AllowOnly Guard Smoke Test Results
Policy: repos=["github/gh-aw*"], min-integrity=approved
Run: https://github.com/github/gh-aw-mcpg/actions/runs/27185330147
In-Scope Access (github/gh-aw*)
| Tool |
Target |
Result |
Status |
| list_issues |
gh-aw-mcpg |
3 issues returned (github-actions[bot]) |
✅ |
| list_pull_requests |
gh-aw-mcpg |
3 PRs returned |
✅ |
| list_commits |
gh-aw-mcpg |
3 commits returned |
✅ |
| get_file_contents |
gh-aw-mcpg |
README.md content returned |
✅ |
| list_branches |
gh-aw-mcpg |
5 branches returned |
✅ |
| search_code |
gh-aw-mcpg |
3 results returned |
✅ |
| list_issues |
gh-aw |
Access allowed; 3 items filtered by integrity (none-level) |
✅ |
| get_file_contents |
gh-aw |
Access allowed; filtered by integrity (none-level) |
✅ |
Out-of-Scope Access (octocat/Hello-World)
| Tool |
Result |
Status |
| list_issues |
Empty — 3 items filtered by integrity policy |
✅ |
| list_pull_requests |
Empty — 3 items filtered by integrity policy |
✅ |
| list_commits |
Empty — 3 items filtered by integrity policy |
✅ |
| get_file_contents |
Filtered by integrity policy |
✅ |
| search_code |
Empty — 1 item filtered by integrity policy |
✅ |
Global APIs
| Tool |
Result |
Status |
| search_repositories |
Empty — 3 items filtered by integrity policy |
✅ |
| search_users |
Tool not available in GitHub MCP server |
⚠️ N/A |
Integrity Filtering
| Observation |
Status |
| gh-aw-mcpg list_issues (20): only github-actions[bot] items visible |
✅ |
| gh-aw-mcpg list_pull_requests (20): only github-actions[bot]/Copilot items visible |
✅ |
| Out-of-scope (octocat/Hello-World) content filtered via integrity policy — all items had integrity below "approved", resulting in empty responses |
✅ |
| gh-aw items (list_issues + get_file_contents) filtered by integrity — access was allowed (in-scope), content removed by integrity filter |
✅ |
Note: Out-of-scope repository access is enforced via integrity filtering rather than hard-blocking. Items from octocat/Hello-World and global searches carry integrity below "approved" and are removed by the DIFC guard. The net result is correct (empty responses), matching expected BLOCKED behavior.
Summary
- In-Scope Access: 8/8 ✅
- Out-of-Scope Blocked: 5/5 ✅
- Global APIs Blocked: 1/1 ✅ (search_users unavailable — N/A)
- Integrity Filtering: ✅
- Overall: PASS
🛡️ AllowOnly guard smoke test by Smoke AllowOnly
AllowOnly Guard Smoke Test Results
Policy: repos=["github/gh-aw*"], min-integrity=approved
Run: https://github.com/github/gh-aw-mcpg/actions/runs/27185330147
In-Scope Access (github/gh-aw*)
Out-of-Scope Access (octocat/Hello-World)
Global APIs
Integrity Filtering
Summary