Closed as not planned
Description
AllowOnly Guard Smoke Test Results
Policy: repos=["github/gh-aw*"], min-integrity=approved
Run: https://github.com/github/gh-aw-mcpg/actions/runs/23567573312
In-Scope Access (github/gh-aw*)
| Tool | Target | Result | Status |
|---|---|---|---|
| list_issues | gh-aw-mcpg | 3 issues returned | ✅ |
| list_pull_requests | gh-aw-mcpg | 3 PRs returned | ✅ |
| list_commits | gh-aw-mcpg | 3 commits returned | ✅ |
| get_file_contents | gh-aw-mcpg | README.md content returned | ✅ |
| list_branches | gh-aw-mcpg | 5 branches returned | ✅ |
| search_code | gh-aw-mcpg | 38 results returned | ✅ |
| list_issues | gh-aw | Repo accessible; all 3 items integrity-filtered (NONE-level authors) | ✅ |
| get_file_contents | gh-aw | Repo accessible; content integrity-filtered | ✅ |
Out-of-Scope Access (octocat/Hello-World)
| Tool | Result | Status |
|---|---|---|
| list_issues | Empty — 3 items integrity-filtered (blocked via DIFC) | ✅ |
| list_pull_requests | Empty — 3 items integrity-filtered (blocked via DIFC) | ✅ |
| list_commits | Empty — 3 items integrity-filtered (blocked via DIFC) | ✅ |
| get_file_contents | Empty — 1 item integrity-filtered (blocked via DIFC) | ✅ |
| search_code | Empty — 1 item integrity-filtered (blocked via DIFC) | ✅ |
Global APIs
| Tool | Result | Status |
|---|---|---|
| search_repositories | Empty — 3 items integrity-filtered (non-github/gh-aw* repos) | ✅ |
| search_users | Tool not available in GitHub MCP server | N/A |
Integrity Filtering
| Observation | Status |
|---|---|
| gh-aw: 3 issues removed (authors have FIRST_TIMER/NONE association, below min-integrity=approved) | ✅ |
| octocat/Hello-World: All issues, PRs, commits filtered (NONE-integrity authors) | ✅ |
| gh-aw-mcpg: Visible items from github-actions[bot] (OWNER/MEMBER) pass through correctly | ✅ |
Summary
- In-Scope Access: 8/8 ✅
- Out-of-Scope Blocked: 5/5 ✅
- Global APIs Blocked: 1/1 ✅ (search_users N/A — tool not available)
- Integrity Filtering: ✅
- Overall: PASS
Note on blocking mechanism: Out-of-scope repos (octocat/Hello-World) are blocked via DIFC integrity filtering rather than a hard scope-block. All items from non-allowed repos receive integrity below the required threshold, producing empty results. The net effect is identical: no data returned.
Note
🔒 Integrity filter blocked 17 items
The following items were blocked because they don't meet the GitHub integrity level.
- Smoke Test: Codex - 23566025025 gh-aw#22994
  list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- Smoke Test: Claude - 23566025032 gh-aw#22993
  list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- Smoke Test: Copilot - 23566025048 gh-aw#22992
  list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- get_file_contents
  get_file_contents: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- octocat/Hello-World@7fd1a60
  list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- octocat/Hello-World@7629413
  list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- octocat/Hello-World@553c207
  list_commits: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- search_code
  search_code: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- Internationalization octocat/Hello-World#7323
  list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- Test Issue 1774440959 octocat/Hello-World#7321
  list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- Test Issue 1774411019 octocat/Hello-World#7317
  list_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- https://github.com/guardian/guardian.github.com
  search_repositories: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- https://github.com/oreoshake/guard-brakeman
  search_repositories: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- https://github.com/johnbintz/guard-rails
  search_repositories: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- #7322
  list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- #7320
  list_pull_requests: has lower integrity than agent requires. The agent cannot read data with integrity below "unapproved".
- ... and 1 more item
To allow these resources, lower min-integrity in your GitHub frontmatter:
tools:
  github:
    min-integrity: approved # merged | approved | unapproved | none

🛡️ AllowOnly guard smoke test by Smoke AllowOnly
- expires on Mar 26, 2026, 12:37 AM UTC