From c6b1e64761513a614b81dff3a276c42c0582a7ca Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 17 May 2026 16:01:13 +0000
Subject: [PATCH 1/2] Initial plan


From 8b60cbed0e3d64213cdf6e0e8483065bd353d5d9 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 17 May 2026 16:09:53 +0000
Subject: [PATCH 2/2] Refactor noop guard fallback construction

---
 internal/server/guard_init.go | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/internal/server/guard_init.go b/internal/server/guard_init.go
index 949802efd..3c0c9464a 100644
--- a/internal/server/guard_init.go
+++ b/internal/server/guard_init.go
@@ -16,6 +16,10 @@ import (
 
 var logGuardInit = logger.New("server:guard_init")
 
+func newNoopGuard() guard.Guard {
+	return guard.NewNoopGuard()
+}
+
 // hasServerGuardPolicies reports whether any server in cfg has per-server guard policies
 // configured. This is used during DIFC auto-detection to enable enforcement when policies
 // are present even if no non-noop guard was registered (e.g., guard missing or failed to load).
@@ -77,7 +81,7 @@ func (us *UnifiedServer) registerGuard(serverID string) error {
 				g, err = us.createGuardFromConfig(guardName, guardCfg)
 				if err != nil {
 					logger.LogWarnToServer(serverID, "difc", "Failed to create guard '%s': %v (falling back to noop)", guardName, err)
-					g = guard.NewNoopGuard()
+					g = newNoopGuard()
 				}
 			} else {
 				// Guard name specified but no config found - try registered guard types
@@ -85,12 +89,12 @@ func (us *UnifiedServer) registerGuard(serverID string) error {
 				g, err = guard.CreateGuard(guardName)
 				if err != nil {
 					logger.LogWarnToServer(serverID, "difc", "Guard '%s' not found: %v (falling back to noop)", guardName, err)
-					g = guard.NewNoopGuard()
+					g = newNoopGuard()
 				}
 			}
 		} else {
 			// No guard configured - use noop
-			g = guard.NewNoopGuard()
+			g = newNoopGuard()
 		}
 	}
 
@@ -126,7 +130,7 @@ func (us *UnifiedServer) requireGuardPolicyIfGuardEnabled(serverID string, g gua
 		}
 
 		logger.LogWarnToServer(serverID, "difc", "Guard '%s' is available but no guard policy is set; falling back to noop guard", g.Name())
-		return guard.NewNoopGuard(), nil
+		return newNoopGuard(), nil
 	}
 
 	return g, nil
@@ -207,7 +211,7 @@ func (us *UnifiedServer) logWASMGuardsDirConfiguration() {
 func (us *UnifiedServer) createGuardFromConfig(name string, cfg *config.GuardConfig) (guard.Guard, error) {
 	switch cfg.Type {
 	case "noop", "":
-		return guard.NewNoopGuard(), nil
+		return newNoopGuard(), nil
 
 	case "wasm":
 		// WASM guard loading - requires path