Add pre-emptive guard entries for 3 CLI write operations missing from WRITE_OPERATIONS (#3609)

lpcox · web-flow · commit 4c7872d651b3 · 2026-04-11T14:24:11.000-07:00
Three GitHub CLI write operations had no guard coverage — meaning if a corresponding MCP tool lands in github-mcp-server, it would pass through unclassified. All three are high/medium risk operations involving repo settings, PR reversion, and SSH key grants. ### `tools.rs` — WRITE_OPERATIONS additions - `edit_repository` — `PATCH /repos/{owner}/{repo}`; can flip visibility private→public - `revert_pull_request` — GraphQL `revertPullRequest`; creates branch + PR - `add_deploy_key` / `delete_deploy_key` — `POST/DELETE /repos/{owner}/{repo}/keys`; grants persistent SSH access ### `tool_rules.rs` — DIFC label rules ```rust "edit_repository" => { secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx); integrity = writer_integrity(repo_id, ctx); } "revert_pull_request" => { secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx); integrity = writer_integrity(repo_id, ctx); } "add_deploy_key" | "delete_deploy_key" => { // Always private regardless of repo visibility — deploy key secrets are sensitive secrecy = policy_private_scope_label(&owner, &repo, repo_id, ctx); integrity = writer_integrity(repo_id, ctx); } ``` Deploy key operations use `policy_private_scope_label` unconditionally (not `apply_repo_visibility_secrecy`) since the key material itself is always sensitive regardless of whether the repo is public. > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build3092088994/b514/launcher.test /tmp/go-build3092088994/b514/launcher.test -test.testlogfile=/tmp/go-build3092088994/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -W .cfg Bmen/MKrSXkkW-_Q-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet 9006�� .cfg olang.org/grpc@v1.80.0/internal/transport/client_stream.go x_amd64/vet --gdwarf-5 g/grpc/attribute-qE -o x_amd64/vet` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build3092088994/b496/config.test /tmp/go-build3092088994/b496/config.test -test.testlogfile=/tmp/go-build3092088994/b496/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build3092088994/b323/vet.cfg 5.0/deviceauth.g-errorsas 5.0/oauth2.go x_amd64/vet --gdwarf-5 nal/protolazy -o x_amd64/vet -I g_.a -I x_amd64/vet --gdwarf-5 go-sdk/auth -o x_amd64/vet` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build3092088994/b514/launcher.test /tmp/go-build3092088994/b514/launcher.test -test.testlogfile=/tmp/go-build3092088994/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -W .cfg Bmen/MKrSXkkW-_Q-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet 9006�� .cfg olang.org/grpc@v1.80.0/internal/transport/client_stream.go x_amd64/vet --gdwarf-5 g/grpc/attribute-qE -o x_amd64/vet` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build3092088994/b514/launcher.test /tmp/go-build3092088994/b514/launcher.test -test.testlogfile=/tmp/go-build3092088994/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s -W .cfg Bmen/MKrSXkkW-_Q-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet 9006�� .cfg olang.org/grpc@v1.80.0/internal/transport/client_stream.go x_amd64/vet --gdwarf-5 g/grpc/attribute-qE -o x_amd64/vet` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build3092088994/b523/mcp.test /tmp/go-build3092088994/b523/mcp.test -test.testlogfile=/tmp/go-build3092088994/b523/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build3092088994/b517/_pkg_.a elemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.43.0/internal/otlpconfig/envconfig.go/usr/bin/runc.original elemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp@v1.43.0/internal/otlpconfig/options.go x_amd64/vet --gdwarf-5 g/grpc/internal -o x_amd64/vet -obj�� .cfg -importpath x_amd64/vet -ldflags=&#34;-O2&#34; &#34;/usr/libexec/docker/docker-init ecosystem/grpc-g--version -I x_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/guards/github-guard/rust-guard/src/labels/mod.rs b/guards/github-guard/rust-guard/src/labels/mod.rs
@@ -4712,4 +4712,84 @@ mod tests {
 
         assert_eq!(integrity, writer_integrity(repo_id, &ctx), "fork_repository should have writer integrity");
     }
+
+    #[test]
+    fn test_apply_tool_labels_edit_repository_writer_integrity() {
+        let ctx = default_ctx();
+        let repo_id = "github/copilot";
+        let tool_args = json!({
+            "owner": "github",
+            "repo": "copilot",
+        });
+
+        let (_secrecy, integrity, _desc) = apply_tool_labels(
+            "edit_repository",
+            &tool_args,
+            repo_id,
+            vec![],
+            vec![],
+            String::new(),
+            &ctx,
+        );
+
+        assert_eq!(integrity, writer_integrity(repo_id, &ctx), "edit_repository should have writer integrity");
+    }
+
+    #[test]
+    fn test_apply_tool_labels_revert_pull_request_writer_integrity() {
+        let ctx = default_ctx();
+        let repo_id = "github/copilot";
+        let tool_args = json!({
+            "owner": "github",
+            "repo": "copilot",
+            "pullNumber": 42,
+        });
+
+        let (_secrecy, integrity, _desc) = apply_tool_labels(
+            "revert_pull_request",
+            &tool_args,
+            repo_id,
+            vec![],
+            vec![],
+            String::new(),
+            &ctx,
+        );
+
+        assert_eq!(integrity, writer_integrity(repo_id, &ctx), "revert_pull_request should have writer integrity");
+    }
+
+    #[test]
+    fn test_apply_tool_labels_deploy_key_operations_private_secrecy() {
+        let ctx = default_ctx();
+        let repo_id = "github/copilot";
+        let tool_args = json!({
+            "owner": "github",
+            "repo": "copilot",
+        });
+
+        for tool_name in &["add_deploy_key", "delete_deploy_key"] {
+            let (secrecy, integrity, _desc) = apply_tool_labels(
+                tool_name,
+                &tool_args,
+                repo_id,
+                vec![],
+                vec![],
+                String::new(),
+                &ctx,
+            );
+
+            assert_eq!(
+                secrecy,
+                super::helpers::policy_private_scope_label("github", "copilot", repo_id, &ctx),
+                "{} should have private-scoped secrecy",
+                tool_name
+            );
+            assert_eq!(
+                integrity,
+                writer_integrity(repo_id, &ctx),
+                "{} should have writer integrity",
+                tool_name
+            );
+        }
+    }
 }
diff --git a/guards/github-guard/rust-guard/src/labels/tool_rules.rs b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
@@ -644,6 +644,31 @@ pub fn apply_tool_labels(
             integrity = writer_integrity(repo_id, ctx);
         }
 
+        // === Repository settings edit (can change visibility) ===
+        "edit_repository" => {
+            // Can change repo visibility, security settings, default branch.
+            // S = S(repo); I = writer (requires admin access)
+            secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
+            integrity = writer_integrity(repo_id, ctx);
+        }
+
+        // === PR revert (creates revert branch + PR) ===
+        "revert_pull_request" => {
+            // Creates a new branch + PR reverting a merged PR.
+            // S = S(repo); I = writer
+            secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
+            integrity = writer_integrity(repo_id, ctx);
+        }
+
+        // === Deploy key management (SSH key with optional write access) ===
+        "add_deploy_key" | "delete_deploy_key" => {
+            // Manages SSH deploy keys — `add_deploy_key` may grant persistent write access.
+            // S = at least private; scope is policy-dependent (may be unscoped, owner-scoped, or repo-scoped)
+            // I = writer (requires admin access)
+            secrecy = policy_private_scope_label(&owner, &repo, repo_id, ctx);
+            integrity = writer_integrity(repo_id, ctx);
+        }
+
         // === Star/unstar operations (public metadata) ===
         "star_repository" | "unstar_repository" => {
             // Starring is a public action; response is minimal metadata.
diff --git a/guards/github-guard/rust-guard/src/tools.rs b/guards/github-guard/rust-guard/src/tools.rs
@@ -51,6 +51,13 @@ pub const WRITE_OPERATIONS: &[&str] = &[
     "rerun_workflow_run",  // gh run rerun        — reruns a completed workflow run
     "rerun_failed_jobs",   // gh run rerun --failed — reruns only failed jobs
     "rerun_workflow_job",  // gh run rerun --job  — reruns a specific job
+    // Pre-emptive: gh repo edit (PATCH /repos/{owner}/{repo}) — can change visibility, security settings
+    "edit_repository",
+    // Pre-emptive: gh pr revert (GraphQL revertPullRequest) — creates revert branch + PR
+    "revert_pull_request",
+    // Pre-emptive: gh repo deploy-key add/delete — SSH key with optional write access
+    "add_deploy_key",
+    "delete_deploy_key",
 ];
 
 /// Read-write operations that both read and modify data
@@ -210,6 +217,22 @@ mod tests {
         }
     }
 
+    #[test]
+    fn test_cli_gap_operations_are_write_operations() {
+        for op in &[
+            "edit_repository",
+            "revert_pull_request",
+            "add_deploy_key",
+            "delete_deploy_key",
+        ] {
+            assert!(
+                is_write_operation(op),
+                "{} must be classified as a write operation",
+                op
+            );
+        }
+    }
+
     #[test]
     fn test_create_agent_task_is_read_write_and_blocked() {
         assert!(
