[Repo Assist] test(rust-guard): add list_commits tests for default-branch vs feature-branch integrity (#6095)

🤖 *This PR was created by Repo Assist, an automated AI assistant.*

## Summary

Adds two unit tests to `response_paths.rs` for the `list_commits`
handler — the only response-path handler that had **zero test coverage**
(identified in issue #6086, Improvement 2).

## Why This Matters

The `sha` field in `list_commits` tool args drives
`is_default_branch_ref()` → merged-level integrity promotion. This is a
**security-relevant decision**: a regression that treats all commits as
default-branch would silently over-elevate integrity labels, allowing
feature-branch commits to be treated as if they had merged status.

## Tests Added

| Test | Scenario | Assertion |
|------|----------|-----------|
| `list_commits_default_branch_gets_merged_integrity` | `sha = "main"` |
`default_labels.integrity` contains `merged:octocat/hello-world`;
`items_path` is `None` (root array) |
| `list_commits_feature_branch_public_repo_has_no_merged_integrity` |
`sha = "feature/my-branch"` | `default_labels.integrity` has no
`merged:` prefix; `items_path` is `None` |

Both tests are self-contained and require no backend mocking (the
`is_repo_private` backend returns `None` → `false` in `#[cfg(test)]`).

## Test Status

```
running 413 tests
test result: ok. 413 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out
```

(411 pre-existing + 2 new)

Closes #6086 (Improvement 2)




> Generated by [Repo
Assist](https://github.com/github/gh-aw-mcpg/actions/runs/26165758577/agentic_workflow)
· ● 5.7M ·
[◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+repo-assist%22&type=pullrequests)
>
> To install this [agentic
workflow](https://github.com/githubnext/agentics/blob/851905c06e905bf362a9f6cc54f912e3df747d55/workflows/repo-assist.md),
run
> ```
> gh aw add
githubnext/agentics@851905c
> ```

<!-- gh-aw-agentic-workflow: Repo Assist, engine: copilot, version:
1.0.40, model: claude-sonnet-4.6, id: 26165758577, workflow_id:
repo-assist, run:
https://github.com/github/gh-aw-mcpg/actions/runs/26165758577 -->

<!-- gh-aw-workflow-id: repo-assist -->

Author: lpcox

guards/github-guard/rust-guard/src/labels/response_paths.rs

@@ -751,4 +751,92 @@ mod tests {
         let result = label_response_paths("unknown_tool", &json!({}), &json!({}), &ctx());
         assert!(result.is_none(), "unknown tool should produce no path labels");
     }
+
+    // === list_commits tests ===
+    // The sha field drives is_default_branch → merged-level integrity, which is a
+    // security-relevant decision. A regression here (e.g. treating all commits as
+    // default-branch) would over-elevate integrity labels. Both tests are self-contained
+    // and require no backend mocking.
+
+    #[test]
+    fn list_commits_default_branch_gets_merged_integrity() {
+        let tool_args = json!({"owner": "octocat", "repo": "hello-world", "sha": "main"});
+        let commit = json!({
+            "sha": "abc1234def5678",
+            "commit": {"message": "fix: a bug"},
+            "author": {"login": "octocat"},
+            "author_association": "OWNER"
+        });
+        let response = json!({
+            "content": [{
+                "type": "text",
+                "text": serde_json::to_string(&json!([commit])).expect("response should serialize")
+            }]
+        });
+
+        let result = label_response_paths("list_commits", &tool_args, &response, &ctx())
+            .expect("list_commits should produce path labels");
+
+        assert_eq!(result.labeled_paths.len(), 1);
+        assert_eq!(result.labeled_paths[0].path, "/0");
+        assert!(
+            result.items_path.is_none(),
+            "list_commits root array should have items_path = None, got {:?}",
+            result.items_path
+        );
+
+        // Default branch (main) → default_labels integrity must include a merged: label
+        let default_integrity = &result
+            .default_labels
+            .as_ref()
+            .expect("default_labels should be set")
+            .integrity;
+        let merged_label = format!("{}octocat/hello-world", label_constants::MERGED_PREFIX);
+        assert!(
+            default_integrity.contains(&merged_label),
+            "default-branch default_labels should have merged-level integrity; got {:?}",
+            default_integrity
+        );
+    }
+
+    #[test]
+    fn list_commits_feature_branch_public_repo_has_no_merged_integrity() {
+        let tool_args =
+            json!({"owner": "octocat", "repo": "hello-world", "sha": "feature/my-branch"});
+        let commit = json!({
+            "sha": "deadbeef12345678",
+            "commit": {"message": "wip: in progress"},
+            "author_association": "CONTRIBUTOR"
+        });
+        let response = json!({
+            "content": [{
+                "type": "text",
+                "text": serde_json::to_string(&json!([commit])).expect("response should serialize")
+            }]
+        });
+
+        let result = label_response_paths("list_commits", &tool_args, &response, &ctx())
+            .expect("list_commits should produce path labels");
+
+        assert_eq!(result.labeled_paths.len(), 1);
+        assert!(
+            result.items_path.is_none(),
+            "list_commits root array should have items_path = None"
+        );
+
+        // Non-default branch of public repo (is_repo_private returns None → false in
+        // test cfg) → default_labels integrity must NOT contain any merged: label.
+        let default_integrity = &result
+            .default_labels
+            .as_ref()
+            .expect("default_labels should be set")
+            .integrity;
+        assert!(
+            !default_integrity
+                .iter()
+                .any(|l| l.starts_with(label_constants::MERGED_PREFIX)),
+            "feature-branch commit on public repo should NOT have merged-level integrity; got {:?}",
+            default_integrity
+        );
+    }
 }