github · pelikhan · Jun 21, 2026 · Jun 21, 2026 · Jun 21, 2026 · Jun 21, 2026
diff --git a/pkg/agentdrain/mask.go b/pkg/agentdrain/mask.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/github/gh-aw/pkg/logger"
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/sliceutil"
 )
 
@@ -67,7 +68,7 @@ func FlattenEvent(evt AgentEvent, excludeFields []string) string {
 	}
 
 	keys := sliceutil.FilterMapKeys(evt.Fields, func(k string, _ string) bool {
-		return !hasStringKey(excluded, k)
+		return !setutil.Contains(excluded, k)
 	})
 	sort.Strings(keys)
 

diff --git a/pkg/agentdrain/seenmapbool_helpers.go b/pkg/agentdrain/seenmapbool_helpers.go
diff --git a/pkg/cli/access_log.go b/pkg/cli/access_log.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/github/gh-aw/pkg/console"
 	"github.com/github/gh-aw/pkg/logger"
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/stringutil"
 )
 
@@ -101,14 +102,14 @@ func parseSquidAccessLog(logPath string, verbose bool) (*DomainAnalysis, error)
 
 		if isAllowed {
 			analysis.AllowedCount++
-			if !hasStringKey(allowedDomainsSet, domain) {
+			if !setutil.Contains(allowedDomainsSet, domain) {
 				allowedDomainsSet[domain] = struct {
 				}{}
 				analysis.AllowedDomains = append(analysis.AllowedDomains, domain)
 			}
 		} else {
 			analysis.BlockedCount++
-			if !hasStringKey(blockedDomainsSet, domain) {
+			if !setutil.Contains(blockedDomainsSet, domain) {
 				blockedDomainsSet[domain] = struct {
 				}{}
 				analysis.BlockedDomains = append(analysis.BlockedDomains, domain)

diff --git a/pkg/cli/add_interactive_engine.go b/pkg/cli/add_interactive_engine.go
@@ -7,8 +7,10 @@ import (
 	"strings"
 
 	"charm.land/huh/v2"
+
 	"github.com/github/gh-aw/pkg/console"
 	"github.com/github/gh-aw/pkg/constants"
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/sliceutil"
 	"github.com/github/gh-aw/pkg/styles"
 	"github.com/github/gh-aw/pkg/workflow"
@@ -46,7 +48,7 @@ func (c *AddInteractiveConfig) selectAIEngineAndKey() error {
 		// Priority 1: Check existing repository secrets using EngineOptions
 		// This takes precedence over workflow preference since users should use what's already available
 		for _, opt := range constants.EngineOptions {
-			if hasStringKey(c.existingSecrets, opt.SecretName) {
+			if setutil.Contains(c.existingSecrets, opt.SecretName) {
 				defaultEngine = opt.Value
 				addInteractiveLog.Printf("Found existing secret %s, recommending engine: %s", opt.SecretName, opt.Value)
 				break
@@ -94,7 +96,7 @@ func (c *AddInteractiveConfig) selectAIEngineAndKey() error {
 		// Add markers for secret availability and workflow specification.
 		// opt may be nil for catalog engines not yet represented in EngineOptions;
 		// in that case we conservatively show '[no secret]'.
-		if opt != nil && hasStringKey(c.existingSecrets, opt.SecretName) {
+		if opt != nil && setutil.Contains(c.existingSecrets, opt.SecretName) {
 			label += " [secret exists]"
 		} else {
 			label += " [no secret]"

diff --git a/pkg/cli/codemod_engine_env_secrets.go b/pkg/cli/codemod_engine_env_secrets.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/github/gh-aw/pkg/logger"
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/sliceutil"
 	"github.com/github/gh-aw/pkg/workflow"
 )
@@ -133,7 +134,7 @@ func findUnsafeEngineEnvSecretKeys(envMap map[string]any, allowed map[string]str
 	unsafe := make(map[string]struct {
 	})
 	for key, value := range envMap {
-		if hasStringKey(allowed, key) {
+		if setutil.Contains(allowed, key) {
 			continue
 		}
 		strVal, ok := value.(string)
@@ -208,7 +209,7 @@ func removeUnsafeEngineEnvKeys(lines []string, unsafeKeys map[string]struct {
 
 		if inEnv && !removingKey && len(trimmed) > 0 && !strings.HasPrefix(trimmed, "#") && len(indent) > len(envIndent) {
 			key := parseYAMLMapKey(trimmed)
-			if key != "" && hasStringKey(unsafeKeys, key) {
+			if key != "" && setutil.Contains(unsafeKeys, key) {
 				modified = true
 				removingKey = true
 				removingKeyIndent = indent
@@ -288,7 +289,7 @@ func getTopLevelEnvSecretsGuidedErrorCodemod() Codemod {
 			seenExpressions := make(map[string]struct {
 			})
 			for _, expr := range secretExpressions {
-				if hasStringKey(seenExpressions, expr) {
+				if setutil.Contains(seenExpressions, expr) {
 					continue
 				}
 				seenExpressions[expr] = struct {

diff --git a/pkg/cli/codemod_safe_output_require_title_prefix.go b/pkg/cli/codemod_safe_output_require_title_prefix.go
@@ -4,6 +4,7 @@ import (
 	"strings"
 
 	"github.com/github/gh-aw/pkg/logger"
+	"github.com/github/gh-aw/pkg/setutil"
 )
 
 var safeOutputRequireTitlePrefixCodemodLog = logger.New("cli:codemod_safe_output_require_title_prefix")
@@ -140,7 +141,7 @@ func renameSafeOutputTitlePrefixConstraints(lines []string, handlersToRename map
 				continue
 			}
 			key := strings.TrimSuffix(trimmed, ":")
-			if hasStringKey(handlersToRename, key) {
+			if setutil.Contains(handlersToRename, key) {
 				activeHandler = key
 				activeHandlerIndent = indent
 				handlerChildIndent = ""

diff --git a/pkg/cli/codemod_steps_run_secrets_env.go b/pkg/cli/codemod_steps_run_secrets_env.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/github/gh-aw/pkg/logger"
+	"github.com/github/gh-aw/pkg/setutil"
 )
 
 var stepsRunSecretsEnvCodemodLog = logger.New("cli:codemod_steps_run_secrets_env")
@@ -247,7 +248,7 @@ func rewriteStepRunSecretsToEnv(stepLines []string, stepIndent string) ([]string
 					modified = true
 				}
 				for _, binding := range bindings {
-					if !hasStringKey(seen, binding.Name) {
+					if !setutil.Contains(seen, binding.Name) {
 						seen[binding.Name] = struct {
 						}{}
 						orderedBindings = append(orderedBindings, binding.Name)
@@ -264,7 +265,7 @@ func rewriteStepRunSecretsToEnv(stepLines []string, stepIndent string) ([]string
 			modified = true
 		}
 		for _, binding := range bindings {
-			if !hasStringKey(seen, binding.Name) {
+			if !setutil.Contains(seen, binding.Name) {
 				seen[binding.Name] = struct {
 				}{}
 				orderedBindings = append(orderedBindings, binding.Name)
@@ -281,7 +282,7 @@ func rewriteStepRunSecretsToEnv(stepLines []string, stepIndent string) ([]string
 
 	missingBindings := make([]string, 0, len(orderedBindings))
 	for _, name := range orderedBindings {
-		if !hasStringKey(existingEnvKeys, name) {
+		if !setutil.Contains(existingEnvKeys, name) {
 			missingBindings = append(missingBindings, name)
 		}
 	}
@@ -387,7 +388,7 @@ func replaceStepExpressionRefs(line string, shellIsPowerShell bool, existingBind
 		} else {
 			result.WriteString("$" + envName)
 		}
-		if !hasStringKey(registeredNames, envName) {
+		if !setutil.Contains(registeredNames, envName) {
 			registeredNames[envName] = struct {
 			}{}
 			ordered = append(ordered, stepExpressionBinding{

diff --git a/pkg/cli/compile_file_operations.go b/pkg/cli/compile_file_operations.go
@@ -40,6 +40,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/stringutil"
 
 	"github.com/github/gh-aw/pkg/console"
@@ -165,7 +166,7 @@ func compileModifiedFilesWithDependencies(ctx context.Context, compiler *workflo
 
 		// Add to unique set
 		for _, workflow := range affected {
-			if !hasStringKey(uniqueWorkflows, workflow) {
+			if !setutil.Contains(uniqueWorkflows, workflow) {
 				uniqueWorkflows[workflow] = struct {
 				}{}
 				workflowsToCompile = append(workflowsToCompile, workflow)

diff --git a/pkg/cli/compile_post_processing.go b/pkg/cli/compile_post_processing.go
@@ -43,6 +43,7 @@ import (
 
 	"github.com/github/gh-aw/pkg/console"
 	"github.com/github/gh-aw/pkg/logger"
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/workflow"
 )
 
@@ -176,7 +177,7 @@ func purgeOrphanedLockFiles(workflowsDir string, expectedLockFiles []string, ver
 		if strings.HasSuffix(existing, ".campaign.lock.yml") {
 			continue
 		}
-		if !hasStringKey(expectedLockFileSet, existing) {
+		if !setutil.Contains(expectedLockFileSet, existing) {
 			orphanedFiles = append(orphanedFiles, existing)
 		}
 	}

diff --git a/pkg/cli/compile_workflow_processor.go b/pkg/cli/compile_workflow_processor.go
@@ -30,6 +30,7 @@ import (
 
 	"github.com/github/gh-aw/pkg/console"
 	"github.com/github/gh-aw/pkg/logger"
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/stringutil"
 	"github.com/github/gh-aw/pkg/workflow"
 )
@@ -202,7 +203,7 @@ func extractSafeOutputLabels(data *workflow.WorkflowData) []string {
 	var labels []string
 
 	addLabel := func(label string) {
-		if label != "" && !hasStringKey(seen, label) {
+		if label != "" && !setutil.Contains(seen, label) {
 			seen[label] = struct {
 			}{}
 			labels = append(labels, label)

diff --git a/pkg/cli/dependency_graph.go b/pkg/cli/dependency_graph.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/github/gh-aw/pkg/logger"
 	"github.com/github/gh-aw/pkg/parser"
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/workflow"
 )
 
@@ -297,7 +298,7 @@ func (g *DependencyGraph) findAffectedTopLevelWorkflows(filePath string) []strin
 		// Get all workflows that import this file
 		importers := g.reverseImports[current]
 		for _, importer := range importers {
-			if hasStringKey(visited, importer) {
+			if setutil.Contains(visited, importer) {
 				continue
 			}
 			visited[importer] = struct {

diff --git a/pkg/cli/devcontainer.go b/pkg/cli/devcontainer.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/github/gh-aw/pkg/constants"
 	"github.com/github/gh-aw/pkg/fileutil"
+	"github.com/github/gh-aw/pkg/setutil"
 
 	"github.com/github/gh-aw/pkg/gitutil"
 	"github.com/github/gh-aw/pkg/logger"
@@ -289,7 +290,7 @@ func mergeExtensions(existing, toAdd []string) []string {
 
 	// Add existing extensions
 	for _, ext := range existing {
-		if !hasStringKey(extensionSet, ext) {
+		if !setutil.Contains(extensionSet, ext) {
 			extensionSet[ext] = struct {
 			}{}
 			result = append(result, ext)
@@ -298,7 +299,7 @@ func mergeExtensions(existing, toAdd []string) []string {
 
 	// Add new extensions if not already present
 	for _, ext := range toAdd {
-		if !hasStringKey(extensionSet, ext) {
+		if !setutil.Contains(extensionSet, ext) {
 			extensionSet[ext] = struct {
 			}{}
 			result = append(result, ext)

diff --git a/pkg/cli/drain3_integration.go b/pkg/cli/drain3_integration.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/github/gh-aw/pkg/agentdrain"
 	"github.com/github/gh-aw/pkg/logger"
+	"github.com/github/gh-aw/pkg/setutil"
 )
 
 var drain3Log = logger.New("cli:drain3_integration")
@@ -359,7 +360,7 @@ func buildAnomalyReasons(anomalies []struct {
 	})
 	for _, a := range anomalies {
 		r := fmt.Sprintf("stage=%s score=%.2f: %s", a.evt.Stage, a.report.AnomalyScore, a.report.Reason)
-		if !hasStringKey(seen, r) {
+		if !setutil.Contains(seen, r) {
 			reasons = append(reasons, r)
 			seen[r] = struct {
 			}{}

diff --git a/pkg/cli/enable.go b/pkg/cli/enable.go
@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"
 
+	"github.com/github/gh-aw/pkg/setutil"
 	"github.com/github/gh-aw/pkg/stringutil"
 
 	"github.com/github/gh-aw/pkg/console"
@@ -321,7 +322,7 @@ func DisableAllWorkflowsExcept(repoSlug string, exceptWorkflows []string, verbos
 		base := filepath.Base(yamlFile)
 
 		// Skip if it's in the keep-enabled set
-		if hasStringKey(keepEnabled, base) {
+		if setutil.Contains(keepEnabled, base) {
 			if verbose {
 				fmt.Fprintf(os.Stderr, "Keeping enabled: %s\n", base)
 			}
@@ -330,7 +331,7 @@ func DisableAllWorkflowsExcept(repoSlug string, exceptWorkflows []string, verbos
 
 		// Check if the base name without extension matches
 		nameWithoutExt := strings.TrimSuffix(base, filepath.Ext(base))
-		if hasStringKey(keepEnabled, nameWithoutExt) {
+		if setutil.Contains(keepEnabled, nameWithoutExt) {
 			if verbose {
 				fmt.Fprintf(os.Stderr, "Keeping enabled: %s\n", base)
 			}