refactor: extract shared DIFC enforcement pipeline to internal/guard/pipeline.go

[Copilot]

The 6-phase DIFC enforcement pipeline was independently implemented in both internal/proxy/handler.go and internal/server/unified.go (~100 lines of near-identical security logic), creating drift risk: a security fix in one path could silently leave the other exposed.

Changes

New: internal/guard/pipeline.go

Shared pipeline types and phase helpers placed in guard (sits above difc, below proxy/server — no circular import):

• PipelineInput — unified inputs struct (agent ID, tool name, args, guard, evaluator, registry, capabilities, enforcement mode, backend caller)
• PipelinePreResult — outputs from phases 0–2 (agent labels, labeled resource, operation, coarse outcome, eval result)
• PipelineAccessDenied — typed error for Phase 2 denial; carries EvalResult, Resource, and AgentLabels so callers can formulate context-appropriate denial responses (HTTP 403 vs MCP error)
• RunPipelinePrePhases — phases 0–2: get/create agent labels, store tool args in context, LabelResource, coarse access check
• RunPipelinePhase4 — conditional LabelResponse (gated by ShouldCallLabelResponse)
• RunPipelinePhase6 — label accumulation in propagate mode; falls back to resource labels when labeledData is nil (aligns proxy behavior with server — proxy previously skipped this fallback)

Refactored: proxy/handler.go and server/unified.go

Phases 0–2, 4, and 6 replaced with shared helper calls. Context-specific logic remains inline:

• Phase 3: HTTP forward (proxy) vs MCP backend call via circuit breaker (server)
• Phase 5: GraphQL/REST response reconstruction (proxy) vs MCP collection filtering with notices and singular-item errors (server)

// Before (duplicated in both files):
agentLabels := s.AgentRegistry.GetOrCreate("proxy")
resource, operation, err := s.guard.LabelResource(ctx, toolName, args, backend, s.Capabilities)
coarseOutcome, evalResult := difc.EvaluateCoarseAccess(s.Evaluator, agentLabels.Secrecy, ...)
switch coarseOutcome { /* ... */ }

// After:
ctx, pre, err := guard.RunPipelinePrePhases(ctx, pipelineIn)
if denied, ok := err.(*guard.PipelineAccessDenied); ok { /* caller-specific denial */ }

New: internal/guard/pipeline_test.go

16 unit tests covering all shared phases: Phase 0 label retrieval and context injection, Phase 1 error propagation, Phase 2 allow/bypass-for-read/deny outcomes, Phase 4 conditional labeling, Phase 6 accumulation across all three enforcement modes.

[Copilot]

Pull request overview

This PR centralizes the shared DIFC enforcement phases used by both proxy and unified MCP server paths, reducing duplicated security-sensitive pipeline logic.

Changes:

• Adds internal/guard/pipeline.go with shared helpers for phases 0–2, 4, and 6.
• Refactors internal/proxy/handler.go and internal/server/unified.go to call the shared pipeline helpers while keeping transport-specific execution/filtering inline.
• Adds unit tests for the new guard pipeline helpers.

Show a summary per file

File	Description
internal/guard/pipeline.go	Introduces shared DIFC pipeline input/result types and phase helpers.
internal/guard/pipeline_test.go	Adds unit coverage for the extracted pipeline phases.
internal/proxy/handler.go	Replaces duplicated proxy DIFC phase logic with shared guard pipeline calls.
internal/server/unified.go	Replaces duplicated unified-server DIFC phase logic with shared guard pipeline calls.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 1