feat: proxy pre-agent gh CLI calls through DIFC gateway (#2294)

## Summary

Routes all pre-agent `gh` CLI calls in `repo-assist` through the MCP
gateway DIFC proxy, applying the same `min-integrity: merged` policy
that governs the agent's MCP tool calls.

## Problem

The repo-assist workflow runs several `gh` CLI calls **before** the
agent starts (issue list, PR list, repo-memory clone). These calls
bypass the DIFC pipeline entirely — the agent's guard policy only
applies to MCP tool calls during the agent phase.

## Solution

Add two steps to `repo-assist.lock.yml`:

### Start DIFC Proxy (before first `GH_TOKEN` step)
- Runs `ghcr.io/github/gh-aw-mcpg:v0.1.19` in proxy mode with TLS on
port 18443
- Same policy as agent:
`{"allow-only":{"repos":["github/*"],"min-integrity":"merged"}}`
- Adds proxy CA cert to system trust store (`update-ca-certificates`) so
`gh` CLI (Go) trusts it
- Writes `GH_HOST=localhost:18443` to `$GITHUB_ENV` — all subsequent
steps inherit it

### Stop DIFC Proxy (before agent execution)
- Stops the proxy container
- Clears `GH_HOST` from `$GITHUB_ENV` to prevent leaking into `awf
--env-all`

## Steps Covered

| Pre-Agent Step | Uses `GH_TOKEN` | Proxied | Mechanism |
|---|---|---|---|
| Configure gh CLI for GHE | ✅ | ✅ | `$GITHUB_ENV` |
| Fetch repo data (gh issue/pr list) | ✅ | ✅ | `$GITHUB_ENV` |
| Clone repo-memory branch | ✅ | ✅ | `$GITHUB_ENV` |
| Checkout PR branch | ✅ | ❌ | Uses Octokit, not `gh` CLI |
| Install Copilot CLI | — | ❌ | Explicit `GH_HOST: github.com` override
|
| Agent (awf container) | — | ❌ | `GH_HOST` cleared before agent |

## Design Decisions

- **`$GITHUB_ENV` over per-step env vars**: Propagates to
framework-injected steps (clone-repo-memory) that we can't modify from
the `.md` source
- **System CA trust store**: `gh` CLI uses Go's `http.DefaultTransport`
which reads system CAs — `NODE_EXTRA_CA_CERTS` only works for Node.js
- **Port 18443**: Avoids conflict with the agent's MCP gateway (port 80)
- **Graceful fallback**: If proxy fails to start, workflow continues
with direct API access
- **Lock file only**: Editing `.lock.yml` directly for debugging; `.md`
source changes will follow once validated

## Testing

This is a lock file change — needs to be validated by running the
repo-assist workflow in CI.

Author: lpcox

.github/workflows/repo-assist.lock.yml

@@ -1034,12 +1034,16 @@ pub fn commit_integrity(
 /// Trusted bots:
 /// - dependabot[bot]: GitHub dependency updater
 /// - github-actions[bot]: GitHub Actions workflow actor (GITHUB_TOKEN)
+/// - github-actions: GitHub Actions workflow actor (without [bot] suffix, as returned by some APIs)
+/// - app/github-actions: GitHub Actions workflow actor (with app/ prefix, as returned by gh CLI)
 /// - github-merge-queue[bot]: GitHub merge queue automation
 /// - copilot: GitHub Copilot AI assistant
 pub fn is_trusted_first_party_bot(username: &str) -> bool {
     let lower = username.to_lowercase();
     lower == "dependabot[bot]"
         || lower == "github-actions[bot]"
+        || lower == "github-actions"
+        || lower == "app/github-actions"
         || lower == "github-merge-queue[bot]"
         || lower == "copilot"
 }

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -847,7 +847,8 @@ mod tests {
         // Not bots
         assert!(!is_trusted_first_party_bot("octocat"));
         assert!(!is_trusted_first_party_bot("dependabot"));
-        assert!(!is_trusted_first_party_bot("github-actions"));
+        assert!(is_trusted_first_party_bot("github-actions"));
+        assert!(is_trusted_first_party_bot("app/github-actions"));
         assert!(!is_trusted_first_party_bot(""));
     }
 
@@ -893,6 +894,16 @@ mod tests {
             writer_integrity(repo, &ctx)
         );
 
+        // github-actions without [bot] suffix (as returned by some APIs)
+        let actions_no_bot_issue = json!({
+            "user": {"login": "github-actions"},
+            "author_association": "NONE"
+        });
+        assert_eq!(
+            issue_integrity(&actions_no_bot_issue, repo, false, &ctx),
+            writer_integrity(repo, &ctx)
+        );
+
         // Non-trusted bot still gets none integrity on public repo
         let renovate_issue = json!({
             "user": {"login": "renovate[bot]"},

guards/github-guard/rust-guard/src/labels/mod.rs

@@ -35,6 +35,10 @@ type graphqlPattern struct {
 
 // graphqlPatterns is the ordered list of GraphQL operation → tool name mappings.
 var graphqlPatterns = []graphqlPattern{
+	// Schema introspection queries (safe read-only metadata, no repo data)
+	{queryPattern: regexp.MustCompile(`(?i)__type\s*\(`), toolName: "graphql_introspection"},
+	{queryPattern: regexp.MustCompile(`(?i)__schema\b`), toolName: "graphql_introspection"},
+
 	// Issue operations (singular before plural — more specific first)
 	{queryPattern: regexp.MustCompile(`(?i)repository\s*\([^)]*\)\s*\{[^}]*\bissue\s*\(`), toolName: "issue_read"},
 	{queryPattern: regexp.MustCompile(`(?i)repository\s*\([^)]*\)\s*\{[^}]*\bissues\s*[\({]`), toolName: "list_issues"},
@@ -170,7 +174,9 @@ func extractOwnerRepo(variables map[string]interface{}, query string) (string, s
 }
 
 // IsGraphQLPath returns true if the request path is the GraphQL endpoint.
+// Accepts /graphql (after prefix strip), /api/v3/graphql (before strip),
+// and /api/graphql (GHES-style path used by gh CLI with GH_HOST).
 func IsGraphQLPath(path string) bool {
 	cleaned := strings.TrimSuffix(path, "/")
-	return cleaned == "/graphql" || cleaned == "/api/v3/graphql"
+	return cleaned == "/graphql" || cleaned == "/api/v3/graphql" || cleaned == "/api/graphql"
 }