[Repo Assist] fix(config): add promotion-label and demotion-label fields to AllowOnlyPolicy (#4928)

lpcox · web-flow · commit 2612cc6ff503 · 2026-05-01T07:36:21.000-07:00
🤖 *This PR was created by Repo Assist, an automated AI assistant.* ## Summary Fixes a compliance regression introduced in commit `662a784` where `promotion_label` and `demotion_label` were added to the Rust WASM guard's `AllowOnlyPolicy` but the Go config layer was never updated. **Without this fix**, any operator using: ```json {"allow-only": {"repos": "public", "min-integrity": "unapproved", "promotion-label": "agent-approved", "demotion-label": "agent-blocked"}} ``` ...via `--guard-policy-json`, `MCP_GATEWAY_GUARD_POLICY_JSON`, or a config file would receive: ``` allow-only contains unsupported field "promotion-label" ``` and the gateway would refuse to start. The feature added in `662a784` was entirely inaccessible. ## Changes - **`internal/config/guard_policy.go`**: Add `PromotionLabel`/`DemotionLabel` to `AllowOnlyPolicy` struct, `UnmarshalJSON` switch cases, `MarshalJSON` serialized struct, and `NormalizedGuardPolicy` - **`internal/config/guard_policy_validation.go`**: Pass through `PromotionLabel`/`DemotionLabel` in `NormalizeGuardPolicy` - **`internal/config/guard_policy_test.go`**: Add 6 test cases covering round-trip parsing, both fields combined, empty-field behaviour, and `ParseGuardPolicyJSON` acceptance ## Test Status The Go module proxy (`proxy.golang.org`) is blocked by the network firewall in this environment, preventing `go test` execution. The changes are syntactically verified with `gofmt -l` (clean) and follow the established pattern used by all other `AllowOnlyPolicy` fields (`DisapprovalIntegrity`, `EndorserMinIntegrity`, etc.). Closes #4920 > [!WARNING] > **⚠️ Firewall blocked 1 domain** > > The following domain was blocked by the firewall during workflow execution: > > - `proxy.golang.org` > > To allow these domains, add them to the `network.allowed` list in your workflow frontmatter: > > ```yaml > network: > allowed: > - defaults > - "proxy.golang.org" > ``` > > See [Network Configuration](https://github.github.com/gh-aw/reference/network/) for more information. > Generated by [Repo Assist](https://github.com/github/gh-aw-mcpg/actions/runs/25214503729/agentic_workflow) · ● 4.6M · [◷](https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+repo-assist%22&type=pullrequests) > > To install this [agentic workflow](https://github.com/githubnext/agentics/blob/851905c06e905bf362a9f6cc54f912e3df747d55/workflows/repo-assist.md), run > ``` > gh aw add githubnext/agentics@851905c > ```
diff --git a/internal/config/guard_policy.go b/internal/config/guard_policy.go
@@ -47,6 +47,8 @@ type AllowOnlyPolicy struct {
 	DisapprovalReactions []string    `toml:"DisapprovalReactions" json:"disapproval-reactions,omitempty"`
 	DisapprovalIntegrity string      `toml:"DisapprovalIntegrity" json:"disapproval-integrity,omitempty"`
 	EndorserMinIntegrity string      `toml:"EndorserMinIntegrity" json:"endorser-min-integrity,omitempty"`
+	PromotionLabel       string      `toml:"PromotionLabel" json:"promotion-label,omitempty"`
+	DemotionLabel        string      `toml:"DemotionLabel" json:"demotion-label,omitempty"`
 }
 
 // NormalizedGuardPolicy is a canonical policy representation for caching and observability.
@@ -61,6 +63,8 @@ type NormalizedGuardPolicy struct {
 	DisapprovalReactions []string `json:"disapproval-reactions,omitempty"`
 	DisapprovalIntegrity string   `json:"disapproval-integrity,omitempty"`
 	EndorserMinIntegrity string   `json:"endorser-min-integrity,omitempty"`
+	PromotionLabel       string   `json:"promotion-label,omitempty"`
+	DemotionLabel        string   `json:"demotion-label,omitempty"`
 }
 
 func (p *GuardPolicy) UnmarshalJSON(data []byte) error {
@@ -168,6 +172,14 @@ func (p *AllowOnlyPolicy) UnmarshalJSON(data []byte) error {
 			if err := json.Unmarshal(value, &p.EndorserMinIntegrity); err != nil {
 				return fmt.Errorf("invalid allow-only.endorser-min-integrity: %w", err)
 			}
+		case "promotion-label":
+			if err := json.Unmarshal(value, &p.PromotionLabel); err != nil {
+				return fmt.Errorf("invalid allow-only.promotion-label: %w", err)
+			}
+		case "demotion-label":
+			if err := json.Unmarshal(value, &p.DemotionLabel); err != nil {
+				return fmt.Errorf("invalid allow-only.demotion-label: %w", err)
+			}
 		default:
 			return fmt.Errorf("allow-only contains unsupported field %q", key)
 		}
@@ -195,6 +207,8 @@ func (p AllowOnlyPolicy) MarshalJSON() ([]byte, error) {
 		DisapprovalReactions []string    `json:"disapproval-reactions,omitempty"`
 		DisapprovalIntegrity string      `json:"disapproval-integrity,omitempty"`
 		EndorserMinIntegrity string      `json:"endorser-min-integrity,omitempty"`
+		PromotionLabel       string      `json:"promotion-label,omitempty"`
+		DemotionLabel        string      `json:"demotion-label,omitempty"`
 	}
 
 	return json.Marshal(serializedAllowOnly(p))
diff --git a/internal/config/guard_policy_test.go b/internal/config/guard_policy_test.go
@@ -1140,3 +1140,79 @@ func TestNormalizeGuardPolicyReactionEndorsement(t *testing.T) {
 		assert.Equal(t, original.EndorserMinIntegrity, got.EndorserMinIntegrity)
 	})
 }
+
+// TestNormalizeGuardPolicyPromotionDemotionLabels tests NormalizeGuardPolicy with promotion-label and demotion-label.
+func TestNormalizeGuardPolicyPromotionDemotionLabels(t *testing.T) {
+	t.Run("promotion-label round-trips through NormalizeGuardPolicy", func(t *testing.T) {
+		policy := &GuardPolicy{AllowOnly: &AllowOnlyPolicy{
+			Repos:          "public",
+			MinIntegrity:   "unapproved",
+			PromotionLabel: "agent-approved",
+		}}
+		got, err := NormalizeGuardPolicy(policy)
+		require.NoError(t, err)
+		assert.Equal(t, "agent-approved", got.PromotionLabel)
+		assert.Empty(t, got.DemotionLabel)
+	})
+
+	t.Run("demotion-label round-trips through NormalizeGuardPolicy", func(t *testing.T) {
+		policy := &GuardPolicy{AllowOnly: &AllowOnlyPolicy{
+			Repos:         "public",
+			MinIntegrity:  "unapproved",
+			DemotionLabel: "agent-blocked",
+		}}
+		got, err := NormalizeGuardPolicy(policy)
+		require.NoError(t, err)
+		assert.Equal(t, "agent-blocked", got.DemotionLabel)
+		assert.Empty(t, got.PromotionLabel)
+	})
+
+	t.Run("both labels set together", func(t *testing.T) {
+		policy := &GuardPolicy{AllowOnly: &AllowOnlyPolicy{
+			Repos:          "public",
+			MinIntegrity:   "unapproved",
+			PromotionLabel: "agent-approved",
+			DemotionLabel:  "agent-blocked",
+		}}
+		got, err := NormalizeGuardPolicy(policy)
+		require.NoError(t, err)
+		assert.Equal(t, "agent-approved", got.PromotionLabel)
+		assert.Equal(t, "agent-blocked", got.DemotionLabel)
+	})
+
+	t.Run("labels absent → normalized fields empty", func(t *testing.T) {
+		policy := &GuardPolicy{AllowOnly: &AllowOnlyPolicy{
+			Repos:        "public",
+			MinIntegrity: "none",
+		}}
+		got, err := NormalizeGuardPolicy(policy)
+		require.NoError(t, err)
+		assert.Empty(t, got.PromotionLabel)
+		assert.Empty(t, got.DemotionLabel)
+	})
+
+	t.Run("JSON round-trip with promotion-label and demotion-label", func(t *testing.T) {
+		original := AllowOnlyPolicy{
+			Repos:          "public",
+			MinIntegrity:   "unapproved",
+			PromotionLabel: "agent-approved",
+			DemotionLabel:  "agent-blocked",
+		}
+		data, err := json.Marshal(original)
+		require.NoError(t, err)
+
+		var got AllowOnlyPolicy
+		require.NoError(t, json.Unmarshal(data, &got))
+		assert.Equal(t, original.PromotionLabel, got.PromotionLabel)
+		assert.Equal(t, original.DemotionLabel, got.DemotionLabel)
+	})
+
+	t.Run("ParseGuardPolicyJSON accepts promotion-label and demotion-label", func(t *testing.T) {
+		jsonStr := `{"allow-only":{"repos":"public","min-integrity":"unapproved","promotion-label":"agent-approved","demotion-label":"agent-blocked"}}`
+		got, err := ParseGuardPolicyJSON(jsonStr)
+		require.NoError(t, err)
+		require.NotNil(t, got.AllowOnly)
+		assert.Equal(t, "agent-approved", got.AllowOnly.PromotionLabel)
+		assert.Equal(t, "agent-blocked", got.AllowOnly.DemotionLabel)
+	})
+}
diff --git a/internal/config/guard_policy_validation.go b/internal/config/guard_policy_validation.go
@@ -206,6 +206,14 @@ func NormalizeGuardPolicy(policy *GuardPolicy) (*NormalizedGuardPolicy, error) {
 		normalized.EndorserMinIntegrity = v
 	}
 
+	// Pass through promotion-label and demotion-label as-is (validated by Rust guard).
+	if v := strings.TrimSpace(policy.AllowOnly.PromotionLabel); v != "" {
+		normalized.PromotionLabel = v
+	}
+	if v := strings.TrimSpace(policy.AllowOnly.DemotionLabel); v != "" {
+		normalized.DemotionLabel = v
+	}
+
 	switch scope := policy.AllowOnly.Repos.(type) {
 	case string:
 		scopeValue := strings.ToLower(strings.TrimSpace(scope))
