refactor(difc): reduce boilerplate duplication in agent.go and labels.go (#2591)

Three structural duplication patterns in `internal/difc/` required
updating multiple identical code blocks for any locking strategy, log
format, or label type changes.

## Changes

- **`modifyTags` helper** — bulk label mutations (`AddSecrecyTags`,
`AddIntegrityTags`, `DropIntegrityTags`) were each inlining the same
lock/operate/log pattern instead of using the existing `modifyTag`
precedent:
  ```go
func (a *AgentLabels) modifyTags(labelType, action, pastTense string,
tags []Tag, fn func()) {
logAgent.Printf("Agent %s %s %d %s tags", a.AgentID, action, len(tags),
labelType)
      a.mu.Lock()
      defer a.mu.Unlock()
      fn()
      if len(tags) > 0 {
log.Printf("[DIFC] Agent %s %s %s tags: %v", a.AgentID, pastTense,
labelType, tags)
      }
  }
  // callers become one-liners:
  func (a *AgentLabels) AddSecrecyTags(tags []Tag) {
a.modifyTags("secrecy", "adding", "gained", tags, func() {
a.Secrecy.Label.AddAll(tags) })
  }
  ```

- **`getTagsLocked` helper** — `GetSecrecyTags` and `GetIntegrityTags`
each duplicated the same `RLock` + `GetTags()` body; extracted to a
single nil-guarded helper.

- **`cloneLabelOrNew` helper** — `SecrecyLabel.Clone` and
`IntegrityLabel.Clone` shared identical nil-guard logic; extracted to a
standalone function so both `Clone` methods become single-line
delegations.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build220454796/b334/launcher.test
/tmp/go-build220454796/b334/launcher.test
-test.testlogfile=/tmp/go-build220454796/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s rtcf�� ache/go/1.25.8/x-s
64/src/crypto/hm-w x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build988514342/b330/launcher.test
/tmp/go-build988514342/b330/launcher.test
-test.testlogfile=/tmp/go-build988514342/b330/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
1afb76c6d5a1b24a/run/containerd/io.containerd.runtime.v2.task/moby/c066a1e0c75e18fce6c91b9a92a66sed
y e-handler by/2dfd37f3cd6c3git lang.org/x/text/config` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build220454796/b319/config.test
/tmp/go-build220454796/b319/config.test
-test.testlogfile=/tmp/go-build220454796/b319/testlog.txt
-test.paniconexit0 -test.timeout=10m0s conf�� 64/src/runtime/cgo go
x_amd64/compile` (dns block)
> - Triggering command: `/tmp/go-build988514342/b315/config.test
/tmp/go-build988514342/b315/config.test
-test.testlogfile=/tmp/go-build988514342/b315/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
f6977767ec5dcecf/run/containerd/io.containerd.runtime.v2.task/moby/c066a1e0c75e18fce6c91b9a92a66/bin/sh
runtime-runc/mob--log-format csi/net-interfacjson by/37580e7ab5c50git`
(dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build220454796/b334/launcher.test
/tmp/go-build220454796/b334/launcher.test
-test.testlogfile=/tmp/go-build220454796/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s rtcf�� ache/go/1.25.8/x-s
64/src/crypto/hm-w x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build988514342/b330/launcher.test
/tmp/go-build988514342/b330/launcher.test
-test.testlogfile=/tmp/go-build988514342/b330/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
1afb76c6d5a1b24a/run/containerd/io.containerd.runtime.v2.task/moby/c066a1e0c75e18fce6c91b9a92a66sed
y e-handler by/2dfd37f3cd6c3git lang.org/x/text/config` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build220454796/b334/launcher.test
/tmp/go-build220454796/b334/launcher.test
-test.testlogfile=/tmp/go-build220454796/b334/testlog.txt
-test.paniconexit0 -test.timeout=10m0s rtcf�� ache/go/1.25.8/x-s
64/src/crypto/hm-w x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build988514342/b330/launcher.test
/tmp/go-build988514342/b330/launcher.test
-test.testlogfile=/tmp/go-build988514342/b330/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
1afb76c6d5a1b24a/run/containerd/io.containerd.runtime.v2.task/moby/c066a1e0c75e18fce6c91b9a92a66sed
y e-handler by/2dfd37f3cd6c3git lang.org/x/text/config` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build220454796/b343/mcp.test
/tmp/go-build220454796/b343/mcp.test
-test.testlogfile=/tmp/go-build220454796/b343/testlog.txt
-test.paniconexit0 -test.timeout=10m0s o_.o�� 64/src/net
late/parse/lex.go x_amd64/vet -p
github.com/tetra-test.testlogfile=/tmp/go-build220454796/b334/testlog.txt
-lang=go1.24 x_amd64/vet 5991�� _.a 599188/b151/ x_amd64/vet --gdwarf-5
ternal/engine/wa-m -o dmA41Y_/RID864WwwFNZuxdU3EAU` (dns block)
> - Triggering command: `/tmp/go-build988514342/b339/mcp.test
/tmp/go-build988514342/b339/mcp.test
-test.testlogfile=/tmp/go-build988514342/b339/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
/tmp/go-build220454796/b370/_pkg_.a
by/ee0f09b892b0c84149e47062e494bfc467b029bcbe96e63e2b5ad75092fcc8cd
ker/cli-plugins/docker-buildx
by/ee0f09b892b0c/opt/hostedtoolcache/go/1.25.8/x64/pkg/tool/linux_amd64/vet
2b5ad75092fcc8cd-atomic 76224512e8a2c58c-bool ker/cli-plugins/-buildtags
n-me�� tes.crt -goversion /home/REDACTED/wor-nilfunc -c=4
-nolocalimports dea2d1d50bb3e29a-stringintconv 4w8uw1gybk6` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

📱 Kick off Copilot coding agent tasks wherever you are with [GitHub
Mobile](https://gh.io/cca-mobile-docs), available on iOS and Android.

Author: lpcox

internal/difc/agent.go

@@ -57,6 +57,25 @@ func (a *AgentLabels) modifyTag(labelType, action, pastTense string, tag Tag, fn
 	log.Printf("[DIFC] Agent %s %s %s tag: %s", a.AgentID, pastTense, labelType, tag)
 }
 
+// modifyTags is a helper for bulk label mutations, analogous to modifyTag.
+// It handles the mutex lock, executes the modification action, and conditionally logs the operation.
+//
+// Parameters:
+//   - labelType: The type of label being modified ("secrecy" or "integrity")
+//   - action: The verb describing the action ("adding", "dropping", etc.)
+//   - pastTense: The past tense verb for the operational log ("gained", "dropped", etc.)
+//   - tags: The tags being modified
+//   - fn: The function that performs the actual label modification
+func (a *AgentLabels) modifyTags(labelType, action, pastTense string, tags []Tag, fn func()) {
+	logAgent.Printf("Agent %s %s %d %s tags", a.AgentID, action, len(tags), labelType)
+	a.mu.Lock()
+	defer a.mu.Unlock()
+	fn()
+	if len(tags) > 0 {
+		log.Printf("[DIFC] Agent %s %s %s tags: %v", a.AgentID, pastTense, labelType, tags)
+	}
+}
+
 // AddSecrecyTag adds a secrecy tag to the agent
 func (a *AgentLabels) AddSecrecyTag(tag Tag) {
 	a.modifyTag("secrecy", "adding", "gained", tag, func() {
@@ -80,35 +99,23 @@ func (a *AgentLabels) DropIntegrityTag(tag Tag) {
 
 // DropIntegrityTags removes multiple integrity tags from the agent
 func (a *AgentLabels) DropIntegrityTags(tags []Tag) {
-	logAgent.Printf("Agent %s dropping %d integrity tags", a.AgentID, len(tags))
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.Integrity.Label.RemoveAll(tags)
-	if len(tags) > 0 {
-		log.Printf("[DIFC] Agent %s dropped integrity tags: %v", a.AgentID, tags)
-	}
+	a.modifyTags("integrity", "dropping", "dropped", tags, func() {
+		a.Integrity.Label.RemoveAll(tags)
+	})
 }
 
 // AddSecrecyTags adds multiple secrecy tags to the agent
 func (a *AgentLabels) AddSecrecyTags(tags []Tag) {
-	logAgent.Printf("Agent %s adding %d secrecy tags", a.AgentID, len(tags))
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.Secrecy.Label.AddAll(tags)
-	if len(tags) > 0 {
-		log.Printf("[DIFC] Agent %s gained secrecy tags: %v", a.AgentID, tags)
-	}
+	a.modifyTags("secrecy", "adding", "gained", tags, func() {
+		a.Secrecy.Label.AddAll(tags)
+	})
 }
 
 // AddIntegrityTags adds multiple integrity tags to the agent
 func (a *AgentLabels) AddIntegrityTags(tags []Tag) {
-	logAgent.Printf("Agent %s adding %d integrity tags", a.AgentID, len(tags))
-	a.mu.Lock()
-	defer a.mu.Unlock()
-	a.Integrity.Label.AddAll(tags)
-	if len(tags) > 0 {
-		log.Printf("[DIFC] Agent %s gained integrity tags: %v", a.AgentID, tags)
-	}
+	a.modifyTags("integrity", "adding", "gained", tags, func() {
+		a.Integrity.Label.AddAll(tags)
+	})
 }
 
 // ApplyPropagation applies label changes from a propagate-mode evaluation result
@@ -184,18 +191,24 @@ func (a *AgentLabels) Clone() *AgentLabels {
 	}
 }
 
-// GetSecrecyTags returns a copy of secrecy tags (thread-safe)
-func (a *AgentLabels) GetSecrecyTags() []Tag {
+// getTagsLocked returns a copy of tags from the given label under the agent's read lock.
+func (a *AgentLabels) getTagsLocked(label *Label) []Tag {
 	a.mu.RLock()
 	defer a.mu.RUnlock()
-	return a.Secrecy.Label.GetTags()
+	if label == nil {
+		return nil
+	}
+	return label.GetTags()
+}
+
+// GetSecrecyTags returns a copy of secrecy tags (thread-safe)
+func (a *AgentLabels) GetSecrecyTags() []Tag {
+	return a.getTagsLocked(a.Secrecy.Label)
 }
 
 // GetIntegrityTags returns a copy of integrity tags (thread-safe)
 func (a *AgentLabels) GetIntegrityTags() []Tag {
-	a.mu.RLock()
-	defer a.mu.RUnlock()
-	return a.Integrity.Label.GetTags()
+	return a.getTagsLocked(a.Integrity.Label)
 }
 
 // AgentRegistry manages agent labels across all agents

internal/difc/labels.go

@@ -150,6 +150,15 @@ func (l *Label) IsEmpty() bool {
 	return len(l.tags) == 0
 }
 
+// cloneLabelOrNew clones inner if it is non-nil, otherwise returns a new empty Label.
+// This helper centralizes the nil-guard logic shared by SecrecyLabel.Clone and IntegrityLabel.Clone.
+func cloneLabelOrNew(inner *Label) *Label {
+	if inner == nil {
+		return NewLabel()
+	}
+	return inner.Clone()
+}
+
 // SecrecyLabel wraps Label with secrecy-specific flow semantics
 // Secrecy flow: data can only flow to contexts with equal or more secrecy tags
 // l ⊆ target (this has no tags that target doesn't have)
@@ -279,10 +288,7 @@ func (l *SecrecyLabel) CheckFlow(target *SecrecyLabel) (bool, []Tag) {
 
 // Clone creates a copy of the secrecy label
 func (l *SecrecyLabel) Clone() *SecrecyLabel {
-	if l.getLabel() == nil {
-		return NewSecrecyLabel()
-	}
-	return &SecrecyLabel{Label: l.Label.Clone()}
+	return &SecrecyLabel{Label: cloneLabelOrNew(l.getLabel())}
 }
 
 // IntegrityLabel wraps Label with integrity-specific flow semantics
@@ -326,10 +332,7 @@ func (l *IntegrityLabel) CheckFlow(target *IntegrityLabel) (bool, []Tag) {
 
 // Clone creates a copy of the integrity label
 func (l *IntegrityLabel) Clone() *IntegrityLabel {
-	if l.getLabel() == nil {
-		return NewIntegrityLabel()
-	}
-	return &IntegrityLabel{Label: l.Label.Clone()}
+	return &IntegrityLabel{Label: cloneLabelOrNew(l.getLabel())}
 }
 
 // ViolationType indicates what kind of DIFC violation occurred