Refactor DIFC label constructors to eliminate duplication

[Copilot]

Duplicate code analysis identified ~54 lines of duplication across 2 patterns in the DIFC and config validation modules.

Changes

DIFC Label Constructors

Extracted common label-with-tags creation pattern into newLabelWithTags() helper:

// Before: Duplicated logic in both constructors
func NewSecrecyLabelWithTags(tags []Tag) *SecrecyLabel {
    label := NewSecrecyLabel()
    label.Label.AddAll(tags)
    return label
}

func NewIntegrityLabelWithTags(tags []Tag) *IntegrityLabel {
    label := NewIntegrityLabel()
    label.Label.AddAll(tags)
    return label
}

// After: Single helper, constructors simplified
func newLabelWithTags(tags []Tag) *Label {
    label := NewLabel()
    label.AddAll(tags)
    return label
}

func NewSecrecyLabelWithTags(tags []Tag) *SecrecyLabel {
    return &SecrecyLabel{Label: newLabelWithTags(tags)}
}

func NewIntegrityLabelWithTags(tags []Tag) *IntegrityLabel {
    return &IntegrityLabel{Label: newLabelWithTags(tags)}
}

Eliminates ~8 lines of duplication in internal/difc/labels.go.

Docker Inspect Wrappers

Analysis confirmed checkPortMapping(), checkStdinInteractive(), and checkLogDirMounted() already share the runDockerInspect() helper. Each function has distinct domain logic and return types. No further abstraction warranted.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• example.com
  • Triggering command: /tmp/go-build4007704820/b274/launcher.test /tmp/go-build4007704820/b274/launcher.test -test.testlogfile=/tmp/go-build4007704820/b274/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ache/go/1.25.6/x64/src/runtime/cgo .cfg 64/pkg/tool/linux_amd64/vet -p vendor/golang.or-unsafeptr=false -lang=go1.25 64/pkg/tool/linux_amd64/vet -I 8340911/b183/ -I rgo/bin/as -g" "-lresolv" --64 -o 8340911/b183/ (dns block)
• invalid-host-that-does-not-exist-12345.com
  • Triggering command: /tmp/go-build3364410036/b001/config.test /tmp/go-build3364410036/b001/config.test -test.testlogfile=/tmp/go-build3364410036/b001/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true go ps140/fips140.go-imultiarch 64/pkg/tool/linux86_64-linux-gnu (dns block)
• nonexistent.local
  • Triggering command: /tmp/go-build4007704820/b274/launcher.test /tmp/go-build4007704820/b274/launcher.test -test.testlogfile=/tmp/go-build4007704820/b274/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ache/go/1.25.6/x64/src/runtime/cgo .cfg 64/pkg/tool/linux_amd64/vet -p vendor/golang.or-unsafeptr=false -lang=go1.25 64/pkg/tool/linux_amd64/vet -I 8340911/b183/ -I rgo/bin/as -g" "-lresolv" --64 -o 8340911/b183/ (dns block)
• slow.example.com
  • Triggering command: /tmp/go-build4007704820/b274/launcher.test /tmp/go-build4007704820/b274/launcher.test -test.testlogfile=/tmp/go-build4007704820/b274/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ache/go/1.25.6/x64/src/runtime/cgo .cfg 64/pkg/tool/linux_amd64/vet -p vendor/golang.or-unsafeptr=false -lang=go1.25 64/pkg/tool/linux_amd64/vet -I 8340911/b183/ -I rgo/bin/as -g" "-lresolv" --64 -o 8340911/b183/ (dns block)
• this-host-does-not-exist-12345.com
  • Triggering command: /tmp/go-build4007704820/b283/mcp.test /tmp/go-build4007704820/b283/mcp.test -test.testlogfile=/tmp/go-build4007704820/b283/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 64/src/net red-by: lpcox <15877973+lpcox@users.noreply.github.com> ache/go/1.25.6/x64/pkg/tool/linux_amd64/vet -p crypto/internal/-unsafeptr=false -lang=go1.25 01.o (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[duplicate-code] Duplicate Code Analysis Report - f550849</issue_title>
<issue_description>Analysis of commit f550849

Summary

This analysis identified 2 significant duplication patterns across the Go codebase, affecting the DIFC (Decentralized Information Flow Control) module and configuration validation code. A total of approximately 54 lines of meaningful duplicated code were detected.

Detected Patterns

This analysis found 2 significant duplication patterns requiring refactoring:

1. DIFC Label Constructor Duplication - Severity: Medium - See sub-issue #aw_xyz789ghi012
2. Docker Inspect Wrapper Functions - Severity: Medium - See sub-issue #aw_mno345pqr678

Overall Impact

• Total Duplicated Lines: ~54 lines across 2 patterns
• Affected Files: 2 files (internal/difc/labels.go, internal/difc/agent.go, internal/config/validation_env.go)
• Maintainability Risk: Medium - Duplication increases risk of inconsistent updates
• Refactoring Priority: Medium - Both patterns are in active development areas

Next Steps

1. Review individual pattern sub-issues for detailed analysis
2. Prioritize refactoring based on severity and impact
3. Create implementation plan for highest priority patterns
4. Consider using Go generics or helper functions to reduce duplication

Analysis Metadata

• Analyzed Files: 60 Go files (excluding tests, workflows, and agent configs)
• Detection Method: Semantic code analysis using grep and manual code review
• Commit: f550849
• Analysis Date: 2026-02-05T03:03:56Z
• Triggered by: @lpcox

AI generated by Duplicate Code Detector

• expires on Feb 12, 2026, 3:07 AM UTC

Comments on the Issue (you are @copilot in this section)

Custom agent used: agentic-workflows
GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing

• Fixes [duplicate-code] Duplicate Code Analysis Report - f550849 #678

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[Copilot]

Pull request overview

This PR refactors DIFC (Decentralized Information Flow Control) label constructors to eliminate code duplication by introducing a shared helper function. The refactoring extracts common label initialization logic that was duplicated across NewSecrecyLabelWithTags() and NewIntegrityLabelWithTags().

Changes:

• Introduced newLabelWithTags() helper function to centralize label-with-tags creation logic
• Simplified NewSecrecyLabelWithTags() and NewIntegrityLabelWithTags() to use the shared helper
• Reduced ~8 lines of duplicated code in the DIFC module

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.