fix(repos): default create_repository to private when visibility omitted (#2694)

Previously, omitting the `private` parameter on create_repository
defaulted the new repository to public, an insecure default that could
unintentionally expose code, configuration, and history. Omission now
defaults to a private repository; public repositories are only created
when `private` is explicitly set to false.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: SamMorrowDrums

README.md

@@ -1204,7 +1204,7 @@ The following sets of tools are available:
   - `description`: Repository description (string, optional)
   - `name`: Repository name (string, required)
   - `organization`: Organization to create the repository in (omit to create in your personal account) (string, optional)
-  - `private`: Whether repo should be private (boolean, optional)
+  - `private`: Whether the repository should be private. Defaults to true (private) when omitted. (boolean, optional)
 
 - **delete_file** - Delete file
   - **Required OAuth Scopes**: `repo`

pkg/github/__toolsnaps__/create_repository.snap

@@ -22,7 +22,8 @@
         "type": "string"
       },
       "private": {
-        "description": "Whether repo should be private",
+        "default": true,
+        "description": "Whether the repository should be private. Defaults to true (private) when omitted.",
         "type": "boolean"
       }
     },

pkg/github/repositories.go

@@ -600,7 +600,8 @@ func CreateRepository(t translations.TranslationHelperFunc) inventory.ServerTool
 					},
 					"private": {
 						Type:        "boolean",
-						Description: "Whether repo should be private",
+						Description: "Whether the repository should be private. Defaults to true (private) when omitted.",
+						Default:     json.RawMessage("true"),
 					},
 					"autoInit": {
 						Type:        "boolean",
@@ -624,7 +625,7 @@ func CreateRepository(t translations.TranslationHelperFunc) inventory.ServerTool
 			if err != nil {
 				return utils.NewToolResultError(err.Error()), nil, nil
 			}
-			private, err := OptionalParam[bool](args, "private")
+			private, err := OptionalBoolParamWithDefault(args, "private", true)
 			if err != nil {
 				return utils.NewToolResultError(err.Error()), nil, nil
 			}

pkg/github/repositories_test.go

@@ -2020,15 +2020,15 @@ func Test_CreateRepository(t *testing.T) {
 			expectedRepo: mockRepo,
 		},
 		{
-			name: "successful repository creation with minimal parameters",
+			name: "successful repository creation with minimal parameters defaults to private",
 			mockedClient: NewMockedHTTPClient(
 				WithRequestMatchHandler(
 					EndpointPattern("POST /user/repos"),
 					expectRequestBody(t, map[string]any{
 						"name":        "test-repo",
 						"auto_init":   false,
 						"description": "",
-						"private":     false,
+						"private":     true,
 					}).andThen(
 						mockResponse(t, http.StatusCreated, mockRepo),
 					),
@@ -2040,6 +2040,28 @@ func Test_CreateRepository(t *testing.T) {
 			expectError:  false,
 			expectedRepo: mockRepo,
 		},
+		{
+			name: "successful public repository creation when private is explicitly false",
+			mockedClient: NewMockedHTTPClient(
+				WithRequestMatchHandler(
+					EndpointPattern("POST /user/repos"),
+					expectRequestBody(t, map[string]any{
+						"name":        "test-repo",
+						"auto_init":   false,
+						"description": "",
+						"private":     false,
+					}).andThen(
+						mockResponse(t, http.StatusCreated, mockRepo),
+					),
+				),
+			),
+			requestArgs: map[string]any{
+				"name":    "test-repo",
+				"private": false,
+			},
+			expectError:  false,
+			expectedRepo: mockRepo,
+		},
 		{
 			name: "repository creation fails",
 			mockedClient: NewMockedHTTPClient(