Rust guard: remove list_commits secrecy clone and add project-item path labeling regressions

[Copilot]

This tightens two remaining weak spots in response_paths.rs: list_commits still deep-cloned secrecy labels on every call, and the list_project_items / projects_list path-labeling branch lacked direct regression coverage for its security-relevant edge cases.

• list_commits: eliminate the last Vec<String> deep clone

  • Convert repo secrecy to SharedLabels immediately.
  • Reuse it via cheap Arc clones for per-item labels.
  • Move the same shared value into default_labels on its final use.

  let default_secrecy: crate::SharedLabels =
      repo_visibility_secrecy(&arg_owner, &arg_repo, &default_repo, ctx).into();
  
  // per-item
  secrecy: default_secrecy.clone(),
  
  // default labels
  secrecy: default_secrecy,

• Project-item response-path regressions

  • Add coverage for the fail-secure branch when an ISSUE item has no repo context.
  • Assert DRAFT_ISSUE stays owner-writer integrity with empty secrecy.
  • Assert projects_list remains behaviorally identical to list_project_items.

• items_path contract

  • Add an explicit assertion that { "items": [...] } responses propagate items_path == Some("/items") and produce /items/{n} entry paths.

These changes keep the response-labeling behavior unchanged where already correct, while removing unnecessary allocation/copying in commit labeling and documenting the intended contract around heterogeneous project items.

[Copilot]

Pull request overview

This PR improves the Rust guard’s response path labeling in response_paths.rs by removing a remaining per-call deep clone in list_commits secrecy labels and by adding targeted regression tests for security-sensitive project-item path labeling edge cases.

Changes:

• Convert list_commits default secrecy labels to SharedLabels immediately and reuse via cheap Arc clones (eliminating the last Vec<String> deep clone in that path).
• Add regression tests for list_project_items/projects_list to ensure fail-secure behavior when repo context is missing, correct handling of DRAFT_ISSUE, and alias behavioral equivalence.
• Add an explicit test assertion that { "items": [...] } responses forward items_path == Some("/items") and produce /items/{n} entry paths.

Show a summary per file

File	Description
guards/github-guard/rust-guard/src/labels/response_paths.rs	Removes an unnecessary secrecy-label deep clone for list_commits and adds regression tests covering project-item labeling and items_path propagation.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 0