rust-guard: remove hot-path scope/integrity allocations via Cow<str> and zero-alloc rank matching

[Copilot]

✨ Enhancement

policy_scope_token and normalize_scope were allocating on common single-scope/fallthrough paths, and integrity_rank_normalized was allocating per integrity level just to compare labels. This change removes those avoidable allocations in the main integrity-labeling path while preserving existing label semantics.

What does this improve?

• Scope token + normalization fast path
  • policy_scope_token now returns Cow<'_, str>:
    • empty scopes → borrowed ""
    • single scope → borrowed scope label
    • multi-scope → owned joined token
  • normalize_scope now returns Cow<'a, str>, borrowing scope when no scoped replacement is needed instead of cloning.
• Integrity rank matching fast path
  • integrity_rank_normalized now uses label_matches_normalized(...) instead of constructing formatted labels for each rank.
  • Common non-multi-scope comparisons are allocation-free; multi-scope keeps canonical formatting fallback.
• Call-site/lifetime adjustment
  • In label_agent, scope token derivation was moved to read from ctx.scopes after context construction to satisfy borrowing with the new Cow-based flow.

Why is this valuable?

• Cuts repeated small heap allocations in per-item integrity computation (reader/writer/merged/none/max/cap paths), especially in the dominant single-scope case and rank comparisons.

Implementation approach:

• Introduced Cow return types for scope helpers and propagated usage through existing integrity builders without behavior changes.
• Added a non-allocating label predicate with rare-path fallback for multi-scope canonical formatting.
• Added focused helper tests for:
  • borrowed vs owned policy_scope_token behavior,
  • borrowed normalize_scope fallthrough behavior,
  • label_matches_normalized parity across empty/single/multi-scope forms.

pub(crate) fn policy_scope_token(scopes: &[PolicyScopeEntry]) -> Cow<'_, str> {
    let mut labels = scopes.iter().map(|s| s.scope_label.as_str()).filter(|s| !s.is_empty());
    match (labels.next(), labels.next()) {
        (None, _) => Cow::Borrowed(""),
        (Some(first), None) => Cow::Borrowed(first),
        (Some(first), Some(second)) => {
            let mut value = String::from(first);
            value.push_str(" | ");
            value.push_str(second);
            for rest in labels {
                value.push_str(" | ");
                value.push_str(rest);
            }
            Cow::Owned(value)
        }
    }
}

[Copilot]

Pull request overview

This PR reduces allocation overhead in the Rust guard labeling path by using Cow<str> for scope tokens/normalization and avoiding formatted label construction in common integrity rank comparisons.

Changes:

• Converts scope token and normalization helpers to return borrowed values when possible.
• Adds allocation-free integrity label matching for empty/single-scope cases.
• Updates label agent borrowing flow and adds focused helper tests.

Show a summary per file

File	Description
guards/github-guard/rust-guard/src/lib.rs	Moves scope token derivation after PolicyContext construction to support borrowing from context scopes.
guards/github-guard/rust-guard/src/labels/helpers.rs	Introduces Cow-based scope helpers, optimized rank matching, and tests for borrowing/matching behavior.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 1

[lpcox]

@copilot address review feedback

[Copilot]

@copilot address review feedback

Addressed in commit 1c36185.

I moved multi-scope handling out of the per-label predicate so canonical formatting is done once per rank and then compared across labels, and updated tests accordingly.