[test] Add tests for cmd.resolveGuardPolicyOverride #2171

Draft
github-actions[bot] wants to merge 1 commit into main from
test/resolve-guard-policy-override-138b0362555f2c89

@github-actions

Test Coverage Improvement: resolveGuardPolicyOverride

Function Analyzed

  • Package: internal/cmd
  • Function: resolveGuardPolicyOverride
  • Previous Coverage: 0% (no direct tests existed)
  • Estimated New Coverage: ~90%+ (all execution branches covered)
  • Complexity: High — 6+ execution branches, reads both CLI flags and environment variables

Why This Function?

resolveGuardPolicyOverride in internal/cmd/root.go is a critical security function that determines which guard policy to apply at startup. It had zero direct test coverage despite having multiple complex branches that interact with:

  • Cobra CLI flags (--guard-policy-json, --allowonly-scope-*, --allowonly-min-integrity)
  • Environment variables (MCP_GATEWAY_GUARD_POLICY_JSON, MCP_GATEWAY_ALLOWONLY_*)
  • The config.ParseGuardPolicyJSON and config.BuildAllowOnlyPolicy logic

Incorrectly resolved guard policies could silently weaken security enforcement (DIFC), making this a high-value test target.

Tests Added

  • Happy path: No flags or env vars set → returns nil, "", nil
  • CLI --guard-policy-json with valid JSON → source="cli"
  • CLI --guard-policy-json with invalid JSON → error path
  • CLI --guard-policy-json with whitespace-only → falls through to AllowOnly path
  • CLI --allowonly-scope-public + min-integrity → AllowOnly policy with repos="public"
  • CLI --allowonly-scope-owner + min-integrity → AllowOnly policy with owner scope
  • CLI --allowonly-scope-owner + --allowonly-scope-repo → combined scope
  • CLI repo without owner → validation error
  • CLI min-integrity only (no scope) → error ("exactly one AllowOnly scope")
  • CLI invalid min-integrity value → error
  • Env MCP_GATEWAY_GUARD_POLICY_JSON valid → source="env"
  • Env MCP_GATEWAY_GUARD_POLICY_JSON invalid → error
  • Env MCP_GATEWAY_GUARD_POLICY_JSON whitespace-only → treated as unset, skipped
  • Env MCP_GATEWAY_ALLOWONLY_SCOPE_PUBLIC → AllowOnly policy from env
  • Env MCP_GATEWAY_ALLOWONLY_SCOPE_OWNER + min-integrity → AllowOnly policy
  • Env MCP_GATEWAY_ALLOWONLY_SCOPE_OWNER + SCOPE_REPO → combined scope
  • Env repo without owner → validation error
  • Env min-integrity only (no scope) → error
  • CLI takes precedence over env vars
  • MCP_GATEWAY_GUARD_POLICY_JSON takes precedence over AllowOnly env vars

Test Design

The tests use a makeGuardPolicyTestCmd() helper that:

  1. Creates a fresh cobra.Command with all 5 guard-policy flags registered
  2. Resets the package-level global variables to zero values to prevent cross-test contamination
  3. Uses cmd.Flags().Set(name, value) to simulate CLI flag changes (which marks flags as Changed())

This accurately mirrors how cobra processes real CLI input, ensuring cmd.Flags().Changed() returns correct values.


Generated by Test Coverage Improver
Next run could target: server.resolveGuardPolicy (guards config path), mcp.initializeHTTPSession (error branches)

Warning

⚠️ Firewall blocked 2 domains

The following domains were blocked by the firewall during workflow execution:

  • proxy.golang.org
  • releaseassets.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"
    - "releaseassets.githubusercontent.com"

See Network Configuration for more information.

Adds comprehensive unit tests for the resolveGuardPolicyOverride function
in internal/cmd/root.go. This function had 0% direct test coverage despite
being a critical security function that determines which guard policy to
apply based on CLI flags and environment variables.

Tests cover all 6+ execution branches:
- No override (nil returned when no flags or env vars set)
- CLI --guard-policy-json with valid JSON (source=cli)
- CLI --guard-policy-json with invalid JSON (error path)
- CLI --guard-policy-json with whitespace only (falls through to AllowOnly)
- CLI --allowonly-scope-public with min-integrity
- CLI --allowonly-scope-owner with optional repo
- CLI repo without owner validation error
- CLI min-integrity only without scope (error path)
- CLI invalid min-integrity value (error path)
- Env MCP_GATEWAY_GUARD_POLICY_JSON valid (source=env)
- Env MCP_GATEWAY_GUARD_POLICY_JSON invalid (error path)
- Env MCP_GATEWAY_GUARD_POLICY_JSON whitespace (treated as unset)
- Env AllowOnly scope variants (public, owner, owner+repo)
- Env repo without owner error path
- Env min-integrity only without scope error path
- CLI takes precedence over env vars
- MCP_GATEWAY_GUARD_POLICY_JSON takes precedence over AllowOnly env vars

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
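
The precedence rules that the description and commit message list, as an added Go example that is not the project's code. The `inputs` type, `fromChannel`, `resolve`, the policy map keys, the `owner/repo` scope format and the exact lookup order (CLI JSON, CLI AllowOnly, env JSON, env AllowOnly) are assumptions, and plain structs stand in for the cobra flags and environment variables.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

type inputs struct { // one channel (CLI flags or env vars); hypothetical, not the project's type
	policyJSON, owner, repo, minIntegrity string
	public                                bool
}

// fromChannel reports set=false only when the channel configures nothing at all.
func fromChannel(in inputs) (p map[string]any, set bool, err error) {
	if js := strings.TrimSpace(in.policyJSON); js != "" { // whitespace-only counts as unset
		if err = json.Unmarshal([]byte(js), &p); err != nil || p == nil {
			return nil, true, fmt.Errorf("invalid guard policy JSON: %v", err)
		}
		return p, true, nil
	}
	if !in.public && in.owner == "" && in.repo == "" && in.minIntegrity == "" {
		return nil, false, nil
	}
	if in.repo != "" && in.owner == "" {
		return nil, true, fmt.Errorf("repo scope requires an owner")
	}
	if in.public == (in.owner != "") { // neither scope, or both
		return nil, true, fmt.Errorf("exactly one AllowOnly scope is required")
	}
	repos := "public"
	if in.owner != "" {
		repos = strings.TrimSuffix(in.owner+"/"+in.repo, "/") // constructed scope format
	}
	return map[string]any{"repos": repos, "min-integrity": in.minIntegrity}, true, nil
}

func resolve(cli, env inputs) (map[string]any, string, error) {
	if p, set, err := fromChannel(cli); set { // CLI first; its errors never fall through to env
		return p, "cli", err
	}
	if p, set, err := fromChannel(env); set {
		return p, "env", err
	}
	return nil, "", nil
}

func main() { // constructed input: broken CLI JSON beside a usable env AllowOnly scope
	fmt.Println(resolve(inputs{policyJSON: "{bad"}, inputs{public: true, minIntegrity: "placeholder"}))
}
```

The case in `main` is the one that matters for enforcement: a malformed CLI policy produces an error instead of silently falling back to whatever the environment supplies.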