diff --git a/pkg/workflow/copilot_github_mcp_test.go b/pkg/workflow/copilot_github_mcp_test.go
index 387351aab4..7fbdc2458b 100644
--- a/pkg/workflow/copilot_github_mcp_test.go
+++ b/pkg/workflow/copilot_github_mcp_test.go
@@ -25,6 +25,10 @@ func TestRenderGitHubCopilotMCPConfig_AllowedTools(t *testing.T) {
 `"github": {`,
 `"type": "stdio"`,
 `"container": "ghcr.io/github/github-mcp-server:v0.30.3"`,
+ `"tools": [`,
+ `"list_workflows"`,
+ `"list_workflow_runs"`,
+ `"list_workflow_run_artifacts"`,
 `"env": {`,
 `"GITHUB_PERSONAL_ACCESS_TOKEN": "\${GITHUB_MCP_SERVER_TOKEN}"`,
 },
@@ -40,7 +44,9 @@ func TestRenderGitHubCopilotMCPConfig_AllowedTools(t *testing.T) {
 `"container": "ghcr.io/github/github-mcp-server:v0.30.3"`,
 `"env": {`,
 },
- unexpectedContent: []string{},
+ unexpectedContent: []string{
+ `"tools":`, // Should not include tools field when no allowed tools specified
+ },
 },
 {
 name: "GitHub with empty allowed array (defaults to all)",
@@ -54,7 +60,9 @@ func TestRenderGitHubCopilotMCPConfig_AllowedTools(t *testing.T) {
 `"container": "ghcr.io/github/github-mcp-server:v0.30.3"`,
 `"env": {`,
 },
- unexpectedContent: []string{},
+ unexpectedContent: []string{
+ `"tools":`, // Should not include tools field when allowed array is empty
+ },
 },
 {
 name: "GitHub remote mode with specific allowed tools",
@@ -67,6 +75,9 @@ func TestRenderGitHubCopilotMCPConfig_AllowedTools(t *testing.T) {
 `"github": {`,
 `"type": "http"`,
 `"url": "https://api.githubcopilot.com/mcp/"`,
+ `"tools": [`,
+ `"get_repository"`,
+ `"list_commits"`,
 },
 unexpectedContent: []string{},
 },
@@ -81,7 +92,9 @@ func TestRenderGitHubCopilotMCPConfig_AllowedTools(t *testing.T) {
 `"type": "http"`,
 `"url": "https://api.githubcopilot.com/mcp/"`,
 },
- unexpectedContent: []string{},
+ unexpectedContent: []string{
+ `"tools":`, // Should not include tools field when no allowed tools specified
+ },
 },
 }
diff --git a/pkg/workflow/mcp_renderer.go b/pkg/workflow/mcp_renderer.go
index ac89743a75..0eab1184f0 100644
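Review bot: In pkg/workflow/copilot_github_mcp_test.go, the two cases with specific allowed tools (hunks at -25 and -67) only add positive expectations, so they would still pass if the renderer emitted extra entries that widen the allowlist. The entries appear to be matched as substrings, but the assertion loop and the start of the table are outside the diff. The remote-mode case keeps `unexpectedContent: []string{},`; it could pin the restriction with `unexpectedContent: []string{"\"*\""},`, assuming the wildcard literal does not legitimately occur elsewhere in the rendered block. A case whose tool name contains a double quote would also document how the renderer is expected to treat names that are not plain identifiers.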
--- a/pkg/workflow/mcp_renderer.go
+++ b/pkg/workflow/mcp_renderer.go
@@ -710,9 +710,21 @@ func RenderGitHubMCPDockerConfig(yaml *strings.Builder, options GitHubMCPDockerO
 yaml.WriteString(" ],\n")
 }
- // Note: tools field is NOT included here - the converter script adds it back
- // for Copilot (see convert_gateway_config_copilot.sh). This keeps the gateway
- // config compatible with the schema which doesn't have the tools field.
+ // Add tools field if requested (Copilot needs it to specify allowed tools)
+ // This prevents the converter script from adding a wildcard ["*"] when specific tools are configured
+ if options.IncludeTypeField && len(options.AllowedTools) > 0 {
+ yaml.WriteString(" \"tools\": [\n")
+ for i, tool := range options.AllowedTools {
+ yaml.WriteString(" \"")
+ yaml.WriteString(tool)
+ yaml.WriteString("\"")
+ if i < len(options.AllowedTools)-1 {
+ yaml.WriteString(",")
+ }
+ yaml.WriteString("\n")
+ }
+ yaml.WriteString(" ],\n")
+ }
 // Add env section for GitHub MCP server environment variables
 yaml.WriteString(" \"env\": {\n")
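Review bot: In the new loop in RenderGitHubMCPDockerConfig, each entry of `options.AllowedTools` is written between hand-placed quotes with `yaml.WriteString(tool)`, so a name containing `"`, `\` or a line break is emitted unescaped and can alter the structure of the rendered config, including the allowlist this field is meant to narrow. Encode each name instead: replace the three WriteString calls around the name with `quoted, _ := json.Marshal(tool)` and `yaml.Write(quoted)` (this needs `encoding/json`; the import block is not visible here), or reject names that do not match a conservative identifier pattern before rendering. The escaped `\${GITHUB_MCP_SERVER_TOKEN}` expected by the test suggests the output may pass through a shell heredoc; if so, `$` and backticks in tool names need the same care. The function body starts and ends outside the hunk, so where `AllowedTools` is validated upstream, if at all, cannot be confirmed from this diff.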