Deduplicate guards-mode CLI completions with canonical DIFC mode list (#5244)

lpcox · web-flow · commit e1434fb4a6a7 · 2026-05-07T09:11:18.000-07:00
The CLI shell completions for `--guards-mode` redefined DIFC enforcement modes in multiple places instead of using the canonical list from `internal/difc`. That made completions easy to drift from the actual supported modes. - **Use the canonical DIFC mode list** - Replace hardcoded `[]string{"strict", "filter", "propagate"}` completions in: - `internal/cmd/flags.go` - `internal/cmd/proxy.go` - Wire both sites to `difc.ValidModes` - **Align completion tests with the shared source of truth** - Update the root command and proxy command completion tests to assert against `difc.ValidModes` instead of duplicating the mode literals again - **Result** - Adding or changing a DIFC enforcement mode in `internal/difc` now automatically updates shell completion behavior in both CLI entry points ```go cmd.RegisterFlagCompletionFunc("guards-mode", cobra.FixedCompletions( difc.ValidModes, cobra.ShellCompDirectiveNoFileComp)) ``` > [!WARNING] > > <details> > <summary>Firewall rules blocked me from connecting to one or more addresses (expand for details)</summary> > > #### I tried to connect to the following addresses, but was blocked by firewall rules: > > - `example.com` > - Triggering command: `/tmp/go-build4079301644/b509/launcher.test /tmp/go-build4079301644/b509/launcher.test -test.testlogfile=/tmp/go-build4079301644/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true /internal/httpcommon/ascii.go /internal/httpcommon/headermap.go x_amd64/vet --gdwarf-5 ct/protoregistry-atomic =0 x_amd64/vet swit�� g_.a 8049330/b150/ x_amd64/vet -dynout gr/logr/funcr p=/opt/hostedtoo-bool x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build80479181/b513/launcher.test /tmp/go-build80479181/b513/launcher.test -test.testlogfile=/tmp/go-build80479181/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build80479181/b506/vet.cfg /tmp/go-build3676587456/b093/vet.cfg -goversion x_amd64/compile -c=4 -nolocalimports -importcfg x_amd64/compile` (dns block) > - `invalid-host-that-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build4079301644/b491/config.test /tmp/go-build4079301644/b491/config.test -test.testlogfile=/tmp/go-build4079301644/b491/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 1.80.0/status/status.go om/tetratelabs/wazero@v1.11.0/internal/wasip1/clgoogle.golang.org/protobuf/internal/encoding/jso-atomic x_amd64/vet --gdwarf-5 ternal/engine/wa-unsafeptr=false -o x_amd64/vet 3MdK�� g_.a --debug-prefix-map x_amd64/vet abis binarylog -I x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build80479181/b495/config.test /tmp/go-build80479181/b495/config.test -test.testlogfile=/tmp/go-build80479181/b495/testlog.txt -test.paniconexit0 -test.timeout=10m0s 6587�� /tmp/go-build1708049330/b433/_pkg_.a .cfg 64/pkg/tool/linux_amd64/vet -p golang.org/x/net--norc -lang=go1.25 64/pkg/tool/linux_amd64/vet 6587�� HwxzEigtvtf4iKtLrGai/HwxzEigtvtf4iKtLrGai -goversion 64/pkg/tool/linux_amd64/vet -c=4 -nolocalimports -importcfg 64/pkg/tool/linuorigin` (dns block) > - `nonexistent.local` > - Triggering command: `/tmp/go-build4079301644/b509/launcher.test /tmp/go-build4079301644/b509/launcher.test -test.testlogfile=/tmp/go-build4079301644/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true /internal/httpcommon/ascii.go /internal/httpcommon/headermap.go x_amd64/vet --gdwarf-5 ct/protoregistry-atomic =0 x_amd64/vet swit�� g_.a 8049330/b150/ x_amd64/vet -dynout gr/logr/funcr p=/opt/hostedtoo-bool x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build80479181/b513/launcher.test /tmp/go-build80479181/b513/launcher.test -test.testlogfile=/tmp/go-build80479181/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build80479181/b506/vet.cfg /tmp/go-build3676587456/b093/vet.cfg -goversion x_amd64/compile -c=4 -nolocalimports -importcfg x_amd64/compile` (dns block) > - `slow.example.com` > - Triggering command: `/tmp/go-build4079301644/b509/launcher.test /tmp/go-build4079301644/b509/launcher.test -test.testlogfile=/tmp/go-build4079301644/b509/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true /internal/httpcommon/ascii.go /internal/httpcommon/headermap.go x_amd64/vet --gdwarf-5 ct/protoregistry-atomic =0 x_amd64/vet swit�� g_.a 8049330/b150/ x_amd64/vet -dynout gr/logr/funcr p=/opt/hostedtoo-bool x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build80479181/b513/launcher.test /tmp/go-build80479181/b513/launcher.test -test.testlogfile=/tmp/go-build80479181/b513/testlog.txt -test.paniconexit0 -test.timeout=10m0s /tmp/go-build80479181/b506/vet.cfg /tmp/go-build3676587456/b093/vet.cfg -goversion x_amd64/compile -c=4 -nolocalimports -importcfg x_amd64/compile` (dns block) > - `this-host-does-not-exist-12345.com` > - Triggering command: `/tmp/go-build4079301644/b518/mcp.test /tmp/go-build4079301644/b518/mcp.test -test.testlogfile=/tmp/go-build4079301644/b518/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true .cfg olang.org/grpc@v-ifaceassert x_amd64/vet _amd64.s --gdwarf2 --64 x_amd64/vet .cfg�� 8049330/b392/_pkg_.a -I x_amd64/vet --gdwarf-5 g/protobuf/inter/usr/bin/runc -o x_amd64/vet` (dns block) > - Triggering command: `/tmp/go-build80479181/b522/mcp.test /tmp/go-build80479181/b522/mcp.test -test.testlogfile=/tmp/go-build80479181/b522/testlog.txt -test.paniconexit0 -test.timeout=10m0s estl�� se .com/github/gh-aw-mcpg/sessions/b4704323-4863-49cd-8abb-630e0c2a0430 .cfg ppb/timestamp.pbrunc user.email ache/go/1.25.9/x-lang=go1.24 ache/go/1.25.9/x64/pkg/tool/linux_amd64/vet` (dns block) > > If you need me to access, download, or install something from one of these locations, you can either: > > - Configure [Actions setup steps](https://gh.io/copilot/actions-setup-steps) to set up my environment, which run before the firewall is enabled > - Add the appropriate URLs or hosts to the custom allowlist in this repository's [Copilot coding agent settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent) (admins only) > > </details>
diff --git a/internal/cmd/flags.go b/internal/cmd/flags.go
@@ -35,6 +35,7 @@
 package cmd
 
 import (
+	"github.com/github/gh-aw-mcpg/internal/difc"
 	"github.com/github/gh-aw-mcpg/internal/guard"
 	"github.com/spf13/cobra"
 )
@@ -76,7 +77,7 @@ func registerFlagCompletions(cmd *cobra.Command) {
 
 	// Enum completions for DIFC flags
 	cmd.RegisterFlagCompletionFunc("guards-mode", cobra.FixedCompletions(
-		[]string{"strict", "filter", "propagate"}, cobra.ShellCompDirectiveNoFileComp))
+		difc.ValidModes, cobra.ShellCompDirectiveNoFileComp))
 	cmd.RegisterFlagCompletionFunc("allowonly-min-integrity", cobra.FixedCompletions(
 		guard.AllowedIntegrityLevels, cobra.ShellCompDirectiveNoFileComp))
 
diff --git a/internal/cmd/flags_test.go b/internal/cmd/flags_test.go
@@ -4,6 +4,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/github/gh-aw-mcpg/internal/difc"
 	"github.com/github/gh-aw-mcpg/internal/guard"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
@@ -152,7 +153,7 @@ func TestRegisterFlagCompletions(t *testing.T) {
 		completions, directive := completionFn(cmd, nil, "")
 		assert.Equal(t, cobra.ShellCompDirectiveNoFileComp, directive,
 			"guards-mode flag should use NoFileComp directive")
-		assert.ElementsMatch(t, []string{"strict", "filter", "propagate"}, completions,
+		assert.ElementsMatch(t, difc.ValidModes, completions,
 			"guards-mode should complete with all valid mode values")
 	})
 
diff --git a/internal/cmd/proxy.go b/internal/cmd/proxy.go
@@ -13,6 +13,7 @@ import (
 	"syscall"
 
 	"github.com/github/gh-aw-mcpg/internal/config"
+	"github.com/github/gh-aw-mcpg/internal/difc"
 	"github.com/github/gh-aw-mcpg/internal/envutil"
 	"github.com/github/gh-aw-mcpg/internal/logger"
 	"github.com/github/gh-aw-mcpg/internal/proxy"
@@ -141,7 +142,7 @@ Local usage:
 
 	// Enum completions for proxy DIFC flag
 	cmd.RegisterFlagCompletionFunc("guards-mode", cobra.FixedCompletions(
-		[]string{"strict", "filter", "propagate"}, cobra.ShellCompDirectiveNoFileComp))
+		difc.ValidModes, cobra.ShellCompDirectiveNoFileComp))
 
 	return cmd
 }
diff --git a/internal/cmd/proxy_test.go b/internal/cmd/proxy_test.go
@@ -5,6 +5,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/github/gh-aw-mcpg/internal/difc"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -305,7 +306,7 @@ func TestNewProxyCmd_GuardsModeCompletion(t *testing.T) {
 
 	assert.Equal(t, cobra.ShellCompDirectiveNoFileComp, directive,
 		"guards-mode completion should use ShellCompDirectiveNoFileComp directive")
-	assert.ElementsMatch(t, []string{"strict", "filter", "propagate"}, completions,
+	assert.ElementsMatch(t, difc.ValidModes, completions,
 		"guards-mode completion should return all valid enforcement modes")
 }
 
