Add synthetic guard coverage for CLI-only issue, repository, and Projects v2 mutations

[Copilot]

The GitHub guard already covered the upstream github-mcp-server tool surface, but it still missed 7 mutating operations reachable through gh. Those gaps meant CLI-only repository deletion, issue deletion, and several Projects v2 mutations could bypass the guard’s synthetic tool classification and DIFC labeling.

• Add missing synthetic write operations

  • Extend WRITE_OPERATIONS in the Rust guard to cover:
    • delete_repository
    • delete_issue
    • update_project
    • delete_project
    • copy_project
    • link_project
    • unlink_project

• Align DIFC labeling with existing mutation patterns

  • Treat delete_issue and delete_repository as repo-scoped destructive writes, using the same secrecy/integrity rules as other repository mutations.
  • Fold the new Projects v2 synthetic operations into the existing org-scoped projects_write labeling path so they inherit owner-scoped writer integrity consistently.

• Lock in coverage with focused guard tests

  • Add classification coverage for the new synthetic write operations.
  • Add label-parity tests proving the new Projects operations behave the same as projects_write.
  • Add repo-scoped write tests for delete_issue and delete_repository.

Example of the new coverage shape:

"projects_write"
| "copy_project"
| "delete_project"
| "link_project"
| "unlink_project"
| "update_project" => {
    if !owner.is_empty() {
        baseline_scope = Cow::Borrowed(owner.as_str());
        integrity = writer_integrity(&baseline_scope, ctx);
    }
}

[Copilot]

Pull request overview

This PR closes synthetic-guard coverage gaps for mutating operations reachable via gh (CLI-only) by extending the Rust GitHub guard’s write-operation classification and ensuring DIFC labels for these operations match existing mutation patterns.

Changes:

• Extend WRITE_OPERATIONS to include CLI-only mutations: delete_repository, delete_issue, and several Projects v2 operations (copy_project, update_project, delete_project, link_project, unlink_project).
• Apply labeling rules so delete_issue/delete_repository are treated as repo-scoped destructive writes, and the new Projects v2 operations inherit the existing org-scoped projects_write labeling path.
• Add/extend focused unit tests to lock in classification coverage and label parity.

Show a summary per file

File	Description
guards/github-guard/rust-guard/src/tools.rs	Adds new synthetic CLI-only mutating operations to the write-operation classifier and extends coverage tests.
guards/github-guard/rust-guard/src/labels/tool_rules.rs	Ensures new synthetic operations follow existing repo-scoped and Projects v2 labeling paths for secrecy/integrity.
guards/github-guard/rust-guard/src/labels/mod.rs	Adds parity/regression tests validating Projects alias labeling and repo-scoped write integrity for destructive deletes.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 1

[lpcox]

@copilot fix failing ci checks

[Copilot]

@copilot fix failing ci checks

Fixed in 51a0bb8. The failures were caused by internal/httputil/tls_config.go (and its test file) being accidentally introduced alongside internal/httputil/tls.go in the previous commit — both declared the same symbols (MinTLSVersion, NewServerTLSConfig, NewClientTLSConfig), causing a redeclaration compile error. tls_config.go is not present on main; I've removed it and its test file to restore clean compilation.