@github-actions (Contributor)

Summary

This PR adds debug logging to internal/difc/evaluator.go to improve troubleshooting of DIFC (Decentralized Information Flow Control) policy evaluation.

Changes Made

File Modified: internal/difc/evaluator.go (1 file, focused PR)

  1. Added logger infrastructure:

    • Import: github.com/githubnext/gh-aw-mcpg/internal/logger
    • Logger declaration: var log = logger.New("difc:evaluator")
  2. Added 9 logging calls:

    • Evaluate() - Log operation entry with operation type and resource description
    • evaluateRead() - Log read evaluation with agent secrecy/integrity labels
    • evaluateRead() - Log read denial for integrity check failures
    • evaluateRead() - Log read denial for secrecy check failures
    • evaluateRead() - Log read access allowed
    • evaluateWrite() - Log write evaluation with agent secrecy/integrity labels
    • evaluateWrite() - Log write denial for integrity check failures
    • evaluateWrite() - Log write denial for secrecy check failures
    • evaluateWrite() - Log write access allowed
    • FilterCollection() - Log collection filtering entry with operation and item count
    • FilterCollection() - Log filtering results with accessible/filtered/total counts

Why This File?

  • Contains critical security logic for DIFC policy evaluation
  • No existing logger (needed debug infrastructure)
  • Complex decision-making logic that benefits from execution tracing
  • Important for troubleshooting access control issues in production

Logging Guidelines Followed

  • Logger naming convention: difc:evaluator follows the pkg:filename pattern
  • No side effects: all log arguments are simple variables, no function calls
  • Meaningful context: includes operation type, resource description, agent labels, and tags
  • Both allow and deny: logs successful and failed access decisions
  • Project guidelines: follows the AGENTS.md debug logging standards

Testing

The changes preserve all existing behavior and only add debug logging:

  • No functional changes to DIFC evaluation logic
  • Logging is disabled by default (requires DEBUG=difc:* or DEBUG=*)
  • All log arguments are pre-computed values with no side effects

Debug Output Example

# Enable DIFC evaluator debug logging
DEBUG=difc:evaluator ./awmg --config config.toml

# Example output (when DIFC is enabled):
difc:evaluator Evaluating access: operation=read, resource=github-repository
difc:evaluator Evaluating read access: resource=github-repository, agentSecrecy=[public], agentIntegrity=[trusted]
difc:evaluator Read access allowed: resource=github-repository

Related

  • Part of ongoing effort to improve debug logging across the codebase
  • Follows the same pattern as existing loggers in server:handlers, launcher:launcher, config:config

AI generated by Go Logger Enhancement

Enhances internal/difc/evaluator.go with debug logging following project guidelines:

- Add logger.New("difc:evaluator") declaration
- Log evaluation entry points with operation and resource context
- Log read access decisions (allow/deny) with agent labels
- Log write access decisions (allow/deny) with agent labels
- Log collection filtering with accessible/filtered counts

The logging provides visibility into DIFC policy evaluation for troubleshooting
access control decisions without introducing side effects.
@github-actions github-actions bot added automation enhancement New feature or request labels Jan 22, 2026
@lpcox lpcox marked this pull request as ready for review January 22, 2026 15:52
@lpcox lpcox merged commit 6820a53 into main Jan 22, 2026
@lpcox lpcox deleted the go-logger-difc-evaluator-384940df4c53bd9d branch January 22, 2026 15:52
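As an added illustration (not the PR's code, and not the project's logger package, whose API this page does not show), the following self-contained Go sketch applies the guidelines the description lists to a DIFC read/write evaluator: a difc:evaluator logger that stays silent unless DEBUG selects it, both allow and deny decisions logged, and only pre-computed values passed as log arguments. The label-flow rule, the Labeled type and the logf helper are assumptions, not taken from the repository.

```go
package main

import (
	"fmt"
	"os"
)

// Label is a set of tags; the same type serves for secrecy and integrity labels.
type Label map[string]bool
func (l Label) subsetOf(o Label) bool {
	for t := range l {
		if !o[t] {
			return false
		}
	}
	return true
}

// Labeled is an agent or a resource carrying DIFC labels (assumed shape).
type Labeled struct {
	Name               string
	Secrecy, Integrity Label
}

// Assumed stand-in for the project's DEBUG-gated logger: silent unless DEBUG is "*", "difc:*" or "difc:evaluator".
var debugOn = map[string]bool{"*": true, "difc:*": true, "difc:evaluator": true}[os.Getenv("DEBUG")]
func logf(format string, args ...any) {
	if debugOn {
		fmt.Fprintf(os.Stderr, "difc:evaluator "+format+"\n", args...)
	}
}

// Evaluate applies the classic DIFC flow rule (assumed; the page does not state the project's rule):
// src->dst is allowed iff src.Secrecy ⊆ dst.Secrecy and dst.Integrity ⊆ src.Integrity. Reads flow resource->agent, writes agent->resource.
func Evaluate(op string, agent, res Labeled) bool {
	src, dst := res, agent
	if op == "write" {
		src, dst = agent, res
	}
	// Log arguments are plain values: no function calls, so no side effects.
	logf("Evaluating %s access: resource=%s, agentSecrecy=%v, agentIntegrity=%v", op, res.Name, agent.Secrecy, agent.Integrity)
	if !dst.Integrity.subsetOf(src.Integrity) {
		logf("%s access denied: resource=%s, reason=integrity", op, res.Name)
		return false
	}
	if !src.Secrecy.subsetOf(dst.Secrecy) {
		logf("%s access denied: resource=%s, reason=secrecy", op, res.Name)
		return false
	}
	logf("%s access allowed: resource=%s", op, res.Name)
	return true
}
```

Run with DEBUG=difc:* set to see the decision trace on stderr; with DEBUG unset the evaluator returns the same results silently.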