Deduplicate guard policy JSON roundtrip and enforce logger wrapper level parity (#4155)

lpcox · web-flow · commit 291b13099a93 · 2026-04-19T15:00:06.000-07:00
Duplicate-code analysis flagged two remaining patterns: repeated policy `Marshal`→`Unmarshal` map conversion in guard/proxy paths, and repeated log-level wrapper sets across logger variants. This PR centralizes the policy conversion path and adds a guardrail test for logger wrapper completeness. - **Policy conversion deduplication (guard + proxy)** - Added `PolicyToMap(policy interface{}) (map[string]interface{}, error)` in `internal/guard/policy_helpers.go`. - Replaced duplicated roundtrip blocks in: - `internal/guard/wasm.go` (`buildStrictLabelAgentPayload`, `BuildLabelAgentPayload`) - `internal/proxy/proxy.go` (`initGuardPolicy`, including `allow-only` extraction path) - Standardized error surface for invalid/non-object policies while preserving caller-specific context. - **Logger wrapper drift prevention** - Added `internal/logger/log_level_wrappers_test.go`. - Test asserts file/markdown/server wrapper sets all cover the same levels as `logFuncs` to prevent partial additions when introducing new log levels. - **Focused helper coverage** - Added `internal/guard/policy_helpers_test.go` with coverage for: - nil policy - non-object policy - unmarshalable policy - deep-copy behavior for nested map mutation safety ```go // shared helper now used by both guard and proxy policy paths payload, err := guard.PolicyToMap(policy) if err != nil { return fmt.Errorf("policy must be a JSON object: %w", err) } ``` > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build73390749/b509/launcher.test /tmp/go-build73390749/b509/launcher.test -test.testlogfile=/tmp/go-build73390749/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 1.80.0/internal/resolver/delegatingresolver/delegatingresolver.go xrGu/Ij3Uman6G7fpe4BrxrGu x_amd64/vet --gdwarf-5 envconfig -o x_amd64/vet 7745�� .a ache/go/1.25.8/x-ifaceassert x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build73390749/b509/launcher.test /tmp/go-build73390749/b509/launcher.test -test.testlogfile=/tmp/go-build73390749/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 1.80.0/internal/resolver/delegatingresolver/delegatingresolver.go xrGu/Ij3Uman6G7fpe4BrxrGu x_amd64/vet --gdwarf-5 envconfig -o x_amd64/vet 7745�� .a ache/go/1.25.8/x-ifaceassert x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build73390749/b509/launcher.test /tmp/go-build73390749/b509/launcher.test -test.testlogfile=/tmp/go-build73390749/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 1.80.0/internal/resolver/delegatingresolver/delegatingresolver.go xrGu/Ij3Uman6G7fpe4BrxrGu x_amd64/vet --gdwarf-5 envconfig -o x_amd64/vet 7745�� .a ache/go/1.25.8/x-ifaceassert x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build73390749/b518/mcp.test /tmp/go-build73390749/b518/mcp.test -test.testlogfile=/tmp/go-build73390749/b518/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true fflib@v1.0.0/difflib/difflib.go otection x_amd64/vet --gdwarf-5 --64 lcache/go/1.25.8-bool x_amd64/vet -E 60I2XHAs9 8177450/b287//_c-ifaceassert x_amd64/vet -I . 77450/b287/ x_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/internal/guard/policy_helpers.go b/internal/guard/policy_helpers.go
@@ -0,0 +1,27 @@
+package guard
+
+import (
+	"encoding/json"
+	"fmt"
+)
+
+// PolicyToMap converts a policy value to a generic map through a JSON roundtrip.
+// It returns an error if the value cannot be serialized or does not decode to a
+// JSON object.
+func PolicyToMap(policy interface{}) (map[string]interface{}, error) {
+	if policy == nil {
+		return nil, fmt.Errorf("policy is required")
+	}
+
+	policyJSON, err := json.Marshal(policy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to serialize policy: %w", err)
+	}
+
+	var payload map[string]interface{}
+	if err := json.Unmarshal(policyJSON, &payload); err != nil {
+		return nil, fmt.Errorf("policy must decode to a JSON object: %w", err)
+	}
+
+	return payload, nil
+}
diff --git a/internal/guard/policy_helpers_test.go b/internal/guard/policy_helpers_test.go
@@ -0,0 +1,50 @@
+package guard
+
+import (
+	"math"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestPolicyToMap(t *testing.T) {
+	t.Run("returns deep copy for map input", func(t *testing.T) {
+		policy := map[string]interface{}{
+			"allow-only": map[string]interface{}{
+				"repos":         "public",
+				"min-integrity": "none",
+			},
+		}
+
+		payload, err := PolicyToMap(policy)
+		require.NoError(t, err)
+		require.NotNil(t, payload)
+
+		allowOnly, ok := payload["allow-only"].(map[string]interface{})
+		require.True(t, ok)
+		allowOnly["repos"] = "all"
+
+		original, ok := policy["allow-only"].(map[string]interface{})
+		require.True(t, ok)
+		assert.Equal(t, "public", original["repos"])
+	})
+
+	t.Run("nil policy returns error", func(t *testing.T) {
+		_, err := PolicyToMap(nil)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "policy is required")
+	})
+
+	t.Run("non-object policy returns error", func(t *testing.T) {
+		_, err := PolicyToMap([]string{"not-an-object"})
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "policy must decode to a JSON object")
+	})
+
+	t.Run("unmarshalable policy returns error", func(t *testing.T) {
+		_, err := PolicyToMap(math.NaN())
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "failed to serialize policy")
+	})
+}
diff --git a/internal/guard/wasm.go b/internal/guard/wasm.go
@@ -364,13 +364,8 @@ func buildStrictLabelAgentPayload(policy interface{}) (map[string]interface{}, e
 		}
 	}
 
-	policyJSON, err := json.Marshal(policy)
+	payload, err := PolicyToMap(policy)
 	if err != nil {
-		return nil, fmt.Errorf("failed to serialize label_agent policy: %w", err)
-	}
-
-	var payload map[string]interface{}
-	if err := json.Unmarshal(policyJSON, &payload); err != nil {
 		return nil, fmt.Errorf("failed to decode label_agent policy payload: %w", err)
 	}
 
@@ -549,20 +544,16 @@ func BuildLabelAgentPayload(policy interface{}, trustedBots []string, trustedUse
 		return policy
 	}
 
-	// Marshal the policy to a generic map so we can inject the trusted-bots and trusted-users
-	// keys alongside the allow-only policy without altering the policy itself.
-	policyJSON, err := json.Marshal(policy)
+	// Convert the policy to a generic map so we can inject the trusted-bots and
+	// trusted-users keys alongside the allow-only policy without altering the
+	// policy itself.
+	payload, err := PolicyToMap(policy)
 	if err != nil {
-		// If we can't marshal the policy, return it as-is; buildStrictLabelAgentPayload
+		// If we can't convert the policy, return it as-is; buildStrictLabelAgentPayload
 		// will surface the error later.
 		return policy
 	}
 
-	var payload map[string]interface{}
-	if err := json.Unmarshal(policyJSON, &payload); err != nil {
-		return policy
-	}
-
 	if len(trustedBots) > 0 {
 		// trusted-bots is a top-level key in the label_agent payload.
 		// Convert []string to []interface{} for JSON compatibility.
diff --git a/internal/logger/log_level_wrappers_test.go b/internal/logger/log_level_wrappers_test.go
@@ -0,0 +1,53 @@
+package logger
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLogLevelWrappers_CoverAllRegisteredLevels(t *testing.T) {
+	fileWrappers := map[LogLevel]func(string, string, ...interface{}){
+		LogLevelInfo:  LogInfo,
+		LogLevelWarn:  LogWarn,
+		LogLevelError: LogError,
+		LogLevelDebug: LogDebug,
+	}
+
+	markdownWrappers := map[LogLevel]func(string, string, ...interface{}){
+		LogLevelInfo:  LogInfoMd,
+		LogLevelWarn:  LogWarnMd,
+		LogLevelError: LogErrorMd,
+		LogLevelDebug: LogDebugMd,
+	}
+
+	serverWrappers := map[LogLevel]func(string, string, string, ...interface{}){
+		LogLevelInfo:  LogInfoWithServer,
+		LogLevelWarn:  LogWarnWithServer,
+		LogLevelError: LogErrorWithServer,
+		LogLevelDebug: LogDebugWithServer,
+	}
+
+	expectedLevels := make([]LogLevel, 0, len(logFuncs))
+	for level := range logFuncs {
+		expectedLevels = append(expectedLevels, level)
+	}
+
+	fileLevels := make([]LogLevel, 0, len(fileWrappers))
+	for level := range fileWrappers {
+		fileLevels = append(fileLevels, level)
+	}
+	assert.ElementsMatch(t, expectedLevels, fileLevels)
+
+	markdownLevels := make([]LogLevel, 0, len(markdownWrappers))
+	for level := range markdownWrappers {
+		markdownLevels = append(markdownLevels, level)
+	}
+	assert.ElementsMatch(t, expectedLevels, markdownLevels)
+
+	serverLevels := make([]LogLevel, 0, len(serverWrappers))
+	for level := range serverWrappers {
+		serverLevels = append(serverLevels, level)
+	}
+	assert.ElementsMatch(t, expectedLevels, serverLevels)
+}
diff --git a/internal/proxy/proxy.go b/internal/proxy/proxy.go
@@ -156,14 +156,21 @@ func (s *Server) initGuardPolicy(ctx context.Context, policyJSON string, trusted
 	}
 
 	// Validate the policy structure
-	policyMap, ok := policy.(map[string]interface{})
-	if !ok {
-		return fmt.Errorf("policy must be a JSON object")
+	policyMap, err := guard.PolicyToMap(policy)
+	if err != nil {
+		return fmt.Errorf("policy must be a JSON object: %w", err)
 	}
 	guardPolicy := &config.GuardPolicy{}
 	if ao, hasAO := policyMap["allow-only"]; hasAO {
 		logProxy.Printf("Parsing allow-only policy from guard configuration")
-		aoBytes, _ := json.Marshal(ao)
+		aoMap, err := guard.PolicyToMap(ao)
+		if err != nil {
+			return fmt.Errorf("invalid allow-only policy: %w", err)
+		}
+		aoBytes, err := json.Marshal(aoMap)
+		if err != nil {
+			return fmt.Errorf("invalid allow-only policy: %w", err)
+		}
 		var allowOnly config.AllowOnlyPolicy
 		if err := json.Unmarshal(aoBytes, &allowOnly); err != nil {
 			return fmt.Errorf("invalid allow-only policy: %w", err)
