Refactor to use same consistent var naming

Author: RossTarrant

pkg/github/gists.go

@@ -101,13 +101,7 @@ func ListGists(t translations.TranslationHelperFunc) inventory.ServerTool {
 			}
 
 			result := utils.NewToolResultText(string(r))
-			// Gist contents are user-authored (untrusted); confidentiality is
-			// the IFC join of each gist's own public/secret flag.
-			visibilities := make([]bool, 0, len(gists))
-			for _, g := range gists {
-				visibilities = append(visibilities, g.GetPublic())
-			}
-			result = attachJoinedIFCLabel(ctx, deps, result, visibilities, ifc.LabelGistList)
+			result = attachStaticIFCLabel(ctx, deps, result, ifc.LabelGistList())
 			return result, nil, nil
 		},
 	)
@@ -167,9 +161,7 @@ func GetGist(t translations.TranslationHelperFunc) inventory.ServerTool {
 			}
 
 			result := utils.NewToolResultText(string(r))
-			// Gist contents are user-authored (untrusted); confidentiality
-			// derives from the gist's own public/secret flag.
-			result = attachStaticIFCLabel(ctx, deps, result, ifc.LabelGist(gist.GetPublic()))
+			result = attachStaticIFCLabel(ctx, deps, result, ifc.LabelGist())
 			return result, nil, nil
 		},
 	)

pkg/github/ifc_labels.go

@@ -97,12 +97,11 @@ func attachRepoVisibilityIFCLabelLazy(
 }
 
 // attachJoinedIFCLabel attaches an IFC label computed by joining a set of
-// per-item visibilities (true == private for repositories, true == public for
-// gists) when IFC labels are enabled. joinFn is the lattice join for the
-// relevant item kind (e.g. ifc.LabelSearchIssues or ifc.LabelGistList). The
-// visibility slice is cheap to build from an already-fetched response, so
-// callers may construct it unconditionally and let this helper own the
-// feature-flag gate.
+// per-item visibilities (true == private) when IFC labels are enabled. joinFn
+// is the lattice join for the relevant item kind (e.g. ifc.LabelSearchIssues or
+// ifc.LabelGistList). The visibility slice is cheap to build from an
+// already-fetched response, so callers may construct it unconditionally and let
+// this helper own the feature-flag gate.
 func attachJoinedIFCLabel(
 	ctx context.Context,
 	deps ToolDependencies,

pkg/github/projects.go

@@ -232,9 +232,9 @@ Use this tool to list projects for a user or organization, or list project field
 			// labels are enabled. Project titles, item content, field
 			// definitions, and status updates are user-authored free text
 			// (untrusted); confidentiality is conservatively private since the
-			// project's public flag is not available across every sub-result.
+			// project's privacy is not available across every sub-result.
 			attachIFC := func(r *mcp.CallToolResult) *mcp.CallToolResult {
-				return attachStaticIFCLabel(ctx, deps, r, ifc.LabelProject(false))
+				return attachStaticIFCLabel(ctx, deps, r, ifc.LabelProject(true))
 			}
 
 			switch method {
@@ -349,9 +349,9 @@ Use this tool to get details about individual projects, project fields, and proj
 			// attachIFC adds the IFC label to a successful result when IFC
 			// labels are enabled. Project data is user-authored free text
 			// (untrusted); confidentiality is conservatively private since the
-			// project's public flag is not available across every sub-result.
+			// project's privacy is not available across every sub-result.
 			attachIFC := func(r *mcp.CallToolResult) *mcp.CallToolResult {
-				return attachStaticIFCLabel(ctx, deps, r, ifc.LabelProject(false))
+				return attachStaticIFCLabel(ctx, deps, r, ifc.LabelProject(true))
 			}
 
 			// Handle get_project_status_update early — it only needs status_update_id

pkg/ifc/ifc.go

@@ -285,32 +285,21 @@ func LabelRepositorySecurityAdvisory(isPrivate bool, allPublished bool) Security
 // LabelGist returns the IFC label for gist content.
 //
 // Integrity is untrusted: gist contents are arbitrary user-authored text.
-// Confidentiality derives from the gist's own visibility rather than any
-// repository — public gists are universally readable, while secret gists are
-// restricted to those who hold the gist URL (modeled with the opaque "private"
-// marker).
-func LabelGist(isPublic bool) SecurityLabel {
-	if isPublic {
-		return PublicUntrusted()
-	}
-	return PrivateUntrusted()
+// Confidentiality is public because secret gists are URL-accessible and cannot
+// be modeled as private to a GitHub reader set.
+func LabelGist() SecurityLabel {
+	return PublicUntrusted()
 }
 
 // LabelGistList returns the IFC label for a list of gists belonging to a user,
 // joining the per-gist confidentiality across the result set.
 //
-// Integrity is untrusted (user-authored content). Confidentiality follows the
-// IFC meet: if any gist in the result is secret the joined label is private;
-// otherwise public. An empty result is treated as public-untrusted.
+// Integrity is untrusted (user-authored content). Confidentiality is public
+// because even secret gists are URL-accessible.
 //
 // See LabelSearchIssues for why list results carry a single joined label
 // rather than one label per item.
-func LabelGistList(gistVisibilities []bool) SecurityLabel {
-	for _, isPublic := range gistVisibilities {
-		if !isPublic {
-			return PrivateUntrusted()
-		}
-	}
+func LabelGistList() SecurityLabel {
 	return PublicUntrusted()
 }
 
@@ -319,13 +308,13 @@ func LabelGistList(gistVisibilities []bool) SecurityLabel {
 //
 // Integrity is untrusted: project titles, item content, and status update
 // bodies are user-authored free text. Confidentiality derives from the
-// project's own public flag — public projects are universally readable, while
-// private projects restrict the reader set.
-func LabelProject(isPublic bool) SecurityLabel {
-	if isPublic {
-		return PublicUntrusted()
+// project's own privacy — private projects restrict the reader set, while
+// public projects are universally readable.
+func LabelProject(isPrivate bool) SecurityLabel {
+	if isPrivate {
+		return PrivateUntrusted()
 	}
-	return PrivateUntrusted()
+	return PublicUntrusted()
 }
 
 // LabelTeam returns the IFC label for organization team membership data

pkg/ifc/ifc_test.go

@@ -47,7 +47,7 @@ func TestLabelSearchIssues(t *testing.T) {
 
 	tests := []struct {
 		name             string
-		visibilities     []bool
+		visibilities     []bool // true == private
 		wantIntegrity    Integrity
 		wantConfidential Confidentiality
 	}{
@@ -250,71 +250,40 @@ func TestLabelGist(t *testing.T) {
 
 	t.Run("public gist is untrusted and public", func(t *testing.T) {
 		t.Parallel()
-		label := LabelGist(true)
+		label := LabelGist()
 		assert.Equal(t, IntegrityUntrusted, label.Integrity)
 		assert.Equal(t, ConfidentialityPublic, label.Confidentiality)
 	})
 
-	t.Run("secret gist is untrusted and private", func(t *testing.T) {
+	t.Run("secret gist is untrusted and public", func(t *testing.T) {
 		t.Parallel()
-		label := LabelGist(false)
+		label := LabelGist()
 		assert.Equal(t, IntegrityUntrusted, label.Integrity)
-		assert.Equal(t, ConfidentialityPrivate, label.Confidentiality)
+		assert.Equal(t, ConfidentialityPublic, label.Confidentiality)
 	})
 }
 
 func TestLabelGistList(t *testing.T) {
 	t.Parallel()
 
-	tests := []struct {
-		name             string
-		visibilities     []bool // true == public
-		wantConfidential Confidentiality
-	}{
-		{
-			name:             "empty result is treated as public",
-			wantConfidential: ConfidentialityPublic,
-		},
-		{
-			name:             "all public gists stay public",
-			visibilities:     []bool{true, true},
-			wantConfidential: ConfidentialityPublic,
-		},
-		{
-			name:             "any secret gist flips to private",
-			visibilities:     []bool{true, false, true},
-			wantConfidential: ConfidentialityPrivate,
-		},
-		{
-			name:             "all secret gists stay private",
-			visibilities:     []bool{false, false},
-			wantConfidential: ConfidentialityPrivate,
-		},
-	}
-
-	for _, tc := range tests {
-		t.Run(tc.name, func(t *testing.T) {
-			t.Parallel()
-			label := LabelGistList(tc.visibilities)
-			assert.Equal(t, IntegrityUntrusted, label.Integrity)
-			assert.Equal(t, tc.wantConfidential, label.Confidentiality)
-		})
-	}
+	label := LabelGistList()
+	assert.Equal(t, IntegrityUntrusted, label.Integrity)
+	assert.Equal(t, ConfidentialityPublic, label.Confidentiality)
 }
 
 func TestLabelProject(t *testing.T) {
 	t.Parallel()
 
 	t.Run("public project is untrusted and public", func(t *testing.T) {
 		t.Parallel()
-		label := LabelProject(true)
+		label := LabelProject(false)
 		assert.Equal(t, IntegrityUntrusted, label.Integrity)
 		assert.Equal(t, ConfidentialityPublic, label.Confidentiality)
 	})
 
 	t.Run("private project is untrusted and private", func(t *testing.T) {
 		t.Parallel()
-		label := LabelProject(false)
+		label := LabelProject(true)
 		assert.Equal(t, IntegrityUntrusted, label.Integrity)
 		assert.Equal(t, ConfidentialityPrivate, label.Confidentiality)
 	})