[guard-coverage] Close issue dependency guard gaps in tool classification and DIFC labeling by Copilot · Pull Request #8195 · github/gh-aw-mcpg · GitHub

[guard-coverage] Close issue dependency guard gaps in tool classification and DIFC labeling #8195

Merged
lpcox merged 3 commits into main from copilot/guard-coverage-fix-operations
Jun 27, 2026
Conversation

Copilot AI commented Jun 27, 2026

Contributor

The GitHub guard was missing explicit coverage for the upstream issue dependency capability, leaving one mutating tool unclassified and two issue-dependency tools without dedicated DIFC rule handling. This PR closes that gap by aligning classification and label application with existing issue-scoped behavior.

  • Tool classification (tools.rs)

    • Added issue_dependency_write to READ_WRITE_OPERATIONS so mutating dependency updates are treated as read-write operations.
  • DIFC rule coverage (tool_rules.rs)

    • Added explicit apply_tool_labels arms for:
      • issue_dependency_read: repo-visibility secrecy + issue-scoped description + private-repo baseline integrity behavior consistent with issue reads.
      • issue_dependency_write: repo-visibility secrecy + issue-scoped description + writer_integrity(repo) for dependency mutations.
  • Guard regression tests

    • Added focused tests to assert:
      • issue_dependency_write is classified as read-write (and not write-only).
      • issue_dependency_read label output matches issue_read for equivalent inputs.
      • issue_dependency_write produces writer integrity and expected issue description formatting.
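```rust
"issue_dependency_write" => {
    // Scope the description to the issue when owner, repo and issue number are present.
    if !owner.is_empty() && !repo.is_empty() {
        if let Some(issue_num) = extract_number_as_string(tool_args, field_names::ISSUE_NUMBER) {
            desc = format!("issue:{}/{}#{}", owner, repo, issue_num);
        }
    }
    // Secrecy follows repository visibility.
    secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
    // Dependency mutations carry writer integrity for the repo.
    integrity = writer_integrity(repo_id, ctx);
}
```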
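
An added example, not code from this PR or the gh-aw-mcpg repository: a simplified Rust model of a guard-coverage check, run against the guard as the description says it was before the change and as it is after. The `Labels` struct, the `Integrity` variants, the `patched` switch, the sample upstream list and the folding of classification into the label result are assumptions; only the tool names and the `issue:owner/repo#number` description format come from the PR text.

```rust
// Added illustration: a simplified model, not the gh-aw-mcpg source.
// Labels, Integrity and `patched` are hypothetical names for this sketch.
#[derive(Debug, Clone, PartialEq)]
enum Integrity { Unlabeled, ReadBaseline, Writer }

#[derive(Debug, Clone, PartialEq)]
struct Labels { desc: String, integrity: Integrity, read_write: bool }

/// Model of per-tool labeling. `patched = false` reproduces the gap the PR
/// describes: the dependency tools fall through to the catch-all arm.
fn label_tool(tool: &str, owner: &str, repo: &str, issue: u64, patched: bool) -> Labels {
    let issue_desc = format!("issue:{}/{}#{}", owner, repo, issue);
    match tool {
        "issue_read" =>
            Labels { desc: issue_desc, integrity: Integrity::ReadBaseline, read_write: false },
        "issue_dependency_read" if patched =>
            Labels { desc: issue_desc, integrity: Integrity::ReadBaseline, read_write: false },
        "issue_dependency_write" if patched =>
            Labels { desc: issue_desc, integrity: Integrity::Writer, read_write: true },
        // Catch-all: no issue scoping, no integrity, not treated as a mutation.
        _ => Labels { desc: String::new(), integrity: Integrity::Unlabeled, read_write: false },
    }
}

/// Coverage check: every upstream tool must hit an explicit arm, and every
/// tool marked mutating upstream must come back classified read-write.
fn coverage_gaps(upstream: &[(&'static str, bool)], patched: bool) -> Vec<String> {
    let mut gaps = Vec::new();
    for &(tool, mutating) in upstream {
        let labels = label_tool(tool, "octo", "demo", 7, patched);
        if labels.integrity == Integrity::Unlabeled {
            gaps.push(format!("{}: no explicit label rule", tool));
        }
        if mutating && !labels.read_write {
            gaps.push(format!("{}: mutating but not read-write", tool));
        }
    }
    gaps
}

// Constructed sample of upstream tool metadata: (name, mutating).
const UPSTREAM: &[(&str, bool)] = &[
    ("issue_read", false),
    ("issue_dependency_read", false),
    ("issue_dependency_write", true),
];

fn main() {
    println!("before: {:?}", coverage_gaps(UPSTREAM, false));
    println!("after:  {:?}", coverage_gaps(UPSTREAM, true));
}
```

Probing the labeling function itself, rather than a second list of "covered" tools, keeps the check from drifting out of sync with the match arms.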

GitHub Advanced Security started work on behalf of lpcox June 27, 2026 15:50
GitHub Advanced Security finished work on behalf of lpcox June 27, 2026 15:51
Copilot AI changed the title from "[WIP] Fix guard coverage gap for 2 operations" to "[guard-coverage] Close issue dependency guard gaps in tool classification and DIFC labeling" Jun 27, 2026
Copilot finished work on behalf of lpcox June 27, 2026 15:57
GitHub Advanced Security started work on behalf of lpcox June 27, 2026 15:57
Copilot AI requested a review from lpcox June 27, 2026 15:57
GitHub Advanced Security finished work on behalf of lpcox June 27, 2026 15:57
@lpcox lpcox marked this pull request as ready for review June 27, 2026 16:30
Copilot AI review requested due to automatic review settings June 27, 2026 16:30

Copilot AI left a comment

Contributor


Pull request overview

This PR closes gaps in the GitHub guard’s coverage for issue dependency tools by (1) ensuring the mutating dependency tool is classified as read-write and (2) adding explicit DIFC label application rules (plus regression tests) so issue-dependency tools follow the same repo/issue scoping patterns as existing issue tools.

Changes:

  • Classified issue_dependency_write as a read-write operation in READ_WRITE_OPERATIONS and added a regression test for classification.
  • Added explicit apply_tool_labels handling for issue_dependency_read and issue_dependency_write, including issue-scoped descriptions and repo-visibility secrecy labeling.
  • Added focused label regression tests to compare issue_dependency_read with issue_read, and to validate issue_dependency_write integrity/secrecy/description.
| File | Description |
| --- | --- |
| guards/github-guard/rust-guard/src/tools.rs | Adds issue_dependency_write to read-write classification and asserts it isn’t classified as write-only. |
| guards/github-guard/rust-guard/src/labels/tool_rules.rs | Adds DIFC labeling rules and regression tests for issue dependency read/write tools. |

Review details

  • Files reviewed: 2/2 changed files
  • Comments generated: 1
  • Review effort level: Low

Comment thread guards/github-guard/rust-guard/src/labels/tool_rules.rs
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
GitHub Advanced Security started work on behalf of lpcox June 27, 2026 16:37
GitHub Advanced Security finished work on behalf of lpcox June 27, 2026 16:38
@lpcox lpcox merged commit 77c84b0 into main Jun 27, 2026
27 checks passed
@lpcox lpcox deleted the copilot/guard-coverage-fix-operations branch June 27, 2026 16:41