Summary
The GitHub guard pre-emptively covers many CLI write operations (e.g., enable_workflow, disable_workflow, sync_fork) but is missing entries for 5 write operations reachable via gh run cancel and gh run rerun. If the GitHub MCP server adds corresponding tools for these operations, they would not be automatically classified as write operations by the guard — falling through to default handling and potentially bypassing DIFC enforcement.
- MCP tools scanned: 80 (from github-mcp-server toolsnaps)
- CLI write commands scanned: ~58 (across pr, issue, repo, release, gist, workflow, label, project, secret, variable, run)
- Guard-covered write tools (tools.rs): 43 (36 WRITE_OPERATIONS + 7 READ_WRITE_OPERATIONS)
- Tools with explicit DIFC rules (tool_rules.rs): 80 (all upstream MCP tools have explicit match arms)
- New gaps found this run: 5 CLI-only operations (2 cancel variants, 3 rerun variants)
Note: All 80 current upstream MCP tools are fully covered — both classified in tools.rs and labeled in tool_rules.rs. These gaps are pre-emptive, identical in nature to existing pre-emptive entries like enable_workflow and disable_workflow.
MCP Tool Classification Gaps (tools.rs)
None — all 80 upstream MCP tools from github-mcp-server are present in WRITE_OPERATIONS, READ_WRITE_OPERATIONS, or covered by a prefix pattern (create_*, update_*, delete_*, merge_*, lock_*, unlock_*).
MCP Tool DIFC Labeling Gaps (tool_rules.rs)
None — all 80 upstream MCP tools have explicit match arms in apply_tool_labels.
GitHub CLI-Only Gaps
These write operations are reachable via the GitHub CLI but have no corresponding MCP tool and no pre-emptive guard entry. Unlike delete_workflow_run (which would be auto-covered by the delete_* pattern), neither cancel_* nor rerun_* is a recognized prefix pattern in tools.rs.
| CLI Command | REST Endpoint | MCP-style Tool Name | Pattern Coverage | Risk |
|---|---|---|---|---|
| `gh run cancel <run-id>` | `POST /repos/{owner}/{repo}/actions/runs/{run_id}/cancel` | `cancel_workflow_run` | ❌ `cancel_*` not a pattern | Medium |
| `gh run cancel --force <run-id>` | `POST /repos/{owner}/{repo}/actions/runs/{run_id}/force-cancel` | `force_cancel_workflow_run` | ❌ `force_cancel_*` not a pattern | Medium |
| `gh run rerun <run-id>` | `POST /repos/{owner}/{repo}/actions/runs/{run_id}/rerun` | `rerun_workflow_run` | ❌ `rerun_*` not a pattern | Medium |
| `gh run rerun --failed <run-id>` | `POST /repos/{owner}/{repo}/actions/runs/{run_id}/rerun-failed-jobs` | `rerun_failed_jobs` | ❌ `rerun_*` not a pattern | Medium |
| `gh run rerun --job <job-id>` | `POST /repos/{owner}/{repo}/actions/jobs/{job_id}/rerun` | `rerun_workflow_job` | ❌ `rerun_*` not a pattern | Medium |
Why these matter: Canceling and rerunning workflow runs are significant CI/CD operations. A malicious or compromised agent that invokes these through a future MCP tool (or directly via gh) would bypass write-operation DIFC classification if these names are not pre-emptively guarded.
Suggested fix for tools.rs
Add pre-emptive entries to WRITE_OPERATIONS, following the pattern of existing pre-emptive CLI entries:
```rust
pub const WRITE_OPERATIONS: &[&str] = &[
    // ... existing entries ...

    // Pre-emptive entries for anticipated future MCP tools (no equivalent tool today)
    // gh run cancel / force-cancel
    "cancel_workflow_run",       // gh run cancel — cancels an in-progress workflow run
    "force_cancel_workflow_run", // gh run cancel --force — force-cancels a workflow run
    // gh run rerun
    "rerun_workflow_run",        // gh run rerun — reruns a completed workflow run
    "rerun_failed_jobs",         // gh run rerun --failed — reruns only failed jobs
    "rerun_workflow_job",        // gh run rerun --job — reruns a specific job
];
```
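A regression check for this gap, as an added example that is not the project's own code: it models classification as "explicit list or prefix pattern" and reports which names fall through. The prefix list is the one quoted in this report; `EXISTING_WRITE_OPERATIONS` is a constructed subset, and `is_write` and `unclassified` are hypothetical helper names.

```rust
// Simplified model of write classification (added example; not the project's tools.rs).
// Prefixes are those quoted in this report; the explicit list is a constructed subset.
const WRITE_PREFIXES: &[&str] = &["create_", "update_", "delete_", "merge_", "lock_", "unlock_"];
const EXISTING_WRITE_OPERATIONS: &[&str] = &["enable_workflow", "disable_workflow", "sync_fork"];

// The five tool names proposed in this report.
const PROPOSED_ENTRIES: &[&str] = &[
    "cancel_workflow_run",
    "force_cancel_workflow_run",
    "rerun_workflow_run",
    "rerun_failed_jobs",
    "rerun_workflow_job",
];

/// True if `tool` is classified as a write by the explicit list or a prefix pattern.
fn is_write(tool: &str, explicit: &[&str]) -> bool {
    explicit.contains(&tool) || WRITE_PREFIXES.iter().any(|p| tool.starts_with(p))
}

/// Candidate names that would fall through to default handling.
fn unclassified<'a>(candidates: &[&'a str], explicit: &[&str]) -> Vec<&'a str> {
    candidates.iter().copied().filter(|t| !is_write(t, explicit)).collect()
}

fn main() {
    // Before the fix: none of the five names match the list or a prefix.
    let before = unclassified(PROPOSED_ENTRIES, EXISTING_WRITE_OPERATIONS);
    println!("unclassified before fix: {:?}", before);

    // delete_workflow_run needs no entry: the delete_ prefix already covers it.
    println!("delete_workflow_run is write: {}",
             is_write("delete_workflow_run", EXISTING_WRITE_OPERATIONS));

    // After the fix: the explicit list carries the five pre-emptive entries.
    let mut patched: Vec<&str> = EXISTING_WRITE_OPERATIONS.to_vec();
    patched.extend_from_slice(PROPOSED_ENTRIES);
    let after = unclassified(PROPOSED_ENTRIES, &patched);
    println!("unclassified after fix: {:?}", after);
}
```

The same check can run in CI against the real lists, fed with tool names derived from CLI write commands, so a new unguarded verb fails the build.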
Suggested fix for tool_rules.rs
Add match arms to apply_tool_labels so these tools get proper repo-scoped labeling when/if they are added to the MCP server. Following the pattern of actions_run_trigger:
```rust
// === Actions: Workflow run cancel/rerun ===
"cancel_workflow_run" | "force_cancel_workflow_run"
| "rerun_workflow_run" | "rerun_failed_jobs" | "rerun_workflow_job" => {
    // These modify workflow run state; repo-scoped write.
    // S = S(repo); I = writer
    secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
    integrity = writer_integrity(repo_id, ctx);
}
```
Stale Guard Entries
None — all pre-emptive entries in WRITE_OPERATIONS are documented with comments explaining their CLI equivalent and rationale. No entries were found without a corresponding CLI operation or reasonable pre-emptive justification.
Generated by GitHub Guard Coverage Checker (MCP + CLI)