refactor: extract difc.NewComponents to deduplicate DIFC initialization (#4498)

The four-step DIFC initialization sequence (`ParseEnforcementMode` →
`NewAgentRegistryWithDefaults` → `NewCapabilities` →
`NewEvaluatorWithMode`) was duplicated verbatim in both
`server/unified.go` and `proxy/proxy.go`, with silently diverging
default modes (`EnforcementStrict` vs `EnforcementFilter`).

## Changes

- **`internal/difc/evaluator.go`** — Adds `DIFCComponents` struct and
`NewComponents(modeStr string, defaultMode EnforcementMode)
DIFCComponents` constructor that encapsulates the full initialization
sequence
- **`internal/server/unified.go`** — Replaces inline DIFC init with
`difc.NewComponents(cfg.DIFCMode, difc.EnforcementStrict)`
- **`internal/proxy/proxy.go`** — Replaces inline DIFC init with
`difc.NewComponents(cfg.DIFCMode, difc.EnforcementFilter)`, preserving
the proxy-specific warning log for invalid mode strings

```go
// internal/difc/evaluator.go
type DIFCComponents struct {
    Mode          EnforcementMode
    AgentRegistry *AgentRegistry
    Capabilities  *Capabilities
    Evaluator     *Evaluator
}

func NewComponents(modeStr string, defaultMode EnforcementMode) DIFCComponents {
    mode, err := ParseEnforcementMode(modeStr)
    if err != nil {
        mode = defaultMode
    }
    return DIFCComponents{
        Mode:          mode,
        AgentRegistry: NewAgentRegistryWithDefaults(nil, nil),
        Capabilities:  NewCapabilities(),
        Evaluator:     NewEvaluatorWithMode(mode),
    }
}
```

Future changes to the DIFC initialization sequence (e.g. adding a new
component) now have a single update point.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build2613986933/b513/launcher.test
/tmp/go-build2613986933/b513/launcher.test
-test.testlogfile=/tmp/go-build2613986933/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build2613986933/b435/vet.cfg _.a -I x_amd64/vet --gdwarf-5
balancer/gracefu-atomic -o x_amd64/vet -W cks...&#34; t.go
x_amd64/compile . --gdwarf2 893947/b314/ x_amd64/compile` (dns block)
> - Triggering command: `/tmp/go-build1963674460/b509/launcher.test
/tmp/go-build1963674460/b509/launcher.test
-test.testlogfile=/tmp/go-build1963674460/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true tHjXILjQ_ -buildtags
/opt/hostedtoolcache/go/1.25.9/xjson -errorsas -ifaceassert -nilfunc
StwtP8fWF_W- logs�� tes.crt aw-mcpg/internal/proxy/graphql_r--log-format
7c330d9c11d84b8d-d -errorsas -ifaceassert -nilfunc
ache/go/1.25.9/x-test.timeout=10m0s` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2613986933/b495/config.test
/tmp/go-build2613986933/b495/config.test
-test.testlogfile=/tmp/go-build2613986933/b495/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build2613986933/b368/vet.cfg _.a otection x_amd64/vet --gdwarf-5
credentials -o x_amd64/vet -E w6WVsrdoR -I x_amd64/vet -I .io/auto/sdk
-imultiarch x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build1963674460/b491/config.test
/tmp/go-build1963674460/b491/config.test
-test.testlogfile=/tmp/go-build1963674460/b491/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
-unreachable=fal--log-format /tmp/go-build261json docker-buildx
f19db7ad4b9e741c980b3140ec557422c5d/log.json nwind-tables p/bin/as
docker-buildx -ato�� 40a26d5ba8f85386 -buildtags ine
by/6e9cb3f11e119/usr/lib/open-iscsi/net-interface-handler -ifaceassert
-nilfunc ine` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build2613986933/b513/launcher.test
/tmp/go-build2613986933/b513/launcher.test
-test.testlogfile=/tmp/go-build2613986933/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build2613986933/b435/vet.cfg _.a -I x_amd64/vet --gdwarf-5
balancer/gracefu-atomic -o x_amd64/vet -W cks...&#34; t.go
x_amd64/compile . --gdwarf2 893947/b314/ x_amd64/compile` (dns block)
> - Triggering command: `/tmp/go-build1963674460/b509/launcher.test
/tmp/go-build1963674460/b509/launcher.test
-test.testlogfile=/tmp/go-build1963674460/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true tHjXILjQ_ -buildtags
/opt/hostedtoolcache/go/1.25.9/xjson -errorsas -ifaceassert -nilfunc
StwtP8fWF_W- logs�� tes.crt aw-mcpg/internal/proxy/graphql_r--log-format
7c330d9c11d84b8d-d -errorsas -ifaceassert -nilfunc
ache/go/1.25.9/x-test.timeout=10m0s` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build2613986933/b513/launcher.test
/tmp/go-build2613986933/b513/launcher.test
-test.testlogfile=/tmp/go-build2613986933/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build2613986933/b435/vet.cfg _.a -I x_amd64/vet --gdwarf-5
balancer/gracefu-atomic -o x_amd64/vet -W cks...&#34; t.go
x_amd64/compile . --gdwarf2 893947/b314/ x_amd64/compile` (dns block)
> - Triggering command: `/tmp/go-build1963674460/b509/launcher.test
/tmp/go-build1963674460/b509/launcher.test
-test.testlogfile=/tmp/go-build1963674460/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true tHjXILjQ_ -buildtags
/opt/hostedtoolcache/go/1.25.9/xjson -errorsas -ifaceassert -nilfunc
StwtP8fWF_W- logs�� tes.crt aw-mcpg/internal/proxy/graphql_r--log-format
7c330d9c11d84b8d-d -errorsas -ifaceassert -nilfunc
ache/go/1.25.9/x-test.timeout=10m0s` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build2613986933/b522/mcp.test
/tmp/go-build2613986933/b522/mcp.test
-test.testlogfile=/tmp/go-build2613986933/b522/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 8939�� cfg
elemetry.io/otel-ifaceassert x_amd64/vet --gdwarf-5
telabs/wazero/in/usr/bin/runc -o x_amd64/vet cfg 893947/b432/_pkg_.a
-trimpath x_amd64/vet -p /internal/httpco/usr/bin/runc -lang=go1.17
x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build1963674460/b518/mcp.test
/tmp/go-build1963674460/b518/mcp.test
-test.testlogfile=/tmp/go-build1963674460/b518/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true y -buildtags` (dns
block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

internal/difc/evaluator.go

@@ -89,6 +89,37 @@ func ParseEnforcementMode(s string) (EnforcementMode, error) {
 	}
 }
 
+// DIFCComponents holds the set of DIFC objects needed by a server or proxy.
+type DIFCComponents struct {
+	Mode          EnforcementMode
+	AgentRegistry *AgentRegistry
+	Capabilities  *Capabilities
+	Evaluator     *Evaluator
+}
+
+// NewComponents initializes the standard DIFC component set and returns it
+// together with any parse error.
+// When modeStr is empty or cannot be parsed, defaultMode is used and the parse
+// error is returned so callers can decide whether to log a warning.
+func NewComponents(modeStr string, defaultMode EnforcementMode) (DIFCComponents, error) {
+	mode := defaultMode
+	var parseErr error
+	if modeStr != "" {
+		parsed, err := ParseEnforcementMode(modeStr)
+		if err != nil {
+			parseErr = err
+		} else {
+			mode = parsed
+		}
+	}
+	return DIFCComponents{
+		Mode:          mode,
+		AgentRegistry: NewAgentRegistryWithDefaults(nil, nil),
+		Capabilities:  NewCapabilities(),
+		Evaluator:     NewEvaluatorWithMode(mode),
+	}, parseErr
+}
+
 // AccessDecision represents the result of a DIFC evaluation
 type AccessDecision int
 

internal/proxy/proxy.go

@@ -100,15 +100,13 @@ func New(ctx context.Context, cfg Config) (*Server, error) {
 	apiURL = strings.TrimRight(apiURL, "/")
 	logProxy.Printf("Using upstream GitHub API URL: %s", apiURL)
 
-	// Parse enforcement mode
-	difcMode, err := difc.ParseEnforcementMode(cfg.DIFCMode)
-	if err != nil {
-		if cfg.DIFCMode != "" {
-			log.Printf("[proxy] WARNING: invalid DIFC mode %q, defaulting to filter", cfg.DIFCMode)
-		}
-		difcMode = difc.EnforcementFilter // default to filter for proxy
+	// Initialize DIFC components (defaults to filter mode for the proxy).
+	// NewComponents returns any parse error so we can warn without parsing twice.
+	difcComponents, difcParseErr := difc.NewComponents(cfg.DIFCMode, difc.EnforcementFilter)
+	if difcParseErr != nil {
+		log.Printf("[proxy] WARNING: invalid DIFC mode %q, defaulting to filter", cfg.DIFCMode)
 	}
-	logProxy.Printf("Enforcement mode resolved: %s", difcMode)
+	logProxy.Printf("Enforcement mode resolved: %s", difcComponents.Mode)
 
 	// Load the WASM guard
 	logProxy.Printf("Loading WASM guard from: %s", cfg.WasmPath)
@@ -120,12 +118,12 @@ func New(ctx context.Context, cfg Config) (*Server, error) {
 
 	s := &Server{
 		guard:           g,
-		evaluator:       difc.NewEvaluatorWithMode(difcMode),
-		agentRegistry:   difc.NewAgentRegistryWithDefaults(nil, nil),
-		capabilities:    difc.NewCapabilities(),
+		evaluator:       difcComponents.Evaluator,
+		agentRegistry:   difcComponents.AgentRegistry,
+		capabilities:    difcComponents.Capabilities,
 		githubToken:     cfg.GitHubToken,
 		githubAPIURL:    apiURL,
-		enforcementMode: difcMode,
+		enforcementMode: difcComponents.Mode,
 		httpClient: &http.Client{
 			Timeout: 60 * time.Second,
 			Transport: &http.Transport{
@@ -144,7 +142,7 @@ func New(ctx context.Context, cfg Config) (*Server, error) {
 		logProxy.Printf("No guard policy configured, running without policy enforcement")
 	}
 
-	logProxy.Printf("Proxy server created successfully: mode=%s", difcMode)
+	logProxy.Printf("Proxy server created successfully: mode=%s", difcComponents.Mode)
 	return s, nil
 }
 

internal/server/unified.go

@@ -142,11 +142,10 @@ func NewUnified(ctx context.Context, cfg *config.Config) (*UnifiedServer, error)
 	logUnified.Printf("Payload configuration: dir=%s, pathPrefix=%s, sizeThreshold=%d bytes (%.2f KB)",
 		payloadDir, payloadPathPrefix, payloadSizeThreshold, float64(payloadSizeThreshold)/1024)
 
-	// Parse DIFC enforcement mode
-	difcMode, err := difc.ParseEnforcementMode(cfg.DIFCMode)
-	if err != nil {
-		// Default to strict mode if not specified or invalid
-		difcMode = difc.EnforcementStrict
+	// Initialize DIFC components (defaults to strict mode for the server)
+	difcComponents, difcParseErr := difc.NewComponents(cfg.DIFCMode, difc.EnforcementStrict)
+	if difcParseErr != nil {
+		logger.LogWarn("startup", "invalid DIFC mode %q, defaulting to strict: %v", cfg.DIFCMode, difcParseErr)
 	}
 
 	us := &UnifiedServer{
@@ -164,9 +163,9 @@ func NewUnified(ctx context.Context, cfg *config.Config) (*UnifiedServer, error)
 
 		// Initialize DIFC components
 		guardRegistry: guard.NewRegistry(),
-		agentRegistry: difc.NewAgentRegistryWithDefaults(nil, nil),
-		capabilities:  difc.NewCapabilities(),
-		evaluator:     difc.NewEvaluatorWithMode(difcMode),
+		agentRegistry: difcComponents.AgentRegistry,
+		capabilities:  difcComponents.Capabilities,
+		evaluator:     difcComponents.Evaluator,
 		cfg:           cfg, // Store config for guard loading
 
 		// Cache tracer at construction to avoid calling otel.Tracer on every request.