guard: add 11 CLI-only GitHub operations to guard coverage

[Copilot]

The GitHub guard fully covered all 88 upstream MCP tools but was missing 11 write operations reachable only via gh CLI commands — leaving them without synthetic tool names in WRITE_OPERATIONS/READ_WRITE_OPERATIONS and without explicit DIFC labels in tool_rules.rs.

tools.rs

WRITE_OPERATIONS — 10 new entries (maintained sorted order for binary_search):

• archive_project_item / unarchive_project_item — gh project item-archive [--undo]
• create_project_draft_item — gh project item-create
• create_project_field / delete_project_field — gh project field-create/delete
• create_repository_autolink / delete_repository_autolink — gh repo autolink create/delete
• create_linked_branch — gh issue develop
• mark_project_template / unmark_project_template — gh project mark-template [--undo]

READ_WRITE_OPERATIONS — 1 new entry:

• update_project_draft_issue — gh project item-edit --title/--body

tool_rules.rs

Two grouped arms added:

Repo-scoped (mirrors edit_repository — S(repo), writer integrity on repo_id):

"create_repository_autolink"
| "delete_repository_autolink"
| "create_linked_branch" => { ... }

Project-scoped (mirrors projects_write — org-scoped baseline, writer integrity on owner):

"archive_project_item"
| "create_project_draft_item"
| "create_project_field"
| "delete_project_field"
| "mark_project_template"
| "unarchive_project_item"
| "unmark_project_template"
| "update_project_draft_issue" => { ... }

[Copilot]

Pull request overview

This PR extends the GitHub guard’s synthetic tool coverage to include 11 gh CLI-only GitHub write/mutate operations that weren’t reachable via upstream MCP tools, ensuring they’re classified as write/read-write operations and receive explicit DIFC labeling in the Rust guard.

Changes:

• Added 10 new CLI-only entries to WRITE_OPERATIONS and 1 new entry to READ_WRITE_OPERATIONS, maintaining sorted order for binary_search.
• Updated apply_tool_labels matching in tool_rules.rs to explicitly label the new repo-scoped and project-scoped operations consistent with existing patterns (edit_repository / projects_write).

Show a summary per file

File	Description
guards/github-guard/rust-guard/src/tools.rs	Adds the 11 CLI-only operations into the correct write/read-write classification lists while preserving sorted invariants enforced by tests.
guards/github-guard/rust-guard/src/labels/tool_rules.rs	Adds the new tool names to the appropriate labeling match arms so they receive repo-scoped or org/project-scoped DIFC labels.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0