Migrate security_advisories toolset to modelcontextprotocol/go-sdk

[Copilot]

Closes: Part of #1428

Migrates the security_advisories toolset from mark3labs/mcp-go to modelcontextprotocol/go-sdk.

Changes

Migrated 4 tools:

• list_global_security_advisories - List advisories with filtering by GHSA ID, CVE ID, ecosystem, severity, CWEs
• get_global_security_advisory - Get specific advisory by GHSA ID
• list_repository_security_advisories - List advisories for a repository
• list_org_repository_security_advisories - List advisories across an organization

Implementation updates:

• Function signatures: (mcp.Tool, server.ToolHandlerFunc) → (mcp.Tool, mcp.ToolHandlerFor[map[string]any, any])
• Handler signatures: func(ctx, request) (*result, error) → func(ctx, *request, args) (*result, any, error)
• Schema definitions: DSL-based → explicit jsonschema.Schema structs with proper json.RawMessage for defaults
• Parameter extraction: From request object → direct args map access
• Result helpers: mcp.NewToolResult* → utils.NewToolResult*

Testing:

• Updated handler invocation pattern to 3-param/3-return
• Added toolsnaps.Test() calls for schema validation
• Created 4 snapshot files

Example schema migration:

// Before (DSL)
mcp.WithString("type",
    mcp.Description("Advisory type."),
    mcp.Enum("reviewed", "malware", "unreviewed"),
    mcp.DefaultString("reviewed"),
)

// After (JSON Schema)
"type": {
    Type:        "string",
    Description: "Advisory type.",
    Enum:        []any{"reviewed", "malware", "unreviewed"},
    Default:     json.RawMessage(`"reviewed"`),
}

Original prompt

Migrate the security_advisories toolset to modelcontextprotocol/go-sdk.

This will be merged into the parent PR #1428, so reference that PR in the description to track the migration

Custom agent used: go-sdk-tool-migrator
Agent specializing in migrating MCP tools from mark3labs/mcp-go to modelcontextprotocol/go-sdk

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[LuluBeatson]

⚠️ list_org_repository_security_advisories was 404 for orgs I tried. But this is same as with the tool before migration. I don't have an example org with org-level security advisories to test this tool on.

Note: the list_* tools in this toolset do not support pagination (before & after migration)

[Copilot]

Pull Request Overview

This PR successfully migrates the security_advisories toolset from mark3labs/mcp-go to modelcontextprotocol/go-sdk, bringing 4 security advisory tools back into the active codebase.

Key Changes:

• Function signatures updated from DSL-based tool definitions to explicit JSON Schema structs
• Handler signatures migrated to 3-parameter/3-return pattern
• Result helpers changed from mcp.NewToolResult* to utils.NewToolResult*
• All 4 tools (list global, get global, list repository, list org) properly migrated and registered

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

File	Description
pkg/github/tools.go	Uncommented securityAdvisories toolset registration, adding 4 migrated tools back to the active toolset group
pkg/github/security_advisories.go	Migrated all 4 security advisory tools from mark3labs/mcp-go to modelcontextprotocol/go-sdk with explicit JSON schemas, updated handler signatures, and proper error handling
pkg/github/security_advisories_test.go	Updated test handlers to use new 3-param/3-return signature, added toolsnaps validation calls, but missing ReadOnlyHint assertions for all 4 tools
pkg/github/toolsnaps/*.snap	Created 4 new snapshot files capturing the JSON schema definitions for all security advisory tools, properly documenting the API surface