AllowOnly Guard Smoke Test Results
Policy: repos=["github/gh-aw*"], min-integrity=approved
Run: https://github.com/github/gh-aw-mcpg/actions/runs/28218625506
In-Scope Access (github/gh-aw*)

| Tool | Target | Result | Status |
| --- | --- | --- | --- |
| list_issues | gh-aw-mcpg | 3 issues returned (github-actions[bot], approved) | ✅ |
| list_pull_requests | gh-aw-mcpg | 3 PRs returned (github-actions[bot], approved) | ✅ |
| list_commits | gh-aw-mcpg | 3 commits returned | ✅ |
| get_file_contents | gh-aw-mcpg | README.md returned (full content) | ✅ |
| list_branches | gh-aw-mcpg | 5 branches returned | ✅ |
| search_code | gh-aw-mcpg | 429 rate limited (not policy related) | ⚠️ N/A |
| list_issues | gh-aw | [] — 3 items filtered (FIRST_TIMER/NONE authors) | ✅ |
| get_file_contents | gh-aw | meta(redacted) filtered by integrity | ⚠️ |

Out-of-Scope Access (octocat/Hello-World)

| Tool | Result | Status |
| --- | --- | --- |
| list_issues | [] — 3 items filtered by integrity policy | ✅ |
| list_pull_requests | [] — 3 items filtered by integrity policy | ✅ |
| list_commits | [] — 3 items filtered by integrity policy | ✅ |
| get_file_contents | meta(redacted) filtered/blocked | ✅ |
| search_code | [] — 1 item filtered by integrity policy | ✅ |

Global APIs

| Tool | Result | Status |
| --- | --- | --- |
| search_repositories | [] — 3 items filtered by integrity policy | ✅ |
| search_users | Tool not available in MCP server | ⚠️ N/A |

Integrity Filtering

| Observation | Status |
| --- | --- |
| gh-aw issues: 3 items from FIRST_TIMER/NONE authors were filtered out | ✅ |
| gh-aw-mcpg full page (20): all items from approved bots/members — no unwanted filtering | ✅ |
| gh-aw-mcpg PRs full page (20): all from github-actions[bot] and Copilot — approved integrity | ✅ |
| Filtering message confirms min-integrity=approved enforcement active | ✅ |

Observations
- Out-of-scope blocking works via integrity filtering: items from out-of-scope repos are assigned low integrity and filtered, resulting in empty responses rather than explicit access errors.
- gh-aw get_file_contents was filtered identically to octocat/Hello-World. This may indicate a glob edge case (github/gh-aw* matching github/gh-aw with empty suffix) or metadata operations apply stricter integrity rules. list_issues for gh-aw was processed (items found, then filtered), confirming the repo IS reachable.
- search_code for gh-aw-mcpg returned HTTP 429 (rate limit) — unrelated to guard policy.
- search_users is not available in this MCP server configuration.
Summary
- In-Scope Access (gh-aw-mcpg): 5/5 ✅ (1 N/A rate limit)
- In-Scope Access (gh-aw): 1/2 ✅ (1 ⚠️ metadata filtered — possible scope boundary behavior)
- Out-of-Scope Blocked: 5/5 ✅
- Global APIs Blocked: 1/1 ✅ (1 N/A tool unavailable)
- Integrity Filtering: ✅
- Overall: PASS
🛡️ AllowOnly guard smoke test by Smoke AllowOnly