
Refactor generatePolicyManifest into composable policy section builders#5446

Merged
lpcox merged 2 commits into
mainfrom
copilot/refactor-generate-policy-manifest
Jun 23, 2026

Conversation

Copilot AI commented Jun 23, 2026


generatePolicyManifest() in src/squid/policy-manifest.ts had grown into a single 200+ line function that combined eight independent policy concerns in one control flow. This change decomposes policy assembly into focused section builders while preserving rule semantics and ordering in this security-sensitive path.

  • What changed

    • Extracted policy section construction into src/squid/policy-rules/section-builders.ts.
    • Kept src/squid/policy-manifest.ts as a thin orchestrator that:
      • parses domain config once,
      • initializes shared rule state (rules, order),
      • invokes section builders in canonical evaluation order.
  • Section builders introduced

    • addPortSafetyRules
    • addApiProxyAllowRules
    • addRawIpBlockRules
    • addDlpRules
    • addBlockedDomainRules
    • addProtocolAllowRules
    • addBothProtocolAllowRules
    • addDefaultDenyRule
  • Behavioral guarantees retained

    • No public API changes (generatePolicyManifest signature/output unchanged).
    • Rule IDs, ACL names, descriptions, and domain shaping remain consistent with prior behavior.
    • Rule ordering is preserved via a shared monotonic order counter.
  • Test updates

    • Added a focused regression assertion in src/squid/policy-manifest.test.ts to verify global sequential ordering across mixed sections and retained boundary rules (deny-unsafe-ports first, deny-default last).
```typescript
// Thin orchestrator in src/squid/policy-manifest.ts: the shared state holds the
// rule list and the monotonic order counter that every section builder appends through.
const state: PolicyRuleState = { rules: [], order: 0 };

// Builders run in canonical evaluation order; the boundary rules come from the
// first and last calls (deny-unsafe-ports, deny-default).
addPortSafetyRules(state);
addApiProxyAllowRules(state, apiProxyIp);
addRawIpBlockRules(state);
addDlpRules(state, enableDlp);
addBlockedDomainRules(state, blockedDomains);
addProtocolAllowRules(state, domainsByProto, patternsByProto);
addBothProtocolAllowRules(state, domainsByProto, patternsByProto);
addDefaultDenyRule(state);
```
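A minimal version of the shared-state pattern the description outlines, written here as an added example and not the project's own section-builders.ts: a PolicyRuleState, a single pushRule append path, three of the builders, the thin orchestrator, and the ordering check the new regression test asserts. The rule shape, the builder bodies, and the generatePolicyRules/hasCanonicalOrdering names are assumptions.

```typescript
// Added illustration; not the project's section-builders.ts. Only the names
// (PolicyRuleState, pushRule, add*Rules, deny-unsafe-ports, deny-default) follow
// the PR; the rule shape and builder bodies are assumptions.
interface PolicyRule {
  id: string;
  order: number;
  action: "allow" | "deny";
  description: string;
}

interface PolicyRuleState {
  rules: PolicyRule[];
  order: number; // monotonic counter shared by every section builder
}

// Single append path: order is assigned here and nowhere else, so no builder
// can hand-number a rule and silently reorder the proxy policy.
function pushRule(state: PolicyRuleState, rule: Omit<PolicyRule, "order">): void {
  state.rules.push({ ...rule, order: state.order++ });
}

function addPortSafetyRules(state: PolicyRuleState): void {
  pushRule(state, { id: "deny-unsafe-ports", action: "deny", description: "reject non-HTTP(S) ports" });
}

function addBlockedDomainRules(state: PolicyRuleState, blockedDomains: string[]): void {
  for (const domain of blockedDomains) {
    pushRule(state, { id: `deny-domain-${domain}`, action: "deny", description: `blocked domain ${domain}` });
  }
}

function addDefaultDenyRule(state: PolicyRuleState): void {
  pushRule(state, { id: "deny-default", action: "deny", description: "deny everything not allowed above" });
}

// Thin orchestrator: the call sequence is the canonical evaluation order.
function generatePolicyRules(blockedDomains: string[]): PolicyRule[] {
  const state: PolicyRuleState = { rules: [], order: 0 };
  addPortSafetyRules(state);
  addBlockedDomainRules(state, blockedDomains);
  addDefaultDenyRule(state);
  return state.rules;
}

// The regression assertion as a predicate: contiguous order values from 0, boundary rules first and last.
function hasCanonicalOrdering(rules: PolicyRule[]): boolean {
  const contiguous = rules.every((rule, i) => rule.order === i);
  return contiguous && rules[0]?.id === "deny-unsafe-ports" && rules[rules.length - 1]?.id === "deny-default";
}
```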

Copilot AI changed the title [WIP] Refactor generatePolicyManifest into section builders Refactor generatePolicyManifest into composable policy section builders Jun 23, 2026
Copilot AI requested a review from lpcox June 23, 2026 18:35
Copilot finished work on behalf of lpcox June 23, 2026 18:35
@lpcox lpcox marked this pull request as ready for review June 23, 2026 22:18
Copilot AI review requested due to automatic review settings June 23, 2026 22:18

Copilot AI left a comment


Pull request overview

Refactors Squid policy manifest generation by decomposing the previously large generatePolicyManifest() implementation into composable, ordered “section builder” functions, while keeping the manifest schema and rule semantics/order stable in this security-sensitive path.

Changes:

  • Added src/squid/policy-rules/section-builders.ts with focused helpers that append policy rules while maintaining a shared monotonic order.
  • Simplified src/squid/policy-manifest.ts into an orchestrator that parses domain config once and invokes builders in canonical evaluation order.
  • Added a regression test to assert contiguous global rule ordering and boundary rules (first/last) across mixed sections.
Summary per file:

  • src/squid/policy-rules/section-builders.ts: Introduces section-builder functions and shared PolicyRuleState/pushRule() to append rules with consistent ordering.
  • src/squid/policy-manifest.ts: Replaces inline rule construction with ordered calls to the new section builders; keeps output shape unchanged.
  • src/squid/policy-manifest.test.ts: Adds an assertion that rule order values are sequential across all emitted sections and that boundary rule IDs are preserved.

Copilot's findings


  • Files reviewed: 3/3 changed files
  • Comments generated: 0

@github-actions


✅ Copilot review passed with no inline comments.

@copilot Add the ready-for-aw label to this PR to trigger agentic CI smoke tests.

@github-actions

github-actions Bot commented Jun 23, 2026


🔑 Smoke Copilot PAT PAT auth validated. All systems operational. ✅

@github-actions

github-actions Bot commented Jun 23, 2026


Smoke Copilot BYOK completed. Copilot BYOK mode operational. 🔓

@github-actions

github-actions Bot commented Jun 23, 2026


Build Test Suite completed successfully!

@github-actions

github-actions Bot commented Jun 23, 2026


📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions


🚀 Security Guard has started processing this pull request

@github-actions

github-actions Bot commented Jun 23, 2026


Smoke Gemini completed. All facets verified. 💎

Smoke test complete. PASS.

@github-actions

github-actions Bot commented Jun 23, 2026


Chroot tests passed! Smoke Chroot - All security and functionality tests succeeded.

@github-actions

github-actions Bot commented Jun 23, 2026


✨ The prophecy is fulfilled... Smoke Codex has completed its mystical journey. The stars align. 🌟

@github-actions

github-actions Bot commented Jun 23, 2026


Contribution Check completed successfully!

Contribution guideline review complete: PR #5446 follows the applicable CONTRIBUTING.md requirements; no comment needed.

@github-actions

github-actions Bot commented Jun 23, 2026


🔌 Smoke Services — All services reachable! ✅

@github-actions

github-actions Bot commented Jun 23, 2026


Smoke Copilot BYOK AOAI (Entra) completed. Copilot AOAI BYOK (Entra) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 23, 2026


Smoke Copilot BYOK AOAI (api-key) completed. Copilot AOAI BYOK (api-key) mode operational. 🔓

@github-actions

github-actions Bot commented Jun 23, 2026


Smoke Claude passed

@github-actions

github-actions Bot commented Jun 23, 2026


📡 Smoke OTel Tracing completed. All tracing scenarios validated. ✅

@github-actions


🤖 Smoke Test Results

PR: Refactor generatePolicyManifest into composable policy section builders
Author: @Copilot | Assignees: @lpcox @Copilot

Test Result
GitHub MCP connectivity
GitHub.com HTTP connectivity ✅ 200
File write/read

Overall: PASS

📰 BREAKING: Report filed by Smoke Copilot

@github-actions


🔬 Smoke Test: Copilot PAT Auth — PASS

Test Result
GitHub MCP connectivity
GitHub.com HTTP (200)
File write/read

Overall: PASS · Auth mode: PAT (COPILOT_GITHUB_TOKEN)
CC @lpcox @Copilot

🔑 PAT report filed by Smoke Copilot PAT

@github-actions


Smoke Test: Claude Engine Validation

  • API status: ✅ PASS
  • gh check: ✅ PASS
  • File status: ✅ PASS

Overall result: PASS

Generated by Smoke Claude for issue #5446 · 37.7 AIC · ⊞ 3.1K ·

@github-actions


Smoke test:

  • ✅ chore: upgrade gh-aw to v0.81.0 and recompile workflows
  • ✅ refactor: extract buildAgentSecurityConfig from buildAgentService
  • ✅ GitHub query
  • ✅ Playwright title
  • ✅ file write/read
  • ✅ build
  • Overall: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • registry.npmjs.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "registry.npmjs.org"

See Network Configuration for more information.

🔮 The oracle has spoken through Smoke Codex

@github-actions


Chroot Version Comparison Results

Runtime | Host Version   | Chroot Version | Match?
Python  | Python 3.12.13 | Python 3.12.3  | ❌
Node.js | v24.16.0       | v22.22.3       | ❌
Go      | go1.22.12      | go1.22.12      | ✅

Overall: ❌ Not all versions match.

Go matches, but Python and Node.js differ between host and chroot environments.

Tested by Smoke Chroot

@github-actions


🏗️ Build Test Suite Results

Ecosystem Project Build/Install Tests Status
Bun elysia 1/1 passed ✅ PASS
Bun hono 1/1 passed ✅ PASS
C++ fmt N/A ✅ PASS
C++ json N/A ✅ PASS
Deno oak N/A 1/1 passed ✅ PASS
Deno std N/A 1/1 passed ✅ PASS
.NET hello-world N/A ✅ PASS
.NET json-parse N/A ✅ PASS
Go color passed ✅ PASS
Go env passed ✅ PASS
Go uuid passed ✅ PASS
Java gson 1/1 passed ✅ PASS
Java caffeine 1/1 passed ✅ PASS
Node.js clsx passed ✅ PASS
Node.js execa passed ✅ PASS
Node.js p-limit passed ✅ PASS
Rust fd 1/1 passed ✅ PASS
Rust zoxide 1/1 passed ✅ PASS

Overall: 8/8 ecosystems passed — ✅ PASS

Generated by Build Test Suite for issue #5446 · 32.1 AIC · ⊞ 7.7K ·

@github-actions


🔍 Smoke Test: API Proxy OpenTelemetry Tracing

Scenario Result Details
1. Module Loading otel.js loads successfully; exports startRequestSpan, setTokenAttributes, setBudgetAttributes, endSpan, endSpanError, shutdown, isEnabled + 7 internals
2. Test Suite 39/39 tests passed in otel.test.js (1.744s)
3. Env Var Forwarding api-proxy-service-config.ts forwards GH_AW_OTLP_ENDPOINTS, OTEL_EXPORTER_OTLP_ENDPOINT, OTEL_EXPORTER_OTLP_HEADERS, GITHUB_AW_OTEL_TRACE_ID, GITHUB_AW_OTEL_PARENT_SPAN_ID, OTEL_SERVICE_NAME
4. Token Tracker Integration onUsage callback exists in token-tracker-http.js (line 324); proxy-request.js calls otel.startRequestSpan(), setTokenAttributes(), endSpan()
5. OTEL Diagnostics Graceful degradation confirmed — no OTLP endpoint configured, falls back to FileSpanExporter (/var/log/api-proxy/otel.jsonl) with no errors

All scenarios pass. OTEL tracing integration is fully functional.

📡 OTel tracing validated by Smoke OTel Tracing

@github-actions


Smoke Test Results: Copilot BYOK (Direct Mode)

Test Result
GitHub MCP Connectivity
GitHub.com HTTP (code: 200)
File Write/Read
BYOK Inference Path

Mode: Direct BYOK (COPILOT_PROVIDER_API_KEY) → api-proxy sidecar → api.githubcopilot.com

Status: PASS

Cc: @lpcox @Copilot

🔑 BYOK report filed by Smoke Copilot BYOK

@github-actions


Smoke Test: GitHub Actions Services Connectivity

host.docker.internal resolves to 172.17.0.1 but service ports are unreachable (TCP timeout).

Check Result
Redis PING ❌ timeout (port 6379)
PostgreSQL pg_isready ❌ no response (port 5432)
PostgreSQL SELECT 1 ❌ no response (port 5432)

Overall: FAIL

🔌 Service connectivity validated by Smoke Services

@github-actions


@Copilot

  • test: fix failing npm test after gh-aw v0.81.0 recompile: ✅
  • Refactor generatePolicyManifest into composable policy section builders: ✅

Running in direct BYOK mode (AWF_AUTH_TYPE=github-oidc + AWF_AUTH_AZURE_* + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw) authenticated via Microsoft Entra

Overall: PASS

🪪 BYOK (AOAI Entra) report filed by Smoke Copilot BYOK AOAI (Entra)

@github-actions

  • chore: upgrade gh-aw to v0.81.0 and recompile workflows
  • refactor: extract buildAgentSecurityConfig from buildAgentService
    ✅ GitHub MCP Testing
    ✅ GitHub.com Connectivity
    ✅ File Writing Testing
    ✅ Bash Tool Testing

Overall status: PASS

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • localhost

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "localhost"

See Network Configuration for more information.

💎 Faceted by Smoke Gemini

@github-actions


PR titles tested:

  • test: fix failing npm test after gh-aw v0.81.0 recompile ✅
  • Refactor generatePolicyManifest into composable policy section builders ✅
    Connectivity: MCP ✅, github.com ✅, file I/O ✅, BYOK inference ✅
    Running in direct BYOK mode (COPILOT_PROVIDER_API_KEY + COPILOT_PROVIDER_BASE_URL) via api-proxy → Azure OpenAI (Foundry, o4-mini-aw)
    Overall: PASS
    @lpcox @Copilot

🔑 BYOK (AOAI api-key) report filed by Smoke Copilot BYOK AOAI (api-key)

@lpcox lpcox merged commit 10ab27e into main Jun 23, 2026
87 of 92 checks passed
@lpcox lpcox deleted the copilot/refactor-generate-policy-manifest branch June 23, 2026 22:46