Add lockdown mode support for HTTP server

[kerobbi]

Summary

Adds lockdown mode support to the HTTP server, enabling per-request lockdown via the X-MCP-Lockdown header.

Why

Stacked on #1858

What changed

• Added WithLockdownMode and IsLockdownMode context helpers
• Parsed lockdown header in WithRequestConfig middleware
• Changed GetFlags() to accept context for per-request feature flags (i.e., enabling ability to derive lockdown mode from server config and request ctx)
• Added server-side lockdown mode and repo access cache ttl args to HTTP server config
• Removed static FeatureFlags from NewRequestDeps

MCP impact

• No tool or API changes
• Tool schema or behavior changed
• New tool added

Prompts tested (tool changes only)

Security / limits

• No security or limits impact
• Auth / permissions considered
• Data exposure, filtering, or token/size limits considered

Tool renaming

• I am renaming tools as part of this PR (e.g. a part of a consolidation effort)
  • I have added the new tool aliases in deprecated_tool_aliases.go
• I am not renaming tools as part of this PR

Note: if you're renaming tools, you must add the tool aliases. For more information on how to do so, please refer to the official docs.

Lint & tests

• Linted locally with ./script/lint
• Tested locally with ./script/test

Docs

• Not needed
• Updated (README / docs / examples)

[Copilot]

Pull request overview

This PR adds lockdown mode support to the HTTP server, enabling per-request lockdown control via the X-MCP-Lockdown header. It builds on PR #1858 which added readonly and toolset request handlers.

Changes:

• Modified GetFlags() to accept context parameter for dynamic per-request feature flag resolution
• Added context helpers for lockdown mode state management
• Integrated lockdown mode configuration into HTTP server setup with server-level and request-level controls
• Updated all tool implementations to pass context to GetFlags() calls

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
pkg/github/dependencies.go	Changed GetFlags() signature to accept context, removed static FeatureFlags parameter from NewRequestDeps, implemented dynamic lockdown flag resolution
pkg/context/request.go	Added WithLockdownMode and IsLockdownMode context helpers following existing patterns
pkg/http/middleware/request_config.go	Added parsing of X-MCP-Lockdown header to set lockdown context
pkg/http/headers/headers.go	Added MCPLockdownHeader constant
pkg/http/server.go	Removed static FeatureFlags from NewRequestDeps call, added LockdownMode and RepoAccessCacheTTL to server config
pkg/github/server_test.go	Updated test stub to match new GetFlags() signature
pkg/github/pullrequests.go	Updated GetFlags() calls to pass context
pkg/github/issues.go	Updated GetFlags() calls to pass context
pkg/github/feature_flags_test.go	Updated GetFlags() call to pass context
cmd/github-mcp-server/main.go	Added lockdown mode and repo access cache TTL configuration to HTTP command

Comments suppressed due to low confidence (1)

pkg/github/dependencies.go:384

• The GetFlags method now has context-dependent behavior that combines server-level lockdown configuration with per-request context. This new logic should be covered by tests to ensure it works as expected. Consider adding tests that verify the behavior when: 1) server has lockdown enabled and context has lockdown set, 2) server has lockdown enabled but context doesn't, 3) server doesn't have lockdown enabled but context does, and 4) neither has lockdown enabled.

func (d *RequestDeps) GetFlags(ctx context.Context) FeatureFlags {
	return FeatureFlags{
		LockdownMode: d.lockdownMode && ghcontext.IsLockdownMode(ctx),
	}
}