rust-guard: consolidate github-baseline match arms + add Display for ScopeKind (#2640)

Seven match arms in `apply_tool_labels` repeated identical
`baseline_scope = "github"` and `integrity = project_github_label(ctx)`
assignments, differing only in `secrecy`. `ScopeKind` had no `Display`
impl, forcing a private 5-arm match in `normalized_scope_kind` just to
stringify variants.

### `tool_rules.rs` — merge 7 arms into 2
Group by secrecy value; eliminate ~40 lines of near-identical code:

```rust
// Before: 7 separate arms, each repeating baseline_scope + integrity

// After:
"get_me" | "get_teams" | "get_team_members"
| "list_starred_repositories"
| "get_copilot_space" | "list_copilot_spaces" => {
    secrecy = private_user_label();
    baseline_scope = "github".to_string();
    integrity = project_github_label(ctx);
}
"search_orgs"
| "list_global_security_advisories" | "get_global_security_advisory"
| "github_support_docs_search" => {
    secrecy = vec![];
    baseline_scope = "github".to_string();
    integrity = project_github_label(ctx);
}
```

### `helpers.rs` — add `Display` for `ScopeKind`
Moves variant→string conversion onto the type where it belongs, making
it available to any future caller via `.to_string()` or `{}` formatting.

### `lib.rs` — simplify `normalized_scope_kind`
Replaces the 5-arm match with a single
`scopes[0].scope_kind.to_string()` call.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build2380398191/b334/launcher.test
/tmp/go-build2380398191/b334/launcher.test
-test.testlogfile=/tmp/go-build2380398191/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s ache�� g_.a rg x_amd64/vet` (dns
block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2380398191/b319/config.test
/tmp/go-build2380398191/b319/config.test
-test.testlogfile=/tmp/go-build2380398191/b319/testlog.txt
-test.paniconexit0 -test.timeout=10m0s conf��
ternal/engine/interpreter/compiler.go
ternal/engine/interpreter/format.go x_amd64/compile` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build2380398191/b334/launcher.test
/tmp/go-build2380398191/b334/launcher.test
-test.testlogfile=/tmp/go-build2380398191/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s ache�� g_.a rg x_amd64/vet` (dns
block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build2380398191/b334/launcher.test
/tmp/go-build2380398191/b334/launcher.test
-test.testlogfile=/tmp/go-build2380398191/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s ache�� g_.a rg x_amd64/vet` (dns
block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2380398191/b343/mcp.test
/tmp/go-build2380398191/b343/mcp.test
-test.testlogfile=/tmp/go-build2380398191/b343/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -o /proxy/graphql.go
/proxy/graphql_rewrite.go x_amd64/vet -p syscall -lang=go1.25
x_amd64/vet -I g_.a 5678121/b151/ x_amd64/vet --gdwarf-5
ernal/middleware-qE` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

🔒 GitHub Advanced Security automatically protects Copilot coding agent
pull requests. You can protect all pull requests by enabling Advanced
Security for your repositories. [Learn more about Advanced
Security.](https://gh.io/cca-advanced-security)

Author: lpcox

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -54,6 +54,19 @@ pub enum ScopeKind {
     RepoPrefix,
 }
 
+impl std::fmt::Display for ScopeKind {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        let s = match self {
+            ScopeKind::All => "All",
+            ScopeKind::Public => "Public",
+            ScopeKind::Owner => "Owner",
+            ScopeKind::Repo => "Repo",
+            ScopeKind::RepoPrefix => "RepoPrefix",
+        };
+        f.write_str(s)
+    }
+}
+
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct PolicyScopeEntry {
     pub scope_kind: ScopeKind,

guards/github-guard/rust-guard/src/labels/tool_rules.rs

@@ -474,56 +474,37 @@ pub fn apply_tool_labels(
             integrity = vec![];
         }
 
-        // === Context: User & Org Identity ===
-        "get_me" => {
-            // Current user profile — private to the authenticated user.
-            // May contain private email, name, and other PII.
+        // === Private GitHub-controlled metadata (user-associated): PII/org-structure sensitive ===
+        "get_me"
+        | "get_teams"
+        | "get_team_members"
+        | "list_starred_repositories"
+        | "get_copilot_space"
+        | "list_copilot_spaces" => {
+            // User profile, org team membership, starred repos, and Copilot Spaces are all
+            // GitHub-controlled metadata that may contain PII or reveal internal org structure.
             // S = private:user
             // I = project:github (GitHub-controlled metadata)
             secrecy = private_user_label();
             baseline_scope = "github".to_string();
             integrity = project_github_label(ctx);
         }
 
-        "get_teams" | "get_team_members" => {
-            // Org team membership — may reveal internal org structure.
-            // S = private:user (org membership is sensitive)
-            // I = project:github (GitHub-controlled metadata)
-            secrecy = private_user_label();
-            baseline_scope = "github".to_string();
-            integrity = project_github_label(ctx);
-        }
-
-        // === Starred Repositories ===
-        "list_starred_repositories" => {
-            // User's starred repos — reveals user preferences/interests.
-            // S = private:user (personal data)
-            // I = project:github (GitHub-controlled metadata)
-            secrecy = private_user_label();
-            baseline_scope = "github".to_string();
-            integrity = project_github_label(ctx);
-        }
-
-        // === Organization Search ===
-        "search_orgs" => {
-            // Public organization profiles.
+        // === Public GitHub-controlled metadata: org profiles, advisories, docs ===
+        "search_orgs"
+        | "list_global_security_advisories"
+        | "get_global_security_advisory"
+        | "github_support_docs_search" => {
+            // Public organization profiles, global CVE advisories, and GitHub docs contain no
+            // private data but are curated/controlled by GitHub.
             // S = public (empty)
             // I = project:github (GitHub-controlled metadata)
             secrecy = vec![];
             baseline_scope = "github".to_string();
             integrity = project_github_label(ctx);
         }
 
-        // === Security Advisories ===
-        "list_global_security_advisories" | "get_global_security_advisory" => {
-            // Global security advisories are public CVE data from GHSA.
-            // S = public (empty) — these are published advisories
-            // I = project:github — curated by GitHub security team
-            secrecy = vec![];
-            baseline_scope = "github".to_string();
-            integrity = project_github_label(ctx);
-        }
-
+        // === Security Advisories (repository/org-scoped) ===
         "list_repository_security_advisories" | "list_org_repository_security_advisories" => {
             // Repository/org security advisories may include draft advisories
             // with non-public vulnerability details.
@@ -533,26 +514,6 @@ pub fn apply_tool_labels(
             integrity = writer_integrity(repo_id, ctx);
         }
 
-        // === Copilot Spaces (org/user-scoped) ===
-        "get_copilot_space" | "list_copilot_spaces" => {
-            // Copilot Spaces are org-scoped; may contain private configuration or policies.
-            // S = private:user (conservative — spaces may reference private data)
-            // I = project:github (GitHub-controlled metadata)
-            secrecy = private_user_label();
-            baseline_scope = "github".to_string();
-            integrity = project_github_label(ctx);
-        }
-
-        // === GitHub Support Docs Search (public) ===
-        "github_support_docs_search" => {
-            // Public GitHub documentation search — no private data.
-            // S = public (empty)
-            // I = project:github (GitHub-curated content)
-            secrecy = vec![];
-            baseline_scope = "github".to_string();
-            integrity = project_github_label(ctx);
-        }
-
         _ => {
             // Default: inherit provided labels
         }

guards/github-guard/rust-guard/src/lib.rs

@@ -460,13 +460,7 @@ fn scope_token(scopes: &[PolicyScopeEntry]) -> String {
 
 fn normalized_scope_kind(scopes: &[PolicyScopeEntry]) -> String {
     if scopes.len() == 1 {
-        match scopes[0].scope_kind {
-            ScopeKind::All => "All".to_string(),
-            ScopeKind::Public => "Public".to_string(),
-            ScopeKind::Owner => "Owner".to_string(),
-            ScopeKind::Repo => "Repo".to_string(),
-            ScopeKind::RepoPrefix => "RepoPrefix".to_string(),
-        }
+        scopes[0].scope_kind.to_string()
     } else {
         "Composite".to_string()
     }