Skip to content

[test] Add tests for server.ensureGuardInitialized and normalizeScopeKind#2037

Merged
lpcox merged 1 commit intomainfrom
test/ensure-guard-initialized-coverage-f23f96946df355e5
Mar 21, 2026
Merged

[test] Add tests for server.ensureGuardInitialized and normalizeScopeKind#2037
lpcox merged 1 commit intomainfrom
test/ensure-guard-initialized-coverage-f23f96946df355e5

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Mar 16, 2026

Test Coverage Improvement: ensureGuardInitialized + normalizeScopeKind

Functions Analyzed

Detail
Package internal/server
File unified.go
Functions ensureGuardInitialized (~100 LOC, high complexity) + normalizeScopeKind
Previous Coverage 0% direct coverage (only indirect via integration-style callBackendTool tests)
New Coverage All branches covered
Complexity High – ensureGuardInitialized has 10+ distinct branches including caching, error propagation, session creation, label merging, and mode parsing

Why These Functions?

ensureGuardInitialized is the core DIFC session-initialization routine. It:

  • Resolves and validates the guard policy
  • Implements a policy-hash-keyed cache to avoid redundant LabelAgent calls
  • Parses DIFCMode strings from guard results
  • Merges secrecy/integrity tags into the agent registry
  • Creates session state on first use

Despite being central to DIFC enforcement, it had zero direct test coverage – every branch was reachable only via expensive end-to-end callBackendTool integration tests that require a live HTTP backend.

normalizeScopeKind is a pure helper with no tests at all.

Tests Added

normalizeScopeKind (7 tests):

  • nil input → nil output
  • ✅ Empty map → empty map copy
  • ✅ Map without scope_kind field → copy unchanged
  • scope_kind already lowercase → unchanged
  • scope_kind UPPERCASE → lowercased
  • scope_kind mixed-case + whitespace → trimmed and lowercased
  • ✅ Non-string scope_kind → type assertion skipped, value preserved
  • ✅ Input map not mutated (returns copy)

ensureGuardInitialized (12 tests):

  • ✅ Policy nil → evaluator default mode returned, no error
  • resolveGuardPolicy error → wrapped error propagated
  • ✅ Cache hit (same session/server/policy hash) → LabelAgent not called again
  • LabelAgent returns error → error propagated
  • LabelAgent returns nil result → error propagated
  • DIFCMode empty → falls back to evaluator default
  • DIFCMode valid non-empty → overrides evaluator default
  • DIFCMode invalid string → error propagated
  • ✅ New session created when none exists; GuardInit state written correctly
  • ✅ Labels from LabelAgent merged into agentRegistry
  • ✅ Stale policy hash → cache invalidated, LabelAgent re-called
  • ✅ Existing session with nil GuardInit map → map created before writing
  • ✅ Normalized policy stored with scope_kind lowercased via normalizeScopeKind
  • ✅ Multiple serverIDs tracked independently within the same session
  • ✅ Union-semantics: tags from multiple guards are additive, not overwriting

Implementation Notes

Tests use a lightweight newMinimalUnifiedServer helper that constructs a UnifiedServer directly (without calling NewUnified or starting backend servers), making them fast pure-unit tests with no network or process dependencies.

Three new test doubles are introduced:

  • configurableGuard – configurable LabelAgent return values per test
  • countGuard – wraps configurableGuard to count LabelAgent invocations
  • noopBackendCaller – no-op guard.BackendCaller

All names are distinct from existing test types in the package (mockGuard, writeSinkTestGuard, labelAgentTestGuard).

Generated by Test Coverage Improver
Next run candidates: resolveGuardPolicy Guards-config path, mcp.initializeHTTPSession error branches, config.validateStandardServerConfig HTTP+mounts path

Generated by Test Coverage Improver ·

Warning

⚠️ Firewall blocked 3 domains

The following domains were blocked by the firewall during workflow execution:

  • goproxy.io
  • proxy.golang.org
  • sum.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "goproxy.io"
    - "proxy.golang.org"
    - "sum.golang.org"

See Network Configuration for more information.

@github-actions
Add tests for server.ensureGuardInitialized and normalizeScopeKind
182ab6e 
Adds internal/server/ensure_guard_initialized_test.go covering all previously
untested branches of two functions in unified.go:

normalizeScopeKind (7 tests):
- nil input, empty map, map without scope_kind field
- scope_kind already lowercase, UPPERCASE, mixed-case+whitespace
- non-string scope_kind (type assertion skipped)
- immutability guarantee (input map is not modified)

ensureGuardInitialized (12 tests):
- policy nil → evaluator default mode returned
- resolveGuardPolicy error propagation
- cache hit → LabelAgent not called a second time
- LabelAgent error propagation
- LabelAgent nil result error
- DIFCMode empty → falls back to evaluator default
- DIFCMode valid → overrides evaluator default
- DIFCMode invalid → error propagated
- new session created when none exists
- labels from LabelAgent merged into agentRegistry
- stale policy hash → cache invalidation triggers re-init
- existing session with nil GuardInit initialised correctly
- NormalizedPolicy stored with scope_kind lowercased
- multiple serverIDs in same session tracked independently
- union semantics: tags from multiple guards additive

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
lpcox added a commit that referenced this pull request Mar 19, 2026
@lpcox
chore: add guard filtering summary to repo-assist monthly activity is…
2377d43 
…sue (#2158)

## Summary

Adds a **Guard Filtering Summary** section to the repo-assist Monthly
Activity Issue so maintainers can see what objects the guard policy
blocked during each run.

## What it looks like

When the guard filters objects, the monthly activity issue will include:

```markdown
## Guard Filtering Summary

| Type | Count | Resources |
|------|-------|-----------|
| Issues | 7 | #1711, #2049, #2086, #2087, #2089, #2093, #2100 |
| PRs | 7 | #2037, #2042, #2061, #2063, #2064, #2092, #2096 |
| Other | 2 | actions_list, get_repository_tree |

**Policy**: `repos: [github/*], min-integrity: merged`
**Total filtered**: 54 items across 17 tool calls
```

When no filtering occurs, it states "No objects were filtered by the
guard policy."

## How it works

1. **New section in issue template** — "Guard Filtering Summary" sits
between "Future Work" and "Run History"
2. **New step 6** — Agent reads `/tmp/gh-aw/mcp-logs/rpc-messages.jsonl`
via bash, parses `DIFC_FILTERED` entries, groups by type
(issues/PRs/other), deduplicates across tool calls
3. **Python one-liner** — Extracts resource descriptions, groups into a
JSON summary the agent uses to populate the template

## Motivation

From [run
23274488766](https://github.com/github/gh-aw-mcpg/actions/runs/23274488766),
54 objects were silently filtered with `min-integrity: merged`. The
agent reported "GitHub API access to private repo issues unavailable"
without understanding why. This change gives both the agent and
maintainers explicit visibility into guard policy impact.
@lpcox lpcox marked this pull request as ready for review March 21, 2026 14:27
Copilot AI review requested due to automatic review settings March 21, 2026 14:27
@lpcox lpcox merged commit a7dff79 into main Mar 21, 2026
4 checks passed
@lpcox lpcox deleted the test/ensure-guard-initialized-coverage-f23f96946df355e5 branch March 21, 2026 14:27
Copilot AI reviewed Mar 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds direct unit tests in internal/server to cover DIFC session initialization behavior and a small policy normalization helper, improving coverage of high-branch logic in UnifiedServer.ensureGuardInitialized and normalizeScopeKind without relying on integration-style tests.

Changes:

  • Introduces focused unit tests for normalizeScopeKind covering nil/empty inputs, casing/whitespace normalization, type preservation, and non-mutation behavior.
  • Adds unit tests for ensureGuardInitialized covering policy resolution errors, cache-hit behavior, label_agent error/edge cases, DIFCMode parsing/fallback, session state creation, normalized policy persistence, and union semantics for label merging.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

This was referenced Mar 21, 2026
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

automation testing

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lpcox