
fix(guard): cover 4 DIFC labeling gaps — get_code_quality_finding, ui_get, add_gpg_key, add_ssh_key#7765

Merged: lpcox merged 4 commits into main from copilot/guard-coverage-fix on Jun 19, 2026

Copilot AI commented Jun 19, 2026

Contributor

Four operations from github-mcp-server and the GitHub CLI had no explicit DIFC rules in the guard, risking write operations bypassing classification or read operations missing secrecy/integrity labels.

tools.rs — new write operations

  • add_gpg_key — pre-emptive synthetic entry for gh gpg-key add (POST /user/gpg_keys)
  • add_ssh_key — pre-emptive synthetic entry for gh ssh-key add (POST /user/keys, /user/ssh_signing_keys)

Both inserted at sorted positions in WRITE_OPERATIONS.

tool_rules.rs — new DIFC match arms

get_code_quality_finding — repo-visibility secrecy + writer integrity, mirroring other repo-scoped read tools:

"get_code_quality_finding" => {
    secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
    integrity = writer_integrity(repo_id, ctx);
}

ui_get — method-dispatch mirroring existing standalone counterparts:

"ui_get" => {
    let method = tool_args.get("method").and_then(|v| v.as_str()).unwrap_or("");
    match method {
        "labels" | "milestones" | "branches" => { /* mirrors list_label / list_branches */ }
        "issue_types" | "issue_fields"       => { /* mirrors list_issue_types / list_issue_fields */ }
        "assignees" | "reviewers"            => { /* mirrors list_repository_collaborators */ }
        _ => {}
    }
}

add_gpg_key | add_ssh_key — user-scoped private secrecy + writer integrity, matching the pattern used by add_deploy_key and other pre-emptive CLI-only operations:

"add_gpg_key" | "add_ssh_key" => {
    secrecy = private_user_label();
    baseline_scope = Cow::Borrowed(scope_names::USER);
    integrity = writer_integrity(scope_names::USER, ctx);
}

Tests added for all four new rules.
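
A coverage check in the spirit of this change, as an added example that is not part of the PR or the guard's own code: it flags tool/method pairs that would fall through the labeling match and state-changing tools absent from the write list. The inventory, the `has_explicit_rule` stand-in, the list contents and the binary-search lookup are assumptions; only the tool, method and `WRITE_OPERATIONS` names come from the page.

```rust
// Added illustration: simplified model, not the guard's real types or rule bodies.
// WRITE_OPERATIONS is the page's name; the contents here are constructed.
const WRITE_OPERATIONS: &[&str] = &["add_deploy_key", "add_gpg_key", "add_ssh_key"];

/// True when the list is strictly ascending (sorted, no duplicates).
fn is_sorted_unique(list: &[&str]) -> bool {
    list.windows(2).all(|w| w[0] < w[1])
}

/// Write classification by binary search (assumed lookup; only valid on a sorted list).
fn is_write(list: &[&str], tool: &str) -> bool {
    list.binary_search(&tool).is_ok()
}

/// Hypothetical stand-in for the labeling match: true when an explicit arm exists.
fn has_explicit_rule(tool: &str, method: &str) -> bool {
    match tool {
        "get_code_quality_finding" | "add_gpg_key" | "add_ssh_key" => true,
        "ui_get" => matches!(
            method,
            "labels" | "milestones" | "branches" | "issue_types"
                | "issue_fields" | "assignees" | "reviewers"
        ),
        _ => false,
    }
}

/// Lists inventory entries that would keep default labels, and state-changing
/// tools that the write list does not classify as writes.
fn coverage_gaps(inventory: &[(&str, &str, bool)], writes: &[&str]) -> Vec<String> {
    let mut gaps = Vec::new();
    for &(tool, method, mutates) in inventory {
        if !has_explicit_rule(tool, method) {
            gaps.push(format!("no label rule: {tool}/{method}"));
        }
        if mutates && !is_write(writes, tool) {
            gaps.push(format!("write not classified: {tool}"));
        }
    }
    gaps
}

fn main() {
    // Constructed inventory: (tool, method, mutates state).
    let inventory = [("get_code_quality_finding", "", false), ("ui_get", "labels", false),
        ("ui_get", "teams", false), ("add_ssh_key", "", true)];
    assert!(is_sorted_unique(WRITE_OPERATIONS));
    for gap in coverage_gaps(&inventory, WRITE_OPERATIONS) { println!("{gap}"); }
}
```

With an unsorted list the binary search can miss an entry that is present, so a sortedness assertion belongs in the test suite next to the coverage check.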

GitHub Advanced Security started work on behalf of lpcox June 19, 2026 04:33 View session
GitHub Advanced Security finished work on behalf of lpcox June 19, 2026 04:35
GitHub Advanced Security started work on behalf of lpcox June 19, 2026 04:53 View session
Copilot AI changed the title [WIP] Fix guard coverage gaps for GitHub operations fix(guard): cover 4 DIFC labeling gaps — get_code_quality_finding, ui_get, add_gpg_key, add_ssh_key Jun 19, 2026
Copilot finished work on behalf of lpcox June 19, 2026 04:53
Copilot AI requested a review from lpcox June 19, 2026 04:53
GitHub Advanced Security finished work on behalf of lpcox June 19, 2026 04:54
@lpcox lpcox marked this pull request as ready for review June 19, 2026 13:49
Copilot AI review requested due to automatic review settings June 19, 2026 13:49

Copilot AI left a comment

Contributor


Pull request overview

This PR tightens DIFC guard coverage in the Rust GitHub guard by explicitly classifying and labeling four previously-unhandled operations (two repo-scoped reads and two account-scoped CLI writes), reducing the risk of unclassified reads/writes bypassing expected secrecy/integrity tagging.

Changes:

  • Add add_gpg_key and add_ssh_key to the guard’s write-operation classification list.
  • Add new apply_tool_labels match arms for get_code_quality_finding, ui_get (method-dispatch), and add_gpg_key/add_ssh_key.
  • Add unit tests covering the new tool rules.

File | Description
guards/github-guard/rust-guard/src/tools.rs | Adds two CLI key-management operations to WRITE_OPERATIONS and updates write-op classification tests.
guards/github-guard/rust-guard/src/labels/tool_rules.rs | Adds DIFC labeling rules for the four operations plus unit tests for the new labeling behavior.

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 2

Comment thread guards/github-guard/rust-guard/src/labels/tool_rules.rs Outdated
Comment thread guards/github-guard/rust-guard/src/labels/tool_rules.rs Outdated
lpcox and others added 2 commits June 19, 2026 07:35
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
GitHub Advanced Security started work on behalf of lpcox June 19, 2026 14:36 View session
GitHub Advanced Security started work on behalf of lpcox June 19, 2026 14:36 View session
GitHub Advanced Security finished work on behalf of lpcox June 19, 2026 14:37
GitHub Advanced Security finished work on behalf of lpcox June 19, 2026 14:37
@lpcox lpcox merged commit e23c76d into main Jun 19, 2026
27 checks passed
@lpcox lpcox deleted the copilot/guard-coverage-fix branch June 19, 2026 14:51