feat: add update-work-item safe output

[Copilot]

Adds an update-work-item safe output tool for modifying existing ADO work items, with fine-grained front matter controls mirroring the update-issue pattern from GitHub Agentic Workflows.

Configuration

Each updatable field must be explicitly opted-in. All default to false/disabled:

safe-outputs:
  update-work-item:
    status: true              # System.State
    title: true               # System.Title
    body: true                # System.Description
    markdown-body: false      # opt-in: store body as Markdown (ADO Services / Server 2022+ only)
    title-prefix: "[bot] "    # guard: only update items whose current title starts with this
    tag-prefix: "agent-"      # guard: only update items that have a tag starting with this prefix
    max: 3                    # max outputs per run (default: 1)
    target: "*"               # "*" (default) or a specific work item ID
    area-path: true           # System.AreaPath
    iteration-path: true      # System.IterationPath
    assignee: true            # System.AssignedTo
    tags: true                # System.Tags (full replacement)

Key design decisions

• target accepts "*" (any ID) or an integer (lock to one item) — rejects at execution time if the agent-supplied ID doesn't match; unrecognised pattern values emit a warn! log rather than silently blocking all updates
• title-prefix issues a GET before the PATCH to verify the current title; rejected if it doesn't match
• tag-prefix issues a GET before the PATCH to verify the current tags; rejected if no tag starts with the prefix. ADO tags are semicolon-separated and each is trimmed before comparison
• When both title-prefix and tag-prefix are configured, a single GET is issued and both checks are applied before the PATCH
• markdown-body is false by default for broad ADO Server compatibility. Set to true to emit the /multilineFieldsFormat/System.Description: "Markdown" patch op (requires ADO Services or Server 2022+)
• work_item_type is not supported — System.WorkItemType is read-only via the WIT PATCH API and the endpoint returns HTTP 400 if it is included
• max is enforced at Stage 2 by skipping excess update-work-item entries (adding a failure result per skipped entry) rather than aborting the entire batch — all other queued outputs (PRs, wiki pages, etc.) continue to execute
• Tag injection prevention — tags containing semicolons are rejected at validation time (Stage 1), since ADO uses semicolons as tag separators and allowing them would silently inject extra tags
• Disallowed fields return a failure result (not an error) with a clear message pointing to the missing config key
• Added to WRITE_REQUIRING_SAFE_OUTPUTS — compilation fails if no permissions.write service connection is configured

Agent parameters

Field	Type	Notes
id	u64	Required; must be > 0
title	Option<String>	Max 255 chars
body	Option<String>	Stored as HTML by default; set markdown-body: true in config for Markdown rendering
state	Option<String>	e.g. "Active", "Resolved"
area_path	Option<String>
iteration_path	Option<String>
assignee	Option<String>	Email or display name
tags	Option<Vec<String>>	Replaces all existing tags; values must not contain semicolons

At least one field must be non-null; validation enforced at Stage 1 (MCP) and sanitization runs at both Stage 1 and Stage 2.

---

📱 Kick off Copilot coding agent tasks wherever you are with GitHub Mobile, available on iOS and Android.

[jamesadevine]

@copilot We should come up with a way e.g. tag-prefix which allows editing of work items with only tags in the list.

[Copilot]

@copilot We should come up with a way e.g. tag-prefix which allows editing of work items with only tags in the list.

Done in 8045891. Added tag-prefix to UpdateWorkItemConfig — before patching, the executor fetches the current work item and checks that at least one of its tags starts with the configured prefix (ADO tags are semicolon-separated, each trimmed before comparison). If no matching tag is found the update is rejected with a descriptive message.

safe-outputs:
  update-work-item:
    title: true
    tag-prefix: "agent-"   # only update work items that have a tag starting with "agent-"

When both title-prefix and tag-prefix are set, a single GET fetches the work item and both checks are applied before the PATCH is issued.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.github.com (HTTP Only)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com /lib64/ld-linux-x86-64.so.2 -pie -z now -fuse-ld=lld -z relro -o b lib/rustlib/x86_/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/thiserror_impl-3723d82190d9318/usr/libexec/gcc/x86_64-linux-gnu/13/collect2 .rlib mbols.o res-29c722fcdd0c/home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/lib/rustlib/x86_-plugin-opt=/usr/libexec/gcc/x86_64-linux-gnu/13/lto-wrapper res-29c722fcdd0c-plugin res-29c722fcdd0c/usr/libexec/gcc/x86_64-linux-gnu/13/liblto_plugin.so res-29c722fcdd0c-plugin-opt=/usr/libexec/gcc/x86_64-linux-gnu/13/lto-wrapper (packet block)
• dev.azure.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2 --emit=dep-info,link -C prefer-dynamic -C embed-bitcode=no 0gm9bu44kjg0guvo0ok554wy.09b0mqx.rcgu.o exlzyjgsm82gg8lg8nf8td72.09b0mqx.rcgu.o mvo1is9m63x9f7dt29rlwwrk.09b0mqx.rcgu.o 2odb6ajuo4zrdnaasec910m1.09b0mqx.rcgu.o 3jyavcrshjb4p19y4uxetwvs.09b0mqx.rcgu.o 4ky8dyp6axhjtuv3guzwcot1.09b0mqx.rcgu.o 86ts56zqtyuqf4n0r91kt7t6.09b0mqx.rcgu.o kxwezc19jyhh7hzb5br2qd9g.09b0mqx.rcgu.o nkjjsz3wv2bnmq64y633lluc.09b0mqx.rcgu.o u920k80mfg2s198c7bj9lm5h.09b0mqx.rcgu.o uet2cs1tlmkolj5l6x6imla2.09b0mqx.rcgu.o 9dy4e5p3dy37hlgsg6p1ockr.09b0mqx.rcgu.o 9zb5tvlqb5tt29okd9ty3n8v.09b0mqx.rcgu.o gbp02zi6r6wah1ddwpeqlnpu.09b0mqx.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com -z relro -o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b9470e408 b lib/rustlib/x86_/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/thiserror_impl-3723d82190d9318/home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/bin/gcc-ld/ld.lld .rlib mbols.o res-29c722fcdd0c/home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/lib/rustlib/x86_-plugin-opt=/usr/libexec/gcc/x86_64-linux-gnu/13/lto-wrapper res-29c722fcdd0c-flavor res-29c722fcdd0cgnu res-29c722fcdd0c-plugin (dns block)
• msazuresphere.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com -z relro -o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b9470e408 b lib/rustlib/x86_/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/thiserror_impl-3723d82190d9318/home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/bin/gcc-ld/ld.lld .rlib mbols.o res-29c722fcdd0c/home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/lib/rustlib/x86_-plugin-opt=/usr/libexec/gcc/x86_64-linux-gnu/13/lto-wrapper res-29c722fcdd0c-flavor res-29c722fcdd0cgnu res-29c722fcdd0c-plugin (dns block)
• raw.github.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow *.github.com /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b947/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0kap0pflzgx6ry7ccfo5lsi4s.0i2s0sp.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b947/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0l4tkat54h55bdhrke0cy4zx1.0i2s0sp.rcgu.o b.05y3skou2n8gywnq1xg30s6nw.1u5xb3x.rcgu.o b.0a9mzns1w8h8hjt5t2ctpscqh.1u5xb3x.rcgu.o b.0dvg5p338ze4yo8sclenf881a.1u5xb3x.rcgu.o b.0dx997ws7aolj1y340bx0d6e5.1u5xb3x.rcgu.o b.0q4dyj2s5hiuc6j4v5i9q6jg7.1u5xb3x.rcgu.o b.0r3pe41pju7n15rf01z828jy9.1u5xb3x.rcgu.o b.0st8ftpil8vvr8aptfgk5l9d4.1u5xb3x.rcgu.o b.115rxut0y51w7elubrycm7rr6.1u5xb3x.rcgu.o b.18jyy94t4oev2upsdapziepnb.1u5xb3x.rcgu.o b.1a3v69ywrr870cv3s0my1xrqv.1u5xb3x.rcgu.o b.1n70h8mnc4lv6myvt7xv1774j.1u5xb3x.rcgu.o b.1rzfl8n5jj6pb28b4t6wqgpti.1u5xb3x.rcgu.o b.220a3tz1x7lsbsl14itqakolp.1u5xb3x.rcgu.o b.2b3v53f7x475pleph3cuavv68.1u5xb3x.rcgu.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[jamesadevine]

/rust-review

[github-actions]

🔍 Rust PR Review

Summary: Looks good overall — well-structured, solid field-level permission checks, and good test coverage — but there are two correctness issues worth addressing before merge.

Findings

🐛 Bugs / Logic Issues

• src/tools/update_work_item.rs:435-436 — System.WorkItemType is read-only via the WIT PATCH API
  Setting System.WorkItemType in a JSON Patch document sent to PATCH /_apis/wit/workitems/{id} is not supported by the ADO REST API. The field is effectively immutable through this endpoint, and the call will return a 400 response ("The field 'System.WorkItemType' cannot be modified"). The error is handled gracefully (it becomes an ExecutionResult::failure rather than a panic), but the feature simply cannot work as documented. The work_item_type config flag and agent parameter should either be removed or the implementation should use the [ADO Work Item type-change endpoint]((learn.microsoft.com/redacted) with bypassRules=true (which requires elevated permissions).

• src/tools/update_work_item.rs:426-430 — /multilineFieldsFormat op breaks older ADO Server instances
  The extra patch operation that sets /multilineFieldsFormat/System.Description to "Markdown" is only recognised by Azure DevOps Services and Server 2022+. On older on-premises deployments this operation may cause the entire PATCH request to fail with a 400, meaning body/description updates won't work at all. Consider either omitting the multilineFieldsFormat op (the body will still be stored, just rendered as HTML) or guarding it behind a config flag.

⚠️ Suggestions

• src/tools/update_work_item.rs:308-318 — unknown TargetConfig::Pattern strings silently block all updates
  The _ => false arm means any Pattern value that isn't "*" (e.g. target: "all") silently rejects every update with a generic "not permitted" message. An operator who misreads the docs could be confused for a long time. Consider using _ => { warn!("Unknown target pattern '{}'; no updates will be permitted", p); false } or erroring at config-parse time with an explicit message.

• Missing integration test fixture — the PR adds unit tests but there's no fixture in tests/fixtures/ exercising a round-trip compilation of a markdown file that includes update-work-item in safe-outputs. At minimum a case verifying that permissions.write is required (exercising the validate_write_permissions path) would be valuable.

✅ What Looks Good

• Field-level permission gates (config.title, config.body, config.status, etc.) are checked before any network call — clean enforcement model.
• Pre-flight max count check in execute.rs (lines 83-98) aborts the entire run atomically before executing anything, which is the right security posture.
• All text fields sanitized both at the MCP layer (mcp.rs) and via Sanitize::sanitize_fields() — belt-and-suspenders is fine here.
• title_prefix / tag_prefix guards share a single GET fetch, not one per guard — efficient.
• tag_prefix unit tests are thorough, including edge cases for trimmed spaces and empty tag strings.
• update-work-item correctly added to WRITE_REQUIRING_SAFE_OUTPUTS, ensuring compile-time failure when permissions.write is absent.

Generated by Rust PR Reviewer for issue #65 · ◷

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• dev.azure.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "dev.azure.com"

See Network Configuration for more information.

[github-actions]

✅ Rust PR Reviewer completed successfully!

[github-actions]

🔍 Rust PR Review

Summary: Mostly well-implemented — good test coverage, proper sanitization, and field-level permission guards — but there is one correctness bug and a couple of minor concerns worth addressing.

Findings

🐛 Bugs / Logic Issues

• src/execute.rs:91 — Max-constraint violation does a hard return Err(...) which aborts the entire execute_safe_outputs run, including any unrelated safe outputs (e.g. create-work-item, noop) that were queued alongside the update entries. Every other pre-validation failure in this function uses ExecutionResult::failure pushed onto results — or individual per-entry Err handling at line ~149 — and continues processing. The max check should follow the same pattern: collect excess entries as failures rather than returning an Err that kills the whole batch. Concretely, the fix is to iterate entries in order, push ExecutionResult::failure(...) for each entry beyond the limit, and continue with the rest of the safe outputs.

  // Suggested approach: soft-fail excess entries, don't abort the run
  let mut update_wi_seen = 0usize;

  …and check/increment inside the main dispatch loop.

⚠️ Suggestions

• src/tools/update_work_item.rs — TargetConfig::Pattern catch-all: The match arm _ => false silently rejects any non-"*" string target (e.g. target: "my-prefix") with a generic "not permitted" error. Since the docs only allow "*" or an integer, it would be clearer to either validate the string at config deserialization time or extend the error message to say which values are valid.

• src/tools/update_work_item.rs — no minimum body length: create-work-item enforces a 30-character minimum on description. update-work-item has no lower bound on body. Probably intentional (partial update of a field is valid), but worth a comment if so.

✅ What Looks Good

• Extensive unit tests covering config defaults, deserialization, target validation, field-permission guards, and the tag_prefix_matches logic in pure-Rust isolation — solid coverage without requiring a live ADO org.
• title_prefix / tag_prefix guards fetching the current work item before patching are clean and the early-return failure paths are clear.
• WRITE_REQUIRING_SAFE_OUTPUTS updated to include update-work-item — compile-time guard for missing write service connections is consistent.
• Sanitization at both the MCP ingestion layer (mcp.rs) and at execute_sanitized time provides correct defense-in-depth.

Generated by Rust PR Reviewer for issue #65 · ◷

[jamesadevine]

@copilot
🐛 Bugs / Logic Issues
src/tools/update_work_item.rs:435-436 — System.WorkItemType is read-only via the WIT PATCH API
Setting System.WorkItemType in a JSON Patch document sent to PATCH /_apis/wit/workitems/{id} is not supported by the ADO REST API. The field is effectively immutable through this endpoint, and the call will return a 400 response ("The field 'System.WorkItemType' cannot be modified"). The error is handled gracefully (it becomes an ExecutionResult::failure rather than a panic), but the feature simply cannot work as documented. The work_item_type config flag and agent parameter should either be removed or the implementation should use the [ADO Work Item type-change endpoint]((learn.microsoft.com/redacted) with bypassRules=true (which requires elevated permissions).

src/tools/update_work_item.rs:426-430 — /multilineFieldsFormat op breaks older ADO Server instances
The extra patch operation that sets /multilineFieldsFormat/System.Description to "Markdown" is only recognised by Azure DevOps Services and Server 2022+. On older on-premises deployments this operation may cause the entire PATCH request to fail with a 400, meaning body/description updates won't work at all. Consider either omitting the multilineFieldsFormat op (the body will still be stored, just rendered as HTML) or guarding it behind a config flag.

⚠️ Suggestions
src/tools/update_work_item.rs:308-318 — unknown TargetConfig::Pattern strings silently block all updates
The _ => false arm means any Pattern value that isn't "*" (e.g. target: "all") silently rejects every update with a generic "not permitted" message. An operator who misreads the docs could be confused for a long time. Consider using _ => { warn!("Unknown target pattern '{}'; no updates will be permitted", p); false } or erroring at config-parse time with an explicit message.

Missing integration test fixture — the PR adds unit tests but there's no fixture in tests/fixtures/ exercising a round-trip compilation of a markdown file that includes update-work-item in safe-outputs. At minimum a case verifying that permissions.write is required (exercising the validate_write_permissions path) would be valuable.

[Copilot]

@copilot
🐛 Bugs / Logic Issues
src/tools/update_work_item.rs:435-436 — System.WorkItemType is read-only via the WIT PATCH API
...

All four issues addressed in 197a27f:

1. work_item_type removed — System.WorkItemType is read-only via the WIT PATCH API. Removed from UpdateWorkItemParams, UpdateWorkItemResult, Sanitize impl, UpdateWorkItemConfig, execute_impl, and mcp.rs.

2. multilineFieldsFormat guarded behind markdown-body: false — the extra patch op that sets the description format to Markdown is now only emitted when operators explicitly set markdown-body: true. Default is false for compat with older ADO Server instances.

3. Unknown TargetConfig::Pattern now warns — replaced the silent _ => false arm with an explicit log::warn!() that names the unrecognised pattern string.

4. Compiler integration tests added — test_update_work_item_requires_write_sc and test_update_work_item_compiles_with_write_sc are in tests/compiler_tests.rs, covering the full config surface including markdown-body, tag-prefix, and title-prefix.

Security summary: no new vulnerabilities introduced; changes are purely removals and opt-in additions.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.github.com (HTTP Only)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com 18gjmaxdo7vm2jyfidd.0ub4z6z.rcgu.o n09t5bwvfg5z17tzt47.0ub4z6z.rcgu.o b.05y3skou2n8gywnq1xg30s6nw.15xu6es.rcgu.o b.0a9mzns1w8h8hjt5t2ctpscqh.15xu6es.rcgu.o b.0dvg5p338ze4yo8sclenf881a.15xu6es.rcgu.o b.0dx997ws7aolj1y340bx0d6e5.15xu6es.rcgu.o b.0q4dyj2s5hiuc6j4v5i9q6jg7.15xu6es.rcgu.o b.0r3pe41pju7n15rf01z828jy9.15xu6es.rcgu.o b.0st8ftpil8vvr8aptfgk5l9d4.15xu6es.rcgu.o b.115rxut0y51w7elubrycm7rr6.15xu6es.rcgu.o b.18jyy94t4oev2upsdapziepnb.15xu6es.rcgu.o b.1a3v69ywrr870cv3s0my1xrqv.15xu6es.rcgu.o b.1n70h8mnc4lv6myvt7xv1774j.15xu6es.rcgu.o b.1rzfl8n5jj6pb28b4t6wqgpti.15xu6es.rcgu.o b.220a3tz1x7lsbsl14itqakolp.15xu6es.rcgu.o b.2b3v53f7x475pleph3cuavv68.15xu6es.rcgu.o (packet block)
• dev.azure.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2 cfg(feature, values()) -C metadata=a93397023a9f5923 7.th�� 7.thiserror_impl.971f6a7430b99441-cgu.13.rcgu.o 0e408.00mdgrb20p5x77eazk2p9gjyy.1m5nn66.rcgu.o 0e408.01teq1ycpdi29xtq38m58avzw.1m5nn66.rcgu.o 0e408.04wdksz2udhbsmhbmz31ifrn2.1m5nn66.rcgu.o 0e408.0roi7kz8fyd01vr8wopkslw4t.1m5nn66.rcgu.o 0e408.0w0s0sshyajplf2l699oxuwfk.1m5nn66.rcgu.o 0e408.0zz0925kng4sqhjswpq47h7d1.1m5nn66.rcgu.o 0e408.1h8m7eedzoqh87j6ntnde3cky.1m5nn66.rcgu.o 0e408.21isguhevtn32dqcdl1j05fjf.1m5nn66.rcgu.o 0e408.27hw7b2y70hemqls64pwyeeau.1m5nn66.rcgu.o 0e408.2ap69xa5jhcu8bzvi8nf665ru.1m5nn66.rcgu.o 0e408.2l7sln5w36yyxwfvup96uk3iy.1m5nn66.rcgu.o 0e408.2z3o4ny3w29nexl27pg3lovk0.1m5nn66.rcgu.o 0e408.31ku1szu3n6wt3joczv7xzi8i.1m5nn66.rcgu.o 0e408.3q1z69vza816v6i52bhfjdqwn.1m5nn66.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com b.0dvg5p338ze4yo8sclenf881a.15xu6es.rcgu.o b.0dx997ws7aolj1y340bx0d6e5.15xu6es.rcgu.o b.0q4dyj2s5hiuc6j4v5i9q6jg7.15xu6es.rcgu.o b.0r3pe41pju7n15rf01z828jy9.15xu6es.rcgu.o b.0st8ftpil8vvr8aptfgk5l9d4.15xu6es.rcgu.o b.115rxut0y51w7elubrycm7rr6.15xu6es.rcgu.o b.18jyy94t4oev2upsdapziepnb.15xu6es.rcgu.o b.1a3v69ywrr870cv3s0my1xrqv.15xu6es.rcgu.o b.1n70h8mnc4lv6myvt7xv1774j.15xu6es.rcgu.o b.1rzfl8n5jj6pb28b4t6wqgpti.15xu6es.rcgu.o b.220a3tz1x7lsbsl14itqakolp.15xu6es.rcgu.o b.2b3v53f7x475pleph3cuavv68.15xu6es.rcgu.o (dns block)
• msazuresphere.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com b.0dvg5p338ze4yo8sclenf881a.15xu6es.rcgu.o b.0dx997ws7aolj1y340bx0d6e5.15xu6es.rcgu.o b.0q4dyj2s5hiuc6j4v5i9q6jg7.15xu6es.rcgu.o b.0r3pe41pju7n15rf01z828jy9.15xu6es.rcgu.o b.0st8ftpil8vvr8aptfgk5l9d4.15xu6es.rcgu.o b.115rxut0y51w7elubrycm7rr6.15xu6es.rcgu.o b.18jyy94t4oev2upsdapziepnb.15xu6es.rcgu.o b.1a3v69ywrr870cv3s0my1xrqv.15xu6es.rcgu.o b.1n70h8mnc4lv6myvt7xv1774j.15xu6es.rcgu.o b.1rzfl8n5jj6pb28b4t6wqgpti.15xu6es.rcgu.o b.220a3tz1x7lsbsl14itqakolp.15xu6es.rcgu.o b.2b3v53f7x475pleph3cuavv68.15xu6es.rcgu.o (dns block)
• raw.github.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow *.github.com 18gjmaxdo7vm2jyfidd.0ub4z6z.rcgu.o n09t5bwvfg5z17tzt47.0ub4z6z.rcgu.o b.05y3skou2n8gywnq1xg30s6nw.15xu6es.rcgu.o b.0a9mzns1w8h8hjt5t2ctpscqh.15xu6es.rcgu.o b.0dvg5p338ze4yo8sclenf881a.15xu6es.rcgu.o b.0dx997ws7aolj1y340bx0d6e5.15xu6es.rcgu.o b.0q4dyj2s5hiuc6j4v5i9q6jg7.15xu6es.rcgu.o b.0r3pe41pju7n15rf01z828jy9.15xu6es.rcgu.o b.0st8ftpil8vvr8aptfgk5l9d4.15xu6es.rcgu.o b.115rxut0y51w7elubrycm7rr6.15xu6es.rcgu.o b.18jyy94t4oev2upsdapziepnb.15xu6es.rcgu.o b.1a3v69ywrr870cv3s0my1xrqv.15xu6es.rcgu.o b.1n70h8mnc4lv6myvt7xv1774j.15xu6es.rcgu.o b.1rzfl8n5jj6pb28b4t6wqgpti.15xu6es.rcgu.o b.220a3tz1x7lsbsl14itqakolp.15xu6es.rcgu.o b.2b3v53f7x475pleph3cuavv68.15xu6es.rcgu.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

[jamesadevine]

/rust-review

[github-actions]

✅ Rust PR Reviewer completed successfully!

[github-actions]

🔍 Rust PR Review

Summary: Needs changes — solid implementation overall, but two substantive issues worth addressing before merge.

Findings

🐛 Bugs / Logic Issues

• src/execute.rs:88-100 — max enforcement aborts ALL safe outputs, not just the offending tool

  When update_wi_count > update_config.max, the code does return Err(...) from execute_safe_outputs. This causes the entire safe-output processing job to fail — PRs, wiki pages, and every other queued output are discarded along with the offending work-item updates. Compare with create_work_item, which uses write_safe_output_file_with_maximum at Stage 1 (MCP write time) to silently cap at the limit — excess outputs simply aren't written, so Stage 2 never sees them.

  Either mirror that pattern for update-work-item (preferred, keeps Stage 2 clean), or change the Stage 2 check to process only the first max entries rather than aborting everything.

🔒 Security Concerns

• src/tools/update_work_item.rs:456 — semicolons in tag values enable tag-injection

  patch_doc.push(replace_field_op("System.Tags", tags.join("; ")));

  ADO interprets System.Tags as a semicolon-delimited list. If an agent supplies a tag string containing ; (e.g. "foo; injected-tag"), it will silently be split into two tags. sanitize_text does not strip semicolons. The fix is to strip or reject semicolons before joining:

  let safe_tags: Vec<&str> = tags.iter()
      .map(|t| t.trim_matches(|c: char| c == ';' || c.is_whitespace()))
      .filter(|t| !t.is_empty())
      .collect();
  patch_doc.push(replace_field_op("System.Tags", safe_tags.join("; ")));

  Or add a validation step in Validate::validate that rejects tags containing ;.

⚠️ Suggestions

• src/tools/update_work_item.rs / src/mcp.rs — double sanitization

  Fields are sanitized in mcp.rs before try_into(), then sanitized again via Sanitize::sanitize_fields() inside execute_sanitized. Idempotent, so not a bug, but one layer is redundant. Since other tools follow the same pattern (sanitize at MCP layer), this is consistent — but worth noting the Stage 2 sanitization is the real safety net and the MCP-layer one can be dropped for simplicity.

• UpdateWorkItemConfig.status vs UpdateWorkItemParams.state naming asymmetry

  The config key is named status (YAML: status: true) but the agent parameter is named state. The struct-level comment explains the discrepancy, but the error message "set 'status: true' in safe-outputs" when a state update is blocked is the only hint in the runtime path. Consider renaming the config field to state to match the agent API, or at least make the mismatch more prominent in the schema docs.

✅ What Looks Good

• The target constraint + title-prefix + tag-prefix guard chain is well-designed and the layered defence is clear.
• TargetConfig with #[serde(untagged)] correctly handles both target: 42 (integer ID) and target: "*" (wildcard pattern), with a defensive warning+block for unrecognised string patterns.
• WRITE_REQUIRING_SAFE_OUTPUTS correctly updated; compile-time validation ensures update-work-item fails cleanly without a write service connection.
• Unit test coverage is thorough — config defaults, target rejection, disabled-field rejection, and sanitization are all exercised.

Generated by Rust PR Reviewer for issue #65 · ◷

[jamesadevine]

@copilot

🐛 Bugs / Logic Issues
src/execute.rs:88-100 — max enforcement aborts ALL safe outputs, not just the offending tool

When update_wi_count > update_config.max, the code does return Err(...) from execute_safe_outputs. This causes the entire safe-output processing job to fail — PRs, wiki pages, and every other queued output are discarded along with the offending work-item updates. Compare with create_work_item, which uses write_safe_output_file_with_maximum at Stage 1 (MCP write time) to silently cap at the limit — excess outputs simply aren't written, so Stage 2 never sees them.

Either mirror that pattern for update-work-item (preferred, keeps Stage 2 clean), or change the Stage 2 check to process only the first max entries rather than aborting everything.

🔒 Security Concerns
src/tools/update_work_item.rs:456 — semicolons in tag values enable tag-injection

patch_doc.push(replace_field_op("System.Tags", tags.join("; ")));
ADO interprets System.Tags as a semicolon-delimited list. If an agent supplies a tag string containing ; (e.g. "foo; injected-tag"), it will silently be split into two tags. sanitize_text does not strip semicolons. The fix is to strip or reject semicolons before joining:

let safe_tags: Vec<&str> = tags.iter()
.map(|t| t.trim_matches(|c: char| c == ';' || c.is_whitespace()))
.filter(|t| !t.is_empty())
.collect();
patch_doc.push(replace_field_op("System.Tags", safe_tags.join("; ")));
Or add a validation step in Validate::validate that rejects tags containing ;.

⚠️ Suggestions
src/tools/update_work_item.rs / src/mcp.rs — double sanitization

Fields are sanitized in mcp.rs before try_into(), then sanitized again via Sanitize::sanitize_fields() inside execute_sanitized. Idempotent, so not a bug, but one layer is redundant. Since other tools follow the same pattern (sanitize at MCP layer), this is consistent — but worth noting the Stage 2 sanitization is the real safety net and the MCP-layer one can be dropped for simplicity.

UpdateWorkItemConfig.status vs UpdateWorkItemParams.state naming asymmetry

The config key is named status (YAML: status: true) but the agent parameter is named state. The struct-level comment explains the discrepancy, but the error message "set 'status: true' in safe-outputs" when a state update is blocked is the only hint in the runtime path. Consider renaming the config field to state to match the agent API, or at least make the mismatch more prominent in the schema docs

[Copilot]

@copilot

...

Both bugs fixed in 3824b23:

max enforcement (execute.rs): Removed the pre-pass return Err(...) block. Now a per-entry counter tracks how many update-work-item outputs have been processed; excess entries get a failure result (with the work item ID in the message) and are skipped via continue — all other queued outputs (PRs, wiki pages, etc.) continue to execute normally. Added test_execute_update_work_item_max_skips_excess_not_abort to verify the noop following skipped entries still succeeds.

Tag injection (update_work_item.rs): Added a check in Validate::validate that rejects any tag containing a semicolon, since ADO uses semicolons as tag separators — this surfaces a clear error to the agent at Stage 1 rather than silently injecting extra tags. Two new unit tests: test_params_rejects_tag_with_semicolon and test_params_accepts_tags_without_semicolons.

The double-sanitization observation and the status/state naming asymmetry are noted — both are consistent patterns across the codebase and not changed here.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• api.github.com (HTTP Only)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.1/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0kap0pflzgx6ry7ccfo5lsi4s.0vwooil.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.1/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0naqtgjvtt2z08o9r2bsy3vsy.0vwooil.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0nnltlwjhbi2sierv2z2e0v4q.0vwooil.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0o1xeyrih15x5nieshxwa0lh0.0vwooil.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0yer5cdrtd7z3opj1bbslv708.0vwooil.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2kxma�� /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2nkx7ezwyyqca5jhkfvfksmjz.1fiqcl3.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2tuk7drm704exbz4hyppemjx0.1fiqcl3.rcgu.o g/de�� lib/rustlib/x86_-plugin-opt=/usr/libexec/gcc/x86_64-linux-gnu/13/lto-wrapper lib/rustlib/x86_-plugin-opt=-fresolution=/tmp/cc8Gj9N5.res mbols.o 481cafea220ba5.ccc 481cafea220ba5.c-m64 481cafea220ba5.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/rustcykXsm1/symbols.o 481cafea220ba5.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.0/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.06qu1f5hupwnv3rp5dlc858cl.0vwooil.rcgu.o (packet block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com e-48�� e-486665cf5f9386-Wl,--as-needed e-486665cf5f9386-Wl,-Bstatic lib/rustlib/x86_64-REDACTED-linux-gnu/bin/gcc-ld/ld.lld e-486665cf5f9386grep e-486665cf5f9386-E e-486665cf5f9386FAILED|test result lib/rustlib/x86_64-REDACTED-linux-gnu/bin/gcc-ld/ld.lld e-48�� e-486665cf5f938638.schemars_derive.8ab7bd81af8422e1-cgu.13.rcgu.o e-486665cf5f938638.schemars_derive.8ab7bd81af8422e1-cgu.14.rcgu.o s/rustc9GlIiA/symbols.o d30fe3.rlib s/derive_more_imshow s/derive_more_im197a27f6247316f374f6d2297b11cb1311b7c1c3:src/tools/update_work_item.rs s/derive_more_impl-04ebe6c200f92-m64 (packet block)
• dev.azure.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b9470e408.1h8m7eedzoqh87j6ntnde3cky.09j1nbu.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b9470e408.21isguhevtn32dqcdl1j05fjf.09j1nbu.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b9470e408.27hw7b2y70hemqls64pwyeeau.09j1nbu.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b9470e408.2ap69xa5jhcu8bzvi8nf665ru.09j1nbu.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/mcp_firewall_tests-551a308b9470e408.2l7sln5w36yyxwfvup96uk3iy.09j1nbu.rcgu.o 05cul8qphqegfqe5vic.1fye9tl.rcgu.o bchxj5yr94ahs4uiq41.1fye9tl.rcgu.o h1in3vj0oglz7fbumvv.1fye9tl.rcgu.o etptle6gzzclu1tmcpl.1fye9tl.rcgu.o o1qt1fu51yw4s960xxh.1fye9tl.rcgu.o 9jfck0qlt9cucd11yai.1fye9tl.rcgu.o r86157martb2448fzwm.1fye9tl.rcgu.o furqxktwvbvksfyum8x.1fye9tl.rcgu.o 51dh3klhzlopiy1g4zo.1fye9tl.rcgu.o cvjekm4j5cpq745kzi9.1fye9tl.rcgu.o lkh6kzls2sf8jzzx78f.1fye9tl.rcgu.o volwpbh40xx446gvcm4.1fye9tl.rcgu.o ev4plz0odikumibizcr.1fye9tl.rcgu.o flzgx6ry7ccfo5lsi4s.1fye9tl.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0yer5cdrtd7z3opj1bbslv708.0vwooil.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2kxma�� /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2nkx7ezwyyqca5jhkfvfksmjz.1fiqcl3.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2tuk7drm704exbz4hyppemjx0.1fiqcl3.rcgu.o g/de�� lib/rustlib/x86_--error-format=json lib/rustlib/x86_--json=diagnostic-rendered-ansi,artifacts,future-incompat mbols.o 481cafea220ba5.ccc 481cafea220ba5.c-m64 481cafea220ba5.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/rustcykXsm1/symbols.o 481cafea220ba5.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.0/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.06qu1f5hupwnv3rp5dlc858cl.0vwooil.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2 w6du63m9e7k3dgsssj3.0z4s149.rcgu.o mnk0v22975b7p1g8oc8.0z4s149.rcgu.o 18gjmaxdo7vm2jyfidd.0z4s149.rcgu.o n09t5bwvfg5z17tzt47.0z4s149.rcgu.o pdxubid09r01rfbxe14.0z4s149.rcgu.o a1wcaggmdlan99d9p82.0z4s149.rcgu.o 5dutswaws174h5iuhoq.0z4s149.rcgu.o l2k4lgotqksrier2b0t.0z4s149.rcgu.o baok3emibk8wmp8dmv4.0z4s149.rcgu.o ei7vdpaq7obds8871jq.0z4s149.rcgu.o xlpmca0zhfqp6snmsvp.0z4s149.rcgu.o jqdb�� mcvnkj9bu1o3lb6e5ty.0z4s149.rcgu.o 6qwjqasdataeuqsfx7b.0z4s149.rcgu.o known-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/bin/gcc-ld/ld.lld target/debug/buigit -incompat a43e9d259ea.bxjrcore.quotePath=false known-linux-gnu/diff (dns block)
• msazuresphere.visualstudio.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.0yer5cdrtd7z3opj1bbslv708.0vwooil.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2kxma�� /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2nkx7ezwyyqca5jhkfvfksmjz.1fiqcl3.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2tuk7drm704exbz4hyppemjx0.1fiqcl3.rcgu.o g/de�� lib/rustlib/x86_--error-format=json lib/rustlib/x86_--json=diagnostic-rendered-ansi,artifacts,future-incompat mbols.o 481cafea220ba5.ccc 481cafea220ba5.c-m64 481cafea220ba5.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/rustcykXsm1/symbols.o 481cafea220ba5.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.0/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-65dae42eaa050fb2.06qu1f5hupwnv3rp5dlc858cl.0vwooil.rcgu.o (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow api.github.com --allow dev.azure.com --allow *.visualstudio.com s/serde_derive-fhead s/serde_derive-f-10 s/serde_derive-f/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/libfnv-1e77ae8f0484c8fd.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld o (dns block)
• raw.github.com
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow *.github.com /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.1now /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.1-z /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2relro /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2-o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/ado_aw-5c39ca9a324ebf83 /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2kxma�� /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2nkx7ezwyyqca5jhkfvfksmjz.1fiqcl3.rcgu.o /home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.2tuk7drm704exbz4hyppemjx0.1fiqcl3.rcgu.o g/de�� lib/rustlib/x86_/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/async_trait-0d9946b44b5e2a43.a/home/REDACTED/.rustup/toolchains/stable-x86_64-REDACTED-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld lib/rustlib/x86_/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/async_trait-0d9946b44b5e2a43.a-flavor mbols.o 481cafea220ba5.ccc 481cafea220ba5.c-m64 481cafea220ba5.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/rustcykXsm1/symbols.o 481cafea220ba5.c/home/REDACTED/work/ado-aw/ado-aw/target/debug/deps/proxy_tests-90c56adb783e73e6.0-plugin-opt=-fresolution=/tmp/ccMhb9vl.res (dns block)
  • Triggering command: /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw /home/REDACTED/work/ado-aw/ado-aw/target/debug/ado-aw proxy --allow *.github.com 0e40�� 0e408.3temdhtm4ffo69ithuakg2um5.09j1nbu.rcgu.o 0e408.41v4l3e5zaegnl73vi7fbejoa.09j1nbu.rcgu.o f/jiff-0.2.18/src/lib.rs e-486665cf5f9386bash e-486665cf5f9386--norc e-486665cf5f9386--noprofile e-486665cf5f9386feature="derive" e-48�� mbols.o ests-551a308b9470e408.00mdgrb20p5x77eazk2p9gjyy.09j1nbu.rcgu.o lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld ests-551a308b947git ests-551a308b947show ests-551a308b947197a27f6247316f374f6d2297b11cb1311b7c1c3:src/tools/update_work_item.rs lib/rustlib/x86_64-REDACTED-linux-gnu/bin/rust-lld (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)