[test] Add tests for config.AllowOnlyPolicy.UnmarshalJSON and NormalizeScopeKind

[github-actions]

Test Coverage Improvement: guard_policy.go

Functions Analyzed

Function	Package	Previous Coverage	New Coverage
AllowOnlyPolicy.UnmarshalJSON	internal/config	67.7%	93.5%
NormalizeScopeKind	internal/config	0.0%	100.0%
GuardPolicy.UnmarshalJSON	internal/config	~86%	93.1%
NormalizeGuardPolicy	internal/config	97.8%	98.9%
ValidateWriteSinkPolicy	internal/config	~90%	95.2%

Overall internal/config package: 92.2% → 93.8%

Why These Functions?

AllowOnlyPolicy.UnmarshalJSON had 67.7% coverage despite being a core security-policy parsing function with 9 distinct field branches and error paths. The four newest fields — endorsement-reactions, disapproval-reactions, disapproval-integrity, and endorser-min-integrity — had zero test coverage for both happy paths and error paths.

NormalizeScopeKind was an exported function at 0% coverage in the internal/config package (existing tests live in internal/server which requires the go-sdk dependency and couldn't run in the CI environment that generated coverage data).

Tests Added

• ✅ TestNormalizeScopeKind — 10 table-driven cases: nil input, empty map, no scope_kind field, already-lowercase, uppercase, whitespace trimming, mixed case+spaces, non-string value, other fields preserved, immutability of input
• ✅ TestGuardPolicyUnmarshalJSON_InvalidInnerJSON — error paths when allow-only/write-sink inner values contain invalid JSON or fail inner-struct validation
• ✅ TestAllowOnlyPolicyUnmarshalJSON_FieldErrorPaths — error paths for all 9 fields when the JSON value has an incompatible type (repos, min-integrity, blocked-users, approval-labels, trusted-users, endorsement-reactions, disapproval-reactions, disapproval-integrity, endorser-min-integrity)
• ✅ TestAllowOnlyPolicyUnmarshalJSON_EndorsementDisapprovalFields — happy-path parsing for all 4 previously-untested fields, including empty arrays and the full set together
• ✅ TestValidateWriteSinkPolicy_NilInput — nil guard in ValidateWriteSinkPolicy
• ✅ TestNormalizeGuardPolicy_WriteSinkPath — write-sink path error in NormalizeGuardPolicy
• ✅ TestNormalizeGuardPolicy_EndorsementReactionDedup — deduplication (case-insensitive), empty-entry rejection, valid integrity normalization for endorsement-reactions, disapproval-reactions, disapproval-integrity, endorser-min-integrity
• ✅ TestNormalizeAndValidateScopeArray_NonStringElement — non-string element in repos array
• ✅ TestAllowOnlyPolicyUnmarshalJSON_FullRoundTrip — full marshal/unmarshal round-trip with all fields

Coverage Report

Before: internal/config 92.2%
After:  internal/config 93.8%
Improvement: +1.6%

AllowOnlyPolicy.UnmarshalJSON:  67.7% → 93.5%  (+25.8%)
NormalizeScopeKind:              0.0% → 100.0% (+100.0%)
GuardPolicy.UnmarshalJSON:      ~86% → 93.1%
NormalizeGuardPolicy:           97.8% → 98.9%
ValidateWriteSinkPolicy:        ~90% → 95.2%
```

## Test Execution

All 45 new sub-tests pass:
```
=== RUN   TestNormalizeScopeKind
--- PASS: TestNormalizeScopeKind (10 sub-tests)
=== RUN   TestGuardPolicyUnmarshalJSON_InvalidInnerJSON
--- PASS: TestGuardPolicyUnmarshalJSON_InvalidInnerJSON (5 sub-tests)
=== RUN   TestAllowOnlyPolicyUnmarshalJSON_FieldErrorPaths
--- PASS: TestAllowOnlyPolicyUnmarshalJSON_FieldErrorPaths (9 sub-tests)
=== RUN   TestAllowOnlyPolicyUnmarshalJSON_EndorsementDisapprovalFields
--- PASS: TestAllowOnlyPolicyUnmarshalJSON_EndorsementDisapprovalFields (7 sub-tests)
=== RUN   TestValidateWriteSinkPolicy_NilInput
--- PASS: TestValidateWriteSinkPolicy_NilInput
=== RUN   TestNormalizeGuardPolicy_WriteSinkPath
--- PASS: TestNormalizeGuardPolicy_WriteSinkPath
=== RUN   TestNormalizeGuardPolicy_EndorsementReactionDedup
--- PASS: TestNormalizeGuardPolicy_EndorsementReactionDedup (7 sub-tests)
=== RUN   TestNormalizeAndValidateScopeArray_NonStringElement
--- PASS: TestNormalizeAndValidateScopeArray_NonStringElement
=== RUN   TestAllowOnlyPolicyUnmarshalJSON_FullRoundTrip
--- PASS: TestAllowOnlyPolicyUnmarshalJSON_FullRoundTrip

---

Generated by Test Coverage Improver
Next run will target the next most complex under-tested function

Warning

⚠️ Firewall blocked 8 domains

The following domains were blocked by the firewall during workflow execution:

• go.opentelemetry.io
• go.yaml.in
• golang.org
• google.golang.org
• gopkg.in
• invalidhostthatdoesnotexist12345.com
• proxy.golang.org
• releaseassets.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "go.opentelemetry.io"
    - "go.yaml.in"
    - "golang.org"
    - "google.golang.org"
    - "gopkg.in"
    - "invalidhostthatdoesnotexist12345.com"
    - "proxy.golang.org"
    - "releaseassets.githubusercontent.com"

See Network Configuration for more information.

Generated by Test Coverage Improver · ● 7.1M · ◷

[Copilot]

Pull request overview

Adds targeted unit tests in internal/config to increase branch/edge-case coverage for guard-policy parsing and normalization code paths, especially around AllowOnlyPolicy.UnmarshalJSON and NormalizeScopeKind.

Changes:

• Added table-driven tests covering NormalizeScopeKind normalization behavior and immutability.
• Added tests for GuardPolicy / AllowOnlyPolicy JSON unmarshal error paths and the newer endorsement/disapproval-related fields.
• Added tests exercising selected NormalizeGuardPolicy / ValidateWriteSinkPolicy validation and normalization behaviors.

Show a summary per file

File	Description
internal/config/guard_policy_unmarshal_coverage_test.go	New tests to improve coverage of guard-policy unmarshalling/normalization and related validation paths

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/1 changed files
• Comments generated: 4

[Copilot]

The JSON literal in this case is not valid JSON, so GuardPolicy.UnmarshalJSON fails in the initial json.Unmarshal(data, &raw) step and never reaches the inner allow-only unmarshal. If the goal is to exercise the inner-object error path, use syntactically valid JSON where allow-only has an invalid type/shape (e.g., a string/number/array) so the top-level parse succeeds and the error comes from unmarshalling allowOnlyRaw into AllowOnlyPolicy.

[Copilot]

Same issue as the prior case: {"write-sink": {not valid}} is invalid top-level JSON, so this doesn't test an inner write-sink unmarshal failure—it's effectively covered by the "invalid top-level JSON" test. To test the json.Unmarshal(writeSinkRaw, &writeSink) failure, make the overall JSON valid but set write-sink to an incompatible type/shape (or an object with an invalid accept type).

Suggested change

	name: "write-sink inner value is invalid JSON",
	json: `{"write-sink": {not valid}}`,
	wantErr: "invalid character",
	name: "write-sink inner value fails WriteSinkPolicy unmarshal",
	json: `{"write-sink": "not an object"}`,
	wantErr: "cannot unmarshal string",

[Copilot]

This "repos field invalid JSON type" case uses invalid JSON ({invalid}), so AllowOnlyPolicy.UnmarshalJSON fails before it can iterate fields; it doesn't exercise the repos-specific branch. Also, since Repos is interface{}, unmarshalling any valid JSON value into it won't error—so there isn't a realistic per-field unmarshal error path for repos here. Consider removing this case, or move repos-type validation to a NormalizeGuardPolicy test (e.g., a non-string/non-array repos value should hit the allow-only.repos must be ... error).

[Copilot]

This round-trip test doesn't assert anything about Repos. Since Repos is interface{}, it's easy for regressions to slip through (e.g., the slice type/contents changing) while all other assertions still pass. Add an assertion that parsed.Repos deep-equals original.Repos (and/or assert the expected concrete type, like []interface{} with string elements).

[lpcox]

@copilot update the pr based on this review feedback #4012 (review)

[Copilot]

@copilot update the pr based on this review feedback #4012 (review)

Updated in commit b1d99cf.

I addressed the review feedback by switching the inner-unmarshal tests to valid top-level JSON with incompatible inner types, removing the invalid/impossible repos unmarshal case, and adding a Repos round-trip assertion. All targeted tests and full make agent-finished passed, and parallel validation returned no issues.

No UI changes were made (test-only change), so there is no UI screenshot to provide.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• example.com
  • Triggering command: /tmp/go-build2532789203/b514/launcher.test /tmp/go-build2532789203/b514/launcher.test -test.testlogfile=/tmp/go-build2532789203/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2532789203/b432/vet.cfg m/grpc-gateway/vgo1.25.8 m/grpc-gateway/v-c=4 x_amd64/vet 6929828/b151/ ternal/engine/wa-atomic (dns block)
• invalid-host-that-does-not-exist-12345.com
  • Triggering command: /tmp/go-build2532789203/b496/config.test /tmp/go-build2532789203/b496/config.test -test.testlogfile=/tmp/go-build2532789203/b496/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2532789203/b379/vet.cfg @v1.1.3/cpu/x86/go1.25.8 6929828/b151/ x_amd64/vet --gdwarf-5 ternal/engine/in-atomic -o x_amd64/vet 6929�� g_.a -I x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet (dns block)
  • Triggering command: /tmp/go-build2113664720/b496/config.test /tmp/go-build2113664720/b496/config.test -test.testlogfile=/tmp/go-build2113664720/b496/testlog.txt -test.paniconexit0 -test.timeout=10m0s -o (dns block)
• nonexistent.local
  • Triggering command: /tmp/go-build2532789203/b514/launcher.test /tmp/go-build2532789203/b514/launcher.test -test.testlogfile=/tmp/go-build2532789203/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2532789203/b432/vet.cfg m/grpc-gateway/vgo1.25.8 m/grpc-gateway/v-c=4 x_amd64/vet 6929828/b151/ ternal/engine/wa-atomic (dns block)
• slow.example.com
  • Triggering command: /tmp/go-build2532789203/b514/launcher.test /tmp/go-build2532789203/b514/launcher.test -test.testlogfile=/tmp/go-build2532789203/b514/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build2532789203/b432/vet.cfg m/grpc-gateway/vgo1.25.8 m/grpc-gateway/v-c=4 x_amd64/vet 6929828/b151/ ternal/engine/wa-atomic (dns block)
• this-host-does-not-exist-12345.com
  • Triggering command: /tmp/go-build2532789203/b523/mcp.test /tmp/go-build2532789203/b523/mcp.test -test.testlogfile=/tmp/go-build2532789203/b523/testlog.txt -test.paniconexit0 -test.timeout=10m0s x.cg�� .cfg om/modelcontextprotocol/go-sdk@v1.5.0/mcp/cmd.go x_amd64/vet � Warning: golanbash g/grpc/balancer//usr/bin/runc -o x_amd64/vet .cfg�� jpff/2HN23tiQ9vJFNPcMjpff -m64 x_amd64/vet /tmp/go-build369bash 6929828/b468/ -fno-stack-prote--version x_amd64/vet (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)