Remove dead is_bot function and eliminate format! allocation in check_file_secrecy

Copilot · lpcox · web-flow · commit 02fea7e7b6aa · 2026-04-06T15:38:40.000Z
Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/beff37b6-0877-4d2c-960a-a2b7b5cd165b Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
diff --git a/guards/github-guard/rust-guard/src/labels/README.md b/guards/github-guard/rust-guard/src/labels/README.md
@@ -29,7 +29,7 @@ Common utility functions including:
 - Label generation helpers (secret_label, writer_integrity, etc.)
 - JSON extraction functions (get_string_field, extract_repo_info, etc.)
 - Integrity determination (pr_integrity, issue_integrity)
-- User classification (is_bot)
+- User classification (is_blocked_user, is_trusted_user)
 
 ### backend.rs (92 lines)
 Backend API calls for verifying user status:
diff --git a/guards/github-guard/rust-guard/src/labels/helpers.rs b/guards/github-guard/rust-guard/src/labels/helpers.rs
@@ -1323,20 +1323,6 @@ pub fn is_trusted_user(username: &str, ctx: &PolicyContext) -> bool {
     username_in_list(username, &ctx.trusted_users)
 }
 
-/// Check if a user appears to be a bot (broad detection).
-///
-/// This is a broader check that includes third-party bots.
-/// For integrity elevation, use is_trusted_first_party_bot() instead.
-#[allow(dead_code)]
-pub fn is_bot(username: &str) -> bool {
-    let lower = username.to_lowercase();
-    lower.ends_with("[bot]")
-        || lower.ends_with("-bot")
-        || lower == "dependabot"
-        || lower == "renovate"
-        || lower == "github-actions"
-        || lower == "copilot"
-}
 
 #[cfg(test)]
 mod tests {
diff --git a/guards/github-guard/rust-guard/src/labels/mod.rs b/guards/github-guard/rust-guard/src/labels/mod.rs
@@ -47,7 +47,7 @@ pub use helpers::{
     extract_graphql_single_object, extract_items_array,
     extract_number_as_string, extract_repo_from_item, extract_repo_info,
     extract_repo_info_from_search_query, get_bool_or, get_nested_str, get_str_or,
-    has_author_association, is_blocked_user, is_bot, is_graphql_wrapper, is_mcp_text_wrapper,
+    has_author_association, is_blocked_user, is_graphql_wrapper, is_mcp_text_wrapper,
     is_search_result_wrapper, issue_integrity, limit_items_with_log, make_item_path,
     merged_integrity, none_integrity, pr_integrity, private_scope_label, private_user_label,
     project_github_label, reader_integrity, search_result_total_count,
diff --git a/guards/github-guard/rust-guard/src/labels/tool_rules.rs b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
@@ -682,7 +682,7 @@ fn check_file_secrecy(
 
     // Check for sensitive file extensions/names
     for pattern in SENSITIVE_FILE_PATTERNS {
-        if path_lower.ends_with(pattern) || path_lower.contains(&format!("/{}", pattern)) {
+        if path_lower.ends_with(pattern) || path_lower.split('/').any(|seg| seg == *pattern) {
             return policy_private_scope_label(owner, repo, repo_id, ctx);
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -682,7 +682,7 @@ fn check_file_secrecy(`
`682`	`682`
`683`	`683`	`// Check for sensitive file extensions/names`
`684`	`684`	`for pattern in SENSITIVE_FILE_PATTERNS {`
`685`		`- if path_lower.ends_with(pattern) \|\| path_lower.contains(&format!("/{}", pattern)) {`
	`685`	`+ if path_lower.ends_with(pattern) \|\| path_lower.split('/').any(\|seg\| seg == *pattern) {`
`686`	`686`	`return policy_private_scope_label(owner, repo, repo_id, ctx);`
`687`	`687`	`}`
`688`	`688`	`}`