[test] Add tests for config.NormalizeGuardPolicy and guard policy helpers #1728

Draft
github-actions[bot] wants to merge 1 commit into main from test-coverage/guard-policy-unit-tests-35c0ecb1134b5c15
@github-actions
Contributor

Test Coverage Improvement: guard_policy.go functions

Function Analyzed

  • Package: internal/config
  • Primary function: NormalizeGuardPolicy
  • Supporting functions: isValidRepoScope, isValidRepoOwner, isValidRepoName, normalizeAndValidateScopeArray, isScopeTokenChar, ParseGuardPolicyJSON, ValidateGuardPolicy, GuardPolicy.UnmarshalJSON, AllowOnlyPolicy.UnmarshalJSON
  • Complexity: High — 8+ branches in NormalizeGuardPolicy, 10+ branches in isValidRepoScope, type-switch logic, boundary validation

Why This Function?

guard_policy.go contains the core security policy validation logic for DIFC guards. While config_difc_test.go and config_guardpolicies_test.go exercise these functions indirectly via LoadFromStdin()/LoadFromFile(), they do not directly unit-test the low-level helper functions. Many branches and edge cases were completely untested:

  • Uppercase letter rejection in owner/repo names (only lowercase allowed by isScopeTokenChar)
  • Boundary values for owner length (39 char limit) and repo name length (100 char limit)
  • Invalid wildcard patterns (wildcard in middle, multiple wildcards, wildcard at start)
  • Duplicate scope detection and sorted output in normalizeAndValidateScopeArray
  • Legacy "integrity" vs canonical "min-integrity" key in AllowOnlyPolicy.UnmarshalJSON
  • Case-insensitive and whitespace-trimming behaviour in NormalizeGuardPolicy
  • []string type path in NormalizeGuardPolicy (separate branch from []interface{})

Tests Added

New file: internal/config/guard_policy_test.go — 674 lines, 13 test functions

  • TestNormalizeGuardPolicy — 15 cases: nil policy, nil AllowOnly, string variants (all/public/invalid/casing/whitespace), []interface{} with sorting, []string type, empty array, duplicates, invalid min-integrity, type mismatch
  • TestIsValidRepoScope — 25 cases: all valid patterns (exact, wildcard, prefix-wildcard, special chars), all invalid patterns (no slash, three parts, leading/trailing slash, uppercase, dots, spaces, multiple wildcards, wildcard-in-middle)
  • TestIsValidRepoOwner — 13 cases: empty, single char, 39/40-char boundaries, valid character classes, invalid chars (uppercase, dot, space, @)
  • TestIsValidRepoName — 13 cases: empty, single char, 100/101-char boundaries, valid/invalid chars
  • TestNormalizeAndValidateScopeArray — 11 cases: empty array, non-string element, empty/whitespace strings, invalid pattern, duplicates, valid single, multiple with sort, wildcard patterns
  • TestGuardPolicyUnmarshalJSON — 5 cases: invalid JSON, unsupported field, missing allow-only, canonical key, legacy allowonly key
  • TestAllowOnlyPolicyUnmarshalJSON — 8 cases: invalid JSON, unsupported field, missing repos, missing min-integrity, whitespace-only min-integrity, canonical key, legacy integrity key, repos as array
  • TestGuardPolicyMarshalJSON — round-trip serialization with canonical allow-only key
  • TestAllowOnlyPolicyMarshalJSON — verifies min-integrity canonical key (not legacy integrity)
  • TestParseGuardPolicyJSONComprehensive — 7 cases: invalid JSON, invalid policy structures, valid policies with all integrity levels and legacy key
  • TestValidateGuardPolicy — nil, valid, invalid policy delegation
  • TestIsScopeTokenChar — all 36 valid chars + invalid chars (uppercase, dot, slash, space, symbols)

Generated by Test Coverage Improver
Target: internal/config.NormalizeGuardPolicy — highest complexity with incomplete branch coverage

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Test coverage improvements for NormalizeGuardPolicy and helpers:
- TestNormalizeGuardPolicy: nil policy, nil AllowOnly, all string types
  (all/public/invalid), []interface{}, []string, duplicates, invalid
  min-integrity, case-insensitive normalization, whitespace trimming
- TestIsValidRepoScope: all branch paths including exact match, wildcards,
  invalid patterns (uppercase, dots, spaces, multiple wildcards, etc.)
- TestIsValidRepoOwner: boundary values (empty, 1 char, 39/40 char limits),
  valid/invalid characters
- TestIsValidRepoName: boundary values (empty, 1 char, 100/101 char limits),
  valid/invalid characters
- TestNormalizeAndValidateScopeArray: empty array, non-string elements,
  empty/whitespace strings, invalid patterns, duplicates, sorted output
- TestGuardPolicyUnmarshalJSON: invalid JSON, unsupported fields, missing
  allow-only, canonical and legacy key forms
- TestAllowOnlyPolicyUnmarshalJSON: invalid JSON, unsupported fields,
  missing repos/min-integrity, legacy 'integrity' key, whitespace-only
- TestGuardPolicyMarshalJSON: round-trip serialization with canonical keys
- TestAllowOnlyPolicyMarshalJSON: verifies min-integrity key is used
- TestParseGuardPolicyJSONComprehensive: invalid JSON, invalid policy
  structures, valid policies with all integrity levels
- TestValidateGuardPolicy: nil, valid, invalid policy delegation
- TestIsScopeTokenChar: all valid and invalid character classes

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
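
The scope rules this pull request says it tests (lowercase-only tokens, the 39/100 length limits, trailing-only wildcards, duplicate rejection, sorted output) can be sketched as follows; this is an added example, not code from the pull request or from guard_policy.go. Assumptions: every function name is hypothetical, the 36-character alphabet is taken to be a-z and 0-9, and trimming plus fail-on-first-error behaviour are guesses at semantics the page does not spell out.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Assumed alphabet (36 chars) and the length limits named in the PR description.
const tokenChars = "abcdefghijklmnopqrstuvwxyz0123456789"
const maxOwnerLen, maxRepoLen = 39, 100

// tokenOK reports whether s is 1..max bytes drawn only from tokenChars.
func tokenOK(s string, max int) bool {
	return len(s) >= 1 && len(s) <= max && strings.Trim(s, tokenChars) == ""
}

// validScope accepts only owner/repo, owner/* and owner/prefix* (hypothetical helper).
func validScope(scope string) bool {
	parts := strings.Split(scope, "/")
	if len(parts) != 2 || !tokenOK(parts[0], maxOwnerLen) {
		return false
	}
	// One trailing '*' is stripped; a '*' anywhere else fails tokenOK.
	return parts[1] == "*" || tokenOK(strings.TrimSuffix(parts[1], "*"), maxRepoLen)
}

// normalizeScopes trims entries, fails closed on invalid or duplicate scopes, sorts.
func normalizeScopes(in []string) ([]string, error) {
	seen := map[string]bool{}
	out := []string{}
	for _, raw := range in {
		s := strings.TrimSpace(raw)
		if !validScope(s) || seen[s] {
			return nil, fmt.Errorf("invalid or duplicate repo scope %q", raw)
		}
		seen[s] = true
		out = append(out, s)
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	// Constructed inputs: one accepted list, one rejected for an uppercase owner.
	fmt.Println(normalizeScopes([]string{"octo/web*", " acme/api ", "acme/*"}))
	fmt.Println(normalizeScopes([]string{"Acme/api"}))
}
```

Rejecting uppercase outright rather than lowercasing it keeps the validator from silently widening an allow-list entry to something the policy author did not write.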