From f6b631f74ec0beb9c8bf5ab2577bd3eefadda195 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 30 Apr 2026 05:22:22 +0000 Subject: [PATCH] Add debug logging to wasm_payload.go policy validation Add logWasm debug logging to key policy payload functions: - normalizePolicyPayload: log string policy parsing entry/result - buildStrictLabelAgentPayload: log validation entry and success with policy fields - BuildLabelAgentPayload: log trusted-bots/users injection counts Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- internal/guard/wasm_payload.go | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/internal/guard/wasm_payload.go b/internal/guard/wasm_payload.go index ac417f29..1c448f40 100644 --- a/internal/guard/wasm_payload.go +++ b/internal/guard/wasm_payload.go @@ -15,6 +15,7 @@ func normalizePolicyPayload(policy interface{}) (interface{}, error) { if policyString, ok := policy.(string); ok { trimmed := strings.TrimSpace(policyString) + logWasm.Printf("normalizePolicyPayload: received string policy, len=%d", len(trimmed)) if trimmed == "" { return nil, fmt.Errorf("policy string is empty") } @@ -26,18 +27,21 @@ func normalizePolicyPayload(policy interface{}) (interface{}, error) { switch parsed.(type) { case map[string]interface{}: + logWasm.Printf("normalizePolicyPayload: string policy parsed successfully as object") return parsed, nil default: return nil, fmt.Errorf("policy JSON must decode to an object") } } + logWasm.Printf("normalizePolicyPayload: received non-string policy, passing through") return policy, nil } // buildStrictLabelAgentPayload validates the normalised policy and returns a // map ready to be serialised as the label_agent input payload. func buildStrictLabelAgentPayload(policy interface{}) (map[string]interface{}, error) { + logWasm.Printf("buildStrictLabelAgentPayload: validating policy payload") if policy == nil { return nil, fmt.Errorf("invalid guard policy transport shape: expected {\"allow-only\":{\"repos\":...,\"min-integrity\":...}}") } @@ -219,6 +223,7 @@ func buildStrictLabelAgentPayload(policy interface{}) (map[string]interface{}, e } } + logWasm.Printf("buildStrictLabelAgentPayload: policy validated successfully, repos=%v, min-integrity=%v", reposRaw, integrityRaw) return payload, nil } @@ -228,6 +233,7 @@ func buildStrictLabelAgentPayload(policy interface{}) (map[string]interface{}, e // both trustedBots and trustedUsers are nil or empty, the returned payload contains only the // allow-only policy. func BuildLabelAgentPayload(policy interface{}, trustedBots []string, trustedUsers []string) interface{} { + logWasm.Printf("BuildLabelAgentPayload: trustedBots=%d, trustedUsers=%d", len(trustedBots), len(trustedUsers)) if len(trustedBots) == 0 && len(trustedUsers) == 0 { return policy } @@ -250,6 +256,7 @@ func BuildLabelAgentPayload(policy interface{}, trustedBots []string, trustedUse bots[i] = b } payload["trusted-bots"] = bots + logWasm.Printf("BuildLabelAgentPayload: injected %d trusted-bots into payload", len(trustedBots)) } if len(trustedUsers) > 0 { @@ -264,6 +271,7 @@ func BuildLabelAgentPayload(policy interface{}, trustedBots []string, trustedUse // Inject into allow-only object if present if allowOnly, ok := payload["allow-only"].(map[string]interface{}); ok { allowOnly["trusted-users"] = users + logWasm.Printf("BuildLabelAgentPayload: injected %d trusted-users into allow-only", len(trustedUsers)) } }