Guard: ignore stale maintainer reactions when content is edited after endorsement (#4228)

Maintainer reactions were treated as evergreen endorsements, even if an
issue/PR/comment was edited after the reaction was added. This allowed
post-endorsement content mutation to retain `approved` integrity.

- **Stale endorsement detection in reaction evaluation**
- Updated `has_maintainer_reaction_with_callback()` to compare item and
reaction timestamps.
- If `item.updatedAt`/`updated_at` is newer than reaction
`createdAt`/`created_at`, that reaction is ignored for integrity
promotion/demotion.
- Timestamp extraction supports both camelCase and snake_case payload
variants already seen in guard inputs.

- **Observability for skipped reactions**
- Added debug logging when a reaction is skipped as stale, including
reactor, reaction type, and compared timestamps.

- **Coverage for timestamp edge cases**
  - Added focused unit tests for:
    - unmodified item + endorsement (counts)
    - item edited after endorsement (ignored)
    - endorsement after latest edit (counts)
    - mixed stale and fresh reactions (fresh still counts)
    - missing timestamps (preserves prior behavior)

```rust
if let (Some(item_updated), Some(reaction_created)) = (item_updated_at, reaction_created_at) {
    if item_updated > reaction_created {
        // stale endorsement/disapproval: content changed after reaction
        continue;
    }
}
```

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build4228467833/b509/launcher.test
/tmp/go-build4228467833/b509/launcher.test
-test.testlogfile=/tmp/go-build4228467833/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 1.0.9/bool.go
1.0.9/bool_func.go x_amd64/vet --gdwarf-5 ut-2993393641.c -o x_amd64/vet
1043�� g_.a -trimpath x_amd64/vet -p go-sdk/internal/-atomic
-lang=go1.24 x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3552295474/b513/launcher.test
/tmp/go-build3552295474/b513/launcher.test
-test.testlogfile=/tmp/go-build3552295474/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build4228467833/b491/config.test
/tmp/go-build4228467833/b491/config.test
-test.testlogfile=/tmp/go-build4228467833/b491/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
@v1.1.3/cpu/arm/arm.go 1043343/b166/ x_amd64/vet --gdwarf-5 backoff -o
x_amd64/vet 1043�� g_.a 1043343/b166/ x_amd64/vet -p 64 -lang=go1.24
x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3552295474/b495/config.test
/tmp/go-build3552295474/b495/config.test
-test.testlogfile=/tmp/go-build3552295474/b495/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 1043��
/tmp/go-build212/home/REDACTED/work/gh-aw-mcpg/gh-aw-mcpg/guards/github-guard/rust-guard/target/degit
-goversion bin/rustc -c=4 -nolocalimports -importcfg bin/rustc /tmp��
/home/REDACTED/go//home/REDACTED/work/gh-aw-mcpg/gh-aw-mcpg/guards/github-guard/rust-guard/target/de/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/vet
/home/REDACTED/go//home/REDACTED/work/gh-aw-mcpg/gh-aw-mcpg/guards/github-guard/rust-guard/target/de/tmp/go-build4250267068/b498/vet.cfg
.cfg /endpointshardingit 777.build_scriptpush 777.dq1kj865068v-v
-guard/target/deorigin` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build4228467833/b509/launcher.test
/tmp/go-build4228467833/b509/launcher.test
-test.testlogfile=/tmp/go-build4228467833/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 1.0.9/bool.go
1.0.9/bool_func.go x_amd64/vet --gdwarf-5 ut-2993393641.c -o x_amd64/vet
1043�� g_.a -trimpath x_amd64/vet -p go-sdk/internal/-atomic
-lang=go1.24 x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3552295474/b513/launcher.test
/tmp/go-build3552295474/b513/launcher.test
-test.testlogfile=/tmp/go-build3552295474/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build4228467833/b509/launcher.test
/tmp/go-build4228467833/b509/launcher.test
-test.testlogfile=/tmp/go-build4228467833/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true 1.0.9/bool.go
1.0.9/bool_func.go x_amd64/vet --gdwarf-5 ut-2993393641.c -o x_amd64/vet
1043�� g_.a -trimpath x_amd64/vet -p go-sdk/internal/-atomic
-lang=go1.24 x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3552295474/b513/launcher.test
/tmp/go-build3552295474/b513/launcher.test
-test.testlogfile=/tmp/go-build3552295474/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build4228467833/b518/mcp.test
/tmp/go-build4228467833/b518/mcp.test
-test.testlogfile=/tmp/go-build4228467833/b518/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
om/tetratelabs/w-errorsas om/tetratelabs/w-ifaceassert x_amd64/vet .
--gdwarf2 --64 x_amd64/vet .cfg�� 1043343/b261/_pkg_.a
/tmp/go-build2121043343/b298/ x_amd64/vet .
telabs/wazero/in/usr/bin/runc --64 x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3552295474/b522/mcp.test
/tmp/go-build3552295474/b522/mcp.test
-test.testlogfile=/tmp/go-build3552295474/b522/testlog.txt
-test.paniconexit0 -test.timeout=10m0s lib/��
lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libobject-926daa94a00ee327.rlib
lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libmemchr-48d5b0db80402653.rlib
lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libaddr2line-3367f26bd486b29d.rlib
lib/rustlib/x86_bash lib/rustlib/x86_/usr/bin/runc
lib/rustlib/x86_--version 05ed-cgu.00.rcgu.o 05ed�� 05ed-cgu.02.rcgu.o
05ed-cgu.03.rcgu.o 05ed-cgu.04.rcgu.o 05ed-cgu.05.rcgubash
05ed-cgu.06.rcgu/usr/bin/runc 05ed-cgu.07.rcgu--version
05ed-cgu.08.rcgu.o` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -467,6 +467,14 @@ pub fn has_maintainer_reaction_with_callback(
     };
 
     let endorser_min_rank = integrity_level_rank(endorser_min);
+    let item_updated_at = item
+        .get("lastEditedAt")
+        .or_else(|| item.get("editedAt"))
+        .or_else(|| item.get("last_edited_at"))
+        .or_else(|| item.get("edited_at"))
+        .or_else(|| item.get("updatedAt"))
+        .or_else(|| item.get("updated_at"))
+        .and_then(|v| v.as_str());
 
     for node in nodes.iter().take(MAX_REACTIONS_TO_CHECK) {
         let content = match node.get("content").and_then(|v| v.as_str()) {
@@ -490,6 +498,26 @@ pub fn has_maintainer_reaction_with_callback(
             None => continue,
         };
 
+        let reaction_created_at = node
+            .get("createdAt")
+            .or_else(|| node.get("created_at"))
+            .and_then(|v| v.as_str());
+        if let (Some(item_updated), Some(reaction_created)) = (item_updated_at, reaction_created_at) {
+            if item_updated > reaction_created {
+                crate::log_debug(&format!(
+                    "[integrity] {}: skipping stale {} reaction {} from @{} \
+                     (item updatedAt={} > reaction createdAt={})",
+                    repo_full_name,
+                    reaction_kind,
+                    content,
+                    login,
+                    item_updated,
+                    reaction_created
+                ));
+                continue;
+            }
+        }
+
         // Fetch reactor's collaborator permission to determine their integrity level.
         let perm = super::backend::get_collaborator_permission_with_callback(
             callback, owner, repo, login,
@@ -2008,6 +2036,101 @@ mod tests {
         ));
     }
 
+    #[test]
+    fn test_has_maintainer_reaction_honors_unmodified_item_endorsement() {
+        let ctx = ctx_with_endorsement_reactions(vec!["THUMBS_UP"]);
+        let item = serde_json::json!({
+            "number": 42,
+            "updatedAt": "2026-04-20T00:00:00Z",
+            "reactions": {"nodes": [{
+                "user": {"login": "alice"},
+                "content": "THUMBS_UP",
+                "createdAt": "2026-04-20T00:00:00Z"
+            }]}
+        });
+        assert!(has_maintainer_reaction_with_callback(
+            &item, "owner/repo", &ctx.endorsement_reactions, "approved", &ctx,
+            admin_permission_callback, "endorsement"
+        ));
+    }
+
+    #[test]
+    fn test_has_maintainer_reaction_skips_stale_endorsement_after_edit() {
+        let ctx = ctx_with_endorsement_reactions(vec!["THUMBS_UP"]);
+        let item = serde_json::json!({
+            "number": 42,
+            "updatedAt": "2026-04-21T00:00:00Z",
+            "reactions": {"nodes": [{
+                "user": {"login": "alice"},
+                "content": "THUMBS_UP",
+                "createdAt": "2026-04-20T00:00:00Z"
+            }]}
+        });
+        assert!(!has_maintainer_reaction_with_callback(
+            &item, "owner/repo", &ctx.endorsement_reactions, "approved", &ctx,
+            admin_permission_callback, "endorsement"
+        ));
+    }
+
+    #[test]
+    fn test_has_maintainer_reaction_honors_endorsement_added_after_edit() {
+        let ctx = ctx_with_endorsement_reactions(vec!["THUMBS_UP"]);
+        let item = serde_json::json!({
+            "number": 42,
+            "updated_at": "2026-04-20T00:00:00Z",
+            "reactions": {"nodes": [{
+                "user": {"login": "alice"},
+                "content": "THUMBS_UP",
+                "createdAt": "2026-04-21T00:00:00Z"
+            }]}
+        });
+        assert!(has_maintainer_reaction_with_callback(
+            &item, "owner/repo", &ctx.endorsement_reactions, "approved", &ctx,
+            admin_permission_callback, "endorsement"
+        ));
+    }
+
+    #[test]
+    fn test_has_maintainer_reaction_counts_fresh_when_stale_and_fresh_mixed() {
+        let ctx = ctx_with_endorsement_reactions(vec!["THUMBS_UP"]);
+        let item = serde_json::json!({
+            "number": 42,
+            "updatedAt": "2026-04-21T00:00:00Z",
+            "reactions": {"nodes": [
+                {
+                    "user": {"login": "alice"},
+                    "content": "THUMBS_UP",
+                    "createdAt": "2026-04-20T00:00:00Z"
+                },
+                {
+                    "user": {"login": "bob"},
+                    "content": "THUMBS_UP",
+                    "createdAt": "2026-04-22T00:00:00Z"
+                }
+            ]}
+        });
+        assert!(has_maintainer_reaction_with_callback(
+            &item, "owner/repo", &ctx.endorsement_reactions, "approved", &ctx,
+            admin_permission_callback, "endorsement"
+        ));
+    }
+
+    #[test]
+    fn test_has_maintainer_reaction_missing_timestamps_keeps_existing_behavior() {
+        let ctx = ctx_with_endorsement_reactions(vec!["THUMBS_UP"]);
+        let item = serde_json::json!({
+            "number": 42,
+            "reactions": {"nodes": [{
+                "user": {"login": "alice"},
+                "content": "THUMBS_UP"
+            }]}
+        });
+        assert!(has_maintainer_reaction_with_callback(
+            &item, "owner/repo", &ctx.endorsement_reactions, "approved", &ctx,
+            admin_permission_callback, "endorsement"
+        ));
+    }
+
     #[test]
     fn test_cap_integrity_at_none() {
         let ctx = test_ctx();