Guard DIFC: add explicit label rules for notification writes and repository create/fork operations (#4300)

lpcox · web-flow · commit 8f964e0cf68e · 2026-04-21T17:14:12.000-07:00
The guard’s write classification was complete, but several mutating GitHub MCP tools could still inherit caller-provided DIFC labels via fallback behavior. This change removes that ambiguity for high-impact write paths by defining explicit secrecy/integrity outcomes. - **Notification write operations now have explicit DIFC semantics** - Added dedicated `apply_tool_labels` handling for: - `dismiss_notification` - `mark_all_notifications_read` - `manage_notification_subscription` - `manage_repository_notification_subscription` - These now resolve to: - `S = public` (`[]`) - `I = project:github` - baseline scope `github` - **Repository creation/fork operations split from repo-content writes** - Moved `create_repository` and `fork_repository` out of repo-content mutation grouping. - Added explicit account-scoped rule: - `S = public` (`[]`) - `I = writer(github)` - baseline scope `github` - **Coverage updates in label-rule tests** - Replaced single-tool notification assertion with grouped assertions for all notification management write tools. - Updated `fork_repository` expectations to github-scoped writer integrity/public secrecy. - Added `create_repository` test to lock intended DIFC behavior. ```rust // Notification management (explicit write semantics) "dismiss_notification" | "mark_all_notifications_read" | "manage_notification_subscription" | "manage_repository_notification_subscription" => { secrecy = vec![]; baseline_scope = "github".to_string(); integrity = project_github_label(ctx); } // Repo creation/fork (account-scoped writes) "create_repository" | "fork_repository" => { secrecy = vec![]; baseline_scope = "github".to_string(); integrity = writer_integrity("github", ctx); } ``` > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build1964592199/b509/launcher.test /tmp/go-build1964592199/b509/launcher.test -test.testlogfile=/tmp/go-build1964592199/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ache/go/1.25.9/x-p go x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build2556502756/b513/launcher.test /tmp/go-build2556502756/b513/launcher.test -test.testlogfile=/tmp/go-build2556502756/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s know�� .rlib 6b2b26a06.rlib 327.rlib 653.rlib z8tylr32cgwnziux/tmp/go-build197148868/b453/vet.cfg ruczucboywd9kbz6.0ufrg49.rcgu.o aiea5rg1toc6oekg.0ufrg49.rcgu.o fnr5�� p1agk9if6se1ud54.0ufrg49.rcgu.o fc88gtczrpthgg1u.0ufrg49.rcgu.o x_amd64/vet 5vmlrtxer9j2lnp9/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/link zucrirrh7hnf4z1l-o o4qlefxtp7qruodt/tmp/go-build2556502756/b507/guard.test x_amd64/vet` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build1964592199/b491/config.test /tmp/go-build1964592199/b491/config.test -test.testlogfile=/tmp/go-build1964592199/b491/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 64/src/runtime/c-p go x_amd64/compile` (dns block) > - Triggering command: `/tmp/go-build2556502756/b495/config.test /tmp/go-build2556502756/b495/config.test -test.testlogfile=/tmp/go-build2556502756/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s -o ithub-guard/rust-guard/target/debug/build/serde-0c0d3ac83fe3437f/rustcMFMlVN/symbols.o ithub-guard/rust-guard/target/debug/build/serde-0c0d3ac83fe3437f/build_script_build-0c0d3ac83fe3/tmp/go-build197148868/b384/vet.cfg ithub-guard/rust-guard/target/debug/build/serde-0c0d3ac83fe3437f/build_script_build-0c0d3ac83fe3437f.build_scrip/tmp/go-build1020409741/b001/exe/a.out ithub-guard/rust/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/vet ild-e2b702800175/tmp/go-build197148868/b292/vet.cfg ild-e2b702800175437e.f3itfh70g07-m known-linux-gnu/lib/rustlib/x86_fix(guard): enforce explicit DIFC labels for notification management and repo cr-buildid=dcc-Xk-BVFiljIesDi3n/H9wQikqwjRQnx90KP6dH/hKNTvz9caF-1eL6QKuz0/dcc-Xk-B-unsafeptr=false know�� known-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libobject-926daa94a00ee327.rlib known-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libmemchr-48d5b0db80402653.rlib known-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libaddr2line-3367f26bd486b29d.rlib known-linux-gnu//opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/vet known-linux-gnu//tmp/go-build197148868/b425/vet.cfg known-linux-gnu/lib/rustlib/x86_/tmp/go-build197148868/b039/vet.cfg known-linux-gnu/lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libstd_detect-b16e5cb5eba3e0fd.rlib` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build1964592199/b509/launcher.test /tmp/go-build1964592199/b509/launcher.test -test.testlogfile=/tmp/go-build1964592199/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ache/go/1.25.9/x-p go x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build2556502756/b513/launcher.test /tmp/go-build2556502756/b513/launcher.test -test.testlogfile=/tmp/go-build2556502756/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s know�� .rlib 6b2b26a06.rlib 327.rlib 653.rlib z8tylr32cgwnziux/tmp/go-build197148868/b453/vet.cfg ruczucboywd9kbz6.0ufrg49.rcgu.o aiea5rg1toc6oekg.0ufrg49.rcgu.o fnr5�� p1agk9if6se1ud54.0ufrg49.rcgu.o fc88gtczrpthgg1u.0ufrg49.rcgu.o x_amd64/vet 5vmlrtxer9j2lnp9/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/link zucrirrh7hnf4z1l-o o4qlefxtp7qruodt/tmp/go-build2556502756/b507/guard.test x_amd64/vet` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build1964592199/b509/launcher.test /tmp/go-build1964592199/b509/launcher.test -test.testlogfile=/tmp/go-build1964592199/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ache/go/1.25.9/x-p go x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build2556502756/b513/launcher.test /tmp/go-build2556502756/b513/launcher.test -test.testlogfile=/tmp/go-build2556502756/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s know�� .rlib 6b2b26a06.rlib 327.rlib 653.rlib z8tylr32cgwnziux/tmp/go-build197148868/b453/vet.cfg ruczucboywd9kbz6.0ufrg49.rcgu.o aiea5rg1toc6oekg.0ufrg49.rcgu.o fnr5�� p1agk9if6se1ud54.0ufrg49.rcgu.o fc88gtczrpthgg1u.0ufrg49.rcgu.o x_amd64/vet 5vmlrtxer9j2lnp9/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/link zucrirrh7hnf4z1l-o o4qlefxtp7qruodt/tmp/go-build2556502756/b507/guard.test x_amd64/vet` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build1964592199/b518/mcp.test /tmp/go-build1964592199/b518/mcp.test -test.testlogfile=/tmp/go-build1964592199/b518/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true proto/proto.go s/alert.go x_amd64/compile -o lts /tmp/cc9cHcxs.s x_amd64/compile -I g_.a 4592199/b165/ x_amd64/vet --gdwarf-5 ternal/sys -o x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build2556502756/b522/mcp.test /tmp/go-build2556502756/b522/mcp.test -test.testlogfile=/tmp/go-build2556502756/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s ithu�� ithub-guard/rust-guard/target/debug/deps/github_guard-57d41235e07a5585.3r7b32ab9hw1mmy6a1aekmmsh/usr/libexec/docker/docker-init ithub-guard/rust-guard/target/debug/deps/github_guard-57d41235e07a5585.485oswk5h4p2kq4dabhq5b2ke--version x_amd64/vet 6e1dc71b.rlib m/github/gh-aw-m--version -nilfunc x_amd64/vet n-me�� aw-mcpg/guards/github-guard/rust-guard/target/debug/deps/rustcq8hDXS/symbols.o aw-mcpg/guards/github-guard/rust-guard/target/debug/deps/github_guard-57d41235e07a5585.0r6f2y9pm/usr/bin/runc x_amd64/vet aw-mcpg/guards/gbash aw-mcpg/guards/g/usr/bin/runc aw-mcpg/guards/g--version x_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/guards/github-guard/rust-guard/src/labels/mod.rs b/guards/github-guard/rust-guard/src/labels/mod.rs
@@ -4614,22 +4614,31 @@ mod tests {
     }
 
     #[test]
-    fn test_apply_tool_labels_dismiss_notification_private_user() {
+    fn test_apply_tool_labels_notification_management_public_project_github() {
         let ctx = default_ctx();
         let tool_args = json!({ "threadId": "123" });
 
-        let (secrecy, integrity, _desc) = apply_tool_labels(
+        for tool in &[
             "dismiss_notification",
-            &tool_args,
-            "",
-            vec![],
-            vec![],
-            String::new(),
-            &ctx,
-        );
+            "mark_all_notifications_read",
+            "manage_notification_subscription",
+            "manage_repository_notification_subscription",
+        ] {
+            let (secrecy, integrity, _desc) =
+                apply_tool_labels(tool, &tool_args, "", vec![], vec![], String::new(), &ctx);
 
-        assert_eq!(secrecy, private_user_label(), "dismiss_notification must carry private:user secrecy");
-        assert_eq!(integrity, none_integrity("", &ctx), "dismiss_notification should have none-level integrity (references unknown content)");
+            assert!(
+                secrecy.is_empty(),
+                "{} should have empty (public) secrecy",
+                tool
+            );
+            assert_eq!(
+                integrity,
+                project_github_label(&ctx),
+                "{} should have project:github integrity",
+                tool
+            );
+        }
     }
 
     #[test]
@@ -4919,7 +4928,7 @@ mod tests {
             "repo": "copilot"
         });
 
-        let (_secrecy, integrity, _desc) = apply_tool_labels(
+        let (secrecy, integrity, _desc) = apply_tool_labels(
             "fork_repository",
             &tool_args,
             repo_id,
@@ -4929,7 +4938,38 @@ mod tests {
             &ctx,
         );
 
-        assert_eq!(integrity, writer_integrity(repo_id, &ctx), "fork_repository should have writer integrity");
+        assert!(secrecy.is_empty(), "fork_repository should have empty (public) secrecy");
+        assert_eq!(
+            integrity,
+            writer_integrity("github", &ctx),
+            "fork_repository should have writer integrity in github scope"
+        );
+    }
+
+    #[test]
+    fn test_apply_tool_labels_create_repository_writer_integrity() {
+        let ctx = default_ctx();
+        let repo_id = "github/copilot";
+        let tool_args = json!({
+            "name": "new-repo"
+        });
+
+        let (secrecy, integrity, _desc) = apply_tool_labels(
+            "create_repository",
+            &tool_args,
+            repo_id,
+            vec![],
+            vec![],
+            String::new(),
+            &ctx,
+        );
+
+        assert!(secrecy.is_empty(), "create_repository should have empty (public) secrecy");
+        assert_eq!(
+            integrity,
+            writer_integrity("github", &ctx),
+            "create_repository should have writer integrity in github scope"
+        );
     }
 
     #[test]
diff --git a/guards/github-guard/rust-guard/src/labels/tool_rules.rs b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
@@ -466,17 +466,26 @@ pub fn apply_tool_labels(
         }
 
         // === Notifications (user-scoped, private) ===
-        "list_notifications" | "get_notification_details"
-        | "dismiss_notification" | "mark_all_notifications_read"
-        | "manage_notification_subscription"
-        | "manage_repository_notification_subscription" => {
+        "list_notifications" | "get_notification_details" => {
             // Notifications are private to the authenticated user.
             // S = private:user
             // I = none (notifications reference external content of unknown trust)
             secrecy = private_user_label();
             integrity = vec![];
         }
 
+        // === Notification management (account-scoped writes) ===
+        "dismiss_notification"
+        | "mark_all_notifications_read"
+        | "manage_notification_subscription"
+        | "manage_repository_notification_subscription" => {
+            // These operations change notification/subscription state and return minimal metadata.
+            // S = public (empty); I = project:github
+            secrecy = vec![];
+            baseline_scope = "github".to_string();
+            integrity = project_github_label(ctx);
+        }
+
         // === Private GitHub-controlled metadata (user-associated): PII/org-structure sensitive ===
         "get_me"
         | "get_teams"
@@ -562,14 +571,23 @@ pub fn apply_tool_labels(
 
         // === Repo content and structure write operations ===
         "create_or_update_file" | "push_files" | "delete_file" | "create_branch"
-        | "update_pull_request_branch" | "create_repository" | "fork_repository" => {
+        | "update_pull_request_branch" => {
             // Write operations that modify repo content/structure.
             // S = S(repo) — response references repo-scoped content
             // I = writer (agent-authored content)
             secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
             integrity = writer_integrity(repo_id, ctx);
         }
 
+        // === Repository creation/fork (user/org-scoped writes) ===
+        "create_repository" | "fork_repository" => {
+            // Creating/forking repositories is account-scoped and does not return repo content.
+            // S = public (empty); I = writer(github)
+            secrecy = vec![];
+            baseline_scope = "github".to_string();
+            integrity = writer_integrity("github", ctx);
+        }
+
         // === Projects write operations (org-scoped) ===
         "projects_write"
         // Deprecated aliases that map to projects_write
diff --git a/guards/github-guard/rust-guard/src/lib.rs b/guards/github-guard/rust-guard/src/lib.rs
@@ -262,6 +262,12 @@ fn infer_scope_for_baseline(tool_name: &str, tool_args: &Value, repo_id: &str) -
     }
 
     match tool_name {
+        "dismiss_notification"
+        | "mark_all_notifications_read"
+        | "manage_notification_subscription"
+        | "manage_repository_notification_subscription"
+        | "create_repository"
+        | "fork_repository" => "github".to_string(),
         "search_code" | "search_issues" | "search_pull_requests" => {
             let query = tool_args
                 .get("query")
@@ -1159,6 +1165,74 @@ mod tests {
         assert_eq!(inferred, "github/gh-aw-mcpg");
     }
 
+    #[test]
+    fn infer_scope_for_baseline_uses_github_scope_for_notification_management_tools() {
+        let tool_args = json!({ "threadId": "123" });
+        for tool in &[
+            "dismiss_notification",
+            "mark_all_notifications_read",
+            "manage_notification_subscription",
+            "manage_repository_notification_subscription",
+        ] {
+            let inferred = infer_scope_for_baseline(tool, &tool_args, "");
+            assert_eq!(inferred, "github", "{} should infer github baseline scope", tool);
+        }
+    }
+
+    #[test]
+    fn infer_scope_for_baseline_uses_github_scope_for_repo_creation_tools() {
+        let tool_args = json!({ "name": "new-repo" });
+        for tool in &["create_repository", "fork_repository"] {
+            let inferred = infer_scope_for_baseline(tool, &tool_args, "");
+            assert_eq!(inferred, "github", "{} should infer github baseline scope", tool);
+        }
+    }
+
+    #[test]
+    fn notification_management_integrity_preserved_after_baseline() {
+        let ctx = PolicyContext::default();
+        let tool_args = json!({ "threadId": "123" });
+        for tool in &[
+            "dismiss_notification",
+            "mark_all_notifications_read",
+            "manage_notification_subscription",
+            "manage_repository_notification_subscription",
+        ] {
+            let (_, integrity, _) =
+                labels::apply_tool_labels(tool, &tool_args, "", vec![], vec![], String::new(), &ctx);
+            let baseline_scope = infer_scope_for_baseline(tool, &tool_args, "");
+            let after_baseline =
+                labels::ensure_integrity_baseline(&baseline_scope, integrity, &ctx);
+
+            assert_eq!(
+                after_baseline,
+                labels::project_github_label(&ctx),
+                "{} integrity should remain github-scoped after baseline enforcement",
+                tool
+            );
+        }
+    }
+
+    #[test]
+    fn repo_creation_integrity_preserved_after_baseline() {
+        let ctx = PolicyContext::default();
+        let tool_args = json!({ "name": "new-repo" });
+        for tool in &["create_repository", "fork_repository"] {
+            let (_, integrity, _) =
+                labels::apply_tool_labels(tool, &tool_args, "", vec![], vec![], String::new(), &ctx);
+            let baseline_scope = infer_scope_for_baseline(tool, &tool_args, "");
+            let after_baseline =
+                labels::ensure_integrity_baseline(&baseline_scope, integrity, &ctx);
+
+            assert_eq!(
+                after_baseline,
+                labels::writer_integrity("github", &ctx),
+                "{} integrity should remain github writer-scoped after baseline enforcement",
+                tool
+            );
+        }
+    }
+
     #[test]
     fn transfer_repository_integrity_is_blocked_after_ensure_baseline() {
         // Verify that the is_blocked_tool + blocked_integrity override logic produces
diff --git a/test/integration/binary_test.go b/test/integration/binary_test.go
@@ -25,47 +25,53 @@ func TestBinaryInvocation_RoutedMode(t *testing.T) {
 		t.Skip("Skipping binary integration test in short mode")
 	}
 
-	// Find the binary
 	binaryPath := findBinary(t)
 	t.Logf("Using binary: %s", binaryPath)
 
-	// Create a temporary config file
-	configFile := createTempConfig(t, map[string]interface{}{
-		"testserver": map[string]interface{}{
-			"command": "docker",
-			"args":    []string{"run", "--rm", "-i", "alpine:latest", "echo"},
-		},
-	})
-	defer os.Remove(configFile)
+	// Use an in-process mock backend to avoid Docker dependency
+	mockBackend := createMinimalMockMCPBackend(t)
+	defer mockBackend.Close()
 
-	// Start the server process
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
-	port := "13001" // Use a specific port for testing
+	port := "13001"
 	cmd := exec.CommandContext(ctx, binaryPath,
-		"--config", configFile,
+		"--config-stdin",
 		"--listen", "127.0.0.1:"+port,
 		"--routed",
 	)
 
-	// Capture output for debugging
+	configJSON := map[string]interface{}{
+		"mcpServers": map[string]interface{}{
+			"testserver": map[string]interface{}{
+				"type": "http",
+				"url":  mockBackend.URL + "/mcp",
+			},
+		},
+		"gateway": map[string]interface{}{
+			"port":   13001,
+			"domain": "localhost",
+			"apiKey": "test-token",
+		},
+	}
+	configBytes, _ := json.Marshal(configJSON)
+
 	var stdout, stderr bytes.Buffer
+	cmd.Stdin = bytes.NewReader(configBytes)
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 
 	if err := cmd.Start(); err != nil {
 		t.Fatalf("Failed to start server: %v", err)
 	}
 
-	// Ensure the process is killed at the end
 	defer func() {
 		if cmd.Process != nil {
 			cmd.Process.Kill()
 		}
 	}()
 
-	// Wait for server to start
 	serverURL := "http://127.0.0.1:" + port
 	if !waitForServer(t, serverURL+"/health", 10*time.Second) {
 		t.Logf("STDOUT: %s", stdout.String())
@@ -130,29 +136,43 @@ func TestBinaryInvocation_UnifiedMode(t *testing.T) {
 	binaryPath := findBinary(t)
 	t.Logf("Using binary: %s", binaryPath)
 
-	configFile := createTempConfig(t, map[string]interface{}{
-		"backend1": map[string]interface{}{
-			"command": "docker",
-			"args":    []string{"run", "--rm", "-i", "alpine:latest", "echo"},
-		},
-		"backend2": map[string]interface{}{
-			"command": "docker",
-			"args":    []string{"run", "--rm", "-i", "alpine:latest", "echo"},
-		},
-	})
-	defer os.Remove(configFile)
+	// Use in-process mock backends to avoid Docker dependency
+	mockBackend1 := createMinimalMockMCPBackend(t)
+	defer mockBackend1.Close()
+	mockBackend2 := createMinimalMockMCPBackend(t)
+	defer mockBackend2.Close()
 
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
 	port := "13002"
 	cmd := exec.CommandContext(ctx, binaryPath,
-		"--config", configFile,
+		"--config-stdin",
 		"--listen", "127.0.0.1:"+port,
 		"--unified",
 	)
 
+	configJSON := map[string]interface{}{
+		"mcpServers": map[string]interface{}{
+			"backend1": map[string]interface{}{
+				"type": "http",
+				"url":  mockBackend1.URL + "/mcp",
+			},
+			"backend2": map[string]interface{}{
+				"type": "http",
+				"url":  mockBackend2.URL + "/mcp",
+			},
+		},
+		"gateway": map[string]interface{}{
+			"port":   13002,
+			"domain": "localhost",
+			"apiKey": "test-token",
+		},
+	}
+	configBytes, _ := json.Marshal(configJSON)
+
 	var stdout, stderr bytes.Buffer
+	cmd.Stdin = bytes.NewReader(configBytes)
 	cmd.Stdout = &stdout
 	cmd.Stderr = &stderr
 
