list_issues: populate readers with repo collaborators

Addresses Joanna's review feedback: for private repositories, populate
the IFC confidentiality reader set with the repository's collaborator
logins instead of the [owner] placeholder.

Adds an exported FetchRepoCollaborators helper in pkg/github/repositories.go
that paginates through Repositories.ListCollaborators. Mirrors the helper
in github-mcp-server-remote (without the cache for now; cache can land in
a follow-up).

The lookup is invoked only for private repos under InsidersMode; if it
fails we fall back to [owner] so the reader set is never empty for a
private repo.

Author: gokhanarkan

pkg/github/helper_test.go

@@ -31,6 +31,7 @@ const (
 	GetReposByOwnerByRepo                = "GET /repos/{owner}/{repo}"
 	GetReposBranchesByOwnerByRepo        = "GET /repos/{owner}/{repo}/branches"
 	GetReposTagsByOwnerByRepo            = "GET /repos/{owner}/{repo}/tags"
+	GetReposCollaboratorsByOwnerByRepo   = "GET /repos/{owner}/{repo}/collaborators"
 	GetReposCommitsByOwnerByRepo         = "GET /repos/{owner}/{repo}/commits"
 	GetReposCommitsByOwnerByRepoByRef    = "GET /repos/{owner}/{repo}/commits/{ref}"
 	GetReposContentsByOwnerByRepoByPath  = "GET /repos/{owner}/{repo}/contents/{path}"

pkg/github/issues.go

@@ -1595,13 +1595,20 @@ func ListIssues(t translations.TranslationHelperFunc) inventory.ServerTool {
 				if result.Meta == nil {
 					result.Meta = mcp.Meta{}
 				}
-				// TODO(fides): for private repos, populate readers with the
-				// repository's collaborator logins. Using [owner] as a
-				// placeholder until a shared visibility/collaborators helper
-				// lands (tracked under copilot-mcp-core#1623).
 				var readers []string
 				if isPrivate {
-					readers = []string{owner}
+					restClient, err := deps.GetClient(ctx)
+					if err == nil {
+						if collaborators, err := FetchRepoCollaborators(ctx, restClient, owner, repo); err == nil {
+							readers = collaborators
+						}
+					}
+					// Fall back to the repository owner so the reader set is
+					// never empty for a private repository even if the
+					// collaborators lookup fails.
+					if len(readers) == 0 {
+						readers = []string{owner}
+					}
 				}
 				result.Meta["ifc"] = ifc.LabelListIssues(isPrivate, readers)
 			}

pkg/github/issues_test.go

@@ -1453,10 +1453,18 @@ func Test_ListIssues_IFC_InsidersMode(t *testing.T) {
 		assert.Equal(t, "public", confList[0])
 	})
 
-	t.Run("insiders mode enabled on private repo emits private untrusted label", func(t *testing.T) {
+	t.Run("insiders mode enabled on private repo emits private untrusted label with collaborators", func(t *testing.T) {
 		matcher := githubv4mock.NewQueryMatcher(query, vars, makeResponse(true))
 		gqlClient := githubv4.NewClient(githubv4mock.NewMockedHTTPClient(matcher))
+		restClient := github.NewClient(MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+			GetReposCollaboratorsByOwnerByRepo: mockResponse(t, http.StatusOK, []*github.User{
+				{Login: github.Ptr("octocat")},
+				{Login: github.Ptr("alice")},
+				{Login: github.Ptr("bob")},
+			}),
+		}))
 		deps := BaseDeps{
+			Client:    restClient,
 			GQLClient: gqlClient,
 			Flags:     FeatureFlags{InsidersMode: true},
 		}
@@ -1479,8 +1487,34 @@ func Test_ListIssues_IFC_InsidersMode(t *testing.T) {
 		assert.Equal(t, "untrusted", ifcMap["integrity"])
 		confList, ok := ifcMap["confidentiality"].([]any)
 		require.True(t, ok, "confidentiality should be a list")
-		require.Len(t, confList, 1)
-		assert.Equal(t, "octocat", confList[0])
+		assert.Equal(t, []any{"octocat", "alice", "bob"}, confList)
+	})
+
+	t.Run("insiders mode enabled on private repo falls back to owner when collaborators lookup fails", func(t *testing.T) {
+		matcher := githubv4mock.NewQueryMatcher(query, vars, makeResponse(true))
+		gqlClient := githubv4.NewClient(githubv4mock.NewMockedHTTPClient(matcher))
+		restClient := github.NewClient(MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+			GetReposCollaboratorsByOwnerByRepo: mockResponse(t, http.StatusInternalServerError, "boom"),
+		}))
+		deps := BaseDeps{
+			Client:    restClient,
+			GQLClient: gqlClient,
+			Flags:     FeatureFlags{InsidersMode: true},
+		}
+		handler := serverTool.Handler(deps)
+
+		request := createMCPRequest(reqParams)
+		result, err := handler(ContextWithDeps(context.Background(), deps), &request)
+		require.NoError(t, err)
+		require.False(t, result.IsError)
+
+		require.NotNil(t, result.Meta)
+		ifcJSON, err := json.Marshal(result.Meta["ifc"])
+		require.NoError(t, err)
+		var ifcMap map[string]any
+		require.NoError(t, json.Unmarshal(ifcJSON, &ifcMap))
+
+		assert.Equal(t, []any{"octocat"}, ifcMap["confidentiality"])
 	})
 }
 

pkg/github/repositories.go

@@ -653,6 +653,34 @@ func CreateRepository(t translations.TranslationHelperFunc) inventory.ServerTool
 	)
 }
 
+// FetchRepoCollaborators returns the login names of all collaborators on a
+// repository. It is provided as a shared helper for IFC label computation so
+// tools can populate the reader set for private repositories. The full list
+// is fetched eagerly via pagination; callers are expected to invoke this only
+// when needed (e.g. private repos under InsidersMode).
+func FetchRepoCollaborators(ctx context.Context, client *github.Client, owner, repo string) ([]string, error) {
+	opts := &github.ListCollaboratorsOptions{
+		ListOptions: github.ListOptions{PerPage: 100},
+	}
+	var logins []string
+	for {
+		page, resp, err := client.Repositories.ListCollaborators(ctx, owner, repo, opts)
+		if err != nil {
+			return nil, err
+		}
+		for _, c := range page {
+			if login := c.GetLogin(); login != "" {
+				logins = append(logins, login)
+			}
+		}
+		if resp == nil || resp.NextPage == 0 {
+			break
+		}
+		opts.Page = resp.NextPage
+	}
+	return logins, nil
+}
+
 // GetFileContents creates a tool to get the contents of a file or directory from a GitHub repository.
 func GetFileContents(t translations.TranslationHelperFunc) inventory.ServerTool {
 	return NewTool(