Summary
The GitHub guard does not fully cover 1 operation from the github-mcp-server. This may allow write operations to bypass DIFC classification.
- MCP tools scanned: 107 (from github-mcp-server pkg/github/__toolsnaps__/)
- CLI write commands scanned: 52
- Guard-covered write tools (tools.rs): 63 (WRITE_OPERATIONS) + 30 (READ_WRITE_OPERATIONS) = 93 explicit entries
- New gaps found this run: 1
MCP Tool Classification Gaps (tools.rs)
These MCP tools perform write or mutating operations but are missing from WRITE_OPERATIONS or READ_WRITE_OPERATIONS in guards/github-guard/rust-guard/src/tools.rs:
| Tool Name | Operation Type | Suggested Classification | Notes |
|---|---|---|---|
| sub_issue_write | read-write | READ_WRITE_OPERATIONS | Composite sub-issue write tool (creates/removes/reprioritizes sub-issue links). The granular tools add_sub_issue, remove_sub_issue, reprioritize_sub_issue are already covered, but the composite sub_issue_write tool is missing. |
Suggested fix for tools.rs
/// Read-write operations that both read and modify data
pub const READ_WRITE_OPERATIONS: &[&str] = &[
    // ... existing entries ...
    "sub_issue_write", // composite sub-issue write (add/remove/reprioritize sub-issue links)
];
References
Generated by GitHub Guard Coverage Checker (MCP + CLI) · sonnet46 1.8M · ◷