Smoke AllowOnly: 24135577830

[github-actions]

AllowOnly Guard Smoke Test Results

Policy: repos=["github/gh-aw*"], min-integrity=approved
Run: https://github.com/github/gh-aw-mcpg/actions/runs/24135577830

In-Scope Access (github/gh-aw*)

Tool	Target	Result	Status
list_issues	gh-aw-mcpg	3 issues returned (github-actions[bot], MEMBER)	✅
list_pull_requests	gh-aw-mcpg	3 PRs returned (github-actions[bot], MEMBER)	✅
list_commits	gh-aw-mcpg	3 commits returned (lpcox OWNER, copilot-swe-agent)	✅
get_file_contents	gh-aw-mcpg	README.md returned (full content)	✅
list_branches	gh-aw-mcpg	5 branches returned	✅
search_code	gh-aw-mcpg	3 results returned	✅
list_issues	gh-aw	empty — 3 items integrity-filtered (authors below "approved")	❌
get_file_contents	gh-aw	empty — metadata integrity-filtered	❌

Note on gh-aw: These failures are due to integrity filtering, not repo-scope blocking. The github/gh-aw repo IS accessible (matches github/gh-aw*), but all queried items have authors with association below approved (CONTRIBUTOR/NONE). This is correct guard behavior — the policy enforces both repo scope AND min-integrity simultaneously.

Out-of-Scope Access (octocat/Hello-World)

Tool	Result	Status
list_issues	empty — 3 items filtered/blocked	✅
list_pull_requests	empty — 3 items filtered/blocked	✅
list_commits	empty — 3 items filtered/blocked	✅
get_file_contents	empty — metadata filtered/blocked	✅
search_code	empty — metadata filtered/blocked	✅

Global APIs

Tool	Result	Status
search_repositories	empty — 3 repos filtered (none match github/gh-aw*)	✅
search_users	N/A — tool not available in GitHub MCP server	➖

Integrity Filtering

Observation	Status
gh-aw-mcpg list_issues (perPage=20): all 20 items from approved authors (MEMBER/github-actions[bot])	✅
gh-aw-mcpg list_pull_requests (perPage=20): all 3 PRs from approved authors	✅
gh-aw list_issues: 3 items explicitly integrity-filtered (non-approved author_association)	✅
octocat/Hello-World items filtered with integrity policy enforcement	✅

Summary

• In-Scope Access: 6/8 ✅ (2 correctly integrity-filtered on gh-aw — no data from non-approved authors)
• Out-of-Scope Blocked: 5/5 ✅
• Global APIs Blocked: 1/1 tested ✅ (search_users N/A)
• Integrity Filtering: ✅
• Overall: PASS

Note

🔒 Integrity filter blocked 17 items

The following items were blocked because they don't meet the GitHub integrity level.

• octocat/Hello-World@7fd1a60 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• octocat/Hello-World@7629413 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• octocat/Hello-World@553c207 list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• #7472 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• #7468 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• #7464 list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• 🚨 New article published 😫 octocat/Hello-World#7476 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• 🚨 New article published 😫 octocat/Hello-World#7475 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• 🚨 New article published 😫 octocat/Hello-World#7474 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• Gemini engine fails with AWF proxy: GEMINI_API_BASE_URL points to proxy but proxy has no Gemini handler gh-aw#25294 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• Workflow Health Manager - Meta-Orchestrator - Issue Group gh-aw#25293 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• P1 Systemic: Multiple workflows failing with "engine terminated unexpectedly" (exit code 1) — Apr 8 gh-aw#25292 list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• get_file_contents get_file_contents: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• https://github.com/guardian/guardian.github.com search_repositories: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• https://github.com/oreoshake/guard-brakeman search_repositories: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• https://github.com/johnbintz/guard-rails search_repositories: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
• ... and 1 more item

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

🛡️ AllowOnly guard smoke test by Smoke AllowOnly

• expires on Apr 8, 2026, 2:39 PM UTC

[github-actions]

This issue was automatically closed because it expired on 2026-04-08T14:39:36.310Z.

Closed by Workflow