Summary
The GitHub guard does not fully cover 1 operation from the github-mcp-server. The set_issue_fields tool was added to the upstream MCP server since the last coverage check and is missing from both the write-operation classification in tools.rs and the DIFC labeling rules in tool_rules.rs.
- MCP tools scanned: 102 (↑ from 82 on 2026-04-13, +20 new tools)
- CLI write commands scanned: 45 (unchanged)
- Guard-covered write tools (tools.rs): 57 WRITE_OPERATIONS + 30 READ_WRITE_OPERATIONS = 87 entries
- Tools with explicit DIFC rules (tool_rules.rs): ~48 match groups
- New gaps found this run: 1
MCP Tool Classification Gaps (tools.rs)
set_issue_fields performs a write/mutating operation but is missing from WRITE_OPERATIONS or READ_WRITE_OPERATIONS in guards/github-guard/rust-guard/src/tools.rs:
| Tool Name |
Operation Type |
Suggested Classification |
Notes |
set_issue_fields |
read-write |
READ_WRITE_OPERATIONS |
Sets org-level custom field values (text/number/date/single-select) on an issue via GraphQL. Accepts owner, repo, issue_number, and fields array. Can also delete field values. Similar to update_issue_* granular tools. |
Suggested fix for tools.rs
// Add to READ_WRITE_OPERATIONS alongside the other granular issue update tools:
pub const READ_WRITE_OPERATIONS: &[&str] = &[
// ... existing entries ...
// Granular issue update tools (alongside issue_write composite)
"update_issue_assignees",
"update_issue_body",
"update_issue_labels",
"update_issue_milestone",
"update_issue_state",
"update_issue_title",
"update_issue_type",
"set_issue_fields", // GraphQL: sets org-level custom field values on an issue
];
MCP Tool DIFC Labeling Gaps (tool_rules.rs)
set_issue_fields has no explicit match arm in apply_tool_labels in guards/github-guard/rust-guard/src/labels/tool_rules.rs. It falls through to the default _ => {} handler, which leaves secrecy and integrity at their initial (unscoped) values.
| Tool Name |
Data Scope |
Suggested Labels |
Risk |
set_issue_fields |
repo-scoped |
secrecy: S(repo), integrity: writer |
Medium — response includes updated issue metadata; same scope as update_issue_* tools |
Suggested fix for tool_rules.rs
Add "set_issue_fields" to the existing granular issue write operations match arm:
// === Granular repo-scoped write operations ===
"update_issue_assignees"
| "update_issue_body"
| "update_issue_labels"
| "update_issue_milestone"
| "update_issue_state"
| "update_issue_title"
| "update_issue_type"
| "set_issue_fields" // ← add this
| "add_sub_issue"
// ... rest of match arm unchanged ...
=> {
secrecy = apply_repo_visibility_secrecy(&owner, &repo, repo_id, secrecy, ctx);
integrity = writer_integrity(repo_id, ctx);
}
GitHub CLI-Only Gaps
No new CLI-only gaps detected in this run (45 CLI write commands scanned, same as previous run).
Stale Guard Entries
No stale guard entries detected. All entries in WRITE_OPERATIONS and READ_WRITE_OPERATIONS that are not in the current MCP tool snapshot are either:
- Explicitly marked as pre-emptive (future tools), or
- Deprecated aliases (retained for backward compat during alias transition)
Context
The upstream tool count grew from 82 → 102 (+20 tools) since the last run on 2026-04-13. All 20 new tools are correctly classified and labeled except set_issue_fields.
Tool description from the snap:
"Set issue field values for an issue. Fields are organization-level custom fields (text, number, date, or single select). Use this to create or update field values on an issue."
References
Generated by GitHub Guard Coverage Checker (MCP + CLI) · ● 1.5M · ◷
Summary
The GitHub guard does not fully cover 1 operation from the github-mcp-server. The
set_issue_fieldstool was added to the upstream MCP server since the last coverage check and is missing from both the write-operation classification intools.rsand the DIFC labeling rules intool_rules.rs.MCP Tool Classification Gaps (tools.rs)
set_issue_fieldsperforms a write/mutating operation but is missing fromWRITE_OPERATIONSorREAD_WRITE_OPERATIONSinguards/github-guard/rust-guard/src/tools.rs:set_issue_fieldsREAD_WRITE_OPERATIONSowner,repo,issue_number, andfieldsarray. Can also delete field values. Similar toupdate_issue_*granular tools.Suggested fix for tools.rs
MCP Tool DIFC Labeling Gaps (tool_rules.rs)
set_issue_fieldshas no explicit match arm inapply_tool_labelsinguards/github-guard/rust-guard/src/labels/tool_rules.rs. It falls through to the default_ => {}handler, which leaves secrecy and integrity at their initial (unscoped) values.set_issue_fieldsupdate_issue_*toolsSuggested fix for tool_rules.rs
Add
"set_issue_fields"to the existing granular issue write operations match arm:GitHub CLI-Only Gaps
No new CLI-only gaps detected in this run (45 CLI write commands scanned, same as previous run).
Stale Guard Entries
No stale guard entries detected. All entries in
WRITE_OPERATIONSandREAD_WRITE_OPERATIONSthat are not in the current MCP tool snapshot are either:Context
The upstream tool count grew from 82 → 102 (+20 tools) since the last run on 2026-04-13. All 20 new tools are correctly classified and labeled except
set_issue_fields.Tool description from the snap:
References