rust-guard/tools.rs: add BLOCKED_TOOLS const and predicate test coverage (#4943)

lpcox · web-flow · commit 5c065caa5f42 · 2026-05-01T09:38:27.000-07:00
`is_blocked_tool()` inlined its list in a `matches!()` expression, inconsistent with the discoverable `WRITE_OPERATIONS`/`READ_WRITE_OPERATIONS` const arrays and invisible to any caller wanting to enumerate blocked tools. Four predicate functions (`is_merge_operation`, `is_delete_operation`, `is_lock_operation`, `is_unlock_operation`) had zero test coverage despite being security-critical paths in `labels/tool_rules.rs`. ## Changes - **`BLOCKED_TOOLS` const array** — extracted from `is_blocked_tool()`'s `matches!()` body into a `pub const &[&str]` parallel to `WRITE_OPERATIONS`/`READ_WRITE_OPERATIONS`, with per-entry comments: ```rust pub const BLOCKED_TOOLS: &[&str] = &[ "transfer_repository", // irreversible ownership transfer "archive_repository", // repo settings change; unsupported "unarchive_repository", // symmetric to archive_repository "rename_repository", // breaks clone URLs and integrations "create_agent_task", // unsupported agent-task creation ]; pub fn is_blocked_tool(tool_name: &str) -> bool { BLOCKED_TOOLS.contains(&tool_name) } ``` - **Predicate test coverage** — added `test_is_merge_operation`, `test_is_delete_operation`, `test_is_lock_operation`, `test_is_unlock_operation` (each with positive, negative, and empty-string cases), plus `test_lock_and_unlock_contribute_to_write_operations` to verify `is_write_operation`'s delegation to the lock/unlock predicates. > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build2801713912/b513/launcher.test /tmp/go-build2801713912/b513/launcher.test -test.testlogfile=/tmp/go-build2801713912/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s ortc�� .cfg 64/src/html/enti-ifaceassert x_amd64/vet . ions =0 x_amd64/vet .cfg�� 0430085/b366/_pkg_.a 0430085/b314/ x_amd64/vet --gdwarf-5 rse p=/opt/hostedtoo--format x_amd64/vet` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build2801713912/b495/config.test /tmp/go-build2801713912/b495/config.test -test.testlogfile=/tmp/go-build2801713912/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s 0430�� 1.80.0/encoding/gzip/gzip.go aw-mcpg/internal/difc/capabilities.go x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -I g_.a -I x_amd64/vet --gdwarf-5 telabs/wazero/ap-atomic -o x_amd64/vet` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build2801713912/b513/launcher.test /tmp/go-build2801713912/b513/launcher.test -test.testlogfile=/tmp/go-build2801713912/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s ortc�� .cfg 64/src/html/enti-ifaceassert x_amd64/vet . ions =0 x_amd64/vet .cfg�� 0430085/b366/_pkg_.a 0430085/b314/ x_amd64/vet --gdwarf-5 rse p=/opt/hostedtoo--format x_amd64/vet` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build2801713912/b513/launcher.test /tmp/go-build2801713912/b513/launcher.test -test.testlogfile=/tmp/go-build2801713912/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s ortc�� .cfg 64/src/html/enti-ifaceassert x_amd64/vet . ions =0 x_amd64/vet .cfg�� 0430085/b366/_pkg_.a 0430085/b314/ x_amd64/vet --gdwarf-5 rse p=/opt/hostedtoo--format x_amd64/vet` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build2801713912/b522/mcp.test /tmp/go-build2801713912/b522/mcp.test -test.testlogfile=/tmp/go-build2801713912/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s -W .cfg k/gh-aw-mcpg/gh--w x_amd64/vet . --gdwarf2 --64 x_amd64/vet .cfg�� 0430085/b400/_pkg_.a pkg/mod/go.opentelemetry.io/otel/sdk@v1.43.0/internal/x/x.go x_amd64/vet --gdwarf-5 g/grpc/internal//usr/bin/runc -o x_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/guards/github-guard/rust-guard/src/tools.rs b/guards/github-guard/rust-guard/src/tools.rs
@@ -156,6 +156,19 @@ pub fn is_unlock_operation(tool_name: &str) -> bool {
     tool_name.starts_with("unlock_")
 }
 
+/// Tools that are unconditionally blocked regardless of agent integrity.
+///
+/// These operations are too dangerous or unsupported to ever permit via an agent.
+/// Entries here should also appear in `WRITE_OPERATIONS` or `READ_WRITE_OPERATIONS`
+/// so the tool is still subject to all normal write-path checks before being denied.
+pub const BLOCKED_TOOLS: &[&str] = &[
+    "transfer_repository",  // irreversible ownership transfer
+    "archive_repository",   // repo settings change; unsupported
+    "unarchive_repository", // symmetric to archive_repository
+    "rename_repository",    // breaks clone URLs and integrations
+    "create_agent_task",    // unsupported agent-task creation
+];
+
 /// Check if a tool is unconditionally blocked (always denied regardless of agent integrity).
 ///
 /// Blocked tools are listed here when the operation is considered too dangerous
@@ -174,20 +187,23 @@ pub fn is_unlock_operation(tool_name: &str) -> bool {
 /// - `create_agent_task`: creates a Copilot coding-agent job that opens a branch and PR;
 ///   unsupported as a directly invocable agent operation.
 pub fn is_blocked_tool(tool_name: &str) -> bool {
-    matches!(
-        tool_name,
-        "transfer_repository"
-            | "archive_repository"
-            | "unarchive_repository"
-            | "rename_repository"
-            | "create_agent_task"
-    )
+    BLOCKED_TOOLS.contains(&tool_name)
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
 
+    #[test]
+    fn blocked_tools_are_classified_as_write_or_read_write() {
+        for &tool in BLOCKED_TOOLS {
+            assert!(
+                WRITE_OPERATIONS.contains(&tool) || READ_WRITE_OPERATIONS.contains(&tool),
+                "blocked tool `{tool}` must also be classified in WRITE_OPERATIONS or READ_WRITE_OPERATIONS"
+            );
+        }
+    }
+
     #[test]
     fn test_is_blocked_tool_transfer_repository() {
         assert!(
@@ -420,6 +436,49 @@ mod tests {
         }
     }
 
+    #[test]
+    fn test_is_merge_operation() {
+        assert!(is_merge_operation("merge_pull_request"));
+        assert!(is_merge_operation("merge_upstream"));
+        assert!(!is_merge_operation("create_pull_request"));
+        assert!(!is_merge_operation("update_pull_request"));
+        assert!(!is_merge_operation(""));
+    }
+
+    #[test]
+    fn test_is_delete_operation() {
+        assert!(is_delete_operation("delete_file"));
+        assert!(is_delete_operation("delete_branch"));
+        assert!(is_delete_operation("delete_release"));
+        assert!(!is_delete_operation("create_repository"));
+        assert!(!is_delete_operation(""));
+    }
+
+    #[test]
+    fn test_is_lock_operation() {
+        assert!(is_lock_operation("lock_issue"));
+        assert!(is_lock_operation("lock_pull_request"));
+        assert!(!is_lock_operation("unlock_issue"));
+        assert!(!is_lock_operation("create_issue"));
+        assert!(!is_lock_operation(""));
+    }
+
+    #[test]
+    fn test_is_unlock_operation() {
+        assert!(is_unlock_operation("unlock_issue"));
+        assert!(is_unlock_operation("unlock_pull_request"));
+        assert!(!is_unlock_operation("lock_issue"));
+        assert!(!is_unlock_operation("create_issue"));
+        assert!(!is_unlock_operation(""));
+    }
+
+    #[test]
+    fn test_lock_and_unlock_contribute_to_write_operations() {
+        // is_write_operation delegates to is_lock_operation and is_unlock_operation
+        assert!(is_write_operation("lock_issue"));
+        assert!(is_write_operation("unlock_issue"));
+    }
+
     #[test]
     fn test_granular_pr_update_tools_are_read_write_operations() {
         for op in &[
