Grant MCP only access to specific repos within a project #789

@ThorkellHelgason96

Replace the content with your actual issue making sure to keep similar style so that GitHub Copilot can generate this change for you!

Summary

Enhance the Azure DevOps MCP server to support repository-scoped access within a project.

Tools

Enable the MCP agent to restrict its scope to a single repository, rather than having access to all repositories in a project. This would allow safer automation and tighter enterprise security, even when the PAT used is project-wide.

  • MCP server should accept a repository identifier parameter.
  • All API calls from the agent (branches, commits, pull requests, etc.) are limited to the specified repository.
  • Ensure fallback behavior if the repository does not exist or the PAT lacks access.

Rules

  1. Adhere strictly to existing project standards and coding conventions.
  2. Maintain compatibility with current PAT authentication flows.
  3. Avoid exposing credentials in plaintext; environment variable support should still work.
  4. Agent should fail gracefully when attempting actions outside the allowed repository.

Motivation/Benefits

  • Many enterprises have strict policies: allowing an agent full project access is too permissive.
  • PATs in Azure DevOps are project-wide, not repository-wide; this feature would narrow the blast radius of automated tools.
  • Makes MCP usage safer for corporate environments with sensitive code.

Special treat

If you follow the rules, you'll get candy!
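
One way the repository scoping requested above could be enforced, shown as an added example that is not part of the issue or the project's code. Every type, function name and sample repository below is an assumption; the guard resolves the configured repository once, then denies any tool call that names another repository, another project, or no repository at all.

```typescript
// Added example: every name below is hypothetical, not the server's real API.
type ToolArgs = { project?: string; repositoryId?: string };
type ToolResult = { isError: boolean; text: string };
type Handler = (args: ToolArgs) => ToolResult;
interface Repo { id: string; name: string; project: string }

// Assumption: repository names and GUIDs are compared case-insensitively.
const same = (a: string, b: string): boolean =>
  a.trim().toLowerCase() === b.trim().toLowerCase();

const deny = (why: string): ToolResult => ({ isError: true, text: `Denied: ${why}` });

// Resolve the configured identifier (name or GUID) against the repositories the
// PAT can see. null means "missing or not visible": refuse to start rather than
// fall back to project-wide scope.
function resolveScope(configured: string, visible: Repo[]): Repo | null {
  const hit = visible.find(r => same(r.id, configured) || same(r.name, configured));
  return hit === undefined ? null : hit;
}

// Wrap a tool handler so it only ever runs against the scoped repository.
function scoped(scope: Repo, handler: Handler): Handler {
  return (args: ToolArgs): ToolResult => {
    const repo = args.repositoryId;
    // No repository argument is denied, not read as "every repository".
    if (repo === undefined || repo.trim() === "") return deny("a repository is required");
    if (args.project !== undefined && !same(args.project, scope.project))
      return deny(`project '${args.project}' is outside the allowed scope`);
    if (!same(repo, scope.id) && !same(repo, scope.name))
      return deny(`repository '${repo}' is outside the allowed scope`);
    // Forward the canonical GUID so name and GUID spellings cannot diverge.
    return handler({ ...args, project: scope.project, repositoryId: scope.id });
  };
}

// Constructed sample data: repositories a project-wide PAT would return.
const SAMPLE_REPOS: Repo[] = [
  { id: "11111111-1111-1111-1111-111111111111", name: "payments-api", project: "Contoso" },
  { id: "22222222-2222-2222-2222-222222222222", name: "hr-records", project: "Contoso" },
];

// Stand-in for a real tool such as "list branches".
const listBranches: Handler = (a) => ({ isError: false, text: `branches of ${a.repositoryId}` });
```

Returning a denial result instead of throwing keeps the agent session alive, which matches the "fail gracefully" rule in the issue.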
