feat(guard): wazero security hardening — memory cap, backend call limit, interpreter tests #7938

Merged: lpcox merged 5 commits into main from copilot/go-fan-review-tetratelabs-wazero on Jun 22, 2026

Copilot AI commented Jun 22, 2026

Go Fan review (#7927) identified security and quality gaps in the wazero WASM guard integration. This PR addresses all five recommendations.

Security

  • Memory cap: Add WithMemoryLimitPages(256) (16 MiB) to the production RuntimeConfig. Without this, a guard declaring a large (memory max ...) can grow to consume unbounded host RAM.

    runtimeConfig := wazero.NewRuntimeConfigCompiler().
        WithCloseOnContextDone(true).
        WithMemoryLimitPages(256) // 16 MiB hard cap

  • Backend call limit: Add maxBackendCallsPerInvocation = 50 counter in hostCallBackend, reset at the start of each callWasmGuardFunction. Prevents a buggy or malicious guard from looping call_backend indefinitely within a single label call.

Performance

  • Interpreter in unit tests: Switch 5 wazero.NewRuntime(ctx) calls in wasm_test.go to wazero.NewRuntimeWithConfig(ctx, wazero.NewRuntimeConfigInterpreter()). JIT compilation is pure overhead for hand-crafted test WASM byte slices.

Readability

  • Simplify WithName IIFE: Replace the immediately-invoked function expression with a plain guardName variable.

Tests

  • TestHostCallBackendCallLimit: verifies the error sentinel is returned when the limit is exceeded, and that backendCallCount is reset to zero at the start of each invocation.
  • The existing TestIsWasmTrap/actual_wazero_trap_still_uses_wasm_error_prefix already serves as a live version assertion for the "wasm error:" string — it instantiates a real trap with the installed wazero and fails if the prefix changes on upgrade.
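
An added sketch (not the PR's code and not part of the comment above) of the per-invocation backend call limit that the description outlines. The names maxBackendCallsPerInvocation, hostCallBackend, callWasmGuardFunction and backendCallCount come from the description; the guard struct, the sentinel errBackendCallLimit, loopingGuest and the check-before-increment ordering are assumptions, and a Go closure stands in for the WASM guest so no wazero runtime is needed.

```go
package main

import (
	"errors"
	"fmt"
)

const maxBackendCallsPerInvocation = 50 // value from the PR description

// errBackendCallLimit is a hypothetical sentinel name (the PR's is not shown).
var errBackendCallLimit = errors.New("guard exceeded backend call limit")

// guard stands in for the WASM guard; no wazero runtime is involved.
type guard struct {
	backendCallCount int // calls made during the current invocation
	backendHits      int // calls that reached the backend, all invocations
}

// hostCallBackend checks the budget before any backend work is done.
func (g *guard) hostCallBackend(req string) (string, error) {
	if g.backendCallCount >= maxBackendCallsPerInvocation {
		return "", errBackendCallLimit
	}
	g.backendCallCount++
	g.backendHits++
	return "ok:" + req, nil
}

// callWasmGuardFunction resets the counter, then runs one guest entry point.
func (g *guard) callWasmGuardFunction(guest func(*guard) error) error {
	g.backendCallCount = 0
	return guest(g)
}

// loopingGuest models a guard that issues n call_backend calls (constructed).
func loopingGuest(n int) func(*guard) error {
	return func(g *guard) error {
		for i := 0; i < n; i++ {
			if _, err := g.hostCallBackend(fmt.Sprintf("req-%d", i)); err != nil {
				return fmt.Errorf("call %d: %w", i+1, err)
			}
		}
		return nil
	}
}

func main() {
	fmt.Println((&guard{}).callWasmGuardFunction(loopingGuest(1000)))
}
```

Because the counter is reset in callWasmGuardFunction rather than on a timer, a guard that hits the limit in one label call still gets its full budget on the next.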

Copilot AI changed the title [WIP] Review Go Module: tetratelabs/wazero feat(guard): wazero security hardening — memory cap, backend call limit, interpreter tests Jun 22, 2026
Copilot AI requested a review from lpcox June 22, 2026 17:23
lpcox marked this pull request as ready for review June 22, 2026 18:16
Copilot AI review requested due to automatic review settings June 22, 2026 18:16

Copilot AI left a comment

Pull request overview

This PR hardens the wazero-backed WASM guard integration by adding resource limits (memory and backend call count), simplifying guard module naming, and optimizing/selecting the interpreter runtime for unit tests to reduce unnecessary JIT overhead.

Changes:

  • Add a per-invocation call_backend call counter with a hard limit to prevent runaway backend calls.
  • Add a runtime memory cap to constrain guard-controlled linear memory growth.
  • Switch several unit tests to use the interpreter runtime and add a new test covering the backend call limit behavior.

| File | Description |
| --- | --- |
| internal/guard/wasm.go | Adds runtime memory cap, simplifies WithName setup, and enforces/resets a per-invocation backend call limit. |
| internal/guard/wasm_test.go | Uses interpreter runtime in tests and adds coverage for the backend call limit + counter reset behavior. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment thread internal/guard/wasm.go Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

lpcox commented Jun 22, 2026

Copilot AI commented Jun 22, 2026

@copilot fix the failed ci check https://github.com/github/gh-aw-mcpg/actions/runs/27976677887/job/82796097537?pr=7938

Addressed in 906538a. The failed check was a gofmt issue in internal/guard/wasm.go; I fixed the indentation, re-ran make lint, and make agent-finished now passes.

lpcox merged commit 6d3533c into main Jun 22, 2026
27 checks passed
lpcox deleted the copilot/go-fan-review-tetratelabs-wazero branch June 22, 2026 20:09