Deduplicate integrity-level enums by centralizing canonical values in `guard` by Copilot · Pull Request #5245 · github/gh-aw-mcpg

Copilot · 2026-05-07T15:33:03Z

Integrity-level values (none, unapproved, approved, merged) were duplicated across guard, config, and cmd, despite guard claiming to be the source of truth. This change makes guard authoritative and updates downstream usage to consume canonical values directly.

Canonical integrity values
- Exported guard.AllowedIntegrityLevels from internal/guard/wasm_validate.go.
- Built the internal validation set from that exported slice, so validation and exported values cannot drift.
CLI completion now uses canonical values
- Updated allowonly-min-integrity shell completion in internal/cmd/flags.go to use guard.AllowedIntegrityLevels instead of inline literals.
- Updated corresponding completion test to assert against the canonical slice.
Config error messages now derive valid values dynamically
- Replaced hardcoded integrity value lists in:
  - internal/config/guard_policy_validation.go
  - internal/config/guard_policy_parse.go
- Error text now formats valid values via strings.Join(guard.AllowedIntegrityLevels, ", ").
Focused test coverage for dedup behavior
- Added an assertion in guard_policy_parse_test.go that invalid integrity errors render from the canonical list.
- Kept existing integrity acceptance behavior unchanged.

return nil, fmt.Errorf(
    "min-integrity must be one of: %s",
    strings.Join(guard.AllowedIntegrityLevels, ", "),
)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

example.com
- Triggering command: /tmp/go-build3081364729/b509/launcher.test /tmp/go-build3081364729/b509/launcher.test -test.testlogfile=/tmp/go-build3081364729/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a internal/testcert/testcert.go x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -E g_.a -m64 x_amd64/compile /tmp/go-build392/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/vet g/x/net/http/htt-atomic -fno-stack-prote-bool x_amd64/compile (dns block)
- Triggering command: /tmp/go-build3323417617/b513/launcher.test /tmp/go-build3323417617/b513/launcher.test -test.testlogfile=/tmp/go-build3323417617/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -uns�� -unreachable=false /tmp/go-build3081364729/b246/vet.cfg bash g_.a -trimpath x_amd64/vet /opt/hostedtoolc--others -ato�� submodules | head -n 10 -buildtags /tmp/go-build3081364729/b225/cmd.test -errorsas -ifaceassert -nilfunc /tmp/go-build3081364729/b225/cmd.test (dns block)
invalid-host-that-does-not-exist-12345.com
- Triggering command: /tmp/go-build3081364729/b491/config.test /tmp/go-build3081364729/b491/config.test -test.testlogfile=/tmp/go-build3081364729/b491/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true uf@v1.36.11/internal/filetype/build.go -I x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -I g_.a -I x_amd64/vet --gdwarf-5 ateway/v2/utilit-atomic -o x_amd64/vet (dns block)
- Triggering command: /tmp/go-build191210255/b276/config.test /tmp/go-build191210255/b276/config.test -test.testlogfile=/tmp/go-build191210255/b276/testlog.txt -test.paniconexit0 -test.timeout=10m0s (dns block)
- Triggering command: /tmp/go-build2613079384/b487/config.test /tmp/go-build2613079384/b487/config.test -test.testlogfile=/tmp/go-build2613079384/b487/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp�� /home/REDACTED/go/pkg/mod/go.opent-p /home/REDACTED/go/pkg/mod/go.opentgithub.com/github/gh-aw-mcpg/internal/tracing_test .cfg sor.go duration.go .13/x64/as ache/go/1.25.9/x64/pkg/tool/linu-goversion (dns block)
nonexistent.local
- Triggering command: /tmp/go-build3081364729/b509/launcher.test /tmp/go-build3081364729/b509/launcher.test -test.testlogfile=/tmp/go-build3081364729/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a internal/testcert/testcert.go x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -E g_.a -m64 x_amd64/compile /tmp/go-build392/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/vet g/x/net/http/htt-atomic -fno-stack-prote-bool x_amd64/compile (dns block)
- Triggering command: /tmp/go-build3323417617/b513/launcher.test /tmp/go-build3323417617/b513/launcher.test -test.testlogfile=/tmp/go-build3323417617/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -uns�� -unreachable=false /tmp/go-build3081364729/b246/vet.cfg bash g_.a -trimpath x_amd64/vet /opt/hostedtoolc--others -ato�� submodules | head -n 10 -buildtags /tmp/go-build3081364729/b225/cmd.test -errorsas -ifaceassert -nilfunc /tmp/go-build3081364729/b225/cmd.test (dns block)
slow.example.com
- Triggering command: /tmp/go-build3081364729/b509/launcher.test /tmp/go-build3081364729/b509/launcher.test -test.testlogfile=/tmp/go-build3081364729/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true g_.a internal/testcert/testcert.go x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -E g_.a -m64 x_amd64/compile /tmp/go-build392/opt/hostedtoolcache/go/1.25.9/x64/pkg/tool/linux_amd64/vet g/x/net/http/htt-atomic -fno-stack-prote-bool x_amd64/compile (dns block)
- Triggering command: /tmp/go-build3323417617/b513/launcher.test /tmp/go-build3323417617/b513/launcher.test -test.testlogfile=/tmp/go-build3323417617/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s -uns�� -unreachable=false /tmp/go-build3081364729/b246/vet.cfg bash g_.a -trimpath x_amd64/vet /opt/hostedtoolc--others -ato�� submodules | head -n 10 -buildtags /tmp/go-build3081364729/b225/cmd.test -errorsas -ifaceassert -nilfunc /tmp/go-build3081364729/b225/cmd.test (dns block)
this-host-does-not-exist-12345.com
- Triggering command: /tmp/go-build3081364729/b518/mcp.test /tmp/go-build3081364729/b518/mcp.test -test.testlogfile=/tmp/go-build3081364729/b518/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true olang.org/grpc@v-errorsas -I x_amd64/vet ctor --64 E=3 x_amd64/vet .cfg�� 2347187/b392/_pkg_.a otection x_amd64/vet /tmp/go-build392/usr/libexec/docker/docker-init g/protobuf/inter--version x86_64-linux-gnu x_amd64/vet (dns block)
- Triggering command: /tmp/go-build3323417617/b522/mcp.test /tmp/go-build3323417617/b522/mcp.test -test.testlogfile=/tmp/go-build3323417617/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s n-me�� -bool -buildtags ker/docker-init -errorsas -ifaceassert -nilfunc ker/docker-init -ato�� -bool -buildtags docker-buildx -errorsas -ifaceassert -nilfunc docker-buildx (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Configure Actions setup steps to set up my environment, which run before the firewall is enabled
Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/1f4c9106-2998-4aa4-b59c-8ae14b5b015d Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot

Pull request overview

This PR centralizes the canonical integrity-level enum values (none, unapproved, approved, merged) in internal/guard and updates config validation error messages and CLI shell completions to derive from that canonical list, reducing duplication across packages.

Changes:

Exported guard.AllowedIntegrityLevels and derived the internal validation set from it.
Updated CLI completion for --allowonly-min-integrity (and its test) to use the canonical list.
Updated config guard-policy error messages (and a focused test) to format valid integrity values from the canonical list.

Show a summary per file

File	Description
internal/guard/wasm_validate.go	Exports canonical integrity-level list and derives the validation set and error rendering from it.
internal/config/guard_policy_validation.go	Uses `guard.AllowedIntegrityLevels` to format integrity-related validation errors.
internal/config/guard_policy_parse.go	Uses `guard.AllowedIntegrityLevels` to format `BuildAllowOnlyPolicy` invalid-integrity errors.
internal/config/guard_policy_parse_test.go	Adds assertion that invalid integrity errors list canonical values.
internal/cmd/flags.go	Uses `guard.AllowedIntegrityLevels` for shell completions on `allowonly-min-integrity`.
internal/cmd/flags_test.go	Updates completion test to assert against `guard.AllowedIntegrityLevels`.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Files reviewed: 6/6 changed files
Comments generated: 1

+// AllowedIntegrityLevels is the single source of truth for valid integrity-level values.
+var AllowedIntegrityLevels = []string{"none", "unapproved", "approved", "merged"}

-var allowedIntegrityLevelSet = map[string]struct{}{
-	"none":       {},
-	"unapproved": {},
-	"approved":   {},
-	"merged":     {},
-}
+var allowedIntegrityLevelSet = func() map[string]struct{} {
+	m := make(map[string]struct{}, len(AllowedIntegrityLevels))
+	for _, level := range AllowedIntegrityLevels {
+		m[level] = struct{}{}
+	}
+	return m
+}()


Initial plan

91139a9

Copilot AI assigned Copilot and lpcox May 7, 2026

Copilot AI linked an issue May 7, 2026 that may be closed by this pull request

[duplicate-code] Duplicate Code Pattern: Integrity Level Values Scattered Across guard, config, and cmd Packages #5186

Closed

7 tasks

Copilot started work on behalf of lpcox May 7, 2026 15:33 View session

Copilot AI and others added 2 commits May 7, 2026 15:37

refactor: centralize integrity level list usage across packages

56147ed

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/1f4c9106-2998-4aa4-b59c-8ae14b5b015d Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

test: align integrity-level assertions with canonical guard values

6f777c8

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/1f4c9106-2998-4aa4-b59c-8ae14b5b015d Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Fix duplicate integrity level values across packages~~ Deduplicate integrity-level enums by centralizing canonical values in guard May 7, 2026

Copilot finished work on behalf of lpcox May 7, 2026 15:41

Copilot AI requested a review from lpcox May 7, 2026 15:41

lpcox marked this pull request as ready for review May 7, 2026 15:44

Copilot AI review requested due to automatic review settings May 7, 2026 15:44

Copilot started reviewing on behalf of lpcox May 7, 2026 15:45 View session

lpcox merged commit 293a035 into main May 7, 2026
36 of 37 checks passed

lpcox deleted the copilot/fix-duplicate-code-pattern-another-one branch May 7, 2026 15:47

Copilot AI reviewed May 7, 2026

View reviewed changes

This was referenced May 7, 2026

Smoke Test: Copilot - 25506826307 #5254

Closed

Smoke Test: Copilot - 25507094473 #5256

Closed

Smoke Test: Copilot - 25507835499 #5259

Closed

Smoke Test: Copilot - 25508329101 #5260

Closed

Guards and Integrity: tracking issue #1711

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Deduplicate integrity-level enums by centralizing canonical values in `guard`#5245

Deduplicate integrity-level enums by centralizing canonical values in `guard`#5245
lpcox merged 3 commits into
mainfrom
copilot/fix-duplicate-code-pattern-another-one

Copilot AI commented May 7, 2026 •

edited

Loading

Uh oh!

Uh oh!

Copilot AI left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Copilot AI commented May 7, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

I tried to connect to the following addresses, but was blocked by firewall rules:

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Copilot's findings

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented May 7, 2026 •

edited

Loading