Close GitHub guard DIFC gaps for search_commits and FF list_issues variant#6432

Merged: lpcox merged 6 commits into main from copilot/guard-coverage-fix on May 25, 2026
Contributor

Copilot AI commented May 25, 2026

The guard was missing explicit DIFC labeling for two newly observed repo-scoped read tools, causing fallback/default handling instead of repo-aware secrecy/integrity labeling. This PR adds explicit coverage so both operations align with existing guard semantics for equivalent tools.

  • Tool labeling updates (tool_rules.rs)

    • Added explicit apply_tool_labels arm for search_commits:
      • resolves effective repo scope via resolve_search_scope(...)
      • applies repo-visibility secrecy at resolved scope
      • applies writer-level integrity at resolved scope
      • sets scoped description/baseline (search_commits:<owner/repo>) when query-scoped repo is present
    • Extended existing issues arm to include list_issues_ff_remote_mcp_issue_fields, matching list_issues behavior exactly.
  • Coverage tests (labels/mod.rs)

    • Added test_apply_tool_labels_search_commits to assert scoped description, secrecy, and integrity behavior for repo-qualified commit search.
    • Added test_apply_tool_labels_list_issues_ff_matches_list_issues to verify the FF issue-fields variant produces identical labels/desc as list_issues and retains expected repo-scoped defaults.
  • Illustrative change

    "get_issue" | "issue_read" | "list_issues" | "list_issues_ff_remote_mcp_issue_fields" => { ... }
    
    "search_commits" => {
        let (s_owner, s_repo, s_repo_id) = resolve_search_scope(tool_args, &owner, &repo);
        if !s_repo_id.is_empty() {
            desc = format!("search_commits:{}", s_repo_id);
            secrecy = apply_repo_visibility_secrecy(&s_owner, &s_repo, &s_repo_id, secrecy, ctx);
            integrity = writer_integrity(&s_repo_id, ctx);
            baseline_scope = Cow::Owned(s_repo_id);
        } else {
            secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
            integrity = writer_integrity(repo_id, ctx);
        }
    }

Copilot AI changed the title from "[WIP] Fix guard coverage gap for 2 operations in github-mcp-server" to "Close GitHub guard DIFC gaps for search_commits and FF list_issues variant" May 25, 2026
Copilot finished work on behalf of lpcox May 25, 2026 02:59
Copilot AI requested a review from lpcox May 25, 2026 02:59
@lpcox lpcox marked this pull request as ready for review May 25, 2026 03:01
Copilot AI review requested due to automatic review settings May 25, 2026 03:01
Contributor

Copilot AI left a comment

Pull request overview

This PR updates the GitHub guard’s DIFC labeling rules to explicitly cover two repo-scoped read tools that were previously falling back to default labeling, ensuring secrecy/integrity labels align with existing repo-aware semantics.

Changes:

  • Add explicit apply_tool_labels handling for search_commits, including repo-scope resolution from the search query and repo-scoped secrecy/integrity labeling.
  • Treat list_issues_ff_remote_mcp_issue_fields identically to list_issues in tool labeling rules.
  • Add unit tests covering search_commits labeling and ensuring the FF list_issues variant matches list_issues.
| File | Description |
| --- | --- |
| guards/github-guard/rust-guard/src/labels/tool_rules.rs | Adds explicit labeling coverage for search_commits and extends issues labeling to include the FF tool variant. |
| guards/github-guard/rust-guard/src/labels/mod.rs | Adds tests for search_commits tool labeling and for parity between list_issues and the FF issue-fields variant. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 2

Comment thread guards/github-guard/rust-guard/src/labels/tool_rules.rs
Comment thread guards/github-guard/rust-guard/src/labels/mod.rs
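
The labeling rule summarized in the PR description and the review overview above, as an added example that is not code from the PR or the guard: a simplified Rust model of the explicit arms, plus a coverage check for tool names that would still reach the default arm. `Labels`, `Ctx`, `query_repo`, `repo_labels`, `coverage_gaps`, the `private:`/`writer:` label strings and the `repo:owner/name` query syntax are assumptions.

```rust
// Added illustration: a simplified model of the labeling rule, not the guard's code. Types, helpers and
// label strings are assumptions; tool names, desc format and branching follow the PR text.
use std::collections::HashSet;

#[derive(Debug, Default, PartialEq)]
pub struct Labels {
    pub desc: String,
    pub secrecy: Vec<String>,   // empty means public
    pub integrity: Vec<String>,
    pub explicit: bool,         // model-only flag: false means the default arm ran
}

pub struct Ctx { pub private_repos: HashSet<String> }

// Assumed query syntax: a well-formed "repo:owner/name" qualifier names the scope.
fn query_repo(query: &str) -> Option<&str> {
    query.split_whitespace().filter_map(|t| t.strip_prefix("repo:")).find(|r| {
        matches!(r.split_once('/'), Some((o, n)) if !o.is_empty() && !n.is_empty() && !n.contains('/'))
    })
}

fn repo_labels(desc: String, scope: &str, ctx: &Ctx) -> Labels {
    let secrecy = if ctx.private_repos.contains(scope) { vec![format!("private:{}", scope)] } else { vec![] };
    Labels { desc, secrecy, integrity: vec![format!("writer:{}", scope)], explicit: true }
}

pub fn apply_tool_labels(tool: &str, query: &str, repo_id: &str, ctx: &Ctx) -> Labels {
    match tool {
        "get_issue" | "issue_read" | "list_issues" | "list_issues_ff_remote_mcp_issue_fields" =>
            repo_labels(format!("issue:{}", repo_id), repo_id, ctx),
        "search_commits" => match query_repo(query) {
            Some(s) => repo_labels(format!("search_commits:{}", s), s, ctx),
            None => repo_labels(tool.to_string(), repo_id, ctx), // fall back to the call's repo
        },
        _ => Labels { desc: tool.to_string(), ..Default::default() }, // default arm: no repo labels
    }
}

// Coverage check: upstream tool names that would still reach the default arm.
pub fn coverage_gaps<'a>(tools: &[&'a str], ctx: &Ctx) -> Vec<&'a str> {
    tools.iter().copied().filter(|t| !apply_tool_labels(t, "", "octo/demo", ctx).explicit).collect()
}

fn main() {
    // Constructed sample data: one private repo and a list of upstream tool names.
    let ctx = Ctx { private_repos: vec!["octo/secret".to_string()].into_iter().collect() };
    println!("{:?}", apply_tool_labels("search_commits", "fix repo:octo/secret", "octo/demo", &ctx));
    println!("{:?}", coverage_gaps(&["list_issues", "search_commits", "hypothetical_tool"], &ctx));
}
```
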
lpcox and others added 2 commits May 24, 2026 20:14
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Collaborator

lpcox commented May 25, 2026

Contributor Author

Copilot AI commented May 25, 2026

> @copilot fix this failing ci check https://github.com/github/gh-aw-mcpg/actions/runs/26381246169/job/77650770976?pr=6432

Fixed the failing CI check in commit a9e7fc7. Root cause was a Rust test/build break around infer_scope_for_baseline usage/signature and missing search_commits baseline inference coverage. I updated baseline scope inference to include search_commits, fixed the test assertion/signature, and added a regression test. make agent-finished now passes, and parallel validation (Code Review + CodeQL) is clean.

Copilot finished work on behalf of lpcox May 25, 2026 03:23
@lpcox lpcox merged commit 7600c3f into main May 25, 2026
14 checks passed
@lpcox lpcox deleted the copilot/guard-coverage-fix branch May 25, 2026 03:24
Development

Successfully merging this pull request may close these issues.

[guard-coverage] Guard coverage gap: 2 operations from github-mcp-server not fully covered