Consolidate integrity-level normalization/validation across config and guard

[Copilot]

Integrity-level validation had duplicated normalization and membership checks in internal/config and internal/guard, creating drift risk in behavior and error handling. This change centralizes that logic in config and updates both call sites to use a single implementation.

• Shared integrity validator in config

  • Added NormalizeIntegrityLevel(raw string, optional bool) (string, error) in internal/config/guard_policy.go.
  • Canonical behavior now lives in one place: trim -> lowercase -> optional-empty handling -> allowed-values check.

• Refactor existing config validation path

  • validateAndNormalizeIntegrityField in internal/config/guard_policy_validation.go now delegates to NormalizeIntegrityLevel and preserves field-specific error context.

• Refactor guard WASM payload validation path

  • validateIntegrityField in internal/guard/wasm_validate.go now delegates to config.NormalizeIntegrityLevel instead of maintaining its own normalization + set-membership logic.
  • Removed the redundant local allowed-integrity set used only for that duplicate check.

• Consistency updates for coupled error-message sources

  • Replaced remaining references to removed duplicate integrity list variable in:
    • internal/config/guard_policy_parse.go
    • internal/config/guard_policy_parse_test.go

• Focused coverage for shared behavior

  • Added direct tests for NormalizeIntegrityLevel in internal/config/guard_policy_test.go (case/whitespace normalization, optional empty, invalid values).

normalized, err := config.NormalizeIntegrityLevel(raw, optional)
if err != nil {
    return "", fmt.Errorf("%s %w", fieldPath, err)
}

[Copilot]

Pull request overview

This PR reduces drift risk by centralizing integrity-level normalization + validation in internal/config, and updating both config normalization and guard WASM payload validation to use the shared implementation.

Changes:

• Added config.NormalizeIntegrityLevel(raw, optional) to provide a single canonical “trim → lowercase → optional-empty → allowed-values” pipeline.
• Refactored config guard-policy normalization (validateAndNormalizeIntegrityField) to delegate to the shared helper while preserving field-path context via wrapping.
• Refactored guard WASM payload validation (validateIntegrityField) to use the shared helper and removed the duplicated local allowed-values set; updated coupled error-message sources and added focused tests.

Show a summary per file

File	Description
internal/guard/wasm_validate.go	Removes duplicate integrity membership logic and delegates validation to config.NormalizeIntegrityLevel.
internal/config/guard_policy.go	Introduces NormalizeIntegrityLevel as the canonical integrity-level normalization/validation helper.
internal/config/guard_policy_validation.go	Routes integrity-field validation through the shared helper and wraps errors with field-path context.
internal/config/guard_policy_test.go	Adds direct unit tests for the shared integrity normalization/validation behavior.
internal/config/guard_policy_parse.go	Updates an error message source to reference the canonical integrity list after removing the old variable.
internal/config/guard_policy_parse_test.go	Aligns expected error-message formatting with the updated canonical integrity list reference.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 6/6 changed files
• Comments generated: 0