Skip to content

fix: trusted bot config conformance with spec §4.1.3.4#2213

Merged
lpcox merged 3 commits intomainfrom
fix/trusted-bot-tests
Mar 20, 2026
Merged

fix: trusted bot config conformance with spec §4.1.3.4#2213
lpcox merged 3 commits intomainfrom
fix/trusted-bot-tests

Conversation

@lpcox
Copy link
Collaborator

@lpcox lpcox commented Mar 20, 2026

Summary

Ensures trusted bot configuration conforms to MCP Gateway Specification §4.1.3.4 (Trusted Bot Identity Configuration) and adds comprehensive test coverage across all layers.

Spec Conformance Fix

Empty array validationbuildStrictLabelAgentPayload now rejects trusted-bots: [] per spec: "trustedBots MUST be a non-empty array of strings when present".

Schema Patch

The v0.62.2 JSON schema doesn't include trustedBots in gatewayConfig (it's in v1.9.0/main). Added it to fetchAndFixSchema() alongside existing registry/guard-policies patches to prevent schema validation failures for valid configs.

New Tests

Layer Tests Coverage
Go guard (wasm_test.go) +3 Empty array rejection, whitespace-only entry, preserves all entries, no mutation
Go config (config_test.go) +3 TOML parse, TOML absent, JSON stdin parse with schema validation
Go config (config_stdin_test.go) +4 convertStdinConfig round-trip: present, empty, nil, no gateway
Go server (unified_test.go) +3 getTrustedBots: configured, empty, nil gateway
Rust guard (mod.rs) +2 PR integrity for configured bot, combined built-in + configured + unknown

Verification

  • make agent-finished passes (format, build, lint, all tests)
  • 74 Rust guard tests pass (was 70)
  • All Go unit + integration tests pass
  • 0 lint issues

@lpcox
fix: trusted bot config conformance with spec §4.1.3.4
927d9e2 
- Reject empty trusted-bots array per spec (MUST be non-empty when present)
- Add trustedBots to gateway schema patch (not yet in v0.62.2 schema)
- Add Go config parsing tests: TOML, JSON stdin, convertStdinConfig
- Add Go guard tests: empty array, whitespace-only, no-mutation, preserve-all
- Add Go server test: getTrustedBots accessor with nil/empty/configured
- Add Rust tests: PR integrity for configured bots, combined built-in +
  configured bot detection, unknown bot rejection

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings March 20, 2026 04:57
Copilot AI reviewed Mar 20, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates trusted-bot configuration handling to align with MCP Gateway Specification §4.1.3.4, ensuring empty trusted bot lists are rejected and adding cross-layer test coverage for the new behavior.

Changes:

  • Enforce stricter validation for trusted-bots in buildStrictLabelAgentPayload (reject empty arrays; improve error messaging).
  • Patch the fetched JSON schema to include gatewayConfig.trustedBots with minItems: 1 to prevent schema-validation failures for valid configs.
  • Add Go + Rust tests covering trusted-bot parsing/propagation and integrity elevation behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
internal/server/unified_test.go Adds unit tests for UnifiedServer.getTrustedBots() accessor behavior.
internal/guard/wasm.go Tightens trusted-bots validation (non-empty array when present).
internal/guard/wasm_test.go Expands coverage for trusted-bots validation and payload construction immutability.
internal/config/validation_schema.go Patches upstream schema to include gatewayConfig.trustedBots.
internal/config/config_test.go Adds TOML + stdin JSON parsing tests for trusted bots.
internal/config/config_stdin_test.go Adds conversion tests verifying trustedBots propagation behavior.
guards/github-guard/rust-guard/src/labels/mod.rs Adds Rust tests ensuring configured trusted bots elevate integrity and combine with built-ins.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

lpcox and others added 2 commits March 19, 2026 22:00
@lpcox
Update internal/config/validation_schema.go
6b6dd05 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@lpcox
Update internal/config/config_test.go
f8e508a 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@lpcox lpcox merged commit 47b0674 into main Mar 20, 2026
4 of 5 checks passed
@lpcox lpcox deleted the fix/trusted-bot-tests branch March 20, 2026 05:01
This was referenced Mar 20, 2026
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lpcox