Reduce duplication in write-op integrity classification and MinIntegrity conversion (#3534)

`label_resource` had four `if/else if` branches where the first two
(merge/delete) were identical and the last two (update/create +
catch-all) were identical. `MinIntegrity` lacked a string conversion
method, forcing callers to maintain parallel match arms.

- **Collapse integrity branches** in `lib.rs`: merge/delete →
`writer_integrity`, everything else → `reader_integrity`. Single
`!repo_id.is_empty()` guard wrapping a conditional.
- **Add `MinIntegrity::as_str()`** in `helpers.rs`: canonical `&'static
str` conversion using `policy_integrity` constants. Replaces the 5-line
match block in `label_agent` with
`integrity_floor.as_str().to_string()`.
- **Unit test** for `as_str()` covering all four variants.

```rust
// Before: 4 branches, 2 pairs of duplicates
if tools::is_merge_operation(&input.tool_name) {
    if !repo_id.is_empty() { integrity = labels::writer_integrity(&repo_id, &ctx); }
} else if tools::is_delete_operation(&input.tool_name) {
    if !repo_id.is_empty() { integrity = labels::writer_integrity(&repo_id, &ctx); }
} else if tools::is_update_operation(&input.tool_name) || tools::is_create_operation(&input.tool_name) {
    if !repo_id.is_empty() { integrity = labels::reader_integrity(&repo_id, &ctx); }
} else if !repo_id.is_empty() {
    integrity = labels::reader_integrity(&repo_id, &ctx);
}

// After
if !repo_id.is_empty() {
    integrity = if tools::is_merge_operation(&input.tool_name)
        || tools::is_delete_operation(&input.tool_name)
    {
        labels::writer_integrity(&repo_id, &ctx)
    } else {
        labels::reader_integrity(&repo_id, &ctx)
    };
}
```

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build1833741381/b514/launcher.test
/tmp/go-build1833741381/b514/launcher.test
-test.testlogfile=/tmp/go-build1833741381/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -W .cfg
olang.org/grpc@v-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet
.cfg�� 2245169/b376/_pkg_.a -I x_amd64/vet --gdwarf-5
g/grpc/internal//usr/bin/runc -o x_amd64/vet` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1833741381/b496/config.test
/tmp/go-build1833741381/b496/config.test
-test.testlogfile=/tmp/go-build1833741381/b496/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build1833741381/b394/vet.cfg @v1.1.3/cpu/arm/-errorsas -trimpath
x_amd64/vet -p nal/encoding/tex-atomic -lang=go1.25 x_amd64/vet -I g_.a
-I x_amd64/vet --gdwarf-5 64 -o x_amd64/vet` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build1833741381/b514/launcher.test
/tmp/go-build1833741381/b514/launcher.test
-test.testlogfile=/tmp/go-build1833741381/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -W .cfg
olang.org/grpc@v-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet
.cfg�� 2245169/b376/_pkg_.a -I x_amd64/vet --gdwarf-5
g/grpc/internal//usr/bin/runc -o x_amd64/vet` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build1833741381/b514/launcher.test
/tmp/go-build1833741381/b514/launcher.test
-test.testlogfile=/tmp/go-build1833741381/b514/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -W .cfg
olang.org/grpc@v-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet
.cfg�� 2245169/b376/_pkg_.a -I x_amd64/vet --gdwarf-5
g/grpc/internal//usr/bin/runc -o x_amd64/vet` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build1833741381/b523/mcp.test
/tmp/go-build1833741381/b523/mcp.test
-test.testlogfile=/tmp/go-build1833741381/b523/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 2245�� .cfg
ache/go/1.25.8/x64/src/database/sql/driver/driver.go x_amd64/vet
--gdwarf-5 --64 -o x_amd64/vet .cfg��
/tmp/go-build4122245169/b223/_pk-errorsas uxII/pTQM0yfdla9bshGWuxII
x_amd64/vet -p 2245169/b468/ -lang=go1.24 x_amd64/vet` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -83,6 +83,19 @@ pub enum MinIntegrity {
     Merged,
 }
 
+impl MinIntegrity {
+    /// Returns the canonical policy-facing string for this integrity level.
+    pub fn as_str(self) -> &'static str {
+        use super::constants::policy_integrity;
+        match self {
+            MinIntegrity::None => policy_integrity::NONE,
+            MinIntegrity::Unapproved => policy_integrity::UNAPPROVED,
+            MinIntegrity::Approved => policy_integrity::APPROVED,
+            MinIntegrity::Merged => policy_integrity::MERGED,
+        }
+    }
+}
+
 #[derive(Debug, Clone, Default)]
 pub struct PolicyContext {
     pub scopes: Vec<PolicyScopeEntry>,
@@ -1427,4 +1440,13 @@ mod tests {
         let assoc_result = author_association_floor_from_str("owner/repo", Some("CONTRIBUTOR"), &ctx);
         assert_eq!(perm_result, assoc_result, "read permission and CONTRIBUTOR association should produce same integrity");
     }
+
+    #[test]
+    fn test_min_integrity_as_str() {
+        use super::super::constants::policy_integrity;
+        assert_eq!(MinIntegrity::None.as_str(), policy_integrity::NONE);
+        assert_eq!(MinIntegrity::Unapproved.as_str(), policy_integrity::UNAPPROVED);
+        assert_eq!(MinIntegrity::Approved.as_str(), policy_integrity::APPROVED);
+        assert_eq!(MinIntegrity::Merged.as_str(), policy_integrity::MERGED);
+    }
 }

guards/github-guard/rust-guard/src/lib.rs

@@ -531,12 +531,7 @@ pub extern "C" fn label_agent(
 
     let normalized_policy = NormalizedPolicy {
         scope_kind: normalized_scope_kind(&scopes),
-        min_integrity: match integrity_floor {
-            MinIntegrity::None => policy_integrity::NONE.to_string(),
-            MinIntegrity::Unapproved => policy_integrity::UNAPPROVED.to_string(),
-            MinIntegrity::Approved => policy_integrity::APPROVED.to_string(),
-            MinIntegrity::Merged => policy_integrity::MERGED.to_string(),
-        },
+        min_integrity: integrity_floor.as_str().to_string(),
     };
 
     let output = LabelAgentOutput {
@@ -619,25 +614,14 @@ pub extern "C" fn label_resource(
     // Classify operation with scoped integrity tags
     if tools::is_write_operation(&input.tool_name) {
         operation = "write";
-        if tools::is_merge_operation(&input.tool_name) {
-            // Writer-level baseline for merge operations
-            if !repo_id.is_empty() {
-                integrity = labels::writer_integrity(&repo_id, &ctx);
-            }
-        } else if tools::is_delete_operation(&input.tool_name) {
-            // Writer-level baseline
-            if !repo_id.is_empty() {
-                integrity = labels::writer_integrity(&repo_id, &ctx);
-            }
-        } else if tools::is_update_operation(&input.tool_name)
-            || tools::is_create_operation(&input.tool_name)
-        {
-            // Contributor level
-            if !repo_id.is_empty() {
-                integrity = labels::reader_integrity(&repo_id, &ctx);
-            }
-        } else if !repo_id.is_empty() {
-            integrity = labels::reader_integrity(&repo_id, &ctx);
+        if !repo_id.is_empty() {
+            integrity = if tools::is_merge_operation(&input.tool_name)
+                || tools::is_delete_operation(&input.tool_name)
+            {
+                labels::writer_integrity(&repo_id, &ctx)
+            } else {
+                labels::reader_integrity(&repo_id, &ctx)
+            };
         }
     }
 

guards/github-guard/rust-guard/src/tools.rs

@@ -89,16 +89,6 @@ pub fn is_delete_operation(tool_name: &str) -> bool {
     tool_name.starts_with("delete_")
 }
 
-/// Check if a tool is an update operation
-pub fn is_update_operation(tool_name: &str) -> bool {
-    tool_name.starts_with("update_")
-}
-
-/// Check if a tool is a create operation
-pub fn is_create_operation(tool_name: &str) -> bool {
-    tool_name.starts_with("create_")
-}
-
 /// Check if a tool is a lock operation
 pub fn is_lock_operation(tool_name: &str) -> bool {
     tool_name.starts_with("lock_")