Align list_repository_collaborators DIFC integrity to reader-level (#5843)

lpcox · web-flow · commit 87c28129eaa5 · 2026-05-16T15:08:43.000-07:00
Compliance review found a mismatch between stated policy intent and
implementation for `list_repository_collaborators`: the PR rationale
specified reader integrity, but the guard assigned writer integrity.
This change resolves that discrepancy in code and tests so the tool’s
label semantics match the documented access-sensitive intent.

- **Policy alignment**
- Updated `list_repository_collaborators` in `tool_rules.rs` to assign
`reader_integrity(repo_id, ctx)` instead of `writer_integrity(repo_id,
ctx)`.
- Kept secrecy handling as private policy scope for
collaborator/permission metadata.

- **Documentation-in-code clarification**
- Updated the inline integrity comment from writer-level to reader-level
to reflect the intended trust boundary for access-sensitive collaborator
data.

- **Unit expectation update**
- Adjusted the dedicated test assertion to expect reader-level integrity
and updated the assertion message accordingly.

```rust
"list_repository_collaborators" =&gt; {
    // S = private policy scope
    // I = reader (access-sensitive metadata should not directly authorize writes)
    secrecy = policy_private_scope_label(&amp;owner, &amp;repo, repo_id, ctx);
    integrity = reader_integrity(repo_id, ctx);
}
```
diff --git a/guards/github-guard/rust-guard/src/labels/tool_rules.rs b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
@@ -388,9 +388,9 @@ pub fn apply_tool_labels(
             // Lists users with access to the repository; reveals who holds write/admin rights.
             // S = private policy scope — collaborator/permission information is access-controlled
             // even for public repositories.
-            // I = writer (GitHub-controlled repository access metadata)
+            // I = reader (access-sensitive metadata should not directly authorize writes)
             secrecy = policy_private_scope_label(&owner, &repo, repo_id, ctx);
-            integrity = writer_integrity(repo_id, ctx);
+            integrity = reader_integrity(repo_id, ctx);
         }
 
         // === Content Access ===
@@ -939,11 +939,11 @@ mod tests {
             &ctx,
         );
         let _ = secrecy; // secrecy inherits from repo visibility (backend unavailable in tests)
-        let expected_integrity = super::writer_integrity("octocat/hello-world", &ctx);
+        let expected_integrity = super::reader_integrity("octocat/hello-world", &ctx);
         assert_eq!(
             integrity,
             expected_integrity,
-            "list_repository_collaborators must produce writer-level integrity"
+            "list_repository_collaborators must produce reader-level integrity"
         );
     }
 }
