Deduplicate Phase 5 DIFC collection filtering across unified server and proxy

[Copilot]

Phase 5 DIFC collection filtering had the same enforcement flow implemented independently in internal/server/unified.go and internal/proxy/handler.go, creating a high-risk divergence point. This change centralizes filtering/blocking decisions while preserving each caller’s response-shaping behavior.

• What changed

  • Added shared Phase 5 helper in internal/difc/pipeline_decisions.go:
    • FilterAndConvertLabeledData(...)
    • FilterResult (final result, filtered collection metadata, strict-mode block decision)
  • Moved common logic into this helper:
    • detect collection-labeled responses
    • run FilterCollection(...)
    • apply ShouldBlockFilteredResponse(...)
    • convert filtered/simple labeled data via ToResult()

• Unified server refactor (internal/server/unified.go)

  • Replaced inline Phase 5 branch tree with the shared helper call.
  • Retained server-specific behavior:
    • MCP error response formatting on strict block
    • singular-read-tool filtered-singleton optimization
    • existing filtered-item logging and notice behavior

• Proxy refactor (internal/proxy/handler.go)

  • Replaced duplicated Phase 5 filtering decisions with the shared helper.
  • Removed local toResultOrWriteEmpty helper now made redundant.
  • Retained proxy-specific behavior:
    • HTTP 403 DIFC forbidden response path
    • GraphQL original-body passthrough vs rebuild behavior
    • search envelope rewrap / single-object unwrap paths

• Coverage updates (internal/difc/pipeline_decisions_test.go)

  • Added focused tests for shared helper behavior in:
    • strict (block on filtered items)
    • filter (partial result)
    • propagate (partial result, no strict block)
    • nil/simple labeled data conversion
    • conversion error propagation

filterResult, err := difc.FilterAndConvertLabeledData(
    evaluator,
    pre.AgentLabels.Secrecy,
    pre.AgentLabels.Integrity,
    pre.Operation,
    labeledData,
    enforcementMode,
)
if err != nil { /* caller-specific error handling */ }
if filterResult.Blocked { /* strict-mode deny response */ }
finalResult := filterResult.FinalResult

[Copilot]

Pull request overview

This PR centralizes Phase 5 DIFC fine-grained collection filtering decisions into a shared helper to reduce duplication and prevent drift between the unified MCP server and the HTTP proxy while preserving each caller’s response-shaping behavior.

Changes:

• Added difc.FilterAndConvertLabeledData(...) + difc.FilterResult to encapsulate “is this a collection?”, filtering, strict-mode block decision, and ToResult() conversion.
• Refactored unified server and proxy handlers to use the shared helper while keeping their caller-specific denial/response behavior (MCP error vs HTTP 403; GraphQL passthrough/rebuild; envelope wrapping).
• Added unit tests for the shared helper in internal/difc/pipeline_decisions_test.go.

Show a summary per file

File	Description
internal/server/unified.go	Replaces inline Phase 5 branch logic with the shared helper while preserving strict-block and server-specific filtered-item handling.
internal/proxy/handler.go	Removes duplicated Phase 5 conversion/filtering decisions and uses the shared helper while preserving proxy response shaping.
internal/difc/pipeline_decisions.go	Introduces shared Phase 5 helper and result struct for filtering/blocking/conversion decisions.
internal/difc/pipeline_decisions_test.go	Adds targeted tests for the new shared helper behavior.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 4/4 changed files
• Comments generated: 1