Guard coverage: classify create_agent_task as read-write and blocked (#3139)

lpcox · web-flow · commit 893fa0201565 · 2026-04-03T20:52:10.000-07:00
`gh agent-task create` (`POST copilot-api/agents/swe/v1/jobs/{owner}/{repo}`) had no guard entry despite causing real repo mutations (branch creation + PR). Per agent instructions, this operation is read-write (reads task context, writes branch/PR) and unsupported (unconditionally blocked). ### `tools.rs` - Added `"create_agent_task"` to `READ_WRITE_OPERATIONS` — operation is classified as `"read-write"` in `label_resource` - Added `"create_agent_task"` to `is_blocked_tool()` — DIFC evaluator always denies it via `blocked_integrity` override, consistent with `transfer_repository`, `archive_repository`, etc. ### `labels/tool_rules.rs` - Added match arm for `create_agent_task` applying repo-visibility secrecy before the `blocked_integrity` override kicks in at `label_resource` ```rust // tools.rs pub const READ_WRITE_OPERATIONS: &[&str] = &[ // ...existing entries... "create_agent_task", // gh agent-task create — blocked: unsupported agent operation ]; pub fn is_blocked_tool(tool_name: &str) -> bool { matches!( tool_name, "transfer_repository" | "archive_repository" | "unarchive_repository" | "rename_repository" | "create_agent_task" ) } ``` > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build2534278610/b340/launcher.test /tmp/go-build2534278610/b340/launcher.test -test.testlogfile=/tmp/go-build2534278610/b340/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2534278610/b223/vet.cfg flib/difflib.go 64/src/runtime/cgo x_amd64/compile` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build2534278610/b322/config.test /tmp/go-build2534278610/b322/config.test -test.testlogfile=/tmp/go-build2534278610/b322/testlog.txt -test.paniconexit0 -test.timeout=10m0s rev-�� ternal/engine/wazevo/backend/isa/amd64/abi_entry_amd64.s` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build2534278610/b340/launcher.test /tmp/go-build2534278610/b340/launcher.test -test.testlogfile=/tmp/go-build2534278610/b340/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2534278610/b223/vet.cfg flib/difflib.go 64/src/runtime/cgo x_amd64/compile` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build2534278610/b340/launcher.test /tmp/go-build2534278610/b340/launcher.test -test.testlogfile=/tmp/go-build2534278610/b340/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2534278610/b223/vet.cfg flib/difflib.go 64/src/runtime/cgo x_amd64/compile` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build2534278610/b349/mcp.test /tmp/go-build2534278610/b349/mcp.test -test.testlogfile=/tmp/go-build2534278610/b349/testlog.txt -test.paniconexit0 -test.timeout=10m0s go_.�� @v1.1.3/ascii/eq-errorsas @v1.1.3/ascii/va-ifaceassert x_amd64/vet -I /tmp/go-build132/usr/bin/runc -I x_amd64/vet -I g_.a 0098554/b151/ x_amd64/vet -o /dev/null` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/guards/github-guard/rust-guard/src/labels/tool_rules.rs b/guards/github-guard/rust-guard/src/labels/tool_rules.rs
@@ -627,6 +627,15 @@ pub fn apply_tool_labels(
             integrity = writer_integrity(repo_id, ctx);
         }
 
+        // === Copilot coding-agent task (blocked: unsupported agent operation) ===
+        "create_agent_task" => {
+            // Creates a Copilot coding-agent job that modifies repo branches and opens a PR.
+            // Blocked via is_blocked_tool(); secrecy applied so the resource is correctly
+            // classified before the integrity override in label_resource.
+            // S = S(repo); I = blocked (override applied in label_resource)
+            secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
+        }
+
         // === Copilot agent operations (repo-scoped) ===
         "assign_copilot_to_issue" | "request_copilot_review" => {
             // Copilot assignment/review requests return repo-scoped content.
diff --git a/guards/github-guard/rust-guard/src/tools.rs b/guards/github-guard/rust-guard/src/tools.rs
@@ -62,6 +62,9 @@ pub const READ_WRITE_OPERATIONS: &[&str] = &[
     "issue_write",
     "sub_issue_write",
     "update_gist",
+    // Pre-emptive entries for anticipated future MCP tools (no equivalent tool today)
+    // gh agent-task create — creates a Copilot coding-agent job (branch + PR); blocked as unsupported
+    "create_agent_task",
 ];
 
 /// Check if a tool is a write operation
@@ -121,10 +124,16 @@ pub fn is_unlock_operation(tool_name: &str) -> bool {
 ///   symmetric to `archive_repository` and equally unsupported.
 /// - `rename_repository`: renames a repository, breaking all clone URLs, webhooks, and external
 ///   references; unsupported as an agent operation.
+/// - `create_agent_task`: creates a Copilot coding-agent job that opens a branch and PR;
+///   unsupported as a directly invocable agent operation.
 pub fn is_blocked_tool(tool_name: &str) -> bool {
     matches!(
         tool_name,
-        "transfer_repository" | "archive_repository" | "unarchive_repository" | "rename_repository"
+        "transfer_repository"
+            | "archive_repository"
+            | "unarchive_repository"
+            | "rename_repository"
+            | "create_agent_task"
     )
 }
 
@@ -210,4 +219,20 @@ mod tests {
             );
         }
     }
+
+    #[test]
+    fn test_create_agent_task_is_read_write_and_blocked() {
+        assert!(
+            is_read_write_operation("create_agent_task"),
+            "create_agent_task must be classified as a read-write operation"
+        );
+        assert!(
+            is_blocked_tool("create_agent_task"),
+            "create_agent_task must be unconditionally blocked (unsupported agent operation)"
+        );
+        assert!(
+            !is_write_operation("create_agent_task"),
+            "create_agent_task should not be in WRITE_OPERATIONS (it is in READ_WRITE_OPERATIONS)"
+        );
+    }
 }
