refactor: consolidate guard policy env var names into constants, replace os.Getenv with envutil (#5546)

## ✨ Enhancement

The five guard-policy env var names were duplicated as string literals
across `flags_difc.go` and `guard_policy_parse.go`, and
`guard_policy_parse.go` mixed raw `os.Getenv` calls with
`envutil.GetEnvBool` — inconsistent with the rest of the codebase.

**What does this improve?**
- Single source of truth for env var names — adding or renaming a
variable is a one-line change
- Consistent `envutil.GetEnvString/Bool` usage throughout guard policy
code

**Implementation approach:**

- **New `internal/config/guard_policy_env.go`** — five exported
constants:
  ```go
  const (
      EnvGuardPolicyJSON       = "MCP_GATEWAY_GUARD_POLICY_JSON"
      EnvAllowOnlyScopePublic  = "MCP_GATEWAY_ALLOWONLY_SCOPE_PUBLIC"
      EnvAllowOnlyScopeOwner   = "MCP_GATEWAY_ALLOWONLY_SCOPE_OWNER"
      EnvAllowOnlyScopeRepo    = "MCP_GATEWAY_ALLOWONLY_SCOPE_REPO"
      EnvAllowOnlyMinIntegrity = "MCP_GATEWAY_ALLOWONLY_MIN_INTEGRITY"
  )
  ```
- **`guard_policy_parse.go`** — replaced `os.Getenv(...)` with
`envutil.GetEnvString(Env..., "")`, replaced string literals with
constants, removed the `os` import
- **`flags_difc.go`** — replaced string literals with `config.EnvXxx`
constants

Author: lpcox

internal/cmd/flags_difc.go

@@ -7,6 +7,7 @@ import (
 	"os"
 	"strings"
 
+	"github.com/github/gh-aw-mcpg/internal/config"
 	"github.com/github/gh-aw-mcpg/internal/difc"
 	"github.com/github/gh-aw-mcpg/internal/envutil"
 	"github.com/github/gh-aw-mcpg/internal/strutil"
@@ -28,11 +29,11 @@ func init() {
 	RegisterFlag(func(cmd *cobra.Command) {
 		cmd.Flags().StringVar(&difcMode, "guards-mode", getDefaultDIFCMode(), "Guards enforcement mode: strict (deny violations), filter (remove denied tools), or propagate (auto-adjust agent labels on reads)")
 		cmd.Flags().StringVar(&difcSinkServerIDs, "guards-sink-server-ids", envutil.GetEnvString("MCP_GATEWAY_GUARDS_SINK_SERVER_IDS", ""), "Comma-separated server IDs whose RPC JSONL logs should include agent secrecy/integrity tag snapshots")
-		cmd.Flags().StringVar(&guardPolicyJSON, "guard-policy-json", envutil.GetEnvString("MCP_GATEWAY_GUARD_POLICY_JSON", ""), "Guard policy JSON (e.g. {\"allow-only\":{\"repos\":\"public\",\"min-integrity\":\"none\"}})")
-		cmd.Flags().BoolVar(&allowOnlyPublic, "allowonly-scope-public", envutil.GetEnvBool("MCP_GATEWAY_ALLOWONLY_SCOPE_PUBLIC", false), "Use public AllowOnly scope")
-		cmd.Flags().StringVar(&allowOnlyOwner, "allowonly-scope-owner", envutil.GetEnvString("MCP_GATEWAY_ALLOWONLY_SCOPE_OWNER", ""), "AllowOnly owner scope value")
-		cmd.Flags().StringVar(&allowOnlyRepo, "allowonly-scope-repo", envutil.GetEnvString("MCP_GATEWAY_ALLOWONLY_SCOPE_REPO", ""), "AllowOnly repo name (requires owner)")
-		cmd.Flags().StringVar(&allowOnlyMinInt, "allowonly-min-integrity", envutil.GetEnvString("MCP_GATEWAY_ALLOWONLY_MIN_INTEGRITY", ""), "AllowOnly integrity: none|unapproved|approved|merged")
+		cmd.Flags().StringVar(&guardPolicyJSON, "guard-policy-json", envutil.GetEnvString(config.EnvGuardPolicyJSON, ""), "Guard policy JSON (e.g. {\"allow-only\":{\"repos\":\"public\",\"min-integrity\":\"none\"}})")
+		cmd.Flags().BoolVar(&allowOnlyPublic, "allowonly-scope-public", envutil.GetEnvBool(config.EnvAllowOnlyScopePublic, false), "Use public AllowOnly scope")
+		cmd.Flags().StringVar(&allowOnlyOwner, "allowonly-scope-owner", envutil.GetEnvString(config.EnvAllowOnlyScopeOwner, ""), "AllowOnly owner scope value")
+		cmd.Flags().StringVar(&allowOnlyRepo, "allowonly-scope-repo", envutil.GetEnvString(config.EnvAllowOnlyScopeRepo, ""), "AllowOnly repo name (requires owner)")
+		cmd.Flags().StringVar(&allowOnlyMinInt, "allowonly-min-integrity", envutil.GetEnvString(config.EnvAllowOnlyMinIntegrity, ""), "AllowOnly integrity: none|unapproved|approved|merged")
 	})
 }
 

internal/config/guard_policy_env.go

@@ -0,0 +1,10 @@
+package config
+
+// Environment variable names for guard policy configuration.
+const (
+	EnvGuardPolicyJSON       = "MCP_GATEWAY_GUARD_POLICY_JSON"
+	EnvAllowOnlyScopePublic  = "MCP_GATEWAY_ALLOWONLY_SCOPE_PUBLIC"
+	EnvAllowOnlyScopeOwner   = "MCP_GATEWAY_ALLOWONLY_SCOPE_OWNER"
+	EnvAllowOnlyScopeRepo    = "MCP_GATEWAY_ALLOWONLY_SCOPE_REPO"
+	EnvAllowOnlyMinIntegrity = "MCP_GATEWAY_ALLOWONLY_MIN_INTEGRITY"
+)

internal/config/guard_policy_parse.go

@@ -224,25 +224,25 @@ func ResolveGuardPolicyOverride(
 		return policy, "cli", nil
 	}
 
-	if envPolicyJSON := strings.TrimSpace(os.Getenv("MCP_GATEWAY_GUARD_POLICY_JSON")); envPolicyJSON != "" {
+	if envPolicyJSON := strings.TrimSpace(envutil.GetEnvString(EnvGuardPolicyJSON, "")); envPolicyJSON != "" {
 		policy, err := ParseGuardPolicyJSON(envPolicyJSON)
 		if err != nil {
 			return nil, "", err
 		}
 		return policy, "env", nil
 	}
 
-	_, hasScopePublic := os.LookupEnv("MCP_GATEWAY_ALLOWONLY_SCOPE_PUBLIC")
-	_, hasScopeOwner := os.LookupEnv("MCP_GATEWAY_ALLOWONLY_SCOPE_OWNER")
-	_, hasScopeRepo := os.LookupEnv("MCP_GATEWAY_ALLOWONLY_SCOPE_REPO")
-	_, hasMinIntegrity := os.LookupEnv("MCP_GATEWAY_ALLOWONLY_MIN_INTEGRITY")
+	_, hasScopePublic := os.LookupEnv(EnvAllowOnlyScopePublic)
+	_, hasScopeOwner := os.LookupEnv(EnvAllowOnlyScopeOwner)
+	_, hasScopeRepo := os.LookupEnv(EnvAllowOnlyScopeRepo)
+	_, hasMinIntegrity := os.LookupEnv(EnvAllowOnlyMinIntegrity)
 
 	if hasScopePublic || hasScopeOwner || hasScopeRepo || hasMinIntegrity {
 		policy, err := BuildAllowOnlyPolicy(
-			envutil.GetEnvBool("MCP_GATEWAY_ALLOWONLY_SCOPE_PUBLIC", false),
-			os.Getenv("MCP_GATEWAY_ALLOWONLY_SCOPE_OWNER"),
-			os.Getenv("MCP_GATEWAY_ALLOWONLY_SCOPE_REPO"),
-			os.Getenv("MCP_GATEWAY_ALLOWONLY_MIN_INTEGRITY"),
+			envutil.GetEnvBool(EnvAllowOnlyScopePublic, false),
+			envutil.GetEnvString(EnvAllowOnlyScopeOwner, ""),
+			envutil.GetEnvString(EnvAllowOnlyScopeRepo, ""),
+			envutil.GetEnvString(EnvAllowOnlyMinIntegrity, ""),
 		)
 		if err != nil {
 			return nil, "", err