Conversation
Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/70c367d1-6251-4a1a-9af4-37658ef8f89e Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
set_issue_fields to github-guard write classification and DIFC rules
There was a problem hiding this comment.
Pull request overview
Aligns the set_issue_fields MCP tool with existing write/mutation handling in the GitHub rust-guard by adding explicit operation classification and DIFC labeling coverage, and extending tests to prevent coverage drift.
Changes:
- Added
set_issue_fieldstoREAD_WRITE_OPERATIONSand extended classification tests. - Added
set_issue_fieldstoapply_tool_labelsgranular write match arm for repo-scoped secrecy + writer integrity. - Extended DIFC labeling tests to include
set_issue_fieldsalongside other granular issue update tools.
Show a summary per file
| File | Description |
|---|---|
guards/github-guard/rust-guard/src/tools.rs |
Classifies set_issue_fields as read-write and adds coverage in the granular issue update classification test. |
guards/github-guard/rust-guard/src/labels/tool_rules.rs |
Adds set_issue_fields to the granular write labeling arm (repo visibility secrecy + writer integrity). |
guards/github-guard/rust-guard/src/labels/mod.rs |
Extends the granular issue update DIFC test set to include set_issue_fields. |
Copilot's findings
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 2
| "update_issue_state", // PATCH — opens or closes an issue | ||
| "update_issue_title", // PATCH — modifies issue title | ||
| "update_issue_type", // PATCH — modifies issue type | ||
| "set_issue_fields", // GraphQL — sets org-level custom field values on an issue | ||
|
|
There was a problem hiding this comment.
The new set_issue_fields entry is described as setting org-level custom field values, but it’s grouped with repo-scoped granular issue PATCH tools. Please reconcile the scope in the comment/grouping (or move it near projects_write-related tooling) so future readers don’t assume it follows the same repo-scoped semantics as update_issue_* tools.
| | "update_issue_state" | ||
| | "update_issue_title" | ||
| | "update_issue_type" | ||
| | "set_issue_fields" | ||
| | "add_sub_issue" |
There was a problem hiding this comment.
set_issue_fields is added under the "Granular repo-scoped write operations" match arm, but its name/comment imply it may be an org-scoped Projects/custom-fields mutation. Please confirm the tool’s scope and argument shape and adjust labeling accordingly (e.g., if it’s truly org-scoped, it may need baseline_scope = owner / writer_integrity(owner, ...) similar to projects_write, rather than repo visibility secrecy + writer_integrity(repo_id, ...)).
|
@copilot address this review feedback #4049 (review) |
Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/1aeeeede-3244-49df-a783-de344cbe4a72 Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Addressed in 20642f1. I clarified Warning Firewall rules blocked me from connecting to one or more addresses (expand for details)I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
|
Guard coverage drifted after upstream added
set_issue_fields: it was not classified as a mutating MCP operation and had no explicit DIFC labeling path, so it fell through default handling.This PR adds classification and labeling coverage, and incorporates review feedback to clarify scope semantics (org-level field definitions vs repo-scoped issue mutation target).
Write-operation classification (
tools.rs)set_issue_fieldstoREAD_WRITE_OPERATIONS.set_issue_fields.DIFC labeling (
tool_rules.rs)set_issue_fieldsmatch arm inapply_tool_labels(separate from the generic granular issue PATCH group) with documented scope rationale.writer_integrity(repo_id, ...))Coverage hardening (
labels/mod.rs,tools.rstests)set_issue_fields.update_issue_*tools, withset_issue_fieldsvalidated independently to prevent scope ambiguity regressions.> [!WARNING]
>
>