Add ifc label for issue_read tool

[gokhanarkan]

Emits an IFC SecurityLabel on the issue_read tool result when the InsidersMode flag is enabled, mirroring the pattern landed for get_me in #2432, list_issues in #2453, get_file_contents in #2454, and search_issues in #2456.

Refs github/copilot-mcp-core#1623, github/copilot-mcp-core#1389. One of the ingress tools listed in #1623's tool table.

Chained on #2456 (which is itself chained on #2454). Base is currently gokhanarkan/fides-search-issues because this PR reuses FetchRepoIsPrivate and FetchRepoCollaborators. GitHub will auto-retarget the base to main as the upstream PRs merge.

What this PR does

• Wires _meta.ifc onto the issue_read CallToolResult when deps.GetFlags(ctx).InsidersMode is true. No behaviour change when the flag is off.
• issue_read operates on a single issue in a single repository, so the label has the same per-repo semantics as list_issues: integrity always untrusted; public repos → PublicUntrusted; private repos → PrivateUntrusted(collaborators) with [owner] fallback if the collaborators lookup fails. ifc.LabelListIssues is reused directly — no new pkg/ifc constructor.
• The IssueRead handler dispatches to four sub-functions (GetIssue, GetIssueComments, GetSubIssues, GetIssueLabels). The IFC label is attached at the dispatch site via a single attachIFC closure, so all four method= branches emit the label without modifying the underlying helpers.
• Visibility-lookup failures cause the label to be omitted entirely (consistent with get_file_contents and search_issues) to avoid misclassifying the result.

Suggested follow-up (not in this PR)

After this lands, three handlers (get_file_contents, search_issues, issue_read) carry near-identical attachIFC closures (~25 lines each). A small follow-up PR could extract them into a single shared helper (e.g. AttachRepoIFC(ctx, deps, client, owner, repo, labelFn) in pkg/github/ifc_attach.go), saving ~60 lines and keeping the pattern consistent across tools. Intentionally not bundled here to keep this PR minimal and easy to review.

Tests

Test_IssueRead_IFC_InsidersMode in pkg/github/issues_test.go with 4 subtests:

1. Insiders off → result.Meta == nil.
2. Insiders on, public repo, method=get → integrity=untrusted, confidentiality=["public"].
3. Insiders on, private repo, method=get_comments → untrusted/collaborator list (proves the wrapper applies to non-get dispatch branches).
4. Insiders on, visibility lookup fails (500) → no ifc meta.

get_labels (GraphQL) gets the same wrapper coverage but isn't separately tested for IFC — the wrapper sits outside the dispatch and is method-agnostic.

Validation

• go test -race ./... — green.
• gofmt -s clean; go vet ./... clean.
• (./script/lint itself fails locally with a pre-existing golangci-lint Go-version mismatch unrelated to this change.)
• No tool schema/annotation changes → no toolsnap or README regeneration needed.

[Copilot]

Pull request overview

Adds best-effort IFC SecurityLabel metadata to the issue_read MCP tool output when InsidersMode is enabled, aligning issue_read with the existing IFC-labeling pattern used by other ingress tools in this codebase.

Changes:

• Attach _meta.ifc to successful issue_read results behind InsidersMode, using per-repo visibility + collaborators to compute a LabelListIssues-semantics label.
• Apply IFC attachment uniformly across all issue_read dispatch methods (get, get_comments, get_sub_issues, get_labels) via a single wrapper closure.
• Add unit tests covering insiders on/off, public/private repo labeling, and “visibility lookup fails → omit label” behavior.

Show a summary per file

File	Description
pkg/github/issues.go	Wraps IssueRead dispatch returns with an attachIFC helper that lazily computes and attaches _meta.ifc in insiders mode.
pkg/github/issues_test.go	Adds Test_IssueRead_IFC_InsidersMode to validate IFC metadata behavior for issue_read across key scenarios.

Copilot's findings

• Files reviewed: 2/2 changed files
• Comments generated: 0