[test] Add tests for config.AllowOnlyPolicy.UnmarshalJSON and NormalizeScopeKind (#4012)

# Test Coverage Improvement: `guard_policy.go`

## Functions Analyzed

| Function | Package | Previous Coverage | New Coverage |
|---|---|---|---|
| `AllowOnlyPolicy.UnmarshalJSON` | `internal/config` | 67.7% | 93.5% |
| `NormalizeScopeKind` | `internal/config` | 0.0% | 100.0% |
| `GuardPolicy.UnmarshalJSON` | `internal/config` | ~86% | 93.1% |
| `NormalizeGuardPolicy` | `internal/config` | 97.8% | 98.9% |
| `ValidateWriteSinkPolicy` | `internal/config` | ~90% | 95.2% |

**Overall `internal/config` package: 92.2% → 93.8%**

## Why These Functions?

`AllowOnlyPolicy.UnmarshalJSON` had 67.7% coverage despite being a core
security-policy parsing function with 9 distinct field branches and
error paths. The four newest fields — `endorsement-reactions`,
`disapproval-reactions`, `disapproval-integrity`, and
`endorser-min-integrity` — had **zero test coverage** for both happy
paths and error paths.

`NormalizeScopeKind` was an exported function at **0% coverage** in the
`internal/config` package (existing tests live in `internal/server`
which requires the `go-sdk` dependency and couldn't run in the CI
environment that generated coverage data).

## Tests Added

- ✅ **`TestNormalizeScopeKind`** — 10 table-driven cases: nil input,
empty map, no `scope_kind` field, already-lowercase, uppercase,
whitespace trimming, mixed case+spaces, non-string value, other fields
preserved, immutability of input
- ✅ **`TestGuardPolicyUnmarshalJSON_InvalidInnerJSON`** — error paths
when `allow-only`/`write-sink` inner values contain invalid JSON or fail
inner-struct validation
- ✅ **`TestAllowOnlyPolicyUnmarshalJSON_FieldErrorPaths`** — error paths
for all 9 fields when the JSON value has an incompatible type (`repos`,
`min-integrity`, `blocked-users`, `approval-labels`, `trusted-users`,
`endorsement-reactions`, `disapproval-reactions`,
`disapproval-integrity`, `endorser-min-integrity`)
- ✅ **`TestAllowOnlyPolicyUnmarshalJSON_EndorsementDisapprovalFields`**
— happy-path parsing for all 4 previously-untested fields, including
empty arrays and the full set together
- ✅ **`TestValidateWriteSinkPolicy_NilInput`** — nil guard in
`ValidateWriteSinkPolicy`
- ✅ **`TestNormalizeGuardPolicy_WriteSinkPath`** — write-sink path error
in `NormalizeGuardPolicy`
- ✅ **`TestNormalizeGuardPolicy_EndorsementReactionDedup`** —
deduplication (case-insensitive), empty-entry rejection, valid integrity
normalization for `endorsement-reactions`, `disapproval-reactions`,
`disapproval-integrity`, `endorser-min-integrity`
- ✅ **`TestNormalizeAndValidateScopeArray_NonStringElement`** —
non-string element in repos array
- ✅ **`TestAllowOnlyPolicyUnmarshalJSON_FullRoundTrip`** — full
marshal/unmarshal round-trip with all fields

## Coverage Report

````
Before: internal/config 92.2%
After:  internal/config 93.8%
Improvement: +1.6%

AllowOnlyPolicy.UnmarshalJSON:  67.7% → 93.5%  (+25.8%)
NormalizeScopeKind:              0.0% → 100.0% (+100.0%)
GuardPolicy.UnmarshalJSON:      ~86% → 93.1%
NormalizeGuardPolicy:           97.8% → 98.9%
ValidateWriteSinkPolicy:        ~90% → 95.2%
```

## Test Execution

All 45 new sub-tests pass:
```
=== RUN   TestNormalizeScopeKind
--- PASS: TestNormalizeScopeKind (10 sub-tests)
=== RUN   TestGuardPolicyUnmarshalJSON_InvalidInnerJSON
--- PASS: TestGuardPolicyUnmarshalJSON_InvalidInnerJSON (5 sub-tests)
=== RUN   TestAllowOnlyPolicyUnmarshalJSON_FieldErrorPaths
--- PASS: TestAllowOnlyPolicyUnmarshalJSON_FieldErrorPaths (9 sub-tests)
=== RUN   TestAllowOnlyPolicyUnmarshalJSON_EndorsementDisapprovalFields
--- PASS: TestAllowOnlyPolicyUnmarshalJSON_EndorsementDisapprovalFields (7 sub-tests)
=== RUN   TestValidateWriteSinkPolicy_NilInput
--- PASS: TestValidateWriteSinkPolicy_NilInput
=== RUN   TestNormalizeGuardPolicy_WriteSinkPath
--- PASS: TestNormalizeGuardPolicy_WriteSinkPath
=== RUN   TestNormalizeGuardPolicy_EndorsementReactionDedup
--- PASS: TestNormalizeGuardPolicy_EndorsementReactionDedup (7 sub-tests)
=== RUN   TestNormalizeAndValidateScopeArray_NonStringElement
--- PASS: TestNormalizeAndValidateScopeArray_NonStringElement
=== RUN   TestAllowOnlyPolicyUnmarshalJSON_FullRoundTrip
--- PASS: TestAllowOnlyPolicyUnmarshalJSON_FullRoundTrip
````

---
*Generated by Test Coverage Improver*
*Next run will target the next most complex under-tested function*




> [!WARNING]
> <details>
> <summary><strong>⚠️ Firewall blocked 8 domains</strong></summary>
>
> The following domains were blocked by the firewall during workflow
execution:
>
> - `go.opentelemetry.io`
> - `go.yaml.in`
> - `golang.org`
> - `google.golang.org`
> - `gopkg.in`
> - `invalidhostthatdoesnotexist12345.com`
> - `proxy.golang.org`
> - `releaseassets.githubusercontent.com`
>
> To allow these domains, add them to the `network.allowed` list in your
workflow frontmatter:
>
> ```yaml
> network:
>   allowed:
>     - defaults
>     - "go.opentelemetry.io"
>     - "go.yaml.in"
>     - "golang.org"
>     - "google.golang.org"
>     - "gopkg.in"
>     - "invalidhostthatdoesnotexist12345.com"
>     - "proxy.golang.org"
>     - "releaseassets.githubusercontent.com"
> ```
>
> See [Network
Configuration](https://github.github.com/gh-aw/reference/network/) for
more information.
>
> </details>


> Generated by [Test Coverage
Improver](https://github.com/github/gh-aw-mcpg/actions/runs/24563644860/agentic_workflow)
· ● 7.1M ·
[◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+test-coverage-improver%22&type=pullrequests)

<!-- gh-aw-agentic-workflow: Test Coverage Improver, engine: copilot,
model: auto, id: 24563644860, workflow_id: test-coverage-improver, run:
https://github.com/github/gh-aw-mcpg/actions/runs/24563644860 -->

<!-- gh-aw-workflow-id: test-coverage-improver -->

Author: lpcox