fix: address peer review for security advisory write tools

Validate ghsaId format before REST path interpolation, add MCP safety
annotations (OpenWorldHint/DestructiveHint), and drop unrelated #2605
confidence-parameter changes from this branch.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: Array Fleet

docs/feature-flags.md

@@ -198,7 +198,6 @@ runtime behavior (such as output formatting) won't appear here.
 
 - **update_issue_type** - Update Issue Type
   - **Required OAuth Scopes**: `repo`
-  - `confidence`: How confident you are in this choice. Use 'high' for clear signal or explicit user request, 'medium' for reasonable inference with some ambiguity, 'low' for best guess with limited signal. (string, optional)
   - `is_suggestion`: If true, this issue type change is sent to the API as a suggestion (suggest:true) rather than an applied value. Whether the type is applied or recorded as a proposal is determined by the API. (boolean, optional)
   - `issue_number`: The issue number to update (number, required)
   - `issue_type`: The issue type to set (string, required)
@@ -241,7 +240,7 @@ runtime behavior (such as output formatting) won't appear here.
   - `owner`: Repository owner (username or organization) (string, required)
   - `pullNumber`: The pull request number (number, required)
   - `repo`: Repository name (string, required)
-  - `reviewers`: GitHub usernames or ORG/team-slug team reviewers to request reviews from (string[], required)
+  - `reviewers`: GitHub usernames to request reviews from (string[], required)
 
 - **resolve_review_thread** - Resolve Review Thread
   - **Required OAuth Scopes**: `repo`

pkg/github/__toolsnaps__/create_repository_security_advisory.snap

@@ -1,8 +1,10 @@
 {
   "annotations": {
+    "destructiveHint": true,
+    "openWorldHint": true,
     "title": "Create repository security advisory"
   },
-  "description": "Create a draft repository security advisory.",
+  "description": "Create a draft repository security advisory. When startPrivateFork is true, a temporary private fork is created for collaborating on a fix.",
   "inputSchema": {
     "properties": {
       "credits": {

pkg/github/__toolsnaps__/request_cve_for_repository_security_advisory.snap

@@ -1,5 +1,6 @@
 {
   "annotations": {
+    "openWorldHint": true,
     "title": "Request CVE for repository security advisory"
   },
   "description": "Request a CVE ID from GitHub for a draft repository security advisory.",

pkg/github/__toolsnaps__/request_pull_request_reviewers.snap

@@ -37,4 +37,4 @@
     "type": "object"
   },
   "name": "request_pull_request_reviewers"
-}
+}

pkg/github/__toolsnaps__/set_issue_fields.snap

@@ -4,22 +4,13 @@
     "openWorldHint": true,
     "title": "Set Issue Fields"
   },
-  "description": "Set issue field values for an issue. Fields are organization-level custom fields (text, number, date, or single select). Use this to create or update field values on an issue. When setting values, include a confidence level (low, medium, or high) reflecting how certain you are about the choice.",
+  "description": "Set issue field values for an issue. Fields are organization-level custom fields (text, number, date, or single select). Use this to create or update field values on an issue.",
   "inputSchema": {
     "properties": {
       "fields": {
         "description": "Array of issue field values to set. Each element must have a 'field_id' (string, the GraphQL node ID of the field) and exactly one value field: 'text_value' for text fields, 'number_value' for number fields, 'date_value' (ISO 8601 date string) for date fields, or 'single_select_option_id' (the GraphQL node ID of the option) for single select fields. Set 'delete' to true to remove a field value.",
         "items": {
           "properties": {
-            "confidence": {
-              "description": "How confident you are in this choice. Use 'high' for clear signal or explicit user request, 'medium' for reasonable inference with some ambiguity, 'low' for best guess with limited signal.",
-              "enum": [
-                "low",
-                "medium",
-                "high"
-              ],
-              "type": "string"
-            },
             "date_value": {
               "description": "The value to set for a date field (ISO 8601 date string)",
               "type": "string"

pkg/github/__toolsnaps__/update_issue_labels.snap

@@ -4,7 +4,7 @@
     "openWorldHint": true,
     "title": "Update Issue Labels"
   },
-  "description": "Update the labels of an existing issue. This replaces the current labels with the provided list. When setting values, include a confidence level (low, medium, or high) reflecting how certain you are about the choice.",
+  "description": "Update the labels of an existing issue. This replaces the current labels with the provided list.",
   "inputSchema": {
     "properties": {
       "issue_number": {
@@ -22,15 +22,6 @@
             },
             {
               "properties": {
-                "confidence": {
-                  "description": "How confident you are in this choice. Use 'high' for clear signal or explicit user request, 'medium' for reasonable inference with some ambiguity, 'low' for best guess with limited signal.",
-                  "enum": [
-                    "low",
-                    "medium",
-                    "high"
-                  ],
-                  "type": "string"
-                },
                 "is_suggestion": {
                   "description": "If true, this label is sent to the API as a suggestion (suggest:true) rather than an applied label. Whether the label is applied or recorded as a proposal is determined by the API.",
                   "type": "boolean"

pkg/github/__toolsnaps__/update_issue_type.snap

@@ -4,18 +4,9 @@
     "openWorldHint": true,
     "title": "Update Issue Type"
   },
-  "description": "Update the type of an existing issue (e.g. 'bug', 'feature'). When setting values, include a confidence level (low, medium, or high) reflecting how certain you are about the choice.",
+  "description": "Update the type of an existing issue (e.g. 'bug', 'feature').",
   "inputSchema": {
     "properties": {
-      "confidence": {
-        "description": "How confident you are in this choice. Use 'high' for clear signal or explicit user request, 'medium' for reasonable inference with some ambiguity, 'low' for best guess with limited signal.",
-        "enum": [
-          "low",
-          "medium",
-          "high"
-        ],
-        "type": "string"
-      },
       "is_suggestion": {
         "description": "If true, this issue type change is sent to the API as a suggestion (suggest:true) rather than an applied value. Whether the type is applied or recorded as a proposal is determined by the API.",
         "type": "boolean"

pkg/github/__toolsnaps__/update_pull_request.snap

@@ -61,4 +61,4 @@
     "type": "object"
   },
   "name": "update_pull_request"
-}
+}

pkg/github/__toolsnaps__/update_repository_security_advisory.snap

@@ -1,5 +1,7 @@
 {
   "annotations": {
+    "destructiveHint": true,
+    "openWorldHint": true,
     "title": "Update repository security advisory"
   },
   "description": "Update a repository security advisory, including publishing it.",