default: approved
```
Implementation Plan
1. Add feature flag constant
In pkg/constants/feature_constants.go:
```go
// IntegrityReactionsFeatureFlag enables reaction-based integrity
// promotion/demotion in the MCPG allow-only policy.
// Requires MCPG >= v0.2.18.
IntegrityReactionsFeatureFlag FeatureFlag = "integrity-reactions"
```
2. Add MCPG minimum version constant
In pkg/constants/version_constants.go:
```go
// MCPGIntegrityReactionsMinVersion is the minimum MCPG version that supports
// endorsement-reactions and disapproval-reactions in the allow-only policy.
const MCPGIntegrityReactionsMinVersion Version = "v0.2.18"
```
3. Parse new fields from tools.github config
In pkg/workflow/tools_parser.go, parse the new fields from tools.github:
- endorsement-reactions — []string (valid values: THUMBS_UP, THUMBS_DOWN, HEART, HOORAY, CONFUSED, ROCKET, EYES, LAUGH)
- disapproval-reactions — []string (same valid values)
- disapproval-integrity — string (valid values: none, unapproved, approved, merged)
- endorser-min-integrity — string (valid values: approved, unapproved, merged)
4. Inject into allow-only policy (both code paths)
When the feature flag is enabled AND MCPG version >= v0.2.18, inject the reaction fields into the allow-only policy object. This needs to happen in two places:
a. MCP Gateway path (pkg/workflow/mcp_github_config.go — getGitHubGuardPolicies()):
Add after the existing approval-labels line (~line 281):
```go
if isFeatureEnabled(constants.IntegrityReactionsFeatureFlag, data) && mcpgSupportsIntegrityReactions(gatewayConfig) {
	if endorsement, ok := toolConfig["endorsement-reactions"]; ok {
		policy["endorsement-reactions"] = endorsement
	}
	if disapproval, ok := toolConfig["disapproval-reactions"]; ok {
		policy["disapproval-reactions"] = disapproval
	}
	if disapprovalIntegrity, ok := toolConfig["disapproval-integrity"]; ok {
		policy["disapproval-integrity"] = disapprovalIntegrity
	}
	if endorserMinIntegrity, ok := toolConfig["endorser-min-integrity"]; ok {
		policy["endorser-min-integrity"] = endorserMinIntegrity
	}
}
```
b. DIFC proxy path (pkg/workflow/compiler_difc_proxy.go — buildDIFCProxyPolicy()):
Same injection logic for the proxy policy object (~line 190).
5. Add validation
In pkg/workflow/tools_validation.go:
- Validate that reaction values are valid GitHub ReactionContent enum values
- Validate that endorsement-reactions and disapproval-reactions require min-integrity to be set
- Validate that disapproval-integrity and endorser-min-integrity use valid integrity levels
- Emit a validation error if integrity-reactions feature flag is enabled but MCPG version < v0.2.18
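The first three rules above as a stand-alone Go function (an added example, not gh-aw's own code; the name validateIntegrityReactions, the []any decoding of YAML lists, and the error strings are assumptions). It collects every violation rather than stopping at the first, and leaves the version check to the helper in step 6.

```go
package main

import "fmt"

// Allowed values copied from step 3 of this issue.
var reactionOK = map[string]bool{"THUMBS_UP": true, "THUMBS_DOWN": true, "HEART": true,
	"HOORAY": true, "CONFUSED": true, "ROCKET": true, "EYES": true, "LAUGH": true}
var levelOK = map[string]map[string]bool{
	"disapproval-integrity":  {"none": true, "unapproved": true, "approved": true, "merged": true},
	"endorser-min-integrity": {"approved": true, "unapproved": true, "merged": true},
}

// validateIntegrityReactions (hypothetical name) applies the step 5 rules to a
// parsed tools.github map and returns every violation, not just the first.
func validateIntegrityReactions(toolConfig map[string]any) []string {
	var errs []string
	_, hasMin := toolConfig["min-integrity"]
	for _, key := range []string{"endorsement-reactions", "disapproval-reactions"} {
		raw, present := toolConfig[key]
		list, isList := raw.([]any) // assumption: YAML sequences decode to []any
		if present && !hasMin {
			errs = append(errs, key+" requires min-integrity to be set")
		}
		if present && !isList {
			errs = append(errs, key+" must be a list of reaction names")
		}
		for _, item := range list { // list is nil when the key is absent or not a list
			if name, isStr := item.(string); !isStr || !reactionOK[name] {
				errs = append(errs, fmt.Sprintf("%s: invalid reaction %v", key, item))
			}
		}
	}
	for _, key := range []string{"disapproval-integrity", "endorser-min-integrity"} {
		if raw, present := toolConfig[key]; present {
			if level, isStr := raw.(string); !isStr || !levelOK[key][level] {
				errs = append(errs, fmt.Sprintf("%s: invalid integrity level %v", key, raw))
			}
		}
	}
	return errs
}

func main() {
	// Constructed sample: lowercase reaction, no min-integrity, bad endorser level.
	bad := map[string]any{"endorsement-reactions": []any{"thumbs_up"}, "endorser-min-integrity": "none"}
	fmt.Println(validateIntegrityReactions(bad))
}
```

Because the injection code in step 4 copies the raw toolConfig values into the policy, a check like this has to run before policy generation on both the gateway and DIFC proxy paths.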
6. Add version gate helper
```go
func mcpgSupportsIntegrityReactions(gatewayConfig *MCPGatewayRuntimeConfig) bool {
	version := gatewayConfig.Version
	// Fall back to the default gateway version when none is set.
	if version == "" {
		version = string(constants.DefaultMCPGatewayVersion)
	}
	return semver.Compare(version, string(constants.MCPGIntegrityReactionsMinVersion)) >= 0
}
```
7. Update schema
Add the new fields to the frontmatter JSON schema in pkg/parser/schemas/ so they pass validation. Rebuild with make build after schema changes.
Files to Modify
| File | Change |
|---|---|
| pkg/constants/feature_constants.go | Add IntegrityReactionsFeatureFlag |
| pkg/constants/version_constants.go | Add MCPGIntegrityReactionsMinVersion = "v0.2.18" |
| pkg/workflow/tools_parser.go | Parse new reaction fields from tools.github |
| pkg/workflow/tools_validation.go | Validate reaction values and version gate |
| pkg/workflow/mcp_github_config.go | Inject reactions into gateway allow-only policy |
| pkg/workflow/compiler_difc_proxy.go | Inject reactions into proxy allow-only policy |
| pkg/parser/schemas/ | Add new fields to frontmatter schema |
| Tests for each modified file | Unit tests for parsing, validation, and policy generation |
Acceptance Criteria
- features: integrity-reactions: true + valid config → reactions appear in allow-only policy JSON
- min-integrity → validation error
- make recompile produces no changes for existing workflows (feature flag defaults to off)
References
- MCPG implementation: github/gh-aw-mcpg#3618
- Existing feature flag pattern: CliProxyFeatureFlag + AWFCliProxyMinVersion in pkg/constants/
- Existing allow-only policy generation: getGitHubGuardPolicies() in mcp_github_config.go