[gateway] Correct commit integrity elevation for personal repos on non-default refs (#4283)

`list_commits`/`get_commit` on non-default refs could label
owner-authored commits in public personal repos as `none:*` because
commit payloads often lack `author_association`, and
collaborator-permission elevation was org-gated. This caused valid
commits to be filtered when `min-integrity` was `approved`.

- **Integrity elevation path**
- Removed org-only short-circuit in
`elevate_via_collaborator_permission`, so public personal repos can use
collaborator-permission fallback the same as org repos.
- Updated inline docs/comments to reflect the generalized behavior
(missing/`NONE` association handling, not org-specific).

- **Commit owner fast-path**
  - In `commit_integrity`, added a public-repo owner match shortcut:
- when `author.login` matches the repo owner segment of `owner/repo`,
integrity is raised to at least `writer`.
- This covers the common `list_commits` shape where `author_association`
is absent.

- **Targeted tests**
- Added coverage for owner-authored commits on public personal repos
without `author_association`, asserting writer-level integrity.
- Updated collaborator-permission fallback test semantics to match the
new non-org behavior.

```rust
if !repo_private {
    if let Some((owner, _)) = repo_full_name.split_once('/') {
        if author_login.eq_ignore_ascii_case(owner) {
            integrity = max_integrity(
                repo_full_name,
                integrity,
                writer_integrity(repo_full_name, ctx),
                ctx,
            );
        }
    }
    integrity = elevate_via_collaborator_permission(
        author_login,
        repo_full_name,
        "commit",
        &format!("{}@{}", repo_full_name, short_sha),
        integrity,
        ctx,
    );
}
```

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build2733438357/b509/launcher.test
/tmp/go-build2733438357/b509/launcher.test
-test.testlogfile=/tmp/go-build2733438357/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
rotocol/[email protected]/auth/auth.go
rotocol/[email protected]/auth/authorization_code.go x_amd64/vet --gdwarf-5
ternal/wasm/bina-atomic -o x_amd64/vet 6163��` (dns block)
> - Triggering command: `/tmp/go-build2946369755/b513/launcher.test
/tmp/go-build2946369755/b513/launcher.test
-test.testlogfile=/tmp/go-build2946369755/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s .o .o .o .o .o .o
f07e34dca1.build--stateless-rpc lib/rustlib/x86_--helper-status lib/��
lib/rustlib/x86_--verbose lib/rustlib/x86_--no-progress
lib/rustlib/x86_REDACTED lib/rustlib/x86_bash
lib/rustlib/x86_/usr/bin/runc lib/rustlib/x86_--version
lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libstd_detect-b16e5cb5eba3e0fd.rlib`
(dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2733438357/b491/config.test
/tmp/go-build2733438357/b491/config.test
-test.testlogfile=/tmp/go-build2733438357/b491/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
@v1.1.3/cpu/arm64/arm64.go 6163950/b151/ x_amd64/vet --gdwarf-5 pproxy
-o x_amd64/vet 6163�� g_.a GQCceE2Bv x_amd64/vet --gdwarf-5` (dns block)
> - Triggering command: `/tmp/go-build2946369755/b495/config.test
/tmp/go-build2946369755/b495/config.test
-test.testlogfile=/tmp/go-build2946369755/b495/testlog.txt
-test.paniconexit0 -test.timeout=10m0s .o .o .o .o .o .o .o .o .o .o .o
.o .o .o ndor/bin/as 2R/5XmsTr43ByGyUorigin` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build2733438357/b509/launcher.test
/tmp/go-build2733438357/b509/launcher.test
-test.testlogfile=/tmp/go-build2733438357/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
rotocol/[email protected]/auth/auth.go
rotocol/[email protected]/auth/authorization_code.go x_amd64/vet --gdwarf-5
ternal/wasm/bina-atomic -o x_amd64/vet 6163��` (dns block)
> - Triggering command: `/tmp/go-build2946369755/b513/launcher.test
/tmp/go-build2946369755/b513/launcher.test
-test.testlogfile=/tmp/go-build2946369755/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s .o .o .o .o .o .o
f07e34dca1.build--stateless-rpc lib/rustlib/x86_--helper-status lib/��
lib/rustlib/x86_--verbose lib/rustlib/x86_--no-progress
lib/rustlib/x86_REDACTED lib/rustlib/x86_bash
lib/rustlib/x86_/usr/bin/runc lib/rustlib/x86_--version
lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libstd_detect-b16e5cb5eba3e0fd.rlib`
(dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build2733438357/b509/launcher.test
/tmp/go-build2733438357/b509/launcher.test
-test.testlogfile=/tmp/go-build2733438357/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
rotocol/[email protected]/auth/auth.go
rotocol/[email protected]/auth/authorization_code.go x_amd64/vet --gdwarf-5
ternal/wasm/bina-atomic -o x_amd64/vet 6163��` (dns block)
> - Triggering command: `/tmp/go-build2946369755/b513/launcher.test
/tmp/go-build2946369755/b513/launcher.test
-test.testlogfile=/tmp/go-build2946369755/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s .o .o .o .o .o .o
f07e34dca1.build--stateless-rpc lib/rustlib/x86_--helper-status lib/��
lib/rustlib/x86_--verbose lib/rustlib/x86_--no-progress
lib/rustlib/x86_REDACTED lib/rustlib/x86_bash
lib/rustlib/x86_/usr/bin/runc lib/rustlib/x86_--version
lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libstd_detect-b16e5cb5eba3e0fd.rlib`
(dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2733438357/b518/mcp.test
/tmp/go-build2733438357/b518/mcp.test
-test.testlogfile=/tmp/go-build2733438357/b518/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 1n8gjiV1M -I
x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -W .cfg
olang.org/grpc@v-ifaceassert x_amd64/vet . --gdwarf2 --64 x_amd64/vet`
(dns block)
> - Triggering command: `/tmp/go-build2946369755/b522/mcp.test
/tmp/go-build2946369755/b522/mcp.test
-test.testlogfile=/tmp/go-build2946369755/b522/testlog.txt
-test.paniconexit0 -test.timeout=10m0s lib/��
lib/rustlib/x86_64-REDACTED-linux-gnu/lib/librustc_std_workspace_alloc-76b5fe9328c1063f.rlib
lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libminiz_oxide-2b6a8d2f6e1dc71b.rlib
ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet 64/src/runtime/cbash
sql/driver/drive/usr/bin/runc cal/bin/as
ache/go/1.25.9/x64/pkg/tool/linu/home/REDACTED/work/gh-aw-mcpg/gh-aw-mcpg/guards/github-guard/rust-guard/target/de-d
-ato��` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -1310,14 +1310,13 @@ pub fn collaborator_permission_floor(
 /// Rank threshold for writer-level integrity (none=1, reader=2, writer=3, merged=4).
 const WRITER_RANK: u8 = 3;
 
-/// Attempt to elevate integrity for an author in an org-owned repository
+/// Attempt to elevate integrity for an author in a public repository
 /// by checking their effective collaborator permission.
 ///
 /// When `author_association` gives insufficient integrity (below writer level),
 /// this function checks the user's effective permission via the GitHub
-/// collaborator permission API. This correctly handles org owners/admins whose
-/// `author_association` is reported as "NONE" because their access is inherited
-/// through org ownership rather than direct collaboration.
+/// collaborator permission API. This correctly handles owners/admins whose
+/// `author_association` is absent or reported as "NONE".
 ///
 /// Backend calls are cached per-user, so repeated lookups for the same author
 /// across list/search items are inexpensive.
@@ -1346,10 +1345,6 @@ pub fn elevate_via_collaborator_permission(
         Some((o, r)) if !o.is_empty() && !r.is_empty() => (o, r),
         _ => return integrity,
     };
-    let is_org = super::backend::is_repo_org_owned(owner, repo).unwrap_or(false);
-    if !is_org {
-        return integrity;
-    }
     crate::log_debug(&format!(
         "[integrity] {}:{}: author_association floor below writer (rank={}), checking collaborator permission for {}",
         resource_label, resource_id, integrity_rank(repo_full_name, &integrity, ctx), author_login
@@ -1676,8 +1671,23 @@ pub fn commit_integrity(
 
     let mut integrity = author_association_floor(item, repo_full_name, ctx);
 
-    // Collaborator permission fallback for org repos (handles org owners/admins
-    // whose author_association is "NONE" due to inherited org access).
+    // For public personal repositories, commit payloads often omit
+    // `author_association`. Ensure owner-authored commits still get writer floor.
+    if !repo_private {
+        if let Some((owner, _repo)) = repo_full_name.split_once('/') {
+            if author_login.eq_ignore_ascii_case(owner) {
+                integrity = max_integrity(
+                    repo_full_name,
+                    integrity,
+                    writer_integrity(repo_full_name, ctx),
+                    ctx,
+                );
+            }
+        }
+    }
+
+    // Collaborator permission fallback for public repos (handles owners/admins
+    // whose author_association is missing or "NONE").
     if !repo_private {
         let sha = item.get("sha").and_then(|v| v.as_str()).unwrap_or("unknown");
         let short_sha = if sha.len() > 8 { &sha[..8] } else { sha };

guards/github-guard/rust-guard/src/labels/mod.rs

@@ -826,6 +826,20 @@ mod tests {
         );
     }
 
+    #[test]
+    fn test_commit_integrity_owner_on_public_personal_repo_without_association() {
+        let ctx = default_ctx();
+        let repo = "ahmadabdalla/example";
+        let owner_commit = json!({
+            "author": {"login": "ahmadabdalla"}
+        });
+
+        assert_eq!(
+            commit_integrity(&owner_commit, repo, false, false, &ctx),
+            writer_integrity(repo, &ctx)
+        );
+    }
+
     #[test]
     fn test_trusted_first_party_bot_detection() {
         use super::helpers::is_trusted_first_party_bot;
@@ -5187,17 +5201,15 @@ mod tests {
     }
 
     #[test]
-    fn test_elevate_via_collab_permission_no_elevation_non_org_repo() {
-        // In test mode, is_repo_org_owned returns None (no cache) → unwrap_or(false)
-        // so the function should return integrity unchanged
+    fn test_elevate_via_collab_permission_lookup_failure_keeps_integrity() {
         let ctx = default_ctx();
         let repo = "github/copilot";
         let none = none_integrity(repo, &ctx);
         let result = helpers::elevate_via_collaborator_permission(
             "dsyme", repo, "issue", "github/copilot#42",
             none.clone(), &ctx,
         );
-        assert_eq!(result, none, "should return unchanged when repo is not org-owned (cache miss → false)");
+        assert_eq!(result, none, "should return unchanged when collaborator lookup yields no result");
     }
 
     #[test]