[guard-coverage] Guard coverage gap: 1 write operation from github-mcp-server not classified

[github-actions]

Summary

The GitHub guard does not fully cover 1 write operation from the github-mcp-server. The upstream server added a new discussion_comment_write tool that is missing from both WRITE_OPERATIONS and READ_WRITE_OPERATIONS in tools.rs. This allows agents to create/edit discussion comments without triggering DIFC write-path checks.

• MCP tools scanned: 105 (↑ from 102 last run — 3 new tools added upstream)
• CLI write commands scanned: 52
• Guard-covered write tools (tools.rs): 88 (57 write + 31 read-write)
• New gaps found this run: 1

---

MCP Tool Classification Gaps (tools.rs)

This MCP tool performs write/mutating operations but is missing from WRITE_OPERATIONS or READ_WRITE_OPERATIONS in guards/github-guard/rust-guard/src/tools.rs:

Tool Name	Operation Type	Suggested Classification	Notes
discussion_comment_write	write	WRITE_OPERATIONS	Creates or edits GitHub Discussion comments via GraphQL mutations (addDiscussionComment / updateDiscussionComment)

Suggested fix for tools.rs

// Add to WRITE_OPERATIONS:
pub const WRITE_OPERATIONS: &[&str] = &[
    // ... existing entries ...
    "discussion_comment_write",  // creates or edits GitHub Discussion comments
];

---

MCP Tool DIFC Labeling Gaps (tool_rules.rs)

In addition to the classification gap, the following new upstream tools have no explicit match arm in apply_tool_labels:

Tool Name	Data Scope	Suggested Labels	Risk
discussion_comment_write	repo-scoped	secrecy: S(repo), integrity: writer	High (write path, no DIFC rule)
list_repository_collaborators	repo-scoped	secrecy: S(repo), integrity: reader	Low (read-only, but returns who has write/admin access)

For discussion_comment_write, add a match arm modeled after other *_write tools (e.g., issue_write).
For list_repository_collaborators, add a match arm modeled after other repo-scoped list tools (e.g., list_issues).

---

References

• github-mcp-server tools.go
• github-mcp-server discussions.go
• guard tools.rs
• guard tool_rules.rs
• Run: §25951429906

Generated by GitHub Guard Coverage Checker (MCP + CLI) · ● 1.2M · ◷

• expires on May 30, 2026, 3:24 AM UTC

[github-actions]

🤖 This is an automated response from Repo Assist.

I verified the findings in this report against the current codebase. Both gaps are confirmed:

Gap 1 — discussion_comment_write missing from WRITE_OPERATIONS (tools.rs)

Searching tools.rs for "discussion" returns zero results — the tool is entirely absent from WRITE_OPERATIONS and READ_WRITE_OPERATIONS. The fix is a one-line addition to WRITE_OPERATIONS (alongside other *_write tools like label_write, projects_write):

// tools.rs — WRITE_OPERATIONS array (around line 24)
"discussion_comment_write",  // adds/edits GitHub Discussion comments

Gap 2 — discussion_comment_write and list_repository_collaborators missing from tool_rules.rs

tool_rules.rs has existing match arms for read-only discussion tools (get_discussion, get_discussion_comments, list_discussions, list_discussion_categories) but no arm for discussion_comment_write. The new tool needs:

• A write-path arm modelled on "issue_write" (secrecy: S(repo), integrity: writer-level)
• A similar arm for list_repository_collaborators modelled on existing list tools (secrecy: S(repo), integrity: reader-level)

Both changes are self-contained and low-risk. I'll pick this up in a future fix run unless a maintainer gets to it first.

Generated by Repo Assist · ● 1.3M · ◷

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55