Use collision-resistant request/operation IDs for tool invocations #2099
Description
Problem
Tool invocation request/operation IDs can collide under concurrent load, making audit trails ambiguous and impairing incident analysis.
Why now
GitHub MCP server is increasingly used for operational automation where deterministic, unique correlation IDs are required for governance and debugging.
Evidence Packet
- Version/commit under test:
origin/mainatb222072346e3 - Runtime environment: macOS 26.3 (arm64), Go 1.25.7
- Minimal repro:
- Execute many concurrent tool invocations with similar request shapes.
- Inspect logged/requested operation identifiers.
- Detect ambiguous or reused IDs.
- Expected behavior: collision-resistant unique request/operation IDs per invocation.
- Actual behavior: current ID strategy is not explicit about collision resistance across all paths.
Why code change (not docs)
ID generation and propagation are runtime behavior contracts.
Scope / Codepaths
internal/ghmcppkg/contextpkg/log
Acceptance Criteria
- Request/operation IDs include collision-resistant component.
- IDs are propagated consistently through tool execution and logs.
- Tests prove uniqueness under concurrent invocation.
Validation Plan
- Add focused concurrent ID-generation tests.
- Verify deterministic schema/fields for audit extraction.