[Repo Assist] perf(rust-guard): eliminate ctx.clone() and use &'static str in NormalizedPolicy

[github-actions]

🤖 This PR was created by Repo Assist, an automated AI assistant.

Closes #4380

Root Cause

label_agent — the first FFI call on every gateway request — contained two unnecessary heap-allocation hotspots:

1. ctx.clone(): set_runtime_policy_context(ctx.clone()) deep-copied the entire PolicyContext (eight Vec/String fields) before the integrity match block used ctx with only shared borrows. The only reason for the clone was ordering: the call site set the global before computing integrity.

2. NormalizedPolicy owned Strings: scope_kind and min_integrity were stored as heap-allocated Strings even though both values are always compile-time constants (e.g. "All", "Composite", "none", "approved").

Changes

guards/github-guard/rust-guard/src/labels/helpers.rs

• Add ScopeKind::as_str() -> &'static str alongside the existing Display impl.
• Update Display::fmt to delegate to as_str(), eliminating the duplicated match arm.

guards/github-guard/rust-guard/src/lib.rs

• Reorder: compute integrity labels before set_runtime_policy_context. The integrity functions take &PolicyContext (shared borrows); they don't interact with the global. The global is only needed by label_resource / label_response, which are separate FFI calls made after label_agent returns. This reorder is semantically safe.
• Replace set_runtime_policy_context(ctx.clone()) with set_runtime_policy_context(ctx) (move, no clone).
• Change NormalizedPolicy.scope_kind and .min_integrity from String to &'static str.
• Change normalized_scope_kind() to return &'static str using ScopeKind::as_str().
• Remove .to_string() from integrity_floor.as_str().

Trade-offs

None. Both changes are zero-risk refactors: the semantics are identical, the types become more precise, and the allocations are eliminated.

Test Status

test result: ok. 322 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

All 322 Rust guard tests pass. No production behaviour was changed.

Warning

⚠️ Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Generated by Repo Assist · ● 5.9M · ◷

To install this agentic workflow, run

gh aw add githubnext/agentics/workflows/repo-assist.md@851905c06e905bf362a9f6cc54f912e3df747d55

[Copilot]

Pull request overview

This PR removes avoidable heap allocations in the Rust GitHub guard’s label_agent FFI entrypoint by (1) eliminating a deep PolicyContext clone and (2) representing normalized policy string fields as compile-time constants.

Changes:

• Reordered label_agent to compute integrity labels before setting the runtime global policy context, allowing PolicyContext to be moved instead of cloned.
• Changed NormalizedPolicy.scope_kind and NormalizedPolicy.min_integrity from String to &'static str to avoid per-call allocations.
• Added ScopeKind::as_str() and updated its Display implementation to reuse that canonical mapping.

Show a summary per file

File	Description
guards/github-guard/rust-guard/src/lib.rs	Removes ctx.clone() by reordering integrity computation and switches normalized policy fields to &'static str.
guards/github-guard/rust-guard/src/labels/helpers.rs	Adds ScopeKind::as_str() and updates Display to delegate to it (avoids duplication and allocations).

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 2/2 changed files
• Comments generated: 0