[guard-coverage] Guard coverage gap: 6 operations from deprecated MCP tool aliases not fully covered #3720

@github-actions

Summary

The GitHub guard does not fully cover 6 operations: 5 deprecated MCP tool alias names that map to write operations are not classified as writes, and 1 write tool (enable_toolset) lacks an explicit DIFC labeling rule. When an agent invokes these deprecated names, the guard incorrectly classifies them as reads, bypassing write-level integrity checks.

  • MCP tools scanned: 79 canonical (from __toolsnaps__) + 3 dynamic = 82 total
  • CLI write commands scanned: Actions, Issues, PR, Projects, Gist, Release, Repo, Workflow, Label, Notification
  • Guard-covered write tools (tools.rs): 47 in WRITE_OPERATIONS + 8 in READ_WRITE_OPERATIONS
  • Tools with explicit DIFC rules (tool_rules.rs): 79/79 canonical tools have explicit match arms
  • New gaps found this run: 6

MCP Tool Classification Gaps (tools.rs)

These are deprecated alias names from deprecated_tool_aliases.go that map to write operations (actions_run_trigger, projects_write). The proxy guard intercepts calls before the backend resolves the alias, so the guard sees the original deprecated name and (incorrectly) classifies it as a read operation.

| Tool Name | Maps To | Operation Type | Suggested Classification | Notes |
|---|---|---|---|---|
| run_workflow | actions_run_trigger | write | WRITE_OPERATIONS | POST workflow dispatch event |
| delete_workflow_run_logs | actions_run_trigger | write | WRITE_OPERATIONS | DELETE workflow run logs |
| add_project_item | projects_write | write | WRITE_OPERATIONS | GraphQL addProjectV2ItemById |
| update_project_item | projects_write | read-write | READ_WRITE_OPERATIONS | GraphQL updateProjectV2ItemFieldValue |
| delete_project_item | projects_write | write | WRITE_OPERATIONS | GraphQL deleteProjectV2Item |

Suggested fix for tools.rs

```rust
pub const WRITE_OPERATIONS: &[&str] = &[
    // ... existing entries ...

    // Deprecated alias coverage (guard sees alias name before backend resolves it)
    "run_workflow",              // deprecated alias for actions_run_trigger (POST workflow dispatch)
    "delete_workflow_run_logs",  // deprecated alias for actions_run_trigger (DELETE run logs)
    "add_project_item",          // deprecated alias for projects_write (addProjectV2ItemById)
    "delete_project_item",       // deprecated alias for projects_write (deleteProjectV2Item)
];

pub const READ_WRITE_OPERATIONS: &[&str] = &[
    // ... existing entries ...
    "update_project_item",       // deprecated alias for projects_write (updateProjectV2ItemFieldValue)
];
```
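A regression check for this class of gap, as an added example that is not code from the guard repository: it lists every deprecated alias whose canonical target is write-class but which a name-only classifier still treats as a read. The `Class` enum, `classify`, `uncovered_aliases` and the abbreviated `BEFORE_*`/`AFTER_*` lists are hypothetical, and it assumes `actions_run_trigger` and `projects_write` are already listed as writes.

```rust
// Added example with constructed, abbreviated lists (not the project's tools.rs).
#[derive(Debug, PartialEq, Clone, Copy)]
enum Class { Read, Write, ReadWrite }

// (deprecated alias, canonical tool) pairs taken from the table above.
const DEPRECATED_ALIASES: &[(&str, &str)] = &[
    ("run_workflow", "actions_run_trigger"),
    ("delete_workflow_run_logs", "actions_run_trigger"),
    ("add_project_item", "projects_write"),
    ("update_project_item", "projects_write"),
    ("delete_project_item", "projects_write"),
];

// Assumption: both canonical tools are already classified as writes.
const BEFORE_WRITE: &[&str] = &["actions_run_trigger", "projects_write"];
const BEFORE_RW: &[&str] = &[];
// The same lists with the suggested alias entries added.
const AFTER_WRITE: &[&str] = &["actions_run_trigger", "projects_write", "run_workflow",
    "delete_workflow_run_logs", "add_project_item", "delete_project_item"];
const AFTER_RW: &[&str] = &["update_project_item"];

// Name-only classification: any name not listed falls through to Read.
fn classify(name: &str, write: &[&str], read_write: &[&str]) -> Class {
    if write.contains(&name) {
        Class::Write
    } else if read_write.contains(&name) {
        Class::ReadWrite
    } else {
        Class::Read
    }
}

// Aliases whose canonical target is write-class but which classify as Read.
fn uncovered_aliases(write: &[&str], read_write: &[&str]) -> Vec<&'static str> {
    DEPRECATED_ALIASES
        .iter()
        .filter(|&&(alias, canonical)| {
            classify(canonical, write, read_write) != Class::Read
                && classify(alias, write, read_write) == Class::Read
        })
        .map(|&(alias, _)| alias)
        .collect()
}

fn main() {
    println!("before fix: {:?}", uncovered_aliases(BEFORE_WRITE, BEFORE_RW));
    println!("after fix:  {:?}", uncovered_aliases(AFTER_WRITE, AFTER_RW));
}
```

Run as a unit test against the real lists and alias map, a non-empty result fails the build whenever a new deprecated alias is introduced upstream without a matching guard entry.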

MCP Tool DIFC Labeling Gaps (tool_rules.rs)

This tool is in WRITE_OPERATIONS but has no explicit match arm in apply_tool_labels in guards/github-guard/rust-guard/src/labels/tool_rules.rs. It falls through to the default _ arm, receiving reader_integrity instead of a more appropriate writer_integrity. This allows agents at reader-integrity level to expand their own capability set.

| Tool Name | Data Scope | Current Labels | Suggested Labels | Risk |
|---|---|---|---|---|
| enable_toolset | global / capability | reader_integrity (default write path) | writer_integrity | Medium — expands agent capability set at runtime |

Suggested fix for tool_rules.rs

Add a match arm in apply_tool_labels for enable_toolset, following the pattern of other repo-write tools:

```rust
// === Dynamic toolset enablement (capability expansion) ===
"enable_toolset" => {
    // Enabling a toolset expands the agent's runtime capability set.
    // Requires writer-level integrity to prevent low-trust agents from
    // self-escalating by enabling additional tool groups.
    // S = public (empty — no repository-scoped data); I = writer (global)
    baseline_scope = "github".to_string();
    integrity = writer_integrity("github", ctx);
}
```

GitHub CLI-Only Gaps

Several GitHub CLI write operations have no equivalent MCP tool and no pre-emptive guard entry. These cannot be guarded today (no MCP tool to intercept), but pre-emptive entries would ensure they are classified correctly if/when MCP tools are added.

| CLI Command | REST/GraphQL Endpoint | GitHub API Action | Risk |
|---|---|---|---|
| gh issue comment --edit | PATCH /repos/{owner}/{repo}/issues/comments/{id} | Edits an existing issue comment | Medium |
| gh pr comment --edit | PATCH /repos/{owner}/{repo}/issues/comments/{id} | Edits a PR comment | Medium |
| gh issue comment --delete | DELETE /repos/{owner}/{repo}/issues/comments/{id} | Deletes an issue comment | Medium |
| gh release create | POST /repos/{owner}/{repo}/releases | Creates a repository release | Medium |
| gh release edit | PATCH /repos/{owner}/{repo}/releases/{id} | Edits a release | Medium |
| gh release delete | DELETE /repos/{owner}/{repo}/releases/{id} | Deletes a release | Medium |
| gh gist delete | DELETE /gists/{gist_id} | Deletes a gist | Low |

Suggested pre-emptive remediation for tools.rs

```rust
pub const WRITE_OPERATIONS: &[&str] = &[
    // ... existing entries ...

    // Pre-emptive: issue/PR comment editing/deletion (gh issue/pr comment --edit/--delete)
    "update_issue_comment",   // PATCH /repos/.../issues/comments/{id}
    "delete_issue_comment",   // DELETE /repos/.../issues/comments/{id}

    // Pre-emptive: release management (gh release create/edit/delete)
    "create_release",         // POST /repos/.../releases
    "edit_release",           // PATCH /repos/.../releases/{id}
    "delete_release",         // DELETE /repos/.../releases/{id}

    // Pre-emptive: gist deletion (gh gist delete)
    "delete_gist",            // DELETE /gists/{gist_id}
];
```

Stale Guard Entries

No stale entries found — all entries in WRITE_OPERATIONS/READ_WRITE_OPERATIONS either correspond to active upstream MCP tools or are explicitly documented as pre-emptive entries for anticipated future tools or deprecated aliases already covered.

Generated by GitHub Guard Coverage Checker (MCP + CLI) · ● 2.2M ·

  • expires on Apr 27, 2026, 8:23 PM UTC
