[Repo Assist] perf(rust-guard): add ORDER_LOW_TO_HIGH_PIPED const and direct tests for parse_integrity/scope_string (#5468)

🤖 *This PR was created by Repo Assist, an automated AI assistant.*

## Root Cause

`parse_integrity` in `lib.rs` built an error message string at runtime
via a 7-step iterator chain:
```rust
policy_integrity::ORDER_HIGH_TO_LOW
    .iter()
    .rev()
    .copied()
    .collect::<Vec<_>>()
    .join("|")
```
This allocates a temporary `Vec<&str>` and a heap `String` each time an
invalid `min-integrity` value is supplied, even though the result is the
compile-time constant `"none|unapproved|approved|merged"`.

Additionally, `parse_integrity` and `scope_string` had no direct unit
tests — they were only covered indirectly through integration tests,
leaving the error message text and None-fallback arms of `scope_string`
unverified.

## Changes

**`guards/github-guard/rust-guard/src/labels/constants.rs`**
- Added `ORDER_LOW_TO_HIGH_PIPED: &str =
"none|unapproved|approved|merged"` to the `policy_integrity` module — a
compile-time constant replacing the runtime chain.
- Added `order_low_to_high_piped_matches_order_high_to_low`: a
consistency test that derives the piped string from `ORDER_HIGH_TO_LOW`
at test time and asserts it equals `ORDER_LOW_TO_HIGH_PIPED`, preventing
silent drift if integrity levels are ever added or reordered.

**`guards/github-guard/rust-guard/src/lib.rs`**
- Replaced the 7-step iterator chain in `parse_integrity` with
`policy_integrity::ORDER_LOW_TO_HIGH_PIPED`.
- Added `parse_integrity_accepts_all_valid_values`: verifies all four
valid tokens are accepted.
- Added `parse_integrity_rejects_unknown_value`: verifies the error
message contains the full `ORDER_LOW_TO_HIGH_PIPED` constant string (not
just individual tokens), locking down the exact error message content.
- Added `scope_string_all_arms`: covers all 8 `ScopeKind` arms including
None-fallback cases for Owner/Repo/RepoPrefix.

## Test Status

**Rust tests**: ✅ 387/387 passed (`cargo test` in
`guards/github-guard/rust-guard/`)

**Go build/tests**: ⚠️ Infrastructure issue — `go 1.25.0` toolchain
download blocked by network firewall (`proxy.golang.org` forbidden). No
Go files were changed.




> [!WARNING]
>


> Generated by <a
href="https://github.com/github/gh-aw-mcpg/actions/runs/25673459949/agentic_workflow">Repo
Assist</a> · ● 2.2M · <a
href="https://github.com/search?q=repo%3Agithub%2Fgh-aw-mcpg+%22gh-aw-workflow-id%3A+repo-assist%22&type=pullrequests">◷</a>
>
> To install this <a
href="https://github.com/githubnext/agentics/blob/851905c06e905bf362a9f6cc54f912e3df747d55/workflows/repo-assist.md">agentic
workflow</a>, run
> ```
> gh aw add
githubnext/agentics@851905c
> ```

Author: lpcox

guards/github-guard/rust-guard/src/labels/constants.rs

@@ -29,6 +29,30 @@ pub mod policy_integrity {
     pub const MERGED: &str = "merged";
 
     pub const ORDER_HIGH_TO_LOW: [&str; 4] = [MERGED, APPROVED, UNAPPROVED, NONE];
+    /// Low-to-high order joined with `|`, ready for use in error messages.
+    pub const ORDER_LOW_TO_HIGH_PIPED: &str = "none|unapproved|approved|merged";
+}
+
+#[cfg(test)]
+mod tests {
+    use super::policy_integrity;
+
+    /// Ensures ORDER_LOW_TO_HIGH_PIPED stays in sync with ORDER_HIGH_TO_LOW.
+    /// If a new integrity level is added or reordered, this test will catch the drift.
+    #[test]
+    fn order_low_to_high_piped_matches_order_high_to_low() {
+        let derived: String = policy_integrity::ORDER_HIGH_TO_LOW
+            .iter()
+            .rev()
+            .copied()
+            .collect::<Vec<_>>()
+            .join("|");
+        assert_eq!(
+            derived,
+            policy_integrity::ORDER_LOW_TO_HIGH_PIPED,
+            "ORDER_LOW_TO_HIGH_PIPED is out of sync with ORDER_HIGH_TO_LOW"
+        );
+    }
 }
 
 /// Canonical *reserved* scope token strings used for baseline and integrity scoping.

guards/github-guard/rust-guard/src/lib.rs

@@ -443,12 +443,7 @@ fn parse_integrity(value: &str) -> Result<MinIntegrity, String> {
         policy_integrity::MERGED => Ok(MinIntegrity::Merged),
         _ => Err(format!(
             "AllowOnly.min-integrity must be one of {}",
-            policy_integrity::ORDER_HIGH_TO_LOW
-                .iter()
-                .rev()
-                .copied()
-                .collect::<Vec<_>>()
-                .join("|")
+            policy_integrity::ORDER_LOW_TO_HIGH_PIPED
         )),
     }
 }
@@ -1347,4 +1342,35 @@ mod tests {
         assert_eq!(preview.len(), 500);
         assert_eq!(preview.chars().count(), 250);
     }
+
+    #[test]
+    fn parse_integrity_accepts_all_valid_values() {
+        assert_eq!(parse_integrity("none"), Ok(MinIntegrity::None));
+        assert_eq!(parse_integrity("unapproved"), Ok(MinIntegrity::Unapproved));
+        assert_eq!(parse_integrity("approved"), Ok(MinIntegrity::Approved));
+        assert_eq!(parse_integrity("merged"), Ok(MinIntegrity::Merged));
+    }
+
+    #[test]
+    fn parse_integrity_rejects_unknown_value() {
+        let err = parse_integrity("superuser").expect_err("unknown value must be rejected");
+        assert!(err.contains("must be one of"), "error should describe constraint: {err}");
+        assert!(
+            err.contains(policy_integrity::ORDER_LOW_TO_HIGH_PIPED),
+            "error should contain the full valid-options string \"{}\": {err}",
+            policy_integrity::ORDER_LOW_TO_HIGH_PIPED
+        );
+    }
+
+    #[test]
+    fn scope_string_all_arms() {
+        assert_eq!(scope_string(ScopeKind::All, None, None), POLICY_SCOPE_ALL);
+        assert_eq!(scope_string(ScopeKind::Public, None, None), POLICY_SCOPE_PUBLIC);
+        assert_eq!(scope_string(ScopeKind::Owner, Some("octocat"), None), "octocat");
+        assert_eq!(scope_string(ScopeKind::Owner, None, None), "");
+        assert_eq!(scope_string(ScopeKind::Repo, Some("o"), Some("r")), "o/r");
+        assert_eq!(scope_string(ScopeKind::Repo, None, None), "");
+        assert_eq!(scope_string(ScopeKind::RepoPrefix, Some("o"), Some("pfx")), "o/pfx*");
+        assert_eq!(scope_string(ScopeKind::RepoPrefix, None, None), "");
+    }
 }