refactor: move collaborator_permission to proxy, add strutil.RandomBytes

[Copilot]

Addresses two of three refactoring opportunities identified by semantic function clustering analysis: a domain-specific file misplaced in a generic utility package, and a duplicated crypto/rand usage pattern that can share a common primitive.

Move httputil/collaborator_permission.go → proxy/

ParseCollaboratorPermissionArgs, LogAndWrapCollaboratorPermission, and FetchCollaboratorPermission are GitHub REST API helpers for a specific MCP tool — not generic HTTP utilities. Moving them to internal/proxy/ aligns package responsibility with actual content.

• internal/proxy/collaborator_permission.go — moved file, updated package/logger namespace (proxy:collaborator_permission)
• internal/proxy/collaborator_permission_helpers_test.go — unit tests relocated from httputil
• internal/proxy/proxy.go — callers now use unqualified names (same package)
• internal/server/unified.go — updated to import proxy and call proxy.ParseCollaboratorPermissionArgs / proxy.FetchCollaboratorPermission
• internal/httputil/collaborator_permission{,_test}.go — deleted

Add strutil.RandomBytes as shared crypto/rand primitive

internal/tracing/provider.go called crypto/rand.Read directly while internal/strutil already owns random generation. Added RandomBytes(n int) ([]byte, error) and its testable core randomBytesFromReader, then refactored randomHexFromReader to delegate to it:

// strutil/random_hex.go
func randomBytesFromReader(n int, r io.Reader) ([]byte, error) { ... }
func RandomBytes(n int) ([]byte, error) { return randomBytesFromReader(n, rand.Reader) }
func randomHexFromReader(n int, r io.Reader) (string, error) {
    b, err := randomBytesFromReader(n, r)
    ...
    return hex.EncodeToString(b), nil
}

// tracing/provider.go — crypto/rand import removed
func generateRandomSpanID() (trace.SpanID, error) {
    var id trace.SpanID
    b, err := strutil.RandomBytes(len(id))
    if err != nil {
        return id, fmt.Errorf("failed to generate random span ID: %w", err)
    }
    copy(id[:], b)
    return id, nil
}

Deferred

server/difc_log.go (Priority 3) is left in place — moving to internal/difc/ is only warranted if other packages need those DIFC log helpers, which is not currently the case.

[Copilot]

Pull request overview

This PR refactors ownership boundaries by moving collaborator-permission REST helpers from generic HTTP utilities into the proxy package, and extracts reusable random byte generation into strutil.

Changes:

• Relocated collaborator-permission helper code/tests into internal/proxy and updated call sites in proxy/server code.
• Added strutil.RandomBytes and refactored RandomHex internals to share the byte-generation primitive.
• Updated tracing span ID generation to use the shared strutil.RandomBytes helper.

Show a summary per file

File	Description
internal/proxy/collaborator_permission.go	Moves collaborator-permission helper implementation into the proxy package and updates logger namespace.
internal/proxy/collaborator_permission_helpers_test.go	Relocates helper tests into the proxy package and avoids test-name collision.
internal/proxy/proxy.go	Updates proxy caller to use same-package collaborator-permission helpers.
internal/server/unified.go	Updates server caller to use exported proxy collaborator-permission helpers.
internal/strutil/random_hex.go	Adds reusable random byte generation and delegates random hex generation through it.
internal/strutil/random_hex_test.go	Adds coverage for RandomBytes and its testable reader-backed helper.
internal/tracing/provider.go	Replaces direct crypto/rand span ID generation with strutil.RandomBytes.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 7/7 changed files
• Comments generated: 0