Refactor: Consolidate scattered validation functions into domain-specific files (#8185)

Author: Copilot

pkg/workflow/firewall.go

@@ -1,7 +1,6 @@
 package workflow
 
 import (
-	"fmt"
 	"strings"
 
 	"github.com/githubnext/gh-aw/pkg/constants"
@@ -188,22 +187,3 @@ func getAWFImageTag(firewallConfig *FirewallConfig) string {
 	// Strip the 'v' prefix if present (AWF expects version without 'v' prefix)
 	return strings.TrimPrefix(version, "v")
 }
-
-// ValidateLogLevel validates that a firewall log-level value is one of the allowed enum values.
-// Valid values are: "debug", "info", "warn", "error".
-// Empty string is allowed as it defaults to "info" at runtime.
-// Returns an error if the log-level is invalid.
-func ValidateLogLevel(level string) error {
-	// Empty string is allowed (defaults to "info")
-	if level == "" {
-		return nil
-	}
-
-	valid := []string{"debug", "info", "warn", "error"}
-	for _, v := range valid {
-		if level == v {
-			return nil
-		}
-	}
-	return fmt.Errorf("invalid log-level '%s', must be one of: %v", level, valid)
-}

pkg/workflow/firewall_validation.go

@@ -0,0 +1,30 @@
+// Package workflow provides firewall validation functions for agentic workflow compilation.
+//
+// This file contains domain-specific validation functions for firewall configuration:
+//   - ValidateLogLevel() - Validates firewall log-level values
+//
+// These validation functions are organized in a dedicated file following the validation
+// architecture pattern where domain-specific validation belongs in domain validation files.
+// See validation.go for the complete validation architecture documentation.
+package workflow
+
+import "fmt"
+
+// ValidateLogLevel validates that a firewall log-level value is one of the allowed enum values.
+// Valid values are: "debug", "info", "warn", "error".
+// Empty string is allowed as it defaults to "info" at runtime.
+// Returns an error if the log-level is invalid.
+func ValidateLogLevel(level string) error {
+	// Empty string is allowed (defaults to "info")
+	if level == "" {
+		return nil
+	}
+
+	valid := []string{"debug", "info", "warn", "error"}
+	for _, v := range valid {
+		if level == v {
+			return nil
+		}
+	}
+	return fmt.Errorf("invalid log-level '%s', must be one of: %v", level, valid)
+}

pkg/workflow/gateway.go

@@ -69,21 +69,6 @@ func generateMCPGatewaySteps(workflowData *WorkflowData, mcpServersConfig map[st
 	return steps
 }
 
-// validateAndNormalizePort validates the port value and returns the normalized port or an error
-func validateAndNormalizePort(port int) (int, error) {
-	// If port is 0, use the default
-	if port == 0 {
-		return DefaultMCPGatewayPort, nil
-	}
-
-	// Validate port is in valid range (1-65535)
-	if err := validateIntRange(port, 1, 65535, "port"); err != nil {
-		return 0, err
-	}
-
-	return port, nil
-}
-
 // generateMCPGatewayStartStep generates the step that starts the MCP gateway
 func generateMCPGatewayStartStep(config *MCPGatewayRuntimeConfig, mcpServersConfig map[string]any) GitHubActionStep {
 	gatewayLog.Print("Generating MCP gateway start step")

pkg/workflow/gateway_validation.go

@@ -0,0 +1,24 @@
+// Package workflow provides gateway validation functions for agentic workflow compilation.
+//
+// This file contains domain-specific validation functions for MCP gateway configuration:
+//   - validateAndNormalizePort() - Validates and normalizes gateway port values
+//
+// These validation functions are organized in a dedicated file following the validation
+// architecture pattern where domain-specific validation belongs in domain validation files.
+// See validation.go for the complete validation architecture documentation.
+package workflow
+
+// validateAndNormalizePort validates the port value and returns the normalized port or an error
+func validateAndNormalizePort(port int) (int, error) {
+	// If port is 0, use the default
+	if port == 0 {
+		return DefaultMCPGatewayPort, nil
+	}
+
+	// Validate port is in valid range (1-65535)
+	if err := validateIntRange(port, 1, 65535, "port"); err != nil {
+		return 0, err
+	}
+
+	return port, nil
+}

pkg/workflow/sandbox.go

@@ -1,28 +1,21 @@
-// Package workflow provides sandbox configuration and validation for agentic workflows.
+// Package workflow provides sandbox configuration for agentic workflows.
 //
 // This file handles:
 //   - Sandbox type definitions (AWF, SRT)
 //   - Sandbox configuration structures and parsing
 //   - Sandbox runtime config generation
-//   - Domain-specific validation for sandbox configurations
 //
 // # Validation Functions
 //
-// This file contains domain-specific validation functions for sandbox configuration:
-//   - validateMountsSyntax() - Validates container mount syntax
-//   - validateSandboxConfig() - Validates complete sandbox configuration
-//
-// These validation functions are co-located with sandbox logic following the principle
-// that domain-specific validation belongs in domain files. See validation.go for the
-// validation architecture documentation.
+// Domain-specific validation functions for sandbox configuration are located in
+// sandbox_validation.go following the validation architecture pattern.
+// See validation.go for the validation architecture documentation.
 package workflow
 
 import (
 	"encoding/json"
 	"fmt"
-	"strings"
 
-	"github.com/githubnext/gh-aw/pkg/constants"
 	"github.com/githubnext/gh-aw/pkg/logger"
 )
 
@@ -245,101 +238,3 @@ func generateSRTConfigJSON(workflowData *WorkflowData) (string, error) {
 	sandboxLog.Printf("Generated SRT config: %s", string(jsonBytes))
 	return string(jsonBytes), nil
 }
-
-// validateMountsSyntax validates that mount strings follow the correct syntax
-// Expected format: "source:destination:mode" where mode is either "ro" or "rw"
-func validateMountsSyntax(mounts []string) error {
-	for i, mount := range mounts {
-		// Split the mount string by colons
-		parts := strings.Split(mount, ":")
-
-		// Must have exactly 3 parts: source, destination, mode
-		if len(parts) != 3 {
-			return fmt.Errorf("invalid mount syntax at index %d: '%s'. Expected format: 'source:destination:mode' (e.g., '/host/path:/container/path:ro')", i, mount)
-		}
-
-		source := parts[0]
-		dest := parts[1]
-		mode := parts[2]
-
-		// Validate that source and destination are not empty
-		if source == "" {
-			return fmt.Errorf("invalid mount at index %d: source path is empty in '%s'", i, mount)
-		}
-		if dest == "" {
-			return fmt.Errorf("invalid mount at index %d: destination path is empty in '%s'", i, mount)
-		}
-
-		// Validate mode is either "ro" or "rw"
-		if mode != "ro" && mode != "rw" {
-			return fmt.Errorf("invalid mount at index %d: mode must be 'ro' (read-only) or 'rw' (read-write), got '%s' in '%s'", i, mode, mount)
-		}
-
-		sandboxLog.Printf("Validated mount %d: source=%s, dest=%s, mode=%s", i, source, dest, mode)
-	}
-
-	return nil
-}
-
-// validateSandboxConfig validates the sandbox configuration
-// Returns an error if the configuration is invalid
-func validateSandboxConfig(workflowData *WorkflowData) error {
-	if workflowData == nil || workflowData.SandboxConfig == nil {
-		return nil // No sandbox config is valid
-	}
-
-	sandboxConfig := workflowData.SandboxConfig
-
-	// Validate mounts syntax if specified
-	agentConfig := getAgentConfig(workflowData)
-	if agentConfig != nil && len(agentConfig.Mounts) > 0 {
-		if err := validateMountsSyntax(agentConfig.Mounts); err != nil {
-			return err
-		}
-	}
-
-	// Validate that SRT is only used with Copilot engine
-	if isSRTEnabled(workflowData) {
-		// Check if the sandbox-runtime feature flag is enabled
-		if !isFeatureEnabled(constants.SandboxRuntimeFeatureFlag, workflowData) {
-			return fmt.Errorf("sandbox-runtime feature is experimental and requires the 'sandbox-runtime' feature flag to be enabled. Set 'features: { sandbox-runtime: true }' in frontmatter or set GH_AW_FEATURES=sandbox-runtime")
-		}
-
-		if workflowData.EngineConfig == nil || workflowData.EngineConfig.ID != "copilot" {
-			engineID := "none"
-			if workflowData.EngineConfig != nil {
-				engineID = workflowData.EngineConfig.ID
-			}
-			return fmt.Errorf("sandbox-runtime is only supported with Copilot engine (current engine: %s)", engineID)
-		}
-
-		// Check for mutual exclusivity with AWF
-		if workflowData.NetworkPermissions != nil && workflowData.NetworkPermissions.Firewall != nil && workflowData.NetworkPermissions.Firewall.Enabled {
-			return fmt.Errorf("sandbox-runtime and AWF firewall cannot be used together; please use either 'sandbox: sandbox-runtime' or 'network.firewall' but not both")
-		}
-	}
-
-	// Validate config structure if provided
-	if sandboxConfig.Config != nil {
-		if sandboxConfig.Type != SandboxTypeRuntime {
-			return fmt.Errorf("custom sandbox config can only be provided when type is 'sandbox-runtime'")
-		}
-	}
-
-	// Validate MCP gateway configuration
-	if sandboxConfig.MCP != nil {
-		mcpConfig := sandboxConfig.MCP
-
-		// Validate mutual exclusivity of command and container
-		if mcpConfig.Command != "" && mcpConfig.Container != "" {
-			return fmt.Errorf("sandbox.mcp: cannot specify both 'command' and 'container', use one or the other")
-		}
-
-		// Validate entrypointArgs is only used with container
-		if len(mcpConfig.EntrypointArgs) > 0 && mcpConfig.Container == "" {
-			return fmt.Errorf("sandbox.mcp: 'entrypointArgs' can only be used with 'container'")
-		}
-	}
-
-	return nil
-}

pkg/workflow/sandbox_validation.go

@@ -0,0 +1,118 @@
+// Package workflow provides sandbox validation functions for agentic workflow compilation.
+//
+// This file contains domain-specific validation functions for sandbox configuration:
+//   - validateMountsSyntax() - Validates container mount syntax
+//   - validateSandboxConfig() - Validates complete sandbox configuration
+//
+// These validation functions are organized in a dedicated file following the validation
+// architecture pattern where domain-specific validation belongs in domain validation files.
+// See validation.go for the complete validation architecture documentation.
+package workflow
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/githubnext/gh-aw/pkg/constants"
+	"github.com/githubnext/gh-aw/pkg/logger"
+)
+
+var sandboxValidationLog = logger.New("workflow:sandbox_validation")
+
+// validateMountsSyntax validates that mount strings follow the correct syntax
+// Expected format: "source:destination:mode" where mode is either "ro" or "rw"
+func validateMountsSyntax(mounts []string) error {
+	for i, mount := range mounts {
+		// Split the mount string by colons
+		parts := strings.Split(mount, ":")
+
+		// Must have exactly 3 parts: source, destination, mode
+		if len(parts) != 3 {
+			return fmt.Errorf("invalid mount syntax at index %d: '%s'. Expected format: 'source:destination:mode' (e.g., '/host/path:/container/path:ro')", i, mount)
+		}
+
+		source := parts[0]
+		dest := parts[1]
+		mode := parts[2]
+
+		// Validate that source and destination are not empty
+		if source == "" {
+			return fmt.Errorf("invalid mount at index %d: source path is empty in '%s'", i, mount)
+		}
+		if dest == "" {
+			return fmt.Errorf("invalid mount at index %d: destination path is empty in '%s'", i, mount)
+		}
+
+		// Validate mode is either "ro" or "rw"
+		if mode != "ro" && mode != "rw" {
+			return fmt.Errorf("invalid mount at index %d: mode must be 'ro' (read-only) or 'rw' (read-write), got '%s' in '%s'", i, mode, mount)
+		}
+
+		sandboxValidationLog.Printf("Validated mount %d: source=%s, dest=%s, mode=%s", i, source, dest, mode)
+	}
+
+	return nil
+}
+
+// validateSandboxConfig validates the sandbox configuration
+// Returns an error if the configuration is invalid
+func validateSandboxConfig(workflowData *WorkflowData) error {
+	if workflowData == nil || workflowData.SandboxConfig == nil {
+		return nil // No sandbox config is valid
+	}
+
+	sandboxConfig := workflowData.SandboxConfig
+
+	// Validate mounts syntax if specified
+	agentConfig := getAgentConfig(workflowData)
+	if agentConfig != nil && len(agentConfig.Mounts) > 0 {
+		if err := validateMountsSyntax(agentConfig.Mounts); err != nil {
+			return err
+		}
+	}
+
+	// Validate that SRT is only used with Copilot engine
+	if isSRTEnabled(workflowData) {
+		// Check if the sandbox-runtime feature flag is enabled
+		if !isFeatureEnabled(constants.SandboxRuntimeFeatureFlag, workflowData) {
+			return fmt.Errorf("sandbox-runtime feature is experimental and requires the 'sandbox-runtime' feature flag to be enabled. Set 'features: { sandbox-runtime: true }' in frontmatter or set GH_AW_FEATURES=sandbox-runtime")
+		}
+
+		if workflowData.EngineConfig == nil || workflowData.EngineConfig.ID != "copilot" {
+			engineID := "none"
+			if workflowData.EngineConfig != nil {
+				engineID = workflowData.EngineConfig.ID
+			}
+			return fmt.Errorf("sandbox-runtime is only supported with Copilot engine (current engine: %s)", engineID)
+		}
+
+		// Check for mutual exclusivity with AWF
+		if workflowData.NetworkPermissions != nil && workflowData.NetworkPermissions.Firewall != nil && workflowData.NetworkPermissions.Firewall.Enabled {
+			return fmt.Errorf("sandbox-runtime and AWF firewall cannot be used together; please use either 'sandbox: sandbox-runtime' or 'network.firewall' but not both")
+		}
+	}
+
+	// Validate config structure if provided
+	if sandboxConfig.Config != nil {
+		if sandboxConfig.Type != SandboxTypeRuntime {
+			return fmt.Errorf("custom sandbox config can only be provided when type is 'sandbox-runtime'")
+		}
+	}
+
+	// Validate MCP gateway configuration
+	if sandboxConfig.MCP != nil {
+		mcpConfig := sandboxConfig.MCP
+
+		// Validate mutual exclusivity of command and container
+		if mcpConfig.Command != "" && mcpConfig.Container != "" {
+			return fmt.Errorf("sandbox.mcp: cannot specify both 'command' and 'container', use one or the other")
+		}
+
+		// Validate entrypointArgs is only used with container
+		if len(mcpConfig.EntrypointArgs) > 0 && mcpConfig.Container == "" {
+			return fmt.Errorf("sandbox.mcp: 'entrypointArgs' can only be used with 'container'")
+		}
+	}
+
+	return nil
+}

pkg/workflow/validation.go

@@ -18,6 +18,9 @@
 //   - engine_validation.go: AI engine configuration validation
 //   - mcp_config_validation.go: MCP server configuration validation
 //   - template_validation.go: Template structure validation
+//   - firewall_validation.go: Firewall log-level validation
+//   - gateway_validation.go: Gateway port validation
+//   - sandbox_validation.go: Sandbox and mounts validation
 //
 // # When to Add New Validation
 //