refactor(difc): extract EvaluateCoarseAccess to eliminate duplicated Phase 2 logic

[Copilot]

The DIFC Phase 2 coarse-grained check block (Evaluate → IsAllowed → ShouldBypassCoarseDeny → handle denial) was duplicated across internal/server/unified.go and internal/proxy/handler.go, with the proxy version already diverging (missing FormatViolationError and RecordError).

Changes

• internal/difc/pipeline_decisions.go — New CoarseCheckOutcome type (CoarseAllowed / CoarseBypassForRead / CoarseDenied) and EvaluateCoarseAccess helper that encapsulates the full Phase 2 decision; returns the typed outcome plus the raw EvaluationResult so each caller can format its own denial response (MCP error vs HTTP 403)

• internal/server/unified.go and internal/proxy/handler.go — Replace their local Evaluate + nested-if blocks with a switch on EvaluateCoarseAccess

• internal/difc/pipeline_decisions_test.go — TestEvaluateCoarseAccess covering all three outcomes

// Before (duplicated in two places, already diverged):
result := evaluator.Evaluate(agentLabels.Secrecy, agentLabels.Integrity, resource, operation)
if !result.IsAllowed() {
    if difc.ShouldBypassCoarseDeny(operation) { /* log + continue */ } else { /* block */ }
}

// After (shared decision, caller-specific response):
coarseOutcome, result := difc.EvaluateCoarseAccess(evaluator, agentLabels.Secrecy, agentLabels.Integrity, resource, operation)
switch coarseOutcome {
case difc.CoarseAllowed:      // log allowed
case difc.CoarseBypassForRead: // log + continue to Phase 3
case difc.CoarseDenied:        // caller-specific block response
}

[lpcox]

@copilot fix the failing ci checks https://github.com/github/gh-aw-mcpg/actions/runs/26587229951/job/78336399208?pr=6639 https://github.com/github/gh-aw-mcpg/actions/runs/26587229951/job/78336399091?pr=6639

[Copilot]

Pull request overview

Extracts the duplicated DIFC Phase 2 coarse-grained access check logic from internal/server/unified.go and internal/proxy/handler.go into a single shared helper EvaluateCoarseAccess in internal/difc/pipeline_decisions.go, returning a typed CoarseCheckOutcome so each caller still formats its own denial response (MCP error vs HTTP 403). This reduces drift between the server and proxy pipelines (the proxy version was already missing FormatViolationError / span error recording).

Changes:

• Add CoarseCheckOutcome enum and EvaluateCoarseAccess helper centralizing Evaluate + ShouldBypassCoarseDeny.
• Replace duplicated Phase 2 if/else blocks in unified.go and proxy/handler.go with a typed switch on the new outcome.
• Add TestEvaluateCoarseAccess covering allowed/bypass-for-read/denied-write/denied-readwrite outcomes.

Show a summary per file

File	Description
internal/difc/pipeline_decisions.go	Introduces CoarseCheckOutcome and EvaluateCoarseAccess helper.
internal/difc/pipeline_decisions_test.go	Adds table-driven test for the new helper across the three outcomes.
internal/server/unified.go	Switches Phase 2 to use the shared helper; inadvertently swaps tracing.RecordSpanError for inline calls referencing an unimported codes package.
internal/proxy/handler.go	Switches Phase 2 to the shared helper via a switch on the typed outcome.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 1