
Commit dfb0ef7

Close GitHub guard coverage gap for set_issue_fields by aligning DIFC rule grouping (#4104)
The guard coverage report flagged `set_issue_fields` as a newly added GitHub MCP write operation needing explicit alignment with existing granular issue-write coverage. This change ensures the tool is represented in the same repo-scoped write rule set used for comparable issue mutation operations.

- **Tool rule consolidation**
  - Added `set_issue_fields` to the **granular repo-scoped write operations** match arm in `labels/tool_rules.rs`.
  - Removed the standalone `set_issue_fields` branch to avoid fragmented coverage and keep equivalent issue-write tools co-located.

- **DIFC behavior preserved, coverage clarity improved**
  - `set_issue_fields` continues to receive:
    - repo visibility secrecy (`S(repo)`)
    - writer integrity (`I=writer`)
  - The change is structural (rule organization), making guard-coverage mapping explicit and easier to maintain as upstream tools evolve.

```rust
"update_issue_assignees"
| "update_issue_body"
| "update_issue_labels"
| "update_issue_milestone"
| "update_issue_state"
| "update_issue_title"
| "update_issue_type"
| "set_issue_fields"
| "add_sub_issue"
...
=> {
    secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
    integrity = writer_integrity(repo_id, ctx);
}
```

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by firewall rules:
>
> - `example.com`
> - `invalid-host-that-does-not-exist-12345.com`
> - `nonexistent.local`
> - `slow.example.com`
> - `this-host-does-not-exist-12345.com`
>
> If you need me to access, download, or install something from one of these locations, you can either:
>
> - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only)
>
> </details>

2 parents 9b86c07 + 9608f9b commit dfb0ef7

1 file changed

Lines changed: 4 additions & 11 deletions


guards/github-guard/rust-guard/src/labels/tool_rules.rs

@@ -533,25 +533,18 @@ pub fn apply_tool_labels(
533533
integrity = writer_integrity(repo_id, ctx);
534534
}
535535

536-
// === Issue custom fields mutation (repo-scoped write) ===
537-
"set_issue_fields" => {
538-
// Field definitions are organization-level, but the mutation targets a specific
539-
// issue in owner/repo and returns issue-scoped metadata.
540-
// S = S(repo); I = writer
541-
secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
542-
integrity = writer_integrity(repo_id, ctx);
543-
}
544-
545536
// === Granular repo-scoped write operations ===
546-
// Covers granular issue PATCH tools, sub-issue management, granular PR PATCH tools,
547-
// and PR review tools. All follow: S = S(repo), I = writer.
537+
// Covers granular issue mutation tools (including custom field mutations),
538+
// sub-issue management, granular PR mutation tools, and PR review tools.
539+
// All follow: S = S(repo), I = writer.
548540
"update_issue_assignees"
549541
| "update_issue_body"
550542
| "update_issue_labels"
551543
| "update_issue_milestone"
552544
| "update_issue_state"
553545
| "update_issue_title"
554546
| "update_issue_type"
547+
| "set_issue_fields"
555548
| "add_sub_issue"
556549
| "remove_sub_issue"
557550
| "reprioritize_sub_issue"
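
Review bot: The rationale for labelling `set_issue_fields` at repo scope is dropped together with the standalone arm (old lines 538-540). The removed comment explained that field definitions are organization-level while the mutation targets a specific issue in owner/repo and returns issue-scoped metadata; the new header comment at lines 537-539 keeps only "(including custom field mutations)". Consider carrying that sentence over as a short comment next to the added `| "set_issue_fields"` line (new line 547), so a later reader does not have to rediscover why an organization-level concept is labelled `S = S(repo)`. Separately, the commit changes one file and the message says DIFC behaviour is preserved, but nothing visible here checks it: a test asserting that `set_issue_fields` gets the same secrecy and integrity labels as a sibling such as `update_issue_type` would pin that claim against future regrouping.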

0 commit comments
