Conversation
Adds comprehensive test coverage for two under-tested functions in internal/server/unified.go: - normalizeScopeKind: 10 test cases covering nil input, empty map, missing scope_kind field, uppercase/mixed-case normalization, leading/ trailing whitespace trimming, non-string scope_kind values, preservation of other fields, and immutability of the input map. - resolveGuardPolicy: 20 test cases covering all code paths including nil config (legacy), global policy override (with default/custom source, and invalid policy), server not found, nil server config, valid/invalid server guard-policies, Guard field pointing to missing/nil/policy-less/ valid/invalid guard configs. - resolveWriteSinkPolicy: 4 test cases covering no policy, write-sink policy, allow-only policy (nil write-sink), error from resolveGuardPolicy, and nil config. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lpcox
added a commit
that referenced
this pull request
Mar 19, 2026
…sue (#2158) ## Summary Adds a **Guard Filtering Summary** section to the repo-assist Monthly Activity Issue so maintainers can see what objects the guard policy blocked during each run. ## What it looks like When the guard filters objects, the monthly activity issue will include: ```markdown ## Guard Filtering Summary | Type | Count | Resources | |------|-------|-----------| | Issues | 7 | #1711, #2049, #2086, #2087, #2089, #2093, #2100 | | PRs | 7 | #2037, #2042, #2061, #2063, #2064, #2092, #2096 | | Other | 2 | actions_list, get_repository_tree | **Policy**: `repos: [github/*], min-integrity: merged` **Total filtered**: 54 items across 17 tool calls ``` When no filtering occurs, it states "No objects were filtered by the guard policy." ## How it works 1. **New section in issue template** — "Guard Filtering Summary" sits between "Future Work" and "Run History" 2. **New step 6** — Agent reads `/tmp/gh-aw/mcp-logs/rpc-messages.jsonl` via bash, parses `DIFC_FILTERED` entries, groups by type (issues/PRs/other), deduplicates across tool calls 3. **Python one-liner** — Extracts resource descriptions, groups into a JSON summary the agent uses to populate the template ## Motivation From [run 23274488766](https://github.com/github/gh-aw-mcpg/actions/runs/23274488766), 54 objects were silently filtered with `min-integrity: merged`. The agent reported "GitHub API access to private repo issues unavailable" without understanding why. This change gives both the agent and maintainers explicit visibility into guard policy impact.
4 tasks
Contributor
There was a problem hiding this comment.
Pull request overview
Adds targeted unit tests in internal/server to increase coverage for guard policy resolution and policy scope normalization logic used by UnifiedServer.
Changes:
- Adds a new test suite covering
normalizeScopeKindbehavior (including trimming/lowercasing and non-mutation). - Adds comprehensive table-driven-style coverage for
UnifiedServer.resolveGuardPolicybranches (global override, server guard-policies, legacy fallback, guard config lookup, and error cases). - Adds tests for
UnifiedServer.resolveWriteSinkPolicybehavior across policy types and error conditions.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+236
to
+238
| "min-integrity": "approved", | ||
| "repos": "github/gh-aw*", | ||
| }, |
There was a problem hiding this comment.
In this test, allow-only.repos is set to a string pattern ("github/gh-aw*"), but config.ValidateGuardPolicy only accepts string repos values of "all" or "public". For scoped repos, repos needs to be an array (e.g., []interface{}{...} / []string{...}), otherwise resolveGuardPolicy will return an error and this test will fail.
Comment on lines
+229
to
+239
| // Already tested in guard_policy_parsing_test.go, but adding a write-sink variant | ||
| cfg := &config.Config{ | ||
| Servers: map[string]*config.ServerConfig{ | ||
| "github": { | ||
| Type: "stdio", | ||
| GuardPolicies: map[string]interface{}{ | ||
| "allow-only": map[string]interface{}{ | ||
| "min-integrity": "approved", | ||
| "repos": "github/gh-aw*", | ||
| }, | ||
| }, |
There was a problem hiding this comment.
The comment says this adds a "write-sink variant", but the test config uses an allow-only policy. Either update the comment to match the test or change the test to actually cover a write-sink server guard-policies case.
lpcox
added a commit
that referenced
this pull request
Mar 21, 2026
…e target (#2267) ## Problem Main is broken — `make test` fails due to 3 issues introduced by recent PRs: 1. **Duplicate test functions** in `internal/server/` — PR #2092 and #2096 both added `validAllowOnlyPolicy()` and overlapping `TestNormalizeScopeKind_*` tests 2. **Nil pointer dereference** in `ParseToolArguments` — PR #2061 added a log line that accesses `req.Params.Name` before the nil check 3. **Missing Makefile target** — `test-container-proxy` target and container test file were lost in the squash merge of PR #2231 ## Fixes - Remove duplicate `validAllowOnlyPolicy()` from `resolve_guard_policy_test.go` (keep `ensure_guard_initialized_test.go` version) - Remove duplicate `TestNormalizeScopeKind_*` tests from `ensure_guard_initialized_test.go` (keep the more comprehensive set in `resolve_guard_policy_test.go`) - Fix test using string repos pattern (`"github/gh-aw*"`) — must be `[]interface{}` array - Fix assertion expecting `"approved"` — now correctly matches the shared helper's `IntegrityNone` - Move `ParseToolArguments` log line after the nil check - Restore `test-container-proxy` Makefile target and `proxy_container_test.go` (8 container integration tests) ## Verification - `make agent-finished` ✅ all checks pass - `make test-container-proxy` ✅ 7 pass, 1 skip (macOS gh CLI TLS — expected)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Test Coverage Improvement:
resolveGuardPolicyandnormalizeScopeKindFunctions Analyzed
internal/serverresolveGuardPolicy,normalizeScopeKind,resolveWriteSinkPolicyinternal/server/unified.goresolveGuardPolicyhas 11 distinct code paths;normalizeScopeKindis a pure normalizer with type-dispatch)Why These Functions?
resolveGuardPolicy(42 lines, 11 code paths) had only 1 of 11 paths tested inguard_policy_parsing_test.go. It drives all DIFC guard policy resolution and is called on every tool invocation when DIFC is enabled.normalizeScopeKindhad zero tests despite being called during guard session initialization.Tests Added
New file:
internal/server/resolve_guard_policy_test.go— 32 test casesnormalizeScopeKind(10 tests)nilinput returnsnilscope_kindfield — other fields preservedscope_kindalready lowercase — unchangedscope_kinduppercase → lowercasedscope_kindwith leading/trailing spaces → trimmedscope_kinduppercase + spaces → trimmed and lowercasedscope_kind→ preserved unchangedscope_kindresolveGuardPolicy(18 tests)cfg→ returns("legacy", nil, nil)"override"source"cli")"env"sourcecfg.Servers→"legacy""legacy"guard-policies→"server"sourceguard-policies(missingmin-integrity) → errorguard-policies, emptyGuardfield →"legacy"Guardset but not incfg.Guards→"legacy"Guardset,cfg.Guards[name]is nil →"legacy"Guardset, guard config has nilPolicy→"legacy"Guardset, guard config has valid AllowOnly policy →"config"sourceGuardset, guard config has valid WriteSink policy →"config"sourceGuardset, guard config has invalid policy (empty) → errorcfg.Serversmap →"legacy"resolveWriteSinkPolicy(4 tests)WriteSinkPolicyresolveGuardPolicy→ nilCoverage Improvement
normalizeScopeKindresolveGuardPolicyresolveWriteSinkPolicyGenerated by Test Coverage Improver
Warning
The following domain was blocked by the firewall during workflow execution:
proxy.golang.orgTo allow these domains, add them to the
network.allowedlist in your workflow frontmatter:See Network Configuration for more information.