feat(create-pr): align with gh-aw create-pull-request implementation

Closes the gap between ado-aw and gh-aw's create-pull-request safe output:

Security/Correctness:
- Add file protection system blocking manifests (package.json, go.mod,
  Cargo.toml, etc.), CI configs (.github/, .pipelines/), and agent
  instruction files (.agents/, .claude/, .copilot/) by default
- Add max-files limit per PR (default: 100, configurable)
- Add 3-way merge fallback when patch application fails on conflicts
- Replace predictable timestamp-based branch suffix with cryptographic
  random hex (rand crate)

Feature Parity:
- Add draft PR support (default: true, operator-enforced via isDraft)
- Add fallback-as-work-item: record branch info on PR creation failure
- Add excluded-files glob config to filter files from patches
- Add if-no-changes config (warn/error/ignore) for empty patches
- Add allowed-labels allowlist to restrict agent-provided labels
- Add title-prefix config for operator branding
- Add agent-provided labels parameter validated against allowed-labels

Patch Format:
- Migrate from raw git diff to git format-patch for proper commit
  metadata, rename detection, and binary file handling
- Stage 2 applies patches via git am --3way with git apply fallback
- Add collect_changes_from_diff_tree for committed patch changes
- Add git to default bash command allowlist so agents can commit
- Update tool description to encourage staging commits before PR creation

Other:
- Add provenance footer to PR body with timestamp and compiler version
- Add ExecutionResult::failure_with_data for structured error responses

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

Cargo.lock

@@ -30,6 +30,8 @@ terminal_size = "0.4.3"
 url = "2.5.8"
 axum = { version = "0.8.8", features = ["tokio"] }
 subtle = "2.6.1"
+rand = "0.10.1"
+glob-match = "0.2.1"
 
 [dev-dependencies]
 reqwest = { version = "0.12", features = ["blocking"] }

Cargo.toml

@@ -0,0 +1,72 @@
+# SafeOutputs Tool Filtering — Options
+
+## Problem
+
+SafeOutputs currently exposes **all** tools (noop, missing-tool, missing-data, create-work-item, create-pull-request) to every agent, regardless of `safe-outputs:` front matter configuration. This causes:
+
+1. **Unnecessary tool access** — agents can call tools they shouldn't need
+2. **Context pollution** — extra tool schemas waste agent context window
+
+## MCPG `tools` field — current status
+
+From [MCPG CONFIGURATION.md](https://github.com/github/gh-aw-mcpg/blob/main/docs/CONFIGURATION.md):
+
+> **`tools`** (optional): List of tool names intended to be exposed from this server
+>
+> **Note: This field is stored but not currently enforced at runtime; all tools from the backend are always exposed regardless of this value**
+
+**MCPG does NOT currently filter tools at the gateway level.** Setting `tools` on the safeoutputs entry will have no effect today.
+
+## Options
+
+### Option A: Set `tools` field in MCPG config only (forward-compatible)
+
+**What**: Set the `tools` field on the safeoutputs MCPG entry based on front matter.
+
+**Pros**: Zero risk, documents intent, will work when MCPG adds enforcement.
+**Cons**: Doesn't solve the problem today.
+
+**Files**: `src/compile/standalone.rs` only.
+
+### Option B: Filter tools at the SafeOutputs MCP server level
+
+**What**: Add a `--tools` CLI argument to `mcp-http` that controls which tools get registered in the `ToolRouter`. Only listed tools appear in `tools/list` and are callable.
+
+**Pros**: Actually enforces filtering today, regardless of MCPG.
+**Cons**: More invasive — changes to `mcp.rs`, `main.rs`, `base.yml` template.
+
+**Files**: `src/mcp.rs`, `src/main.rs`, `templates/base.yml`, `src/compile/standalone.rs`.
+
+### Option C: Both A and B (recommended)
+
+**What**: Set MCPG `tools` for documentation + forward-compat, AND filter at the server level for actual enforcement.
+
+**Pros**: Works today AND future-proofs for when MCPG adds enforcement.
+**Cons**: Most work, but straightforward.
+
+## Tool categories
+
+| Tool | Category | Availability |
+|------|----------|-------------|
+| `noop` | Baseline | Always available |
+| `missing-tool` | Baseline | Always available |
+| `missing-data` | Baseline | Always available |
+| `create-work-item` | Conditional | Only if `safe-outputs.create-work-item` configured |
+| `create-pull-request` | Conditional | Only if `safe-outputs.create-pull-request` configured |
+| `memory` | N/A | Not an MCP tool (filesystem-based) |
+
+## Implementation sketch (Option C)
+
+1. **`standalone.rs`** — In `generate_mcpg_config()`, build a `tools` list:
+   - Always: `["noop", "missing-tool", "missing-data"]`
+   - Add `"create-work-item"` if `front_matter.safe_outputs.contains_key("create-work-item")`
+   - Add `"create-pull-request"` if `front_matter.safe_outputs.contains_key("create-pull-request")`
+   - Set `tools: Some(list)` on the safeoutputs `McpgServerConfig`
+
+2. **`main.rs`** — Add `--tools` arg to `McpHttp` command (comma-separated list)
+
+3. **`mcp.rs`** — Accept tools filter in `run_http()`, conditionally register only matching `#[tool]` handlers
+
+4. **`base.yml`** — Pass `--tools` flag to SafeOutputs HTTP server step using a new `{{ safeoutputs_tools }}` marker
+
+5. **Tests** — Update MCPG config tests, HTTP integration tests, smoke script

docs/safeoutputs-tool-filtering.md

@@ -261,9 +261,9 @@ pub fn validate_checkout_list(repositories: &[Repository], checkout: &[String])
     Ok(())
 }
 
-/// Default bash commands allowed for agents (matches gh-aw defaults + yq)
+/// Default bash commands allowed for agents (matches gh-aw defaults + yq + git)
 const DEFAULT_BASH_COMMANDS: &[&str] = &[
-    "cat", "date", "echo", "grep", "head", "ls", "pwd", "sort", "tail", "uniq", "wc", "yq",
+    "cat", "date", "echo", "git", "grep", "head", "ls", "pwd", "sort", "tail", "uniq", "wc", "yq",
 ];
 
 /// Generate copilot CLI params from front matter configuration

src/compile/common.rs

@@ -52,15 +52,11 @@ fn slugify_title(title: &str) -> String {
     collapsed.chars().take(50).collect()
 }
 
-/// Generate a short random suffix for branch uniqueness
+/// Generate a short cryptographically random suffix for branch uniqueness
 fn generate_short_id() -> String {
-    use std::time::{SystemTime, UNIX_EPOCH};
-    let timestamp = SystemTime::now()
-        .duration_since(UNIX_EPOCH)
-        .unwrap_or_default()
-        .as_millis();
-    // Take last 6 hex digits of timestamp for short unique suffix
-    format!("{:06x}", (timestamp & 0xFFFFFF) as u32)
+    use rand::RngExt;
+    let value: u32 = rand::rng().random();
+    format!("{:08x}", value)
 }
 
 // ============================================================================
@@ -198,79 +194,80 @@ impl SafeOutputs {
             }
         };
 
-        // Run git diff against the target branch to capture all changes
-        // Try origin/main first (remote tracking), then main, then HEAD as fallback
-        let diff_targets = ["origin/main", "main", "HEAD"];
-        let mut last_error = String::new();
-        let mut diff_output = None;
-
-        for target in &diff_targets {
-            let output = Command::new("git")
-                .args(["diff", target])
-                .current_dir(&git_dir)
-                .output()
-                .await
-                .map_err(|e| {
-                    anyhow_to_mcp_error(anyhow::anyhow!("Failed to run git diff: {}", e))
-                })?;
+        // Generate patch using git format-patch for proper commit metadata,
+        // rename detection, and binary file handling.
+        //
+        // Steps:
+        // 1. Stage all changes (tracked + untracked)
+        // 2. Create a temporary commit
+        // 3. Generate format-patch output
+        // 4. Reset to undo the temporary commit (preserving working tree)
+
+        // Stage all changes including untracked files
+        let add_output = Command::new("git")
+            .args(["add", "-A"])
+            .current_dir(&git_dir)
+            .output()
+            .await
+            .map_err(|e| {
+                anyhow_to_mcp_error(anyhow::anyhow!("Failed to run git add -A: {}", e))
+            })?;
 
-            if output.status.success() {
-                diff_output = Some(output);
-                break;
-            }
-            last_error = String::from_utf8_lossy(&output.stderr).to_string();
+        if !add_output.status.success() {
+            return Err(anyhow_to_mcp_error(anyhow::anyhow!(
+                "git add -A failed: {}",
+                String::from_utf8_lossy(&add_output.stderr)
+            )));
         }
 
-        let mut patch = if let Some(output) = diff_output {
-            String::from_utf8_lossy(&output.stdout).to_string()
-        } else {
+        // Create a temporary commit with the staged changes
+        let commit_output = Command::new("git")
+            .args(["commit", "-m", "agent changes", "--allow-empty", "--no-verify"])
+            .current_dir(&git_dir)
+            .output()
+            .await
+            .map_err(|e| {
+                anyhow_to_mcp_error(anyhow::anyhow!("Failed to create temporary commit: {}", e))
+            })?;
+
+        if !commit_output.status.success() {
+            // Reset staging on failure
+            let _ = Command::new("git")
+                .args(["reset", "HEAD", "--quiet"])
+                .current_dir(&git_dir)
+                .output()
+                .await;
             return Err(anyhow_to_mcp_error(anyhow::anyhow!(
-                "git diff failed against all targets (origin/main, main, HEAD): {}",
-                last_error
+                "Failed to create temporary commit: {}",
+                String::from_utf8_lossy(&commit_output.stderr)
             )));
-        };
+        }
 
-        // Also include untracked files that have been added
-        let status_output = Command::new("git")
-            .args(["status", "--porcelain"])
+        // Generate format-patch for the last commit (the temporary one)
+        let format_patch_output = Command::new("git")
+            .args(["format-patch", "-1", "--stdout", "-M"])
             .current_dir(&git_dir)
             .output()
             .await
-            .map_err(|e| anyhow_to_mcp_error(anyhow::anyhow!("Failed to run git status: {}", e)))?;
+            .map_err(|e| {
+                anyhow_to_mcp_error(anyhow::anyhow!("Failed to run git format-patch: {}", e))
+            })?;
 
-        if !status_output.status.success() {
+        // Undo the temporary commit but keep changes in working tree
+        let _ = Command::new("git")
+            .args(["reset", "HEAD~1", "--mixed", "--quiet"])
+            .current_dir(&git_dir)
+            .output()
+            .await;
+
+        if !format_patch_output.status.success() {
             return Err(anyhow_to_mcp_error(anyhow::anyhow!(
-                "git status failed: {}",
-                String::from_utf8_lossy(&status_output.stderr)
+                "git format-patch failed: {}",
+                String::from_utf8_lossy(&format_patch_output.stderr)
             )));
         }
 
-        let status = String::from_utf8_lossy(&status_output.stdout);
-        for line in status.lines() {
-            if line.starts_with("?? ") {
-                // Untracked file - generate a diff for it
-                let file_path = line[3..].trim();
-                let file_full_path = git_dir.join(file_path);
-
-                if file_full_path.is_file() {
-                    if let Ok(content) = tokio::fs::read_to_string(&file_full_path).await {
-                        patch.push_str(&format!("diff --git a/{} b/{}\n", file_path, file_path));
-                        patch.push_str("new file mode 100644\n");
-                        patch.push_str("--- /dev/null\n");
-                        patch.push_str(&format!("+++ b/{}\n", file_path));
-
-                        let line_count = content.lines().count();
-                        patch.push_str(&format!("@@ -0,0 +1,{} @@\n", line_count));
-
-                        for line in content.lines() {
-                            patch.push('+');
-                            patch.push_str(line);
-                            patch.push('\n');
-                        }
-                    }
-                }
-            }
-        }
+        let patch = String::from_utf8_lossy(&format_patch_output.stdout).to_string();
 
         Ok(patch)
     }
@@ -407,7 +404,10 @@ fields you want to update."
 
     #[tool(
         name = "create-pull-request",
-        description = "Create a new pull request to propose code changes. Use this after making file edits to submit them for review and merging. The PR will be created from the current branch with your committed changes. Use 'self' for the pipeline's own repository, or a repository alias from the checkout list."
+        description = "Create a new pull request to propose code changes. Before calling this tool, \
+stage and commit your changes using git add and git commit — each logical change should be its \
+own commit with a descriptive message. The PR will be created from your committed changes. \
+Use 'self' for the pipeline's own repository, or a repository alias from the checkout list."
     )]
     async fn create_pr(
         &self,
@@ -464,6 +464,7 @@ fields you want to update."
             source_branch,
             patch_filename,
             repository.to_string(),
+            sanitized.labels,
         );
 
         // Write to safe outputs
@@ -1035,7 +1036,7 @@ mod tests {
     #[test]
     fn test_generate_short_id_format() {
         let id = generate_short_id();
-        assert_eq!(id.len(), 6);
+        assert_eq!(id.len(), 8);
         assert!(id.chars().all(|c| c.is_ascii_hexdigit()));
     }