fix: align advisory ecosystem enums and document array clear limits

Array Fleet · Array Fleet · commit 600b9f295af5 · 2026-06-10T20:16:59.000Z
Share advisoryPackageEcosystemEnum across read/write tools so swift is
available everywhere, and document that credits/cweIds cannot be cleared
via update (empty arrays are rejected by design).
diff --git a/pkg/github/__toolsnaps__/list_global_security_advisories.snap b/pkg/github/__toolsnaps__/list_global_security_advisories.snap
@@ -35,7 +35,8 @@
           "pip",
           "pub",
           "rubygems",
-          "rust"
+          "rust",
+          "swift"
         ],
         "type": "string"
       },
diff --git a/pkg/github/__toolsnaps__/update_repository_security_advisory.snap b/pkg/github/__toolsnaps__/update_repository_security_advisory.snap
@@ -4,11 +4,11 @@
     "openWorldHint": true,
     "title": "Update repository security advisory"
   },
-  "description": "Update a repository security advisory, including publishing it. Severity and cvssVectorString cannot both be set.",
+  "description": "Update a repository security advisory, including publishing it. Severity and cvssVectorString cannot both be set. Omit credits and cweIds to leave them unchanged; empty arrays are rejected and clearing these fields is not supported.",
   "inputSchema": {
     "properties": {
       "credits": {
-        "description": "Users credited for the advisory.",
+        "description": "Users credited for the advisory. Omit to leave unchanged; empty arrays are rejected and clearing this field is not supported.",
         "items": {
           "properties": {
             "login": {
@@ -49,7 +49,7 @@
         "type": "string"
       },
       "cweIds": {
-        "description": "Common Weakness Enumeration IDs (for example, [\"CWE-79\"]).",
+        "description": "Common Weakness Enumeration IDs (for example, [\"CWE-79\"]). Omit to leave unchanged; empty arrays are rejected and clearing this field is not supported.",
         "items": {
           "type": "string"
         },
diff --git a/pkg/github/security_advisories.go b/pkg/github/security_advisories.go
@@ -47,7 +47,7 @@ func ListGlobalSecurityAdvisories(t translations.TranslationHelperFunc) inventor
 					"ecosystem": {
 						Type:        "string",
 						Description: "Filter by package ecosystem.",
-						Enum:        []any{"actions", "composer", "erlang", "go", "maven", "npm", "nuget", "other", "pip", "pub", "rubygems", "rust"},
+						Enum:        advisoryPackageEcosystemEnum,
 					},
 					"severity": {
 						Type:        "string",
diff --git a/pkg/github/security_advisories_write.go b/pkg/github/security_advisories_write.go
@@ -19,6 +19,10 @@ import (
 	"github.com/modelcontextprotocol/go-sdk/mcp"
 )
 
+var advisoryPackageEcosystemEnum = []any{
+	"actions", "composer", "erlang", "go", "maven", "npm", "nuget", "other", "pip", "pub", "rubygems", "rust", "swift",
+}
+
 var validAdvisoryEcosystems = map[string]struct{}{
 	"actions": {}, "composer": {}, "erlang": {}, "go": {}, "maven": {}, "npm": {},
 	"nuget": {}, "other": {}, "pip": {}, "pub": {}, "rubygems": {}, "rust": {}, "swift": {},
@@ -63,7 +67,7 @@ var securityAdvisoryPackageSchema = &jsonschema.Schema{
 		"ecosystem": {
 			Type:        "string",
 			Description: "The package ecosystem.",
-			Enum:        []any{"actions", "composer", "erlang", "go", "maven", "npm", "nuget", "other", "pip", "pub", "rubygems", "rust", "swift"},
+			Enum:        advisoryPackageEcosystemEnum,
 		},
 		"name": {
 			Type:        "string",
@@ -484,7 +488,7 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve
 		ToolsetMetadataSecurityAdvisories,
 		mcp.Tool{
 			Name:        "update_repository_security_advisory",
-			Description: t("TOOL_UPDATE_REPOSITORY_SECURITY_ADVISORY_DESCRIPTION", "Update a repository security advisory, including publishing it. Severity and cvssVectorString cannot both be set."),
+			Description: t("TOOL_UPDATE_REPOSITORY_SECURITY_ADVISORY_DESCRIPTION", "Update a repository security advisory, including publishing it. Severity and cvssVectorString cannot both be set. Omit credits and cweIds to leave them unchanged; empty arrays are rejected and clearing these fields is not supported."),
 			Annotations: &mcp.ToolAnnotations{
 				Title:           t("TOOL_UPDATE_REPOSITORY_SECURITY_ADVISORY_USER_TITLE", "Update repository security advisory"),
 				ReadOnlyHint:    false,
@@ -525,7 +529,7 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve
 					},
 					"cweIds": {
 						Type:        "array",
-						Description: "Common Weakness Enumeration IDs (for example, [\"CWE-79\"]).",
+						Description: "Common Weakness Enumeration IDs (for example, [\"CWE-79\"]). Omit to leave unchanged; empty arrays are rejected and clearing this field is not supported.",
 						Items:       &jsonschema.Schema{Type: "string"},
 					},
 					"severity": {
@@ -539,7 +543,7 @@ func UpdateRepositorySecurityAdvisory(t translations.TranslationHelperFunc) inve
 					},
 					"credits": {
 						Type:        "array",
-						Description: "Users credited for the advisory.",
+						Description: "Users credited for the advisory. Omit to leave unchanged; empty arrays are rejected and clearing this field is not supported.",
 						Items:       securityAdvisoryCreditSchema,
 					},
 					"state": {
