Add unauthenticated /reflect endpoint for live DIFC label snapshots in gateway and proxy modes #7168

Merged: lpcox merged 5 commits into main from copilot/add-reflect-endpoint on Jun 7, 2026
Copilot AI commented Jun 7, 2026

This change adds a runtime reflection endpoint to inspect current DIFC agent label state, which was previously not exposed. GET /reflect now returns all known agent IDs with their secrecy/integrity labels, plus current enforcement mode and a timestamp.

  • Shared reflect payload builder

    • Added difc.BuildReflectResponse(...) to produce a consistent snapshot shape:
      • agents map (agentID -> {secrecy, integrity})
      • mode (strict/filter/propagate)
      • timestamp (RFC3339 UTC)
    • Output normalizes tag arrays to sorted string slices.
  • Gateway support (routed + unified)

    • Added server.HandleReflect(...).
    • Registered /reflect in common endpoint wiring, so it is available in both gateway HTTP modes.
    • Endpoint is intentionally unauthenticated per current requirement.
  • Proxy support

    • Added GET /reflect handling in proxy HTTP handler.
    • Works with normal paths and GH-host-prefixed paths (/api/v3/reflect).
  • Focused coverage for reflect behavior

    • Added tests for:
      • gateway routed + unified availability
      • unauthenticated access with API key configured
      • populated and empty registry snapshots
      • proxy /reflect and /api/v3/reflect
      • defensive handling of nil registry entries
{
  "agents": {
    "proxy": {
      "secrecy": ["repo:github/private-repo"],
      "integrity": ["approved"]
    },
    "abc123def456": {
      "secrecy": [],
      "integrity": ["unapproved"]
    }
  },
  "mode": "propagate",
  "timestamp": "2026-06-07T13:40:00Z"
}
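
A sketch of how a snapshot in the shape described above can be built, added here as an example and not the project's difc.BuildReflectResponse. The Labels registry type, BuildSnapshot, and the choice to report nil entries with empty label sets are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// Labels is a hypothetical stand-in for the registry's per-agent label state.
type Labels struct{ Secrecy, Integrity map[string]struct{} }

type AgentLabels struct {
	Secrecy   []string `json:"secrecy"`
	Integrity []string `json:"integrity"`
}

type Snapshot struct {
	Agents    map[string]AgentLabels `json:"agents"`
	Mode      string                 `json:"mode"`
	Timestamp string                 `json:"timestamp"`
}

// sortedTags returns a sorted, non-nil slice: stable output, and [] not null.
func sortedTags(set map[string]struct{}) []string {
	out := make([]string, 0, len(set))
	for tag := range set {
		out = append(out, tag)
	}
	sort.Strings(out)
	return out
}

// BuildSnapshot emits a nil registry entry with empty label sets (an assumption).
func BuildSnapshot(reg map[string]*Labels, mode string, now time.Time) Snapshot {
	s := Snapshot{Agents: map[string]AgentLabels{}, Mode: mode, Timestamp: now.UTC().Format(time.RFC3339)}
	for id, l := range reg {
		if l == nil {
			l = &Labels{}
		}
		s.Agents[id] = AgentLabels{Secrecy: sortedTags(l.Secrecy), Integrity: sortedTags(l.Integrity)}
	}
	return s
}

func main() {
	reg := map[string]*Labels{"proxy": {Secrecy: map[string]struct{}{"repo:github/private-repo": {}}}, "abc123def456": nil} // constructed sample
	out, _ := json.MarshalIndent(BuildSnapshot(reg, "propagate", time.Now()), "", "  ")
	fmt.Println(string(out))
}
```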

Copilot AI changed the title from "[WIP] Add /reflect endpoint to expose agent-id to label mappings" to "Add unauthenticated /reflect endpoint for live DIFC label snapshots in gateway and proxy modes" Jun 7, 2026
Copilot finished work on behalf of lpcox June 7, 2026 21:19
Copilot AI requested a review from lpcox June 7, 2026 21:19

lpcox commented Jun 7, 2026

@copilot make sure that the endpoint and its schema is clearly documented


Copilot AI commented Jun 7, 2026

@copilot make sure that the endpoint and its schema is clearly documented

Addressed in ede6b7b. I added clear /reflect endpoint documentation and response schema details in README.md and docs/PROXY_MODE.md, including proxy path variants and a security note about unauthenticated exposure.

Copilot finished work on behalf of lpcox June 7, 2026 21:29
lpcox marked this pull request as ready for review June 7, 2026 22:26
Copilot AI review requested due to automatic review settings June 7, 2026 22:26
lpcox merged commit 6739e26 into main Jun 7, 2026
17 checks passed
lpcox deleted the copilot/add-reflect-endpoint branch June 7, 2026 22:29

Copilot AI left a comment

Pull request overview

This PR adds a new runtime introspection endpoint (GET /reflect) that returns a snapshot of current DIFC agent label state (secrecy/integrity), enforcement mode, and a timestamp, and wires it up in both gateway and proxy modes.

Changes:

  • Added a shared difc.BuildReflectResponse(...) builder and response types to produce a consistent /reflect payload with sorted tag arrays.
  • Registered /reflect in gateway common endpoint wiring and implemented proxy handling (including /api/v3/reflect via GH_HOST prefix stripping).
  • Added focused tests for gateway/proxy /reflect behavior and defensive handling of nil registry entries.
Summary per file:

| File | Description |
| --- | --- |
| README.md | Documents the new /reflect endpoint and its JSON schema, including a security note. |
| internal/server/reflect.go | Implements the gateway /reflect handler. |
| internal/server/reflect_test.go | Tests gateway /reflect availability in routed + unified modes and unauthenticated access. |
| internal/server/handlers.go | Registers /reflect as a common gateway endpoint. |
| internal/proxy/handler.go | Adds proxy-mode handling for /reflect after GH_HOST prefix normalization. |
| internal/proxy/handler_test.go | Tests proxy-mode /reflect for both /reflect and /api/v3/reflect. |
| internal/difc/reflect.go | Adds shared response types and snapshot builder (BuildReflectResponse). |
| internal/difc/reflect_test.go | Adds unit tests for the reflect response builder, including nil-entry handling. |
| docs/PROXY_MODE.md | Documents proxy-mode /reflect behavior and schema. |

Copilot's findings

  • Files reviewed: 9/9 changed files
  • Comments generated: 3

Comment on lines +11 to +14
func HandleReflect(unifiedServer *UnifiedServer) http.HandlerFunc {
return func(w http.ResponseWriter, _ *http.Request) {
httputil.WriteJSONResponse(w, http.StatusOK, difc.BuildReflectResponse(unifiedServer.DIFCComponents))
}
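Review bot: The handler returned by HandleReflect discards the request (the "_ *http.Request" parameter), so it answers every HTTP method with the full snapshot, while the proxy-mode branch only answers http.MethodGet. Because this route is served without authentication, restrict it to GET (and HEAD if wanted) and return 405 with an Allow header for anything else, so both modes behave the same. A nil guard on unifiedServer before reading unifiedServer.DIFCComponents would also keep a wiring mistake from becoming a panic on an open endpoint.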
Comment on lines +115 to +117
// Reflect endpoint exposes a live DIFC label snapshot.
reflectHandler := HandleReflect(unifiedServer)
mux.Handle("/reflect", withResponseLogging(reflectHandler))
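Review bot: The comment above mux.Handle("/reflect", ...) does not say that the route is deliberately registered without the API-key check, so the absence of an auth wrapper here reads like an oversight to the next person editing this wiring. State that in the comment and point to the README security note. Also confirm what withResponseLogging records: if it logs response bodies, every call writes the complete secrecy and integrity label set into the logs.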
Comment thread internal/proxy/handler.go
Comment on lines +56 to +60
// Reflect endpoint exposes a live DIFC label snapshot.
if r.Method == http.MethodGet && rawPath == "/reflect" {
httputil.WriteJSONResponse(w, http.StatusOK, difc.BuildReflectResponse(h.server.DIFCComponents))
return
}
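Review bot: The condition tests method and path together, so a non-GET request to /reflect does not match and falls through to whatever follows this block instead of being rejected. Test rawPath == "/reflect" first and answer other methods with 405, so the reserved path is never treated as ordinary proxied traffic. A nil check on h.server before reading h.server.DIFCComponents is worth adding as well, since this branch runs before any authentication.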
Development

Successfully merging this pull request may close these issues.

Add /reflect endpoint to expose agent-id to label mappings
