cleanup: remove guard CLI flags, auto-detect DIFC from policies (#1723)

## Summary

Remove unnecessary guard CLI flags and simplify DIFC configuration.
Guards are now auto-enabled when an allow-only policy is detected — no
explicit flags needed.

## Flags Removed

| Flag | Env Var | Reason |
|------|---------|--------|
| `--enable-guards` | `MCP_GATEWAY_ENABLE_GUARDS` | Auto-detected from
policies |
| `--enable-config-extensions` | `MCP_GATEWAY_CONFIG_EXTENSIONS` |
Extension fields always accepted |
| `--session-secrecy` | `MCP_GATEWAY_SESSION_SECRECY` | Session labels
set by guards |
| `--session-integrity` | `MCP_GATEWAY_SESSION_INTEGRITY` | Session
labels set by guards |

## How DIFC Auto-Detection Works

After guard registration in `NewUnified()`, the gateway checks:
1. Does any server have a non-noop guard registered?
2. Is there a global guard policy override (`--guard-policy-json`)?
3. Does any server have per-server `guard-policies` configured?

If any condition is true, DIFC is automatically enabled. Otherwise, all
servers get noop guards and DIFC remains disabled.

## Other Changes

- Remove `EnableDIFC` field from `config.Config` and `SessionConfig`
struct
- Add `HasNonNoopGuard()` to `guard.Registry` for auto-detection
- Add `hasServerGuardPolicies()` helper to detect per-server guard
policies
- `requireGuardPolicyIfGuardEnabled()` now warns and falls back to noop
instead of fatal error
- Restore JSON schema validation in `LoadFromStdin`: extension fields
(`guards`, per-server `guard`) are stripped from a copy before
validation so spec-compliance is maintained while still accepting
gateway-specific extensions; unsupported fields like `command` are
properly rejected
- Fix flaky integration tests (hardcoded ports → dynamic
`getFreePort(t)`)
- Update guard-policies docs to canonical `allow-only` format
- Remove all references to removed flags from scripts and docs

## Testing

- `make agent-finished` passes (format, build, lint, unit + integration
tests)
- 24 files changed

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/github/gh-aw-mcpg/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

Author: lpcox

README.md

@@ -132,7 +132,7 @@ For the complete JSON configuration specification with all validation rules, see
         "EXPANDED_VAR": "${MY_HOME}/config"
       },
       "guard-policies": {
-        "github": {
+        "allow-only": {
           "repos": ["github/gh-aw-mcpg", "github/gh-aw"],
           "min-integrity": "unapproved"
         }
@@ -189,12 +189,21 @@ For the complete JSON configuration specification with all validation rules, see
 - **`url`** (required for http): HTTP endpoint URL for `type: "http"` servers
 
 - **`guard-policies`** (optional): Guard policies for access control at the MCP gateway level
-  - Structure is server-specific and depends on the MCP server implementation
+  - Uses the `"allow-only"` policy format to restrict which repositories a guard allows
   - For **GitHub MCP server**, controls repository access with the following structure:
+    ```json
+    "guard-policies": {
+      "allow-only": {
+        "repos": ["github/gh-aw-mcpg", "github/gh-aw"],
+        "min-integrity": "unapproved"
+      }
+    }
+    ```
+    TOML equivalent:
     ```toml
-    [servers.github.guard_policies.github]
-    repos = ["github/gh-aw-mcpg", "github/gh-aw"]  # Repository patterns
-    min-integrity = "unapproved"                    # Minimum integrity level
+    [servers.github.guard_policies.allow-only]
+    repos = ["github/gh-aw-mcpg", "github/gh-aw"]
+    min-integrity = "unapproved"
     ```
     - **`repos`**: Repository access scope
       - `"all"` - All repositories accessible by the token

config.example.toml

@@ -72,7 +72,7 @@ GITHUB_PERSONAL_ACCESS_TOKEN = ""  # Pass through from host
 # Optional: Guard policies for access control at the MCP gateway level
 # The structure is server-specific. For GitHub MCP server, this controls repository access.
 # Example: Restrict access to specific GitHub organization and repositories
-# [servers.github.guard_policies.github]
+# [servers.github.guard_policies.allow-only]
 # repos = ["github/gh-aw-mcpg", "github/gh-aw"]  # Exact repository patterns
 # min-integrity = "unapproved"                   # Minimum integrity level for GitHub changes:
 #                                                #   - none: allow any ref (branches, PRs, tags)
@@ -127,10 +127,10 @@ args = [
 # Advanced Options
 # ============================================================================
 
-# Enable Data Information Flow Control (DIFC) security model (default: false)
-# When enabled, enforces information flow control policies on tool calls
-# This is an experimental feature - keep disabled for standard MCP compatibility
-# enable_guards = false
+# Guards enforcement mode: strict, filter, or propagate (default: strict)
+# Guards are automatically enabled when an allow-only policy is detected
+# in the server configuration (guard-policies field)
+# guards_mode = "strict"
 
 # ============================================================================
 # Notes

guards/github-guard/docs/OVERVIEW.md

@@ -111,8 +111,6 @@ make test-copilot-public-only
 
 **Environment Variables**:
 ```bash
-MCP_GATEWAY_ENABLE_GUARDS=1
-MCP_GATEWAY_CONFIG_EXTENSIONS=1
 MCP_GATEWAY_GUARD_POLICY_JSON='{"allow-only":{"repos":"public","min-integrity": "none"}}'
 ```
 
@@ -131,8 +129,6 @@ make test-copilot-owner-only
 
 **Environment Variables**:
 ```bash
-MCP_GATEWAY_ENABLE_GUARDS=1
-MCP_GATEWAY_CONFIG_EXTENSIONS=1
 ALLOW_OWNER=lpcox
 MCP_GATEWAY_GUARD_POLICY_JSON='{"allow-only":{"repos":["lpcox/*"],"min-integrity": "none"}}'
 ```
@@ -152,8 +148,6 @@ make test-copilot-repo-only
 
 **Environment Variables**:
 ```bash
-MCP_GATEWAY_ENABLE_GUARDS=1
-MCP_GATEWAY_CONFIG_EXTENSIONS=1
 MCP_GATEWAY_GUARD_POLICY_JSON='{"allow-only":{"repos":["owner/repo"],"min-integrity": "none"}}'
 ```
 

guards/github-guard/scripts/run_copilot_test.sh

@@ -327,8 +327,6 @@ case "$MODE" in
     echo -e "${BLUE}Mode: all - Allow all repos with approved integrity floor${NC}"
     SERVER_GUARD_POLICIES_JSON="$ALLOW_ONLY_ALL_POLICY"
     DOCKER_ENV_ARGS+=(
-      -e MCP_GATEWAY_ENABLE_GUARDS=1
-      -e MCP_GATEWAY_CONFIG_EXTENSIONS=1
       -e DEBUG='server:unified,guard:wasm'
     )
     ;;
@@ -337,8 +335,6 @@ case "$MODE" in
         echo -e "${BLUE}Mode: public-only - Filtering private data (public repos only)${NC}"
       SERVER_GUARD_POLICIES_JSON="$ALLOW_ONLY_PUBLIC_POLICY"
         DOCKER_ENV_ARGS+=(
-            -e MCP_GATEWAY_ENABLE_GUARDS=1
-            -e MCP_GATEWAY_CONFIG_EXTENSIONS=1
             -e DEBUG='server:unified,guard:wasm'
         )
         ;;
@@ -347,8 +343,6 @@ case "$MODE" in
       echo -e "${BLUE}Mode: owner-only - Filtering data outside owner scope (${ALLOW_OWNER})${NC}"
       SERVER_GUARD_POLICIES_JSON="$ALLOW_ONLY_OWNER_POLICY"
       DOCKER_ENV_ARGS+=(
-        -e MCP_GATEWAY_ENABLE_GUARDS=1
-        -e MCP_GATEWAY_CONFIG_EXTENSIONS=1
         -e DEBUG='server:unified,guard:wasm'
       )
       ;;
@@ -357,8 +351,6 @@ case "$MODE" in
         echo -e "${BLUE}Mode: repo-only - Filtering data outside repo scope (${DIFC_SCOPE})${NC}"
       SERVER_GUARD_POLICIES_JSON="$ALLOW_ONLY_REPO_POLICY"
         DOCKER_ENV_ARGS+=(
-        -e MCP_GATEWAY_ENABLE_GUARDS=1
-        -e MCP_GATEWAY_CONFIG_EXTENSIONS=1
         -e DEBUG='server:unified,guard:wasm'
         )
         ;;
@@ -367,8 +359,6 @@ case "$MODE" in
         echo -e "${BLUE}Mode: prefix-only - Filtering data outside repo prefix scope (lpcox/git-*)${NC}"
         SERVER_GUARD_POLICIES_JSON="$ALLOW_ONLY_PREFIX_POLICY"
         DOCKER_ENV_ARGS+=(
-        -e MCP_GATEWAY_ENABLE_GUARDS=1
-        -e MCP_GATEWAY_CONFIG_EXTENSIONS=1
         -e DEBUG='server:unified,guard:wasm'
         )
         ;;
@@ -377,8 +367,6 @@ case "$MODE" in
         echo -e "${BLUE}Mode: multi-only - Filtering using multiple repo scopes (lpcox/git-* + lpcox/github-guard)${NC}"
         SERVER_GUARD_POLICIES_JSON="$ALLOW_ONLY_MULTI_POLICY"
         DOCKER_ENV_ARGS+=(
-        -e MCP_GATEWAY_ENABLE_GUARDS=1
-        -e MCP_GATEWAY_CONFIG_EXTENSIONS=1
         -e DEBUG='server:unified,guard:wasm'
         )
         ;;
@@ -472,8 +460,6 @@ ACTIVE_ALLOW_ONLY_POLICY=""
 # Add DIFC flags for non-yolo modes
 if [ "$MODE" != "yolo" ] && [ "$MODE" != "lockdown" ]; then
     GATEWAY_CLI_ARGS+=(
-        --enable-config-extensions
-        --enable-guards
     )
 
     # DIFC mode is guard-managed at runtime (do not set via CLI)

guards/github-guard/scripts/run_integration_tests.sh

@@ -155,10 +155,7 @@ echo ""
 
 GATEWAY_TEST_MODE="integration"
 GATEWAY_GUARDS_MODE="gateway-default"
-GATEWAY_CLI_ARGS=(
-    --enable-config-extensions
-    --enable-guards
-)
+GATEWAY_CLI_ARGS=()
 
 echo "Gateway runtime settings:"
 echo "  Test mode: $GATEWAY_TEST_MODE"
@@ -185,8 +182,6 @@ echo ""
     -e MCP_GATEWAY_DOMAIN=localhost \
     -e MCP_GATEWAY_API_KEY="$GATEWAY_API_KEY" \
     -e DOCKER_API_VERSION=1.44 \
-    -e MCP_GATEWAY_ENABLE_GUARDS=1 \
-    -e MCP_GATEWAY_CONFIG_EXTENSIONS=1 \
     -e MCP_GATEWAY_WASM_GUARDS_DIR="/guards" \
     -v /var/run/docker.sock:/var/run/docker.sock \
     -v "/tmp:/tmp:rw" \

internal/cmd/flags.go

@@ -32,7 +32,8 @@
 //	flags_logging.go  getDefaultPayloadDir()          → MCP_GATEWAY_PAYLOAD_DIR
 //	flags_logging.go  getDefaultPayloadPathPrefix()   → MCP_GATEWAY_PAYLOAD_PATH_PREFIX
 //	flags_logging.go  getDefaultPayloadSizeThreshold() → MCP_GATEWAY_PAYLOAD_SIZE_THRESHOLD
-//	flags_difc.go     getDefaultEnableDIFC()          → MCP_GATEWAY_ENABLE_GUARDS
+//	flags_difc.go     getDefaultDIFCMode()             → MCP_GATEWAY_GUARDS_MODE
+//	flags_difc.go     getDefaultDIFCSinkServerIDs()    → MCP_GATEWAY_GUARDS_SINK_SERVER_IDS
 //
 // This pattern is intentionally kept in individual feature files because:
 //   - Each helper names the specific environment variable it reads, making the

internal/cmd/flags_difc.go

@@ -13,19 +13,9 @@ import (
 	"github.com/spf13/cobra"
 )
 
-// DIFC flag defaults
-const (
-	defaultEnableDIFC       = false
-	defaultConfigExtensions = false
-)
-
 // DIFC flag variables
 var (
-	enableDIFC        bool
 	difcMode          string
-	enableConfigExt   bool   // Enable config extensions (guards, session labels)
-	sessionSecrecy    string // Comma-separated initial secrecy labels
-	sessionIntegrity  string // Comma-separated initial integrity labels
 	difcSinkServerIDs string // Comma-separated server IDs that should include DIFC tag snapshots in RPC JSONL logs
 	guardPolicyJSON   string
 	allowOnlyPublic   bool
@@ -36,12 +26,7 @@ var (
 
 func init() {
 	RegisterFlag(func(cmd *cobra.Command) {
-		cmd.Flags().BoolVar(&enableDIFC, "enable-guards", getDefaultEnableDIFC(), "Enable guards enforcement for information flow control")
-		cmd.Flags().MarkHidden("enable-guards")
 		cmd.Flags().StringVar(&difcMode, "guards-mode", getDefaultDIFCMode(), "Guards enforcement mode: strict (deny violations), filter (remove denied tools), or propagate (auto-adjust agent labels on reads)")
-		cmd.Flags().BoolVar(&enableConfigExt, "enable-config-extensions", getDefaultConfigExtensions(), "Enable config extensions (guards, session labels) - required for guards session label features")
-		cmd.Flags().StringVar(&sessionSecrecy, "session-secrecy", getDefaultSessionSecrecy(), "Comma-separated initial secrecy labels for agent sessions (requires --enable-config-extensions)")
-		cmd.Flags().StringVar(&sessionIntegrity, "session-integrity", getDefaultSessionIntegrity(), "Comma-separated initial integrity labels for agent sessions (requires --enable-config-extensions)")
 		cmd.Flags().StringVar(&difcSinkServerIDs, "guards-sink-server-ids", getDefaultDIFCSinkServerIDs(), "Comma-separated server IDs whose RPC JSONL logs should include agent secrecy/integrity tag snapshots")
 		cmd.Flags().StringVar(&guardPolicyJSON, "guard-policy-json", getDefaultGuardPolicyJSON(), "Guard policy JSON (e.g. {\"allow-only\":{\"repos\":\"public\",\"min-integrity\":\"none\"}})")
 		cmd.Flags().BoolVar(&allowOnlyPublic, "allowonly-scope-public", getDefaultAllowOnlyScopePublic(), "Use public AllowOnly scope")
@@ -51,12 +36,6 @@ func init() {
 	})
 }
 
-// getDefaultEnableDIFC returns the default guards setting, checking MCP_GATEWAY_ENABLE_GUARDS
-// environment variable first, then falling back to the hardcoded default (false)
-func getDefaultEnableDIFC() bool {
-	return envutil.GetEnvBool("MCP_GATEWAY_ENABLE_GUARDS", defaultEnableDIFC)
-}
-
 // getDefaultDIFCMode returns the default guards mode, checking MCP_GATEWAY_GUARDS_MODE
 // environment variable first, then falling back to the hardcoded default (strict)
 func getDefaultDIFCMode() string {
@@ -79,24 +58,6 @@ func isValidDIFCMode(mode string) bool {
 	return false
 }
 
-// getDefaultConfigExtensions returns the default config extensions setting,
-// checking MCP_GATEWAY_CONFIG_EXTENSIONS environment variable first
-func getDefaultConfigExtensions() bool {
-	return envutil.GetEnvBool("MCP_GATEWAY_CONFIG_EXTENSIONS", defaultConfigExtensions)
-}
-
-// getDefaultSessionSecrecy returns the default session secrecy labels from
-// MCP_GATEWAY_SESSION_SECRECY environment variable
-func getDefaultSessionSecrecy() string {
-	return os.Getenv("MCP_GATEWAY_SESSION_SECRECY")
-}
-
-// getDefaultSessionIntegrity returns the default session integrity labels from
-// MCP_GATEWAY_SESSION_INTEGRITY environment variable
-func getDefaultSessionIntegrity() string {
-	return os.Getenv("MCP_GATEWAY_SESSION_INTEGRITY")
-}
-
 func getDefaultDIFCSinkServerIDs() string {
 	return os.Getenv("MCP_GATEWAY_GUARDS_SINK_SERVER_IDS")
 }
@@ -192,22 +153,6 @@ func ValidateDIFCMode(mode string) error {
 	return nil
 }
 
-// parseSessionLabels parses a comma-separated string of labels into a slice
-func parseSessionLabels(labels string) []string {
-	if labels == "" {
-		return nil
-	}
-	parts := strings.Split(labels, ",")
-	result := make([]string, 0, len(parts))
-	for _, part := range parts {
-		trimmed := strings.TrimSpace(part)
-		if trimmed != "" {
-			result = append(result, trimmed)
-		}
-	}
-	return result
-}
-
 func parseDIFCSinkServerIDs(input string) ([]string, error) {
 	if strings.TrimSpace(input) == "" {
 		return nil, nil