Refactor WASM guard detection placement and inline config validation log wrappers (#5774)

Semantic clustering surfaced two low-risk refactors: WASM guard
auto-detection lived in `cmd/proxy.go` instead of the WASM cache module,
and `config/validation.go` used one-line private logging wrappers that
obscured validation flow. This PR tightens cohesion in `internal/cmd`
and simplifies config validation control flow without behavior changes.

- **WASM setup cohesion (`internal/cmd`)**
- Moved `containerGuardWasmPath` and `detectGuardWasm()` from
`internal/cmd/proxy.go` to `internal/cmd/wasm_cache.go`.
- Kept `newProxyCmd()` behavior unchanged (`defaultGuard :=
detectGuardWasm()`), but colocated guard-path detection with other WASM
cache/bootstrap logic.

- **Validation flow simplification (`internal/config`)**
  - Removed private wrappers:
    - `logValidateServerStart`
    - `logValidateServerPassed`
    - `logValidateServerFailed`
- Inlined equivalent `logValidation.Printf(...)` calls at usage sites in
server/auth/containerization validation paths to make control flow
directly readable.

- **Illustrative change**
  ```go
  // before
logValidateServerFailed(name, server.Type, "HTTP server missing url
field")

  // after
  logValidation.Printf("Validation failed: %s, name=%s, type=%s",
      "HTTP server missing url field", name, server.Type)
  ```

Author: lpcox

internal/cmd/proxy.go

@@ -55,21 +55,6 @@ func init() {
 	rootCmd.AddCommand(newProxyCmd())
 }
 
-// containerGuardWasmPath is the baked-in guard path in the container image.
-const containerGuardWasmPath = "/guards/github/00-github-guard.wasm"
-
-// detectGuardWasm returns the baked-in container guard path if it exists,
-// or empty string if not found (requiring the user to specify --guard-wasm).
-func detectGuardWasm() string {
-	logProxyCmd.Printf("Checking for baked-in guard at %s", containerGuardWasmPath)
-	if _, err := os.Stat(containerGuardWasmPath); err == nil {
-		logProxyCmd.Printf("Auto-detected baked-in guard: %s", containerGuardWasmPath)
-		return containerGuardWasmPath
-	}
-	logProxyCmd.Print("Baked-in guard not found, --guard-wasm flag required")
-	return ""
-}
-
 func newProxyCmd() *cobra.Command {
 	defaultGuard := detectGuardWasm()
 	defaultProxyLogDir := envutil.GetEnvString("MCP_GATEWAY_LOG_DIR", config.DefaultLogDir)

internal/cmd/wasm_cache.go

@@ -12,6 +12,21 @@ import (
 	"github.com/github/gh-aw-mcpg/internal/guard"
 )
 
+// containerGuardWasmPath is the baked-in guard path in the container image.
+const containerGuardWasmPath = "/guards/github/00-github-guard.wasm"
+
+// detectGuardWasm returns the baked-in container guard path if it exists,
+// or empty string if not found (requiring the user to specify --guard-wasm).
+func detectGuardWasm() string {
+	debugLog.Printf("Checking for baked-in guard at %s", containerGuardWasmPath)
+	if _, err := os.Stat(containerGuardWasmPath); err == nil {
+		debugLog.Printf("Auto-detected baked-in guard: %s", containerGuardWasmPath)
+		return containerGuardWasmPath
+	}
+	debugLog.Print("Baked-in guard not found, --guard-wasm flag required")
+	return ""
+}
+
 func defaultWasmCacheDir(logDir string) string {
 	if logDir == "" {
 		return config.DefaultWasmCacheDirName

internal/config/validation.go

@@ -18,21 +18,6 @@ type ValidationError = rules.ValidationError
 
 var logValidation = logger.New("config:validation")
 
-// logValidateServerStart logs the beginning of server config validation.
-func logValidateServerStart(name, serverType string) {
-	logValidation.Printf("Validating server config: name=%s, type=%s", name, serverType)
-}
-
-// logValidateServerPassed logs a successful server config validation.
-func logValidateServerPassed(name, serverType string) {
-	logValidation.Printf("Server config validation passed: name=%s, type=%s", name, serverType)
-}
-
-// logValidateServerFailed logs a failed server config validation with the given reason.
-func logValidateServerFailed(name, serverType, reason string) {
-	logValidation.Printf("Validation failed: %s, name=%s, type=%s", reason, name, serverType)
-}
-
 // validateMounts validates mount specifications using centralized rules
 func validateMounts(mounts []string, jsonPath string) error {
 	for i, mount := range mounts {
@@ -45,7 +30,7 @@ func validateMounts(mounts []string, jsonPath string) error {
 
 // validateServerConfigWithCustomSchemas validates a server configuration with custom schema support
 func validateServerConfigWithCustomSchemas(name string, server *StdinServerConfig, customSchemas map[string]interface{}) error {
-	logValidateServerStart(name, server.Type)
+	logValidation.Printf("Validating server config: name=%s, type=%s", name, server.Type)
 	jsonPath := fmt.Sprintf("mcpServers.%s", name)
 
 	// Validate type (empty defaults to stdio)
@@ -74,7 +59,7 @@ func validateStandardServerConfig(name string, server *StdinServerConfig, jsonPa
 	// For stdio servers, container is required
 	if server.Type == "stdio" || server.Type == "local" {
 		if server.Container == "" {
-			logValidateServerFailed(name, server.Type, "stdio server missing container field")
+			logValidation.Printf("Validation failed: %s, name=%s, type=%s", "stdio server missing container field", name, server.Type)
 			return rules.MissingRequired("container", "stdio", jsonPath, "Add a 'container' field (e.g., \"ghcr.io/owner/image:tag\")")
 		}
 
@@ -95,11 +80,11 @@ func validateStandardServerConfig(name string, server *StdinServerConfig, jsonPa
 	// For HTTP servers, url is required and mounts are not allowed
 	if server.Type == "http" {
 		if server.URL == "" {
-			logValidateServerFailed(name, server.Type, "HTTP server missing url field")
+			logValidation.Printf("Validation failed: %s, name=%s, type=%s", "HTTP server missing url field", name, server.Type)
 			return rules.MissingRequired("url", "HTTP", jsonPath, "Add a 'url' field (e.g., \"https://example.com/mcp\")")
 		}
 		if len(server.Mounts) > 0 {
-			logValidateServerFailed(name, server.Type, "HTTP server has mounts field")
+			logValidation.Printf("Validation failed: %s, name=%s, type=%s", "HTTP server has mounts field", name, server.Type)
 			return rules.UnsupportedField("mounts", "mounts are only supported for stdio (containerized) servers", jsonPath, "Remove the 'mounts' field from HTTP server configuration; mounts only apply to stdio servers")
 		}
 
@@ -114,17 +99,17 @@ func validateStandardServerConfig(name string, server *StdinServerConfig, jsonPa
 	if server.ToolTimeout != nil && *server.ToolTimeout != 0 {
 		toolTimeoutField := server.toolTimeoutField()
 		if err := rules.TimeoutMinimum(*server.ToolTimeout, ToolTimeoutMin, toolTimeoutField, jsonPath+"."+toolTimeoutField); err != nil {
-			logValidateServerFailed(name, server.Type, fmt.Sprintf("%s %d is below minimum %d", toolTimeoutField, *server.ToolTimeout, ToolTimeoutMin))
+			logValidation.Printf("Validation failed: %s, name=%s, type=%s", fmt.Sprintf("%s %d is below minimum %d", toolTimeoutField, *server.ToolTimeout, ToolTimeoutMin), name, server.Type)
 			return err
 		}
 	}
 
 	if err := validateToolResponseFilters(server.ToolResponseFilters, jsonPath+".tool_response_filters"); err != nil {
-		logValidateServerFailed(name, server.Type, fmt.Sprintf("tool_response_filters invalid: %v", err))
+		logValidation.Printf("Validation failed: %s, name=%s, type=%s", fmt.Sprintf("tool_response_filters invalid: %v", err), name, server.Type)
 		return err
 	}
 
-	logValidateServerPassed(name, server.Type)
+	logValidation.Printf("Server config validation passed: name=%s, type=%s", name, server.Type)
 	return nil
 }
 
@@ -163,7 +148,7 @@ func validateServerAuth(auth *AuthConfig, serverType, name, jsonPath string) err
 		return nil
 	}
 	if serverType != "http" {
-		logValidateServerFailed(name, serverType, fmt.Sprintf("auth is set on non-HTTP server type: %s", serverType))
+		logValidation.Printf("Validation failed: %s, name=%s, type=%s", fmt.Sprintf("auth is set on non-HTTP server type: %s", serverType), name, serverType)
 		return rules.UnsupportedField(
 			"auth",
 			fmt.Sprintf("server type %q", serverType),
@@ -179,20 +164,20 @@ func validateAuthConfig(auth *AuthConfig, serverName, jsonPath string) error {
 	logValidation.Printf("Validating auth config: server=%s, type=%s", serverName, auth.Type)
 
 	if auth.Type == "" {
-		logValidateServerFailed(serverName, "http", "auth.type is empty")
+		logValidation.Printf("Validation failed: %s, name=%s, type=%s", "auth.type is empty", serverName, "http")
 		return rules.MissingRequired("type", "auth", authPath, "Specify the authentication type (currently only \"github-oidc\" is supported)")
 	}
 
 	if auth.Type != "github-oidc" {
-		logValidateServerFailed(serverName, "http", fmt.Sprintf("unsupported auth.type: %s", auth.Type))
+		logValidation.Printf("Validation failed: %s, name=%s, type=%s", fmt.Sprintf("unsupported auth.type: %s", auth.Type), serverName, "http")
 		return rules.UnsupportedType("type", auth.Type, authPath, fmt.Sprintf("Unsupported auth type %q. Currently only \"github-oidc\" is supported", auth.Type))
 	}
 
 	// Fail-fast: check that required OIDC environment variables are present.
 	// This catches misconfigurations at config-load time rather than deferring
 	// the error to the first request against this server.
 	if os.Getenv("ACTIONS_ID_TOKEN_REQUEST_URL") == "" {
-		logValidateServerFailed(serverName, "http", "ACTIONS_ID_TOKEN_REQUEST_URL is not set")
+		logValidation.Printf("Validation failed: %s, name=%s, type=%s", "ACTIONS_ID_TOKEN_REQUEST_URL is not set", serverName, "http")
 		return rules.MissingRequired(
 			"ACTIONS_ID_TOKEN_REQUEST_URL", "github-oidc", authPath,
 			oidc.ErrMissingOIDCEnvVar(serverName).Error())
@@ -461,7 +446,7 @@ func validateTOMLStdioContainerization(servers map[string]*ServerConfig) error {
 
 			// Check if command is Docker
 			if cfg.Command != "docker" {
-				logValidateServerFailed(name, "stdio", fmt.Sprintf("stdio server using non-Docker command, command=%s", cfg.Command))
+				logValidation.Printf("Validation failed: %s, name=%s, type=%s", fmt.Sprintf("stdio server using non-Docker command, command=%s", cfg.Command), name, "stdio")
 				return fmt.Errorf(
 					"server '%s': stdio servers must use containerized execution (command must be 'docker', got '%s'). "+
 						"This is required by MCP Gateway Specification Section 3.2.1 (Containerization Requirement). "+