Skip to content

rust-guard: eliminate hot-path allocations in file secrecy and baseline scope inference #5679

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lpcox merged 5 commits into from
May 14, 2026
+49 −11
Merged

rust-guard: eliminate hot-path allocations in file secrecy and baseline scope inference #5679

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
1b6489b
Initial plan
Copilot May 14, 2026
97bd137
perf(rust-guard): remove avoidable allocations in hot path helpers
Copilot May 14, 2026
3cfc149
test(rust-guard): cover all borrowed scope branches
Copilot May 14, 2026
d895dd8
Potential fix for pull request finding
lpcox May 14, 2026
71c2ba6
Potential fix for pull request finding
lpcox May 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 14 additions & 6 deletions guards/github-guard/rust-guard/src/labels/tool_rules.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -745,17 +745,25 @@ fn check_file_secrecy(
ctx: &PolicyContext,
) -> Vec<String> {
let path_lower = path.to_lowercase();
let segments: Vec<&str> = path_lower.split('/').collect();

// Check for sensitive file extensions/names
for pattern in SENSITIVE_FILE_PATTERNS {
if path_lower.ends_with(pattern) || segments.iter().any(|seg| seg.starts_with(*pattern)) {
return policy_private_scope_label(owner, repo, repo_id, ctx);
}
if SENSITIVE_FILE_PATTERNS
.iter()
.any(|pattern| path_lower.ends_with(pattern))
{
return policy_private_scope_label(owner, repo, repo_id, ctx);
}

if path_lower.split('/').any(|seg| {
SENSITIVE_FILE_PATTERNS
.iter()
.any(|pattern| seg.starts_with(*pattern))
}) {
return policy_private_scope_label(owner, repo, repo_id, ctx);
}

// Get filename
let filename = segments.last().copied().unwrap_or(path_lower.as_str());
let filename = path_lower.rsplit('/').next().unwrap_or(&path_lower);

// Check for sensitive keywords in filename
for keyword in SENSITIVE_FILE_KEYWORDS {
Expand Down
40 changes: 35 additions & 5 deletions guards/github-guard/rust-guard/src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ use labels::{
use serde::{Deserialize, Serialize};
use serde_json::Value;
use std::alloc::{alloc as std_alloc, dealloc as std_dealloc, Layout};
use std::borrow::Cow;
use std::slice;
use std::sync::Mutex;

Expand Down Expand Up @@ -257,9 +258,13 @@ struct LabelResponseOutput {
items: Vec<LabeledItem>,
}

fn infer_scope_for_baseline(tool_name: &str, tool_args: &Value, repo_id: &str) -> String {
fn infer_scope_for_baseline<'a>(
tool_name: &str,
tool_args: &Value,
repo_id: &'a str,
) -> Cow<'a, str> {
if !repo_id.is_empty() {
return repo_id.to_string();
return Cow::Borrowed(repo_id);
}

match tool_name {
Expand All @@ -268,16 +273,16 @@ fn infer_scope_for_baseline(tool_name: &str, tool_args: &Value, repo_id: &str) -
| "manage_notification_subscription"
| "manage_repository_notification_subscription"
| "create_repository"
| "fork_repository" => scope_names::GITHUB.to_string(),
| "fork_repository" => Cow::Borrowed(scope_names::GITHUB),
"search_code" | "search_issues" | "search_pull_requests" => {
let query = tool_args
.get("query")
.and_then(|v| v.as_str())
.unwrap_or("");
let (_, _, repo_from_query) = extract_repo_info_from_search_query(query);
repo_from_query
Cow::Owned(repo_from_query)
}
_ => String::new(),
_ => Cow::Borrowed(""),
}
}

Expand Down Expand Up @@ -1096,9 +1101,34 @@ mod tests {
let tool_args = json!({"query": "repo:lpcox/github-guard README"});

let inferred = infer_scope_for_baseline("search_code", &tool_args, "");
assert!(matches!(&inferred, Cow::Owned(_)));
assert_eq!(inferred, "lpcox/github-guard");
}

#[test]
fn infer_scope_for_baseline_borrows_repo_id_when_present() {
let tool_args = json!({});
let inferred = infer_scope_for_baseline("get_file_contents", &tool_args, "octocat/hello-world");

assert!(matches!(inferred, Cow::Borrowed("octocat/hello-world")));
}

#[test]
fn infer_scope_for_baseline_borrows_github_scope_for_repo_creation() {
let tool_args = json!({});
let inferred = infer_scope_for_baseline("create_repository", &tool_args, "");

assert!(matches!(inferred, Cow::Borrowed(scope_names::GITHUB)));
}

#[test]
fn infer_scope_for_baseline_borrows_empty_scope_for_other_tools() {
let tool_args = json!({});
let inferred = infer_scope_for_baseline("get_file_contents", &tool_args, "");

assert!(matches!(inferred, Cow::Borrowed("")));
}

#[test]
fn search_code_baseline_preserves_scoped_integrity() {
let ctx = PolicyContext {
Expand Down
Loading