feat: proxy pre-agent gh CLI calls through DIFC gateway

guards/github-guard/rust-guard/src/labels/helpers.rs

@@ -1034,12 +1034,16 @@ pub fn commit_integrity(
 /// Trusted bots:
 /// - dependabot[bot]: GitHub dependency updater
 /// - github-actions[bot]: GitHub Actions workflow actor (GITHUB_TOKEN)
+/// - github-actions: GitHub Actions workflow actor (without [bot] suffix, as returned by some APIs)
+/// - app/github-actions: GitHub Actions workflow actor (with app/ prefix, as returned by gh CLI)
 /// - github-merge-queue[bot]: GitHub merge queue automation
 /// - copilot: GitHub Copilot AI assistant
 pub fn is_trusted_first_party_bot(username: &str) -> bool {
     let lower = username.to_lowercase();
     lower == "dependabot[bot]"
         || lower == "github-actions[bot]"
+        || lower == "github-actions"
+        || lower == "app/github-actions"
         || lower == "github-merge-queue[bot]"
         || lower == "copilot"
 }

guards/github-guard/rust-guard/src/labels/mod.rs

@@ -847,7 +847,8 @@ mod tests {
         // Not bots
         assert!(!is_trusted_first_party_bot("octocat"));
         assert!(!is_trusted_first_party_bot("dependabot"));
-        assert!(!is_trusted_first_party_bot("github-actions"));
+        assert!(is_trusted_first_party_bot("github-actions"));
+        assert!(is_trusted_first_party_bot("app/github-actions"));
         assert!(!is_trusted_first_party_bot(""));
     }
 
@@ -893,6 +894,16 @@ mod tests {
             writer_integrity(repo, &ctx)
         );
 
+        // github-actions without [bot] suffix (as returned by some APIs)
+        let actions_no_bot_issue = json!({
+            "user": {"login": "github-actions"},
+            "author_association": "NONE"
+        });
+        assert_eq!(
+            issue_integrity(&actions_no_bot_issue, repo, false, &ctx),
+            writer_integrity(repo, &ctx)
+        );
+
         // Non-trusted bot still gets none integrity on public repo
         let renovate_issue = json!({
             "user": {"login": "renovate[bot]"},

internal/proxy/graphql.go

@@ -35,6 +35,10 @@ type graphqlPattern struct {
 
 // graphqlPatterns is the ordered list of GraphQL operation → tool name mappings.
 var graphqlPatterns = []graphqlPattern{
+	// Schema introspection queries (safe read-only metadata, no repo data)
+	{queryPattern: regexp.MustCompile(`(?i)__type\s*\(`), toolName: "graphql_introspection"},
+	{queryPattern: regexp.MustCompile(`(?i)__schema\b`), toolName: "graphql_introspection"},
+
 	// Issue operations (singular before plural — more specific first)
 	{queryPattern: regexp.MustCompile(`(?i)repository\s*\([^)]*\)\s*\{[^}]*\bissue\s*\(`), toolName: "issue_read"},
 	{queryPattern: regexp.MustCompile(`(?i)repository\s*\([^)]*\)\s*\{[^}]*\bissues\s*[\({]`), toolName: "list_issues"},
@@ -170,7 +174,9 @@ func extractOwnerRepo(variables map[string]interface{}, query string) (string, s
 }
 
 // IsGraphQLPath returns true if the request path is the GraphQL endpoint.
+// Accepts /graphql (after prefix strip), /api/v3/graphql (before strip),
+// and /api/graphql (GHES-style path used by gh CLI with GH_HOST).
 func IsGraphQLPath(path string) bool {
 	cleaned := strings.TrimSuffix(path, "/")
-	return cleaned == "/graphql" || cleaned == "/api/v3/graphql"
+	return cleaned == "/graphql" || cleaned == "/api/v3/graphql" || cleaned == "/api/graphql"
 }