Skip to content

Guard coverage: classify create_agent_task as read-write and blocked#3139

Merged
lpcox merged 2 commits intomainfrom
copilot/guard-coverage-fix-cli-write-operation
Apr 4, 2026
Merged

Guard coverage: classify create_agent_task as read-write and blocked#3139
lpcox merged 2 commits intomainfrom
copilot/guard-coverage-fix-cli-write-operation

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Apr 4, 2026
edited
Loading

gh agent-task create (POST copilot-api/agents/swe/v1/jobs/{owner}/{repo}) had no guard entry despite causing real repo mutations (branch creation + PR). Per agent instructions, this operation is read-write (reads task context, writes branch/PR) and unsupported (unconditionally blocked).

tools.rs

  • Added "create_agent_task" to READ_WRITE_OPERATIONS — operation is classified as "read-write" in label_resource
  • Added "create_agent_task" to is_blocked_tool() — DIFC evaluator always denies it via blocked_integrity override, consistent with transfer_repository, archive_repository, etc.

labels/tool_rules.rs

  • Added match arm for create_agent_task applying repo-visibility secrecy before the blocked_integrity override kicks in at label_resource
// tools.rs
pub const READ_WRITE_OPERATIONS: &[&str] = &[
    // ...existing entries...
    "create_agent_task", // gh agent-task create — blocked: unsupported agent operation
];

pub fn is_blocked_tool(tool_name: &str) -> bool {
    matches!(
        tool_name,
        "transfer_repository" | "archive_repository" | "unarchive_repository"
            | "rename_repository" | "create_agent_task"
    )
}

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
    • Triggering command: /tmp/go-build2534278610/b340/launcher.test /tmp/go-build2534278610/b340/launcher.test -test.testlogfile=/tmp/go-build2534278610/b340/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2534278610/b223/vet.cfg flib/difflib.go 64/src/runtime/cgo x_amd64/compile (dns block)
  • invalid-host-that-does-not-exist-12345.com
    • Triggering command: /tmp/go-build2534278610/b322/config.test /tmp/go-build2534278610/b322/config.test -test.testlogfile=/tmp/go-build2534278610/b322/testlog.txt -test.paniconexit0 -test.timeout=10m0s rev-�� ternal/engine/wazevo/backend/isa/amd64/abi_entry_amd64.s (dns block)
  • nonexistent.local
    • Triggering command: /tmp/go-build2534278610/b340/launcher.test /tmp/go-build2534278610/b340/launcher.test -test.testlogfile=/tmp/go-build2534278610/b340/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2534278610/b223/vet.cfg flib/difflib.go 64/src/runtime/cgo x_amd64/compile (dns block)
  • slow.example.com
    • Triggering command: /tmp/go-build2534278610/b340/launcher.test /tmp/go-build2534278610/b340/launcher.test -test.testlogfile=/tmp/go-build2534278610/b340/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2534278610/b223/vet.cfg flib/difflib.go 64/src/runtime/cgo x_amd64/compile (dns block)
  • this-host-does-not-exist-12345.com
    • Triggering command: /tmp/go-build2534278610/b349/mcp.test /tmp/go-build2534278610/b349/mcp.test -test.testlogfile=/tmp/go-build2534278610/b349/testlog.txt -test.paniconexit0 -test.timeout=10m0s go_.�� @v1.1.3/ascii/eq-errorsas @v1.1.3/ascii/va-ifaceassert x_amd64/vet -I /tmp/go-build132/usr/bin/runc -I x_amd64/vet -I g_.a 0098554/b151/ x_amd64/vet -o /dev/null (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI linked an issue Apr 4, 2026 that may be closed by this pull request
[guard-coverage] Guard coverage gap: 1 new CLI write operation not covered (gh agent-task create) #3132
Closed
Copilot AI changed the title [WIP] Fix guard coverage gap for new CLI write operation Guard coverage: classify create_agent_task as read-write and blocked Apr 4, 2026
Copilot AI requested a review from lpcox April 4, 2026 00:43
Copilot finished work on behalf of lpcox April 4, 2026 00:43
@github-actions github-actions bot mentioned this pull request Apr 4, 2026
Closed
@lpcox lpcox marked this pull request as ready for review April 4, 2026 03:52
Copilot AI review requested due to automatic review settings April 4, 2026 03:52
@lpcox lpcox merged commit 893fa02 into main Apr 4, 2026
17 checks passed
@lpcox lpcox deleted the copilot/guard-coverage-fix-cli-write-operation branch April 4, 2026 03:52
Copilot AI reviewed Apr 4, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds guard coverage for gh agent-task create by classifying create_agent_task as a read-write operation and unconditionally blocking it, while ensuring repo-visibility secrecy is applied during labeling.

Changes:

  • Classify create_agent_task as "read-write" and add it to the unconditional blocklist.
  • Apply repo-visibility secrecy for create_agent_task in tool label rules.
  • Add a unit test asserting create_agent_task is read-write and blocked.
Show a summary per file
File Description
guards/github-guard/rust-guard/src/tools.rs Adds create_agent_task classification (read-write + blocked) and a unit test for the classification/blocking.
guards/github-guard/rust-guard/src/labels/tool_rules.rs Adds labeling rule to apply repo-visibility secrecy for create_agent_task prior to blocked integrity override in label_resource.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 3

guards/github-guard/rust-guard/src/tools.rs
"issue_write",
"sub_issue_write",
"update_gist",
// Pre-emptive entries for anticipated future MCP tools (no equivalent tool today)
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment says these are “pre-emptive entries … (no equivalent tool today)”, but create_agent_task is an actual supported tool name being classified/blocked in this PR. Please reword this header comment so it doesn’t imply the tool doesn’t exist (it’s misleading for future readers reviewing guard coverage).

Suggested change
// Pre-emptive entries for anticipated future MCP tools (no equivalent tool today)
// Additional guarded read-write operations, including supported tool mappings that remain blocked

Copilot uses AI. Check for mistakes.
guards/github-guard/rust-guard/src/tools.rs
Comment on lines +234 to +235
!is_write_operation("create_agent_task"),
"create_agent_task should not be in WRITE_OPERATIONS (it is in READ_WRITE_OPERATIONS)"
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The test asserts !is_write_operation("create_agent_task"), which bakes in the current implementation detail that read-write ops are excluded from is_write_operation. Since is_write_operation is only used as part of operation classification (and could reasonably be broadened to include read-write ops in the future), consider removing this assertion or instead asserting that the labeled operation is "read-write" / that it’s not explicitly listed in WRITE_OPERATIONS.

Suggested change
!is_write_operation("create_agent_task"),
"create_agent_task should not be in WRITE_OPERATIONS (it is in READ_WRITE_OPERATIONS)"
!WRITE_OPERATIONS.contains(&"create_agent_task"),
"create_agent_task should not be explicitly listed in WRITE_OPERATIONS (it is in READ_WRITE_OPERATIONS)"

Copilot uses AI. Check for mistakes.
guards/github-guard/rust-guard/src/labels/tool_rules.rs
Comment on lines +630 to +637
// === Copilot coding-agent task (blocked: unsupported agent operation) ===
"create_agent_task" => {
// Creates a Copilot coding-agent job that modifies repo branches and opens a PR.
// Blocked via is_blocked_tool(); secrecy applied so the resource is correctly
// classified before the integrity override in label_resource.
// S = S(repo); I = blocked (override applied in label_resource)
secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
}
Copy link

Copilot AI Apr 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

apply_tool_labels now has a dedicated create_agent_task arm to apply repo-visibility secrecy, but there’s no unit test exercising this new labeling behavior. Please add a test (similar to test_apply_tool_labels_transfer_repository_secrecy_inherits_repo_visibility in labels/mod.rs) to ensure the create_agent_task arm is hit and continues to apply repo-visibility secrecy as intended.

Copilot uses AI. Check for mistakes.
@github-actions github-actions bot mentioned this pull request Apr 4, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lpcox lpcox Awaiting requested review from lpcox

Assignees

@lpcox lpcox

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[guard-coverage] Guard coverage gap: 1 new CLI write operation not covered (gh agent-task create)

3 participants

@lpcox