fix: move validateTrustedBots to validation.go and enforce on stdin path (#2217)

`validateTrustedBots` lived in `config_core.go` while all other
validation helpers live in `validation.go`. The stdin JSON path also
silently dropped `trustedBots: []` instead of rejecting it per spec
§4.1.3.4.

## Changes

- **`validation.go`**: Move `validateTrustedBots` here; call it from
`validateGatewayConfig` so the stdin path enforces the same constraint
as TOML
- **`config_core.go`**: Remove `validateTrustedBots` and unused
`strings` import
- **`config_stdin.go`**: Call `validateTrustedBots` in
`convertStdinConfig` when `TrustedBots != nil` (defense-in-depth);
restructured to eliminate redundant length check
- **`config_stdin_test.go`**: Update `"empty trustedBots not
propagated"` sub-test to expect an error
- **`config_test.go`**: Add `TestLoadFromStdin_WithEmptyTrustedBots`
covering the full `LoadFromStdin` path

Both config sources now consistently reject `trustedBots: []`:

```toml
# TOML — already rejected
[gateway]
trusted_bots = []  # → error: trusted_bots must be a non-empty array when present
```

```json
// JSON stdin — now also rejected
{
  "gateway": {
    "trustedBots": []
  }
}
// → error: minimum 1 items required (schema) / trusted_bots must be non-empty (custom validator)
```

<!-- START COPILOT CODING AGENT TIPS -->
---

⌨️ Start Copilot coding agent tasks without leaving your editor —
available in [VS Code](https://gh.io/cca-vs-code-docs), [Visual
Studio](https://gh.io/cca-visual-studio-docs), [JetBrains
IDEs](https://gh.io/cca-jetbrains-docs) and
[Eclipse](https://gh.io/cca-eclipse-docs).

Author: lpcox

internal/config/config_core.go

@@ -29,7 +29,6 @@ import (
 	"io"
 	"log"
 	"os"
-	"strings"
 
 	"github.com/BurntSushi/toml"
 	"github.com/github/gh-aw-mcpg/internal/logger"
@@ -283,23 +282,6 @@ func LoadFromFile(path string) (*Config, error) {
 	return &cfg, nil
 }
 
-// validateTrustedBots checks that the trusted_bots list conforms to spec §4.1.3.4:
-// when present, it must be a non-empty array of non-empty strings.
-func validateTrustedBots(bots []string) error {
-	if bots == nil {
-		return nil
-	}
-	if len(bots) == 0 {
-		return fmt.Errorf("trusted_bots must be a non-empty array when present (spec §4.1.3.4)")
-	}
-	for i, bot := range bots {
-		if strings.TrimSpace(bot) == "" {
-			return fmt.Errorf("trusted_bots[%d] must be a non-empty string", i)
-		}
-	}
-	return nil
-}
-
 // logger for config package
 var logConfig = log.New(io.Discard, "[CONFIG] ", log.LstdFlags)
 

internal/config/config_stdin.go

@@ -281,7 +281,10 @@ func convertStdinConfig(stdinCfg *StdinConfig) (*Config, error) {
 		if stdinCfg.Gateway.PayloadDir != "" {
 			cfg.Gateway.PayloadDir = stdinCfg.Gateway.PayloadDir
 		}
-		if len(stdinCfg.Gateway.TrustedBots) > 0 {
+		if stdinCfg.Gateway.TrustedBots != nil {
+			if err := validateTrustedBots(stdinCfg.Gateway.TrustedBots); err != nil {
+				return nil, err
+			}
 			cfg.Gateway.TrustedBots = stdinCfg.Gateway.TrustedBots
 		}
 	} else {

internal/config/config_stdin_test.go

@@ -988,18 +988,17 @@ func TestConvertStdinConfig_TrustedBots(t *testing.T) {
 		assert.Equal(t, []string{"copilot-swe-agent[bot]", "my-org-bot"}, cfg.Gateway.TrustedBots)
 	})
 
-	t.Run("empty trustedBots not propagated", func(t *testing.T) {
+	t.Run("empty trustedBots rejected per spec §4.1.3.4", func(t *testing.T) {
 		stdinCfg := &StdinConfig{
 			MCPServers: map[string]*StdinServerConfig{},
 			Gateway: &StdinGatewayConfig{
 				TrustedBots: []string{},
 			},
 		}
 
-		cfg, err := convertStdinConfig(stdinCfg)
-		require.NoError(t, err)
-		require.NotNil(t, cfg.Gateway)
-		assert.Nil(t, cfg.Gateway.TrustedBots)
+		_, err := convertStdinConfig(stdinCfg)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "trusted_bots must be a non-empty array when present")
 	})
 
 	t.Run("nil trustedBots not propagated", func(t *testing.T) {

internal/config/config_test.go

@@ -1738,3 +1738,38 @@ func TestLoadFromStdin_WithTrustedBots(t *testing.T) {
 
 	assert.Equal(t, []string{"github-actions[bot]", "copilot-swe-agent[bot]"}, cfg.Gateway.TrustedBots)
 }
+
+// TestLoadFromStdin_WithEmptyTrustedBots verifies JSON stdin parsing rejects trustedBots: [].
+// Covers spec §4.1.3.4 (trustedBots MUST be a non-empty array when present).
+func TestLoadFromStdin_WithEmptyTrustedBots(t *testing.T) {
+	stdinJSON := `{
+		"mcpServers": {
+			"test": {
+				"container": "test/container:latest",
+				"type": "stdio"
+			}
+		},
+		"gateway": {
+			"port": 8080,
+			"domain": "localhost",
+			"apiKey": "test-key",
+			"trustedBots": []
+		}
+	}`
+
+	oldStdin := os.Stdin
+	defer func() { os.Stdin = oldStdin }()
+
+	r, w, err := os.Pipe()
+	require.NoError(t, err)
+	os.Stdin = r
+
+	go func() {
+		defer w.Close()
+		_, _ = w.Write([]byte(stdinJSON))
+	}()
+
+	_, err = LoadFromStdin()
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "trustedBots")
+}

internal/config/validation.go

@@ -365,10 +365,32 @@ func validateGatewayConfig(gateway *StdinGatewayConfig) error {
 		}
 	}
 
+	// Validate trustedBots per spec §4.1.3.4: must be non-empty array when present
+	if err := validateTrustedBots(gateway.TrustedBots); err != nil {
+		return err
+	}
+
 	logValidation.Print("Gateway config validation passed")
 	return nil
 }
 
+// validateTrustedBots checks that the trusted_bots/trustedBots list conforms to spec §4.1.3.4:
+// when present, it must be a non-empty array of non-empty strings.
+func validateTrustedBots(bots []string) error {
+	if bots == nil {
+		return nil
+	}
+	if len(bots) == 0 {
+		return fmt.Errorf("trusted_bots must be a non-empty array when present (spec §4.1.3.4)")
+	}
+	for i, bot := range bots {
+		if strings.TrimSpace(bot) == "" {
+			return fmt.Errorf("trusted_bots[%d] must be a non-empty string", i)
+		}
+	}
+	return nil
+}
+
 // validateTOMLStdioContainerization validates that TOML stdio servers use Docker for containerization.
 // This enforces MCP Gateway Specification Section 3.2.1: "Stdio-based MCP servers MUST be containerized."
 func validateTOMLStdioContainerization(servers map[string]*ServerConfig) error {