…and pre-emptive CLI entries

- Add 5 deprecated MCP tool aliases to write classification: run_workflow, delete_workflow_run_logs, add_project_item, delete_project_item (WRITE_OPERATIONS), update_project_item (READ_WRITE_OPERATIONS)
- Add DIFC labeling rules for deprecated aliases by extending existing match arms (projects_write, actions_run_trigger)
- Add explicit enable_toolset DIFC rule with writer-level integrity to prevent low-trust agents from self-escalating
- Add 6 pre-emptive CLI entries: update_issue_comment, delete_issue_comment, create_release, edit_release, delete_release, delete_gist
- Add DIFC labeling rules for all pre-emptive CLI entries
- Add tests for new classifications

Fixes #3720

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Pull request overview
Closes guard coverage gaps by ensuring deprecated MCP tool aliases and anticipated CLI-only tool names are classified as writes/read-writes and receive appropriate DIFC labeling, including adding an explicit rule for enable_toolset.
Changes:
- Extend write/read-write classification lists to cover deprecated aliases and pre-emptive CLI tool names.
- Expand DIFC labeling rules to include deprecated aliases, enable_toolset, and pre-emptive CLI entries.
- Add unit tests for the new tool classification entries in tools.rs.
| File | Description |
|---|---|
| guards/github-guard/rust-guard/src/tools.rs | Adds deprecated alias + pre-emptive CLI entries to write/read-write classification and tests them. |
| guards/github-guard/rust-guard/src/labels/tool_rules.rs | Adds explicit DIFC match arms for deprecated aliases, enable_toolset, and pre-emptive CLI tool names. |
Copilot's findings
- Files reviewed: 2/2 changed files
- Comments generated: 2
Comment on lines +677 to +685
```rust
// === Dynamic toolset enablement (capability expansion) ===
"enable_toolset" => {
    // Enabling a toolset expands the agent's runtime capability set.
    // Requires writer-level integrity to prevent low-trust agents from
    // self-escalating by enabling additional tool groups.
    // S = public (empty — no repository-scoped data); I = writer (global)
    baseline_scope = "github".to_string();
    integrity = writer_integrity("github", ctx);
}
```
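Review bot: the arm's own comment documents S = public (empty), yet the arm sets `baseline_scope = "github".to_string()` instead of leaving the baseline scope untouched; if `baseline_scope` feeds the secrecy label anywhere downstream, the result will not be empty as documented. Worth either dropping that assignment or stating in the comment why a "github" baseline scope still yields empty secrecy, and asserting `secrecy.is_empty()` for this tool alongside the `writer_integrity("github", ctx)` check.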
New DIFC rule for enable_toolset isn’t covered by existing apply_tool_labels tests. Since this tool controls runtime capability expansion, add a unit test (in labels/mod.rs test suite) asserting it returns writer-level integrity on the intended scope (and public secrecy) to prevent regressions.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Copilot AI added a commit that referenced this pull request on Apr 14, 2026
Resolves review comment r3080468796: adds a test asserting that enable_toolset returns writer-level integrity on the github scope and empty (public) secrecy, preventing regressions on this capability-expansion guard rule. Also cherry-picks the underlying code changes from PR #3762 (commits 5110c2a and 0b4c9ba) which add the enable_toolset rule plus deprecated alias coverage to tool_rules.rs and tools.rs.

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/2b9cfc07-0be9-489a-afaf-cbe535fc52b8
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
lpcox added a commit that referenced this pull request on Apr 14, 2026
…nges from #3762 (#3768)

`enable_toolset` had no `apply_tool_labels` test coverage despite being a capability-expansion tool that requires writer-level integrity to prevent low-trust agent self-escalation.

## Changes

- **Cherry-picked PR #3762 code changes** (`tool_rules.rs`, `tools.rs`):
  - Extended `projects_write` and `actions_run_trigger` match arms with deprecated aliases (`add_project_item`, `update_project_item`, `delete_project_item`, `run_workflow`, `delete_workflow_run_logs`)
  - Added explicit `enable_toolset` rule: `S = public (empty)`, `I = writer:github`
  - Added pre-emptive CLI rules for `update_issue_comment`, `delete_issue_comment`, `create_release`, `edit_release`, `delete_release`, `delete_gist`
  - Classified all of the above in `WRITE_OPERATIONS` / `READ_WRITE_OPERATIONS`
- **Added unit test** (`labels/mod.rs`) for the `enable_toolset` rule:

```rust
let (secrecy, integrity, _) = apply_tool_labels("enable_toolset", &tool_args, "", vec![], vec![], String::new(), &ctx);
assert!(secrecy.is_empty()); // public — no repo-scoped data
assert_eq!(integrity, writer_integrity("github", &ctx)); // writer:github scope
```
This was referenced Apr 14, 2026
Fixes #3720

## Problem

The guard has 6 coverage gaps:

- Deprecated MCP tool aliases (run_workflow, delete_workflow_run_logs, add_project_item, update_project_item, delete_project_item) that map to write operations are not classified as writes. The guard sees the alias name before the backend resolves it, so the tools bypass write-level integrity checks.
- enable_toolset has no explicit DIFC labeling rule and falls through to the default arm, receiving only baseline labels instead of writer-level integrity.

## Changes

### tools.rs — Write classification

- WRITE_OPERATIONS: run_workflow, delete_workflow_run_logs, add_project_item, delete_project_item
- READ_WRITE_OPERATIONS: update_project_item
- update_issue_comment, delete_issue_comment, create_release, edit_release, delete_release, delete_gist

### tool_rules.rs — DIFC labeling

- projects_write match arm with deprecated aliases
- actions_run_trigger match arm with deprecated aliases
- enable_toolset rule with writer-level integrity

### Tests
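As an added example (not the github-guard's own code, and not the `apply_tool_labels` signature quoted in the commits above), here is a minimal Rust model of the classify-then-label flow the description covers, together with the regression check the "falls through to the default arm" gap calls for. The tool names are the ones listed in the PR; the label string encoding, the `BTreeSet` secrecy representation, the repository-scoped labels for the pre-emptive CLI entries, and the treatment of `delete_gist` as non-repository data are this example's assumptions. `unlabeled_privileged_tools` walks every write, read-write and capability-expanding name and reports any that still receive only baseline integrity; run against a rule set lacking the explicit `enable_toolset` arm it reports that tool, and against the extended rules it reports nothing.

```rust
use std::collections::BTreeSet;

/// Coarse classification the guard applies to a tool name before forwarding the call.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum OpClass {
    Read,
    Write,
    ReadWrite,
}

/// Write operations from the PR: deprecated MCP aliases and pre-emptive CLI entries.
/// The table layout is this example's own, not the guard's.
pub const WRITE_OPERATIONS: &[&str] = &[
    "run_workflow",
    "delete_workflow_run_logs",
    "add_project_item",
    "delete_project_item",
    "update_issue_comment",
    "delete_issue_comment",
    "create_release",
    "edit_release",
    "delete_release",
    "delete_gist",
];

/// Read-write operation from the PR.
pub const READ_WRITE_OPERATIONS: &[&str] = &["update_project_item"];

/// Tools that expand the agent's own capability set (assumed grouping).
pub const CAPABILITY_EXPANDING: &[&str] = &["enable_toolset"];

/// Static-list lookup; anything unknown is treated as a read.
pub fn classify(tool: &str) -> OpClass {
    if WRITE_OPERATIONS.contains(&tool) {
        OpClass::Write
    } else if READ_WRITE_OPERATIONS.contains(&tool) {
        OpClass::ReadWrite
    } else {
        OpClass::Read
    }
}

/// DIFC labels: `secrecy` names the data scopes a result may carry, `integrity`
/// the minimum trust the caller must hold. The string encoding is assumed.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Labels {
    pub secrecy: BTreeSet<String>,
    pub integrity: String,
}

/// Integrity a tool gets when no explicit rule matches (the default arm).
pub const BASELINE_INTEGRITY: &str = "baseline";

/// Writer-level integrity for a scope: a repository, or the global "github" scope.
pub fn writer_integrity(scope: &str) -> String {
    format!("writer:{scope}")
}

/// Labeling with the explicit rules the PR adds. `repo` is "owner/name".
pub fn label_tool(tool: &str, repo: &str) -> Labels {
    let repo_secrecy = || BTreeSet::from([format!("repo:{repo}")]);
    let repo_write = || Labels { secrecy: repo_secrecy(), integrity: writer_integrity(repo) };
    match tool {
        // projects_write arm, extended with the deprecated aliases
        "add_project_item" | "update_project_item" | "delete_project_item" => repo_write(),
        // actions_run_trigger arm, extended with the deprecated aliases
        "run_workflow" | "delete_workflow_run_logs" => repo_write(),
        // pre-emptive CLI entries that act on a repository (assumed scoping)
        "update_issue_comment" | "delete_issue_comment" | "create_release" | "edit_release"
        | "delete_release" => repo_write(),
        // gists are not repository data (assumption): no repo secrecy, global writer integrity
        "delete_gist" => Labels { secrecy: BTreeSet::new(), integrity: writer_integrity("github") },
        // explicit capability-expansion rule: S = public (empty), I = writer (global)
        "enable_toolset" => Labels { secrecy: BTreeSet::new(), integrity: writer_integrity("github") },
        // default arm: baseline labels only
        _ => Labels { secrecy: repo_secrecy(), integrity: BASELINE_INTEGRITY.to_string() },
    }
}

/// Models the rule set before the PR: enable_toolset has no arm, so it hits the default.
pub fn label_tool_without_enable_toolset_rule(tool: &str, repo: &str) -> Labels {
    match tool {
        "enable_toolset" => label_tool("unmatched", repo),
        _ => label_tool(tool, repo),
    }
}

/// Regression check: every tool that needs elevated integrity must not fall through
/// to baseline. Generic over the labeling function so older rule sets can be compared.
pub fn unlabeled_privileged_tools<F: Fn(&str, &str) -> Labels>(label: F) -> Vec<&'static str> {
    WRITE_OPERATIONS
        .iter()
        .chain(READ_WRITE_OPERATIONS.iter())
        .chain(CAPABILITY_EXPANDING.iter())
        .copied()
        .filter(|tool| label(tool, "octo/repo").integrity == BASELINE_INTEGRITY)
        .collect()
}

fn main() {
    println!("enable_toolset -> {:?}", label_tool("enable_toolset", "octo/repo"));
    println!("fall-through before the rule: {:?}", unlabeled_privileged_tools(label_tool_without_enable_toolset_rule));
    println!("fall-through after the rule: {:?}", unlabeled_privileged_tools(label_tool));
}
```

The check is deliberately driven off the classification tables rather than a hand-written list of tool names, so adding a name to `WRITE_OPERATIONS` without a matching labeling arm fails the test instead of silently falling through, which is the shape of the original gap.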