github · lpcox · Mar 28, 2026 · Mar 28, 2026
diff --git a/internal/difc/evaluator_test.go b/internal/difc/evaluator_test.go
@@ -776,26 +776,6 @@ func TestParseEnforcementMode(t *testing.T) {
 	}
 }
 
-// TestNewEvaluatorWithMode tests creating evaluator with specific mode
-func TestNewEvaluatorWithMode(t *testing.T) {
-	t.Run("creates evaluator with strict mode", func(t *testing.T) {
-		eval := NewEvaluatorWithMode(EnforcementStrict)
-		assert.Equal(t, EnforcementStrict, eval.GetMode())
-	})
-
-	t.Run("creates evaluator with propagate mode", func(t *testing.T) {
-		eval := NewEvaluatorWithMode(EnforcementPropagate)
-		assert.Equal(t, EnforcementPropagate, eval.GetMode())
-	})
-
-	t.Run("SetMode changes mode", func(t *testing.T) {
-		eval := NewEvaluator()
-		assert.Equal(t, EnforcementStrict, eval.GetMode())
-		eval.SetMode(EnforcementPropagate)
-		assert.Equal(t, EnforcementPropagate, eval.GetMode())
-	})
-}
-
 // TestEvaluationResult_RequiresPropagation tests the RequiresPropagation method
 func TestEvaluationResult_RequiresPropagation(t *testing.T) {
 	tests := []struct {

diff --git a/internal/guard/guard_test.go b/internal/guard/guard_test.go
@@ -799,268 +799,4 @@ func TestIsValidAllowOnlyRepos(t *testing.T) {
 	}
 }
 
-func TestParseResourceResponse(t *testing.T) {
-	t.Run("valid resource with secrecy and integrity labels and read operation", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource": map[string]interface{}{
-				"description": "test resource",
-				"secrecy":     []interface{}{"private:owner/repo"},
-				"integrity":   []interface{}{"approved"},
-			},
-			"operation": "read",
-		}
-
-		resource, operation, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		require.NotNil(t, resource)
-		assert.Equal(t, "test resource", resource.Description)
-		assert.Equal(t, difc.OperationRead, operation)
-		assert.Contains(t, resource.Secrecy.Label.GetTags(), difc.Tag("private:owner/repo"))
-		assert.Contains(t, resource.Integrity.Label.GetTags(), difc.Tag("approved"))
-	})
-
-	t.Run("write operation", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource":  map[string]interface{}{},
-			"operation": "write",
-		}
-
-		_, operation, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		assert.Equal(t, difc.OperationWrite, operation)
-	})
-
-	t.Run("read-write operation", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource":  map[string]interface{}{},
-			"operation": "read-write",
-		}
-
-		_, operation, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		assert.Equal(t, difc.OperationReadWrite, operation)
-	})
-
-	t.Run("missing operation defaults to write", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource": map[string]interface{}{"description": "no-op"},
-		}
-
-		_, operation, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		assert.Equal(t, difc.OperationWrite, operation, "missing operation should default to write (most restrictive)")
-	})
-
-	t.Run("unknown operation string defaults to write", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource":  map[string]interface{}{},
-			"operation": "unknown-op",
-		}
-
-		_, operation, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		assert.Equal(t, difc.OperationWrite, operation)
-	})
-
-	t.Run("missing resource key returns error", func(t *testing.T) {
-		response := map[string]interface{}{
-			"operation": "read",
-		}
-
-		resource, _, err := parseResourceResponse(response)
-		require.Error(t, err)
-		assert.Nil(t, resource)
-		assert.Contains(t, err.Error(), "invalid resource format")
-	})
-
-	t.Run("resource not a map returns error", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource":  "not-a-map",
-			"operation": "read",
-		}
-
-		resource, _, err := parseResourceResponse(response)
-		require.Error(t, err)
-		assert.Nil(t, resource)
-	})
-
-	t.Run("resource without description uses empty string", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource": map[string]interface{}{
-				"secrecy": []interface{}{"tag1"},
-			},
-		}
-
-		resource, _, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		assert.Equal(t, "", resource.Description)
-	})
-
-	t.Run("resource without labels has empty labels", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource": map[string]interface{}{
-				"description": "minimal resource",
-			},
-		}
-
-		resource, _, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		assert.True(t, resource.Secrecy.Label.IsEmpty(), "secrecy should be empty when not specified")
-		assert.True(t, resource.Integrity.Label.IsEmpty(), "integrity should be empty when not specified")
-	})
-
-	t.Run("non-string secrecy tags are skipped", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource": map[string]interface{}{
-				"secrecy": []interface{}{"valid-tag", 42, nil, "another-valid-tag"},
-			},
-		}
-
-		resource, _, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		tags := resource.Secrecy.Label.GetTags()
-		assert.Len(t, tags, 2, "non-string secrecy entries should be skipped")
-		assert.Contains(t, tags, difc.Tag("valid-tag"))
-		assert.Contains(t, tags, difc.Tag("another-valid-tag"))
-	})
-
-	t.Run("multiple secrecy and integrity tags", func(t *testing.T) {
-		response := map[string]interface{}{
-			"resource": map[string]interface{}{
-				"secrecy":   []interface{}{"private:org/repo1", "private:org/repo2"},
-				"integrity": []interface{}{"approved", "merged"},
-			},
-		}
-
-		resource, _, err := parseResourceResponse(response)
-		require.NoError(t, err)
-		assert.Len(t, resource.Secrecy.Label.GetTags(), 2)
-		assert.Len(t, resource.Integrity.Label.GetTags(), 2)
-	})
-}
-
-func TestParseCollectionLabeledData(t *testing.T) {
-	t.Run("empty items returns empty collection", func(t *testing.T) {
-		result, err := parseCollectionLabeledData([]interface{}{})
-		require.NoError(t, err)
-		require.NotNil(t, result)
-		assert.Empty(t, result.Items)
-	})
-
-	t.Run("nil items returns empty collection", func(t *testing.T) {
-		result, err := parseCollectionLabeledData(nil)
-		require.NoError(t, err)
-		require.NotNil(t, result)
-		assert.Empty(t, result.Items)
-	})
-
-	t.Run("single item with labels", func(t *testing.T) {
-		items := []interface{}{
-			map[string]interface{}{
-				"data": map[string]interface{}{"id": "123", "title": "Test Issue"},
-				"labels": map[string]interface{}{
-					"description": "issue data",
-					"secrecy":     []interface{}{"private:owner/repo"},
-					"integrity":   []interface{}{"approved"},
-				},
-			},
-		}
-
-		result, err := parseCollectionLabeledData(items)
-		require.NoError(t, err)
-		require.Len(t, result.Items, 1)
-
-		item := result.Items[0]
-		require.NotNil(t, item.Labels)
-		assert.Equal(t, "issue data", item.Labels.Description)
-		assert.Contains(t, item.Labels.Secrecy.Label.GetTags(), difc.Tag("private:owner/repo"))
-		assert.Contains(t, item.Labels.Integrity.Label.GetTags(), difc.Tag("approved"))
-	})
-
-	t.Run("item without labels field has nil labels", func(t *testing.T) {
-		items := []interface{}{
-			map[string]interface{}{
-				"data": "some data",
-			},
-		}
-
-		result, err := parseCollectionLabeledData(items)
-		require.NoError(t, err)
-		require.Len(t, result.Items, 1)
-		assert.Nil(t, result.Items[0].Labels)
-	})
-
-	t.Run("non-map item is skipped", func(t *testing.T) {
-		items := []interface{}{
-			"string-not-a-map",
-			42,
-			map[string]interface{}{"data": "valid item"},
-		}
-
-		result, err := parseCollectionLabeledData(items)
-		require.NoError(t, err)
-		assert.Len(t, result.Items, 1, "non-map items should be skipped")
-	})
-
-	t.Run("multiple items with different labels", func(t *testing.T) {
-		items := []interface{}{
-			map[string]interface{}{
-				"data": "public item",
-				"labels": map[string]interface{}{
-					"secrecy":   []interface{}{"public"},
-					"integrity": []interface{}{},
-				},
-			},
-			map[string]interface{}{
-				"data": "private item",
-				"labels": map[string]interface{}{
-					"secrecy":   []interface{}{"private:owner/repo"},
-					"integrity": []interface{}{"approved"},
-				},
-			},
-		}
-
-		result, err := parseCollectionLabeledData(items)
-		require.NoError(t, err)
-		require.Len(t, result.Items, 2)
-
-		assert.Contains(t, result.Items[0].Labels.Secrecy.Label.GetTags(), difc.Tag("public"))
-		assert.Contains(t, result.Items[1].Labels.Secrecy.Label.GetTags(), difc.Tag("private:owner/repo"))
-	})
-
-	t.Run("item labels without secrecy or integrity use empty labels", func(t *testing.T) {
-		items := []interface{}{
-			map[string]interface{}{
-				"data": "item",
-				"labels": map[string]interface{}{
-					"description": "minimal labels",
-				},
-			},
-		}
-
-		result, err := parseCollectionLabeledData(items)
-		require.NoError(t, err)
-		require.Len(t, result.Items, 1)
-		require.NotNil(t, result.Items[0].Labels)
-		assert.True(t, result.Items[0].Labels.Secrecy.Label.IsEmpty())
-		assert.True(t, result.Items[0].Labels.Integrity.Label.IsEmpty())
-	})
-
-	t.Run("non-string tags in labels are skipped", func(t *testing.T) {
-		items := []interface{}{
-			map[string]interface{}{
-				"data": "item",
-				"labels": map[string]interface{}{
-					"secrecy":   []interface{}{"valid-tag", 99, nil},
-					"integrity": []interface{}{"ok", true},
-				},
-			},
-		}
-
-		result, err := parseCollectionLabeledData(items)
-		require.NoError(t, err)
-		require.Len(t, result.Items, 1)
-		assert.Len(t, result.Items[0].Labels.Secrecy.Label.GetTags(), 1)
-		assert.Len(t, result.Items[0].Labels.Integrity.Label.GetTags(), 1)
-	})
-}
+// TestParseResourceResponse and TestParseCollectionLabeledData are in wasm_response_parse_test.go
diff --git a/internal/guard/wasm_response_parse_test.go b/internal/guard/wasm_response_parse_test.go
@@ -140,8 +140,9 @@ func TestParseResourceResponse(t *testing.T) {
 					"secrecy": []interface{}{"private"},
 				},
 			},
-			wantDesc:    "",
-			wantSecrecy: []difc.Tag{"private"},
+			wantDesc:      "",
+			wantSecrecy:   []difc.Tag{"private"},
+			wantOperation: difc.OperationWrite,
 		},
 		{
 			name: "non-string tags in secrecy array are skipped",
@@ -150,7 +151,8 @@ func TestParseResourceResponse(t *testing.T) {
 					"secrecy": []interface{}{"valid-tag", 42, true, nil, "another-tag"},
 				},
 			},
-			wantSecrecy: []difc.Tag{"another-tag", "valid-tag"},
+			wantSecrecy:   []difc.Tag{"another-tag", "valid-tag"},
+			wantOperation: difc.OperationWrite,
 		},
 		{
 			name: "non-string tags in integrity array are skipped",
@@ -160,6 +162,7 @@ func TestParseResourceResponse(t *testing.T) {
 				},
 			},
 			wantIntegrity: []difc.Tag{"also-good", "good-tag"},
+			wantOperation: difc.OperationWrite,
 		},
 
 		// ── Error cases ────────────────────────────────────────────────────────
@@ -220,7 +223,8 @@ func TestParseResourceResponse(t *testing.T) {
 					"secrecy": "not-an-array",
 				},
 			},
-			wantSecrecy: []difc.Tag{},
+			wantSecrecy:   []difc.Tag{},
+			wantOperation: difc.OperationWrite,
 		},
 		{
 			name: "integrity value is not an array (map) defaults to empty label",
@@ -230,6 +234,7 @@ func TestParseResourceResponse(t *testing.T) {
 				},
 			},
 			wantIntegrity: []difc.Tag{},
+			wantOperation: difc.OperationWrite,
 		},
 		{
 			name: "description field is not a string - ignored",
@@ -238,7 +243,8 @@ func TestParseResourceResponse(t *testing.T) {
 					"description": 999,
 				},
 			},
-			wantDesc: "",
+			wantDesc:      "",
+			wantOperation: difc.OperationWrite,
 		},
 	}
 
@@ -305,11 +311,11 @@ func TestParseResourceResponse_OperationCoverage(t *testing.T) {
 
 func TestParseCollectionLabeledData(t *testing.T) {
 	tests := []struct {
-		name           string
-		items          []interface{}
-		wantItemCount  int
-		wantErr        bool
-		checkItems     func(t *testing.T, collection *difc.CollectionLabeledData)
+		name          string
+		items         []interface{}
+		wantItemCount int
+		wantErr       bool
+		checkItems    func(t *testing.T, collection *difc.CollectionLabeledData)
 	}{
 		// ── Empty / nil inputs ─────────────────────────────────────────────────
 
@@ -605,7 +611,7 @@ func TestParseCollectionLabeledData(t *testing.T) {
 				},
 				"not-a-map",
 				map[string]interface{}{
-					"data": "item-2-empty-labels",
+					"data":   "item-2-empty-labels",
 					"labels": map[string]interface{}{},
 				},
 			},