fix(guard): enforce explicit DIFC labels for notification management and repo creation writes

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/52471578-c908-4c54-a0a3-4ed6d7167541

Co-authored-by: lpcox <[email protected]>

Author: Copilot

guards/github-guard/rust-guard/src/labels/mod.rs

@@ -4614,22 +4614,31 @@ mod tests {
     }
 
     #[test]
-    fn test_apply_tool_labels_dismiss_notification_private_user() {
+    fn test_apply_tool_labels_notification_management_public_project_github() {
         let ctx = default_ctx();
         let tool_args = json!({ "threadId": "123" });
 
-        let (secrecy, integrity, _desc) = apply_tool_labels(
+        for tool in &[
             "dismiss_notification",
-            &tool_args,
-            "",
-            vec![],
-            vec![],
-            String::new(),
-            &ctx,
-        );
+            "mark_all_notifications_read",
+            "manage_notification_subscription",
+            "manage_repository_notification_subscription",
+        ] {
+            let (secrecy, integrity, _desc) =
+                apply_tool_labels(tool, &tool_args, "", vec![], vec![], String::new(), &ctx);
 
-        assert_eq!(secrecy, private_user_label(), "dismiss_notification must carry private:user secrecy");
-        assert_eq!(integrity, none_integrity("", &ctx), "dismiss_notification should have none-level integrity (references unknown content)");
+            assert!(
+                secrecy.is_empty(),
+                "{} should have empty (public) secrecy",
+                tool
+            );
+            assert_eq!(
+                integrity,
+                project_github_label(&ctx),
+                "{} should have project:github integrity",
+                tool
+            );
+        }
     }
 
     #[test]
@@ -4919,7 +4928,7 @@ mod tests {
             "repo": "copilot"
         });
 
-        let (_secrecy, integrity, _desc) = apply_tool_labels(
+        let (secrecy, integrity, _desc) = apply_tool_labels(
             "fork_repository",
             &tool_args,
             repo_id,
@@ -4929,7 +4938,38 @@ mod tests {
             &ctx,
         );
 
-        assert_eq!(integrity, writer_integrity(repo_id, &ctx), "fork_repository should have writer integrity");
+        assert!(secrecy.is_empty(), "fork_repository should have empty (public) secrecy");
+        assert_eq!(
+            integrity,
+            writer_integrity("github", &ctx),
+            "fork_repository should have writer integrity in github scope"
+        );
+    }
+
+    #[test]
+    fn test_apply_tool_labels_create_repository_writer_integrity() {
+        let ctx = default_ctx();
+        let repo_id = "github/copilot";
+        let tool_args = json!({
+            "name": "new-repo"
+        });
+
+        let (secrecy, integrity, _desc) = apply_tool_labels(
+            "create_repository",
+            &tool_args,
+            repo_id,
+            vec![],
+            vec![],
+            String::new(),
+            &ctx,
+        );
+
+        assert!(secrecy.is_empty(), "create_repository should have empty (public) secrecy");
+        assert_eq!(
+            integrity,
+            writer_integrity("github", &ctx),
+            "create_repository should have writer integrity in github scope"
+        );
     }
 
     #[test]

guards/github-guard/rust-guard/src/labels/tool_rules.rs

@@ -466,17 +466,26 @@ pub fn apply_tool_labels(
         }
 
         // === Notifications (user-scoped, private) ===
-        "list_notifications" | "get_notification_details"
-        | "dismiss_notification" | "mark_all_notifications_read"
-        | "manage_notification_subscription"
-        | "manage_repository_notification_subscription" => {
+        "list_notifications" | "get_notification_details" => {
             // Notifications are private to the authenticated user.
             // S = private:user
             // I = none (notifications reference external content of unknown trust)
             secrecy = private_user_label();
             integrity = vec![];
         }
 
+        // === Notification management (account-scoped writes) ===
+        "dismiss_notification"
+        | "mark_all_notifications_read"
+        | "manage_notification_subscription"
+        | "manage_repository_notification_subscription" => {
+            // These operations change notification/subscription state and return minimal metadata.
+            // S = public (empty); I = project:github
+            secrecy = vec![];
+            baseline_scope = "github".to_string();
+            integrity = project_github_label(ctx);
+        }
+
         // === Private GitHub-controlled metadata (user-associated): PII/org-structure sensitive ===
         "get_me"
         | "get_teams"
@@ -562,14 +571,23 @@ pub fn apply_tool_labels(
 
         // === Repo content and structure write operations ===
         "create_or_update_file" | "push_files" | "delete_file" | "create_branch"
-        | "update_pull_request_branch" | "create_repository" | "fork_repository" => {
+        | "update_pull_request_branch" => {
             // Write operations that modify repo content/structure.
             // S = S(repo) — response references repo-scoped content
             // I = writer (agent-authored content)
             secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
             integrity = writer_integrity(repo_id, ctx);
         }
 
+        // === Repository creation/fork (user/org-scoped writes) ===
+        "create_repository" | "fork_repository" => {
+            // Creating/forking repositories is account-scoped and does not return repo content.
+            // S = public (empty); I = writer(github)
+            secrecy = vec![];
+            baseline_scope = "github".to_string();
+            integrity = writer_integrity("github", ctx);
+        }
+
         // === Projects write operations (org-scoped) ===
         "projects_write"
         // Deprecated aliases that map to projects_write