fix(go-policy): make LoadFromYAML replace rules; add MergeFromYAML#2162

Merged
imran-siddique merged 1 commit into microsoft:main from aegis-initiative:fix/go-policy-loadfromyaml-replace on May 12, 2026

Conversation

@finnoybu
Contributor

Summary

PolicyEngine.LoadFromYAML appended to PolicyEngine.rules on every call. Reloading the same YAML on a config refresh doubled the rule set each time: harmless for first-match-wins evaluation but quietly inflating memory and per-evaluation cost on long-lived processes.

Change

  • LoadFromYAML(path) now replaces the engine's existing rules on success. On read or parse error the previous rule set is left intact, so a bad reload doesn't strip enforcement.
  • New MergeFromYAML(path) retains the previous additive behaviour for callers composing rules from multiple files.
  • Internal readPolicyRulesFromYAML helper factored out of both paths.
  • README and docs/tutorials/22-go-sdk.md updated to describe LoadFromYAML as a replace and to point callers at MergeFromYAML for the additive form.

Behaviour change

The previous LoadFromYAML is now MergeFromYAML — callers who relied on the additive behaviour need to switch to the new method. The previous form was undocumented as such outside of one tutorial sentence; the tutorial is updated in this PR.

Tests

go test ./... from agent-governance-golang/packages/agentmesh/ passes. New / renamed tests:

  • TestLoadFromYAMLReplacesExistingRules — rename of the previous additive test; now asserts replace semantics.
  • TestLoadFromYAMLReloadDoesNotDouble — load the same file three times; assert the rule count stays equal to the file's rule count (regression for the double-append bug).
  • TestLoadFromYAMLPreservesRulesOnError — read error and parse error both leave the existing rule set intact.
  • TestMergeFromYAMLAppendsToExistingRules — additive Merge variant.

Test plan

  • go test ./... passes from agent-governance-golang/packages/agentmesh/.
  • Three repeated LoadFromYAML calls produce the file's rule count (not 3 x).
  • Failed LoadFromYAML leaves the prior rules in place.
  • MergeFromYAML continues to append.

Surfaced during independent audit conducted by @finnoybu (Ken Tannenbaum, AEGIS Initiative); [LOW, Go].

LoadFromYAML appended to PolicyEngine.rules on every call. Reloading
the same YAML on a config refresh doubled the rule set each time:
harmless for first-match-wins evaluation but quietly inflating memory
and per-evaluation cost on long-lived processes.

Replace semantics is the natural reading of a "load" verb (treat the
file as the source of truth) and matches how YAML config reload is used
in practice. To preserve the additive form for callers composing rules
from multiple files, expose a new MergeFromYAML that retains the
previous append behaviour.

Behaviour changes for callers:

- LoadFromYAML(path) discards the engine's existing rules on success.
- On read or parse error LoadFromYAML leaves the existing rule set
  untouched, so a bad reload does not strip enforcement.
- MergeFromYAML(path) appends YAML rules to the existing rule set
  (the previous LoadFromYAML semantics).

Tests:

- TestLoadFromYAMLReplacesExistingRules — assert replace semantics
  (rename of the previous additive test).
- TestLoadFromYAMLReloadDoesNotDouble — load the same file three
  times, assert the rule count stays equal to the file's rule count.
- TestLoadFromYAMLPreservesRulesOnError — read error and parse error
  both leave the existing rule set intact.
- TestMergeFromYAMLAppendsToExistingRules — additive Merge variant.

Docs: README.md and docs/tutorials/22-go-sdk.md updated to describe
LoadFromYAML as a replace and to point callers at MergeFromYAML for
the additive form.

@github-actions
🤖 AI Agent: breaking-change-detector — API Compatibility

API Compatibility

| Severity | Change | Impact |
|---|---|---|
| Breaking | PolicyEngine.LoadFromYAML now replaces existing rules instead of appending them. | Existing users relying on the previous additive behavior must switch to MergeFromYAML. |
| Breaking | Removal of the previous additive behavior from PolicyEngine.LoadFromYAML. | Code relying on the undocumented additive behavior will break. |
| Non-Breaking | New PolicyEngine.MergeFromYAML method added. | Provides an alternative for users who need additive behavior. |

@github-actions
🤖 AI Agent: code-reviewer — View details

TL;DR: 1 blocker, 0 warnings. The change introduces a breaking change in the policy engine's behavior without sufficient backward compatibility measures.

| # | Sev | Issue | Where |
|---|---|---|---|
| 1 | CRITICAL | Breaking change in LoadFromYAML behavior not documented as such | README, policy.go |

Action items: Update documentation to clearly indicate that LoadFromYAML now replaces existing rules, and ensure that users are aware of the breaking change to avoid potential security bypasses.

Warnings: No warnings found. Fine as follow-up PRs.

@github-actions (bot) added the labels documentation (Improvements or additions to documentation) and size/M (Medium PR (< 200 lines)) on May 12, 2026

@github-actions
🤖 AI Agent: docs-sync-checker — Docs Sync

Docs Sync

  • MergeFromYAML() in policy.go -- missing docstring
  • README.md -- section on LoadFromYAML needs update
  • CHANGELOG -- missing entry for behavioral change in LoadFromYAML method

@github-actions
🤖 AI Agent: security-scanner — View details

No security issues found.

@github-actions
🤖 AI Agent: test-generator — `policy.go`

policy.go

  • TestLoadFromYAMLReloadDoesNotDouble -- verifies that reloading the same YAML file does not double the rule count.
  • TestLoadFromYAMLPreservesRulesOnError -- ensures existing rules remain intact when a read or parse error occurs.

policy_test.go

  • TestMergeFromYAMLAppendsToExistingRules -- checks that MergeFromYAML correctly appends new rules to the existing set.

@github-actions

🟡 Contributor Check: MEDIUM

| Check | Result |
|---|---|
| Profile | MEDIUM |
| Credential | NONE |
| Overall | MEDIUM |

Automated check by AGT Contributor Check.

@github-actions (bot) added the label needs-review:MEDIUM (Contributor check flagged MEDIUM risk) on May 12, 2026

@github-actions

PR Review Summary

| Check | Status | Details |
|---|---|---|
| 🔍 Code Review | ❌ Failed | Issues detected |
| 🛡️ Security Scan | ✅ Passed | No issues found |
| 🔄 Breaking Changes | ✅ Completed | Analysis complete |
| 📝 Docs Sync | ✅ Completed | Analysis complete |
| 🧪 Test Coverage | ✅ Completed | Analysis complete |

Verdict: ❌ Changes needed

@imran-siddique merged commit 4611c85 into microsoft:main on May 12, 2026
13 of 14 checks passed
MohammadHaroonAbuomar pushed a commit to MohammadHaroonAbuomar/agt-acs that referenced this pull request Jun 1, 2026