feat: add org membership lookup tool

Author: cbartz

README.md

@@ -974,6 +974,12 @@ The following sets of tools are available:
 
 <summary><picture><source media="(prefers-color-scheme: dark)" srcset="pkg/octicons/icons/organization-dark.png"><source media="(prefers-color-scheme: light)" srcset="pkg/octicons/icons/organization-light.png"><img src="pkg/octicons/icons/organization-light.png" width="20" height="20" alt="organization"></picture> Organizations</summary>
 
+- **check_org_membership** - Check organization membership
+  - **Required OAuth Scopes**: `read:org`
+  - **Accepted OAuth Scopes**: `admin:org`, `read:org`, `write:org`
+  - `org`: GitHub organization login (string, required)
+  - `username`: GitHub username to check (string, required)
+
 - **search_orgs** - Search organizations
   - **Required OAuth Scopes**: `read:org`
   - **Accepted OAuth Scopes**: `admin:org`, `read:org`, `write:org`

docs/server-configuration.md

@@ -10,6 +10,7 @@ We currently support the following ways in which the GitHub MCP Server can be co
 | Toolsets | `X-MCP-Toolsets` header or `/x/{toolset}` URL | `--toolsets` flag or `GITHUB_TOOLSETS` env var |
 | Individual Tools | `X-MCP-Tools` header | `--tools` flag or `GITHUB_TOOLS` env var |
 | Exclude Tools | `X-MCP-Exclude-Tools` header | `--exclude-tools` flag or `GITHUB_EXCLUDE_TOOLS` env var |
+| Organization Membership Lookup | Enable `orgs` toolset or `check_org_membership` tool | Enable `orgs` toolset or `check_org_membership` tool |
 | Read-Only Mode | `X-MCP-Readonly` header or `/readonly` URL | `--read-only` flag or `GITHUB_READ_ONLY` env var |
 | Dynamic Mode | Not available | `--dynamic-toolsets` flag or `GITHUB_DYNAMIC_TOOLSETS` env var |
 | Lockdown Mode | `X-MCP-Lockdown` header | `--lockdown-mode` flag or `GITHUB_LOCKDOWN_MODE` env var |

pkg/github/__toolsnaps__/check_org_membership.snap

@@ -0,0 +1,25 @@
+{
+  "annotations": {
+    "readOnlyHint": true,
+    "title": "Check organization membership"
+  },
+  "description": "Check whether a GitHub user is a member of an organization, and report whether that membership is public, private, or not visible.",
+  "inputSchema": {
+    "properties": {
+      "org": {
+        "description": "GitHub organization login",
+        "type": "string"
+      },
+      "username": {
+        "description": "GitHub username to check",
+        "type": "string"
+      }
+    },
+    "required": [
+      "org",
+      "username"
+    ],
+    "type": "object"
+  },
+  "name": "check_org_membership"
+}

pkg/github/helper_test.go

@@ -140,6 +140,11 @@ const (
 	GetSearchUsers        = "GET /search/users"
 	GetSearchRepositories = "GET /search/repositories"
 
+	// Organization endpoints
+	GetOrgsByOrg                        = "GET /orgs/{org}"
+	GetOrgsMembersByOrgByUsername       = "GET /orgs/{org}/members/{username}"
+	GetOrgsPublicMembersByOrgByUsername = "GET /orgs/{org}/public_members/{username}"
+
 	// Raw content endpoints (used for GitHub raw content API, not standard API)
 	// These are used with the raw content client that interacts with raw.githubusercontent.com
 	GetRawReposContentsByOwnerByRepoByPath         = "GET /{owner}/{repo}/HEAD/{path:.*}"

pkg/github/orgs.go

@@ -0,0 +1,141 @@
+package github
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+
+	ghErrors "github.com/github/github-mcp-server/pkg/errors"
+	"github.com/github/github-mcp-server/pkg/inventory"
+	"github.com/github/github-mcp-server/pkg/scopes"
+	"github.com/github/github-mcp-server/pkg/translations"
+	"github.com/github/github-mcp-server/pkg/utils"
+	"github.com/google/jsonschema-go/jsonschema"
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+)
+
+const orgMembershipVisibilityNote = "result reflects caller visibility; private members of orgs you can't see appear as non-members."
+
+type CheckOrgMembershipInput struct {
+	Org      string `json:"org"`
+	Username string `json:"username"`
+}
+
+type CheckOrgMembershipOutput struct {
+	Org        string `json:"org"`
+	Username   string `json:"username"`
+	IsMember   bool   `json:"isMember"`
+	Visibility string `json:"visibility"`
+	Note       string `json:"note,omitempty"`
+}
+
+// CheckOrgMembership creates a tool to check whether a GitHub user is a member of an organization.
+func CheckOrgMembership(t translations.TranslationHelperFunc) inventory.ServerTool {
+	return NewTool[CheckOrgMembershipInput, CheckOrgMembershipOutput](
+		ToolsetMetadataOrgs,
+		mcp.Tool{
+			Name:        "check_org_membership",
+			Description: t("TOOL_CHECK_ORG_MEMBERSHIP_DESCRIPTION", "Check whether a GitHub user is a member of an organization, and report whether that membership is public, private, or not visible."),
+			Annotations: &mcp.ToolAnnotations{
+				Title:        t("TOOL_CHECK_ORG_MEMBERSHIP_USER_TITLE", "Check organization membership"),
+				ReadOnlyHint: true,
+			},
+			InputSchema: &jsonschema.Schema{
+				Type: "object",
+				Properties: map[string]*jsonschema.Schema{
+					"org": {
+						Type:        "string",
+						Description: "GitHub organization login",
+					},
+					"username": {
+						Type:        "string",
+						Description: "GitHub username to check",
+					},
+				},
+				Required: []string{"org", "username"},
+			},
+		},
+		[]scopes.Scope{scopes.ReadOrg},
+		func(ctx context.Context, deps ToolDependencies, _ *mcp.CallToolRequest, args CheckOrgMembershipInput) (*mcp.CallToolResult, CheckOrgMembershipOutput, error) {
+			if args.Org == "" {
+				return utils.NewToolResultError("missing required parameter: org"), CheckOrgMembershipOutput{}, nil
+			}
+			if args.Username == "" {
+				return utils.NewToolResultError("missing required parameter: username"), CheckOrgMembershipOutput{}, nil
+			}
+
+			client, err := deps.GetClient(ctx)
+			if err != nil {
+				return utils.NewToolResultErrorFromErr("failed to get GitHub client", err), CheckOrgMembershipOutput{}, nil
+			}
+
+			isMember, res, err := client.Organizations.IsMember(ctx, args.Org, args.Username)
+			if err != nil {
+				return ghErrors.NewGitHubAPIErrorResponse(ctx,
+					"failed to check organization membership",
+					res,
+					err,
+				), CheckOrgMembershipOutput{}, nil
+			}
+
+			isPublicMember, res, err := client.Organizations.IsPublicMember(ctx, args.Org, args.Username)
+			if err != nil {
+				return ghErrors.NewGitHubAPIErrorResponse(ctx,
+					"failed to check public organization membership",
+					res,
+					err,
+				), CheckOrgMembershipOutput{}, nil
+			}
+
+			output := CheckOrgMembershipOutput{
+				Org:      args.Org,
+				Username: args.Username,
+			}
+			switch {
+			case isPublicMember:
+				output.IsMember = true
+				output.Visibility = "public"
+			case isMember:
+				output.IsMember = true
+				output.Visibility = "private"
+			default:
+				if errResult := verifyOrganizationExists(ctx, args.Org, deps); errResult != nil {
+					return errResult, CheckOrgMembershipOutput{}, nil
+				}
+				output.Visibility = "none"
+				output.Note = orgMembershipVisibilityNote
+			}
+
+			r, err := json.Marshal(output)
+			if err != nil {
+				return nil, CheckOrgMembershipOutput{}, err
+			}
+			return utils.NewToolResultText(string(r)), output, nil
+		},
+	)
+}
+
+func verifyOrganizationExists(ctx context.Context, org string, deps ToolDependencies) *mcp.CallToolResult {
+	client, err := deps.GetClient(ctx)
+	if err != nil {
+		return utils.NewToolResultErrorFromErr("failed to get GitHub client", err)
+	}
+
+	_, res, err := client.Organizations.Get(ctx, org)
+	if err == nil {
+		return nil
+	}
+	if res != nil && res.Response != nil && res.Response.StatusCode == http.StatusNotFound {
+		return ghErrors.NewGitHubAPIErrorResponse(ctx,
+			"failed to get organization",
+			res,
+			err,
+		)
+	}
+
+	return ghErrors.NewGitHubAPIErrorResponse(ctx,
+		"failed to verify organization exists",
+		res,
+		err,
+	)
+}

pkg/github/orgs_test.go

@@ -0,0 +1,142 @@
+package github
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"testing"
+
+	"github.com/github/github-mcp-server/internal/toolsnaps"
+	"github.com/github/github-mcp-server/pkg/translations"
+	gogithub "github.com/google/go-github/v82/github"
+	"github.com/google/jsonschema-go/jsonschema"
+	"github.com/modelcontextprotocol/go-sdk/mcp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_CheckOrgMembership(t *testing.T) {
+	serverTool := CheckOrgMembership(translations.NullTranslationHelper)
+	tool := serverTool.Tool
+
+	require.NoError(t, toolsnaps.Test(tool.Name, tool))
+
+	assert.Equal(t, "check_org_membership", tool.Name)
+	assert.NotEmpty(t, tool.Description)
+
+	schema, ok := tool.InputSchema.(*jsonschema.Schema)
+	require.True(t, ok, "InputSchema should be *jsonschema.Schema")
+	assert.Contains(t, schema.Properties, "org")
+	assert.Contains(t, schema.Properties, "username")
+	assert.ElementsMatch(t, schema.Required, []string{"org", "username"})
+	assert.True(t, serverTool.IsReadOnly())
+	assert.ElementsMatch(t, []string{"read:org"}, serverTool.RequiredScopes)
+}
+
+func Test_CheckOrgMembership_PublicMember(t *testing.T) {
+	output := runCheckOrgMembership(t, MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+		GetOrgsMembersByOrgByUsername:       expectPath(t, "/orgs/canonical/members/octocat").andThen(mockStatus(http.StatusNoContent)),
+		GetOrgsPublicMembersByOrgByUsername: expectPath(t, "/orgs/canonical/public_members/octocat").andThen(mockStatus(http.StatusNoContent)),
+	}), false)
+
+	assert.Equal(t, CheckOrgMembershipOutput{
+		Org:        "canonical",
+		Username:   "octocat",
+		IsMember:   true,
+		Visibility: "public",
+	}, output)
+}
+
+func Test_CheckOrgMembership_PrivateMember(t *testing.T) {
+	output := runCheckOrgMembership(t, MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+		GetOrgsMembersByOrgByUsername:       expectPath(t, "/orgs/canonical/members/octocat").andThen(mockStatus(http.StatusNoContent)),
+		GetOrgsPublicMembersByOrgByUsername: expectPath(t, "/orgs/canonical/public_members/octocat").andThen(mockStatus(http.StatusNotFound)),
+	}), false)
+
+	assert.Equal(t, CheckOrgMembershipOutput{
+		Org:        "canonical",
+		Username:   "octocat",
+		IsMember:   true,
+		Visibility: "private",
+	}, output)
+}
+
+func Test_CheckOrgMembership_NotAMember(t *testing.T) {
+	output := runCheckOrgMembership(t, MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+		GetOrgsMembersByOrgByUsername:       expectPath(t, "/orgs/canonical/members/octocat").andThen(mockStatus(http.StatusNotFound)),
+		GetOrgsPublicMembersByOrgByUsername: expectPath(t, "/orgs/canonical/public_members/octocat").andThen(mockStatus(http.StatusNotFound)),
+		GetOrgsByOrg:                        expectPath(t, "/orgs/canonical").andThen(mockResponse(t, http.StatusOK, &gogithub.Organization{Login: gogithub.Ptr("canonical")})),
+	}), false)
+
+	assert.Equal(t, "canonical", output.Org)
+	assert.Equal(t, "octocat", output.Username)
+	assert.False(t, output.IsMember)
+	assert.Equal(t, "none", output.Visibility)
+	assert.Equal(t, "result reflects caller visibility; private members of orgs you can't see appear as non-members.", output.Note)
+}
+
+func Test_CheckOrgMembership_OrgNotFound(t *testing.T) {
+	text := runCheckOrgMembershipError(t, MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+		GetOrgsMembersByOrgByUsername:       expectPath(t, "/orgs/missing-org/members/octocat").andThen(mockStatus(http.StatusNotFound)),
+		GetOrgsPublicMembersByOrgByUsername: expectPath(t, "/orgs/missing-org/public_members/octocat").andThen(mockStatus(http.StatusNotFound)),
+		GetOrgsByOrg:                        expectPath(t, "/orgs/missing-org").andThen(mockResponse(t, http.StatusNotFound, map[string]string{"message": "Not Found"})),
+	}), map[string]any{"org": "missing-org", "username": "octocat"})
+
+	assert.Contains(t, text, "failed to get organization")
+	assert.Contains(t, text, "404")
+}
+
+func Test_CheckOrgMembership_ScopeError(t *testing.T) {
+	for _, status := range []int{http.StatusUnauthorized, http.StatusForbidden} {
+		t.Run(http.StatusText(status), func(t *testing.T) {
+			text := runCheckOrgMembershipError(t, MockHTTPClientWithHandlers(map[string]http.HandlerFunc{
+				GetOrgsMembersByOrgByUsername: expectPath(t, "/orgs/canonical/members/octocat").andThen(
+					mockResponse(t, status, map[string]string{"message": http.StatusText(status)}),
+				),
+			}), map[string]any{"org": "canonical", "username": "octocat"})
+
+			assert.Contains(t, text, "failed to check organization membership")
+			assert.Contains(t, text, http.StatusText(status))
+		})
+	}
+}
+
+func runCheckOrgMembership(t *testing.T, httpClient *http.Client, expectError bool) CheckOrgMembershipOutput {
+	t.Helper()
+
+	result := callCheckOrgMembership(t, httpClient, map[string]any{"org": "canonical", "username": "octocat"})
+	require.Equal(t, expectError, result.IsError)
+
+	textContent := getTextResult(t, result)
+	var output CheckOrgMembershipOutput
+	require.NoError(t, json.Unmarshal([]byte(textContent.Text), &output))
+	return output
+}
+
+func runCheckOrgMembershipError(t *testing.T, httpClient *http.Client, args map[string]any) string {
+	t.Helper()
+
+	result := callCheckOrgMembership(t, httpClient, args)
+	textContent := getErrorResult(t, result)
+	return textContent.Text
+}
+
+func callCheckOrgMembership(t *testing.T, httpClient *http.Client, args map[string]any) *mcp.CallToolResult {
+	t.Helper()
+
+	client := gogithub.NewClient(httpClient)
+	deps := BaseDeps{Client: client}
+	serverTool := CheckOrgMembership(translations.NullTranslationHelper)
+	handler := serverTool.Handler(deps)
+	request := createMCPRequest(args)
+
+	result, err := handler(ContextWithDeps(context.Background(), deps), &request)
+	require.NoError(t, err)
+	return result
+}
+
+func mockStatus(status int) http.HandlerFunc {
+	return func(w http.ResponseWriter, _ *http.Request) {
+		w.WriteHeader(status)
+	}
+}

pkg/github/tools.go

@@ -217,6 +217,7 @@ func AllTools(t translations.TranslationHelperFunc) []inventory.ServerTool {
 
 		// Organization tools
 		SearchOrgs(t),
+		CheckOrgMembership(t),
 
 		// Pull request tools
 		PullRequestRead(t),