refactor: address code review feedback

- Remove SessionIDFromContext != default coupling in getSessionID
- Drop now-unused log import from session.go
- Add comment explaining normalization-before-lock safety in LabelAgent

Agent-Logs-Url: https://github.com/github/gh-aw-mcpg/sessions/25cbb04b-116d-40aa-aea0-f59a319da6d5

Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>

Author: Copilot

internal/guard/wasm.go

@@ -628,6 +628,9 @@ func (g *WasmGuard) LabelAgent(ctx context.Context, policy interface{}, backend
 		return nil, fmt.Errorf("WASM guard does not export label_agent")
 	}
 
+	// Normalisation and payload-build operate only on the caller-supplied `policy`
+	// argument and do not access any g.* fields, so they are safe to run outside
+	// the lock that callWasmGuardFunction acquires.
 	normalizedPolicy, err := normalizePolicyPayload(policy)
 	if err != nil {
 		logWasm.Printf("LabelAgent normalizePolicyPayload failed: guard=%s, error=%v", g.name, err)

internal/server/session.go

@@ -3,7 +3,6 @@ package server
 import (
 	"context"
 	"fmt"
-	"log"
 	"os"
 	"path/filepath"
 	"time"
@@ -39,14 +38,7 @@ func SessionIDFromContext(ctx context.Context) string {
 // getSessionID extracts the MCP session ID from the context
 func (us *UnifiedServer) getSessionID(ctx context.Context) string {
 	sessionID := SessionIDFromContext(ctx)
-	if sessionID != "default" {
-		logSession.Printf("Extracted session ID from context: %s", auth.TruncateSessionID(sessionID))
-	} else {
-		// No session ID in context - this happens before the SDK assigns one
-		// For now, use "default" as a placeholder for single-client scenarios
-		// In production multi-agent scenarios, the SDK will provide session IDs after initialize
-		log.Printf("No session ID in context, using 'default' (this is normal before SDK session is established)")
-	}
+	logSession.Printf("Extracted session ID from context: %s", auth.TruncateSessionID(sessionID))
 	return sessionID
 }