feat(ai): consume the identity code in the GitHub write-guard (#13275)

Per @neo-gpt's #13277 review: the write-guard's getGitHubIdentityErrorCode now keys on the core's stable IdentityAssertionCode (generic code -> GITHUB_* mapping) instead of reason.includes(...) string-matching. This retires the fragile prose-matching that #13275 set out to fix, so the PR fully delivers the write-guard-adoption AC and the close-target no longer overclaims. The spec's fake assertExpectedIdentity seams now faithfully return the core's code. The exact GITHUB_* output taxonomy is preserved.

Author: tobiu

ai/mcp/server/github-workflow/toolService.mjs

@@ -12,7 +12,7 @@ import PullRequestService from '../../../services/github-workflow/PullRequestSer
 import RepositoryService  from '../../../services/github-workflow/RepositoryService.mjs';
 import ToolService        from '../../ToolService.mjs';
 import SyncService        from '../../../services/github-workflow/SyncService.mjs';
-import {assertExpectedIdentity as assertExpectedGitHubIdentity} from '../../../graph/assertExpectedIdentity.mjs';
+import {assertExpectedIdentity as assertExpectedGitHubIdentity, IdentityAssertionCode} from '../../../graph/assertExpectedIdentity.mjs';
 import RequestContextService from '../shared/services/RequestContextService.mjs';
 import config             from './config.mjs';
 
@@ -137,32 +137,25 @@ function normalizeGitHubIdentityLogin(identity) {
 }
 
 /**
- * @summary Maps the shared assertion reason into a stable write-boundary error code.
- * @param {String|null} reason Shared assertion reason.
+ * @summary Maps the shared assertion's stable {@link IdentityAssertionCode} into a write-boundary
+ * error code. Keys on the machine `code`, not the human-readable `reason` prose (which is free to
+ * reword); an unknown or absent code falls back to the generic assertion-failed code.
+ * @param {String} code The shared assertion's `code`.
  * @returns {String}
  */
-function getGitHubIdentityErrorCode(reason) {
-    if (!reason) {
-        return 'GITHUB_IDENTITY_ASSERTION_FAILED';
+function getGitHubIdentityErrorCode(code) {
+    switch (code) {
+        case IdentityAssertionCode.EXPECTED_UNMAPPABLE:
+            return 'GITHUB_IDENTITY_UNRESOLVED';
+        case IdentityAssertionCode.NO_AUTHED_LOGIN:
+            return 'GITHUB_VIEWER_UNRESOLVED';
+        case IdentityAssertionCode.MEMORY_CORE_MISMATCH:
+            return 'GITHUB_MEMORY_CORE_IDENTITY_MISMATCH';
+        case IdentityAssertionCode.LOGIN_MISMATCH:
+            return 'GITHUB_IDENTITY_MISMATCH';
+        default:
+            return 'GITHUB_IDENTITY_ASSERTION_FAILED';
     }
-
-    if (reason.includes('missing or unmappable')) {
-        return 'GITHUB_IDENTITY_UNRESOLVED';
-    }
-
-    if (reason.includes('no authed login')) {
-        return 'GITHUB_VIEWER_UNRESOLVED';
-    }
-
-    if (reason.includes('Memory-Core identity')) {
-        return 'GITHUB_MEMORY_CORE_IDENTITY_MISMATCH';
-    }
-
-    if (reason.includes('authed as')) {
-        return 'GITHUB_IDENTITY_MISMATCH';
-    }
-
-    return 'GITHUB_IDENTITY_ASSERTION_FAILED';
 }
 
 /**
@@ -176,7 +169,7 @@ function createGitHubIdentityError(assertion) {
 
     Object.assign(error, {
         ...assertion,
-        code: getGitHubIdentityErrorCode(assertion.reason)
+        code: getGitHubIdentityErrorCode(assertion.code)
     });
 
     return error;

test/playwright/unit/ai/services/github-workflow/toolService.spec.mjs

@@ -244,7 +244,8 @@ test.describe('Neo.ai.services.github-workflow.toolService — write identity gu
         }, {
             assertExpectedIdentity: async () => ({
                 ok    : true,
-                reason: null
+                reason: null,
+                code  : 'OK'
             })
         });
 
@@ -262,7 +263,8 @@ test.describe('Neo.ai.services.github-workflow.toolService — write identity gu
         }, {
             assertExpectedIdentity: async () => ({
                 ok    : false,
-                reason: 'identity drift: authed as neo-opus-ada, expected neo-gpt'
+                reason: 'identity drift: authed as neo-opus-ada, expected neo-gpt',
+                code  : 'LOGIN_MISMATCH'
             })
         });
 
@@ -280,7 +282,8 @@ test.describe('Neo.ai.services.github-workflow.toolService — write identity gu
         }, {
             assertExpectedIdentity: async () => ({
                 ok    : false,
-                reason: "identity drift: expected identity 'missing-agent' is missing or unmappable in identityRoots"
+                reason: "identity drift: expected identity 'missing-agent' is missing or unmappable in identityRoots",
+                code  : 'EXPECTED_UNMAPPABLE'
             })
         });
 
@@ -297,7 +300,8 @@ test.describe('Neo.ai.services.github-workflow.toolService — write identity gu
         }, {
             assertExpectedIdentity: async () => ({
                 ok    : false,
-                reason: 'identity drift: no authed login resolved, expected neo-gpt'
+                reason: 'identity drift: no authed login resolved, expected neo-gpt',
+                code  : 'NO_AUTHED_LOGIN'
             })
         });
 
@@ -318,7 +322,8 @@ test.describe('Neo.ai.services.github-workflow.toolService — write identity gu
         }, {
             assertExpectedIdentity: async () => ({
                 ok    : false,
-                reason: 'identity drift: authed as neo-opus-ada, expected neo-gpt'
+                reason: 'identity drift: authed as neo-opus-ada, expected neo-gpt',
+                code  : 'LOGIN_MISMATCH'
             })
         });