get_file_contents: address Copilot review findings

- FetchRepoIsPrivate: tighten doc to 'returns whether a repository is
  private' and close the underlying *github.Response body.
- attachIFC: skip emitting the ifc label when the repository visibility
  lookup fails, instead of falling through to PublicUntrusted (which
  would mislabel a private or unknown-visibility repo as public). The
  failure is no longer cached so a subsequent return path can retry.
- Add a test asserting the tool still succeeds and omits result.Meta  ["ifc"] when the visibility lookup returns 500.

Author: gokhanarkan

pkg/github/repositories.go

@@ -682,11 +682,14 @@ func FetchRepoCollaborators(ctx context.Context, client *github.Client, owner, r
 	return logins, nil
 }
 
-// FetchRepoIsPrivate returns the visibility of a repository. It is a thin
+// FetchRepoIsPrivate returns whether a repository is private. It is a thin
 // wrapper around the GitHub Repositories.Get endpoint provided as a shared
 // helper for IFC label computation across tools.
 func FetchRepoIsPrivate(ctx context.Context, client *github.Client, owner, repo string) (bool, error) {
-	r, _, err := client.Repositories.Get(ctx, owner, repo)
+	r, resp, err := client.Repositories.Get(ctx, owner, repo)
+	if resp != nil {
+		defer func() { _ = resp.Body.Close() }()
+	}
 	if err != nil {
 		return false, err
 	}
@@ -768,22 +771,26 @@ func GetFileContents(t translations.TranslationHelperFunc) inventory.ServerTool
 			// attachIFC adds the IFC label to a successful tool result when
 			// InsidersMode is enabled. The visibility and (for private
 			// repositories) collaborators lookups are performed lazily on
-			// first use and are best-effort: if they fail we still attach
-			// the label, falling back to the repository owner so the reader
-			// set is never empty for a private repo.
+			// first use. If the visibility lookup fails we skip the label
+			// rather than misclassify the result; the failure is not cached
+			// so a later return path can retry. If only the collaborators
+			// lookup fails for a private repo we fall back to the owner so
+			// the reader set is never empty.
 			var (
-				ifcLabelLoaded bool
-				ifcIsPrivate   bool
-				ifcReaders     []string
+				ifcLabelKnown bool
+				ifcIsPrivate  bool
+				ifcReaders    []string
 			)
 			attachIFC := func(r *mcp.CallToolResult) *mcp.CallToolResult {
 				if r == nil || r.IsError || !deps.GetFlags(ctx).InsidersMode {
 					return r
 				}
-				if !ifcLabelLoaded {
-					if isPrivate, err := FetchRepoIsPrivate(ctx, client, owner, repo); err == nil {
-						ifcIsPrivate = isPrivate
+				if !ifcLabelKnown {
+					isPrivate, err := FetchRepoIsPrivate(ctx, client, owner, repo)
+					if err != nil {
+						return r
 					}
+					ifcIsPrivate = isPrivate
 					if ifcIsPrivate {
 						if collaborators, err := FetchRepoCollaborators(ctx, client, owner, repo); err == nil {
 							ifcReaders = collaborators
@@ -792,7 +799,7 @@ func GetFileContents(t translations.TranslationHelperFunc) inventory.ServerTool
 							ifcReaders = []string{owner}
 						}
 					}
-					ifcLabelLoaded = true
+					ifcLabelKnown = true
 				}
 				if r.Meta == nil {
 					r.Meta = mcp.Meta{}

pkg/github/repositories_test.go

@@ -590,6 +590,43 @@ func Test_GetFileContents_IFC_InsidersMode(t *testing.T) {
 		require.True(t, ok, "confidentiality should be a list")
 		assert.Equal(t, []any{"octocat", "alice"}, confList)
 	})
+
+	t.Run("insiders mode skips ifc label when visibility lookup fails", func(t *testing.T) {
+		mockedClient := MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+			GetReposGitRefByOwnerByRepoByRef: mockResponse(t, http.StatusOK, "{\"ref\": \"refs/heads/main\", \"object\": {\"sha\": \"\"}}"),
+			GetReposByOwnerByRepo:            mockResponse(t, http.StatusInternalServerError, "boom"),
+			GetReposContentsByOwnerByRepoByPath: func(w http.ResponseWriter, _ *http.Request) {
+				w.WriteHeader(http.StatusOK)
+				encodedContent := base64.StdEncoding.EncodeToString(mockRawContent)
+				fileContent := &github.RepositoryContent{
+					Name:     github.Ptr("README.md"),
+					Path:     github.Ptr("README.md"),
+					SHA:      github.Ptr("abc123"),
+					Type:     github.Ptr("file"),
+					Content:  github.Ptr(encodedContent),
+					Size:     github.Ptr(len(mockRawContent)),
+					Encoding: github.Ptr("base64"),
+				}
+				contentBytes, _ := json.Marshal(fileContent)
+				_, _ = w.Write(contentBytes)
+			},
+		})
+		deps := BaseDeps{
+			Client: github.NewClient(mockedClient),
+			Flags:  FeatureFlags{InsidersMode: true},
+		}
+		handler := serverTool.Handler(deps)
+
+		request := createMCPRequest(reqParams)
+		result, err := handler(ContextWithDeps(context.Background(), deps), &request)
+		require.NoError(t, err)
+		require.False(t, result.IsError, "tool call should still succeed when visibility lookup fails")
+
+		if result.Meta != nil {
+			_, hasIFC := result.Meta["ifc"]
+			assert.False(t, hasIFC, "ifc label should be omitted when visibility lookup fails")
+		}
+	})
 }
 
 func Test_ForkRepository(t *testing.T) {