Refactor DIFC pre-phase error handling into a shared guard helper by Copilot · Pull Request #7760 · github/gh-aw-mcpg · GitHub
Skip to content

Refactor DIFC pre-phase error handling into a shared guard helper#7760

Merged
lpcox merged 4 commits into
mainfrom
copilot/duplicate-code-fix
Jun 19, 2026
Merged

Refactor DIFC pre-phase error handling into a shared guard helper#7760
lpcox merged 4 commits into
mainfrom
copilot/duplicate-code-fix

Conversation

Copilot AI commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

RunPipelinePrePhases denial handling had drift-prone duplication in the unified MCP server and HTTP proxy. Both callers were separately unpacking *PipelineAccessDenied and formatting denial responses from the same guard contract.

  • Centralize pre-phase error classification

    • Add guard.HandlePrePhaseError(err) in internal/guard/pipeline.go
    • Move shared PipelineAccessDenied detection and detailed DIFC violation formatting behind one helper
    • Use errors.As so wrapped denial errors still resolve consistently
  • Keep caller-specific response behavior

    • internal/server/unified.go now uses the shared helper and continues returning the detailed formatted MCP error
    • internal/proxy/handler.go now uses the same helper while preserving the existing short HTTP 403 body
  • Tighten the guard contract with focused tests

    • Add guard-level coverage for denied vs non-denied pre-phase errors
    • Ensure only denial errors are classified, while ordinary labeling failures still follow existing fallback paths
denied, detailedErr := guard.HandlePrePhaseError(err)
if denied != nil {
    tracing.RecordSpanError(span, detailedErr, "access denied: "+denied.EvalResult.Reason)
    // caller-specific response handling
}

GitHub Advanced Security started work on behalf of lpcox June 19, 2026 04:27 View session
GitHub Advanced Security finished work on behalf of lpcox June 19, 2026 04:28
GitHub Advanced Security started work on behalf of lpcox June 19, 2026 04:32 View session
GitHub Advanced Security finished work on behalf of lpcox June 19, 2026 04:33
Copilot AI changed the title [WIP] Fix duplicate code pattern in DIFC Pipeline error handling Refactor DIFC pre-phase error handling into a shared guard helper Jun 19, 2026
Copilot finished work on behalf of lpcox June 19, 2026 04:34
Copilot AI requested a review from lpcox June 19, 2026 04:34
GitHub Advanced Security started work on behalf of lpcox June 19, 2026 04:36 View session
GitHub Advanced Security finished work on behalf of lpcox June 19, 2026 04:38
@lpcox lpcox marked this pull request as ready for review June 19, 2026 13:48
Copilot AI review requested due to automatic review settings June 19, 2026 13:48

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors DIFC pre-phase denial handling to eliminate duplicated *guard.PipelineAccessDenied unpacking/formatting logic across the unified MCP server and the HTTP proxy, by centralizing classification + detailed violation formatting in guard.HandlePrePhaseError.

Changes:

  • Added guard.HandlePrePhaseError(err) to classify RunPipelinePrePhases errors via errors.As and produce a formatted DIFC violation error.
  • Updated unified MCP server denial handling to use the shared helper while continuing to return the detailed MCP error payload.
  • Updated proxy denial handling to use the shared helper while preserving the existing short 403 body, and added guard-level tests for denied vs non-denied pre-phase errors.
Show a summary per file
File Description
internal/server/unified.go Replaces inline PipelineAccessDenied handling with the shared guard helper for consistent denial formatting.
internal/proxy/handler.go Uses the shared guard helper for denial classification while keeping the proxy’s short 403 response behavior.
internal/guard/pipeline.go Introduces HandlePrePhaseError to centralize pre-phase denial detection and detailed violation formatting.
internal/guard/pipeline_test.go Adds unit tests covering denied vs non-denied behavior for the new helper, including wrapped denial errors.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 4/4 changed files
  • Comments generated: 1

Comment thread internal/proxy/handler.go Outdated
Comment on lines 208 to 212
if denied, detailedErr := guard.HandlePrePhaseError(err); denied != nil {
logHandler.Printf("[DIFC] Phase 2: BLOCKED %s %s — %s", r.Method, path, denied.EvalResult.Reason)
deniedErr := fmt.Errorf("DIFC policy violation: %s", denied.EvalResult.Reason)
tracing.RecordSpanError(difcSpan, deniedErr, "access denied: "+denied.EvalResult.Reason)
tracing.RecordSpanError(difcSpan, detailedErr, "access denied: "+denied.EvalResult.Reason)
writeDIFCForbidden(w, deniedErr.Error())
@lpcox

lpcox commented Jun 19, 2026

Copy link
Copy Markdown
Collaborator

@copilot address review feedback

Copilot AI commented Jun 19, 2026

Copy link
Copy Markdown
Contributor Author

GitHub Advanced Security started work on behalf of lpcox June 19, 2026 14:38 View session
Copilot finished work on behalf of lpcox June 19, 2026 14:38
GitHub Advanced Security finished work on behalf of lpcox June 19, 2026 14:39
@lpcox lpcox merged commit 8c76c5f into main Jun 19, 2026
27 checks passed
@lpcox lpcox deleted the copilot/duplicate-code-fix branch June 19, 2026 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants