refactor: consolidate duplicate DIFC filtered-item struct and tagsToStrings (#2111)

Two duplication patterns introduced in `internal/server/difc_log.go`
required parallel edits across files when modifying DIFC filter event
data shapes.

## Changes

- **Struct consolidation** — `FilteredItemLogEntry` (server) and
`JSONLFilteredItem` (logger) shared identical 11-field data definitions.
Moved the shared fields into a new `logger.FilteredItemLogEntry`;
`JSONLFilteredItem` now embeds it, keeping only its own `Timestamp` and
`Type` fields:

  ```go
  // Before: 11 fields duplicated verbatim in both structs
  type JSONLFilteredItem struct {
      Timestamp string `json:"timestamp"`
      Type      string `json:"type"`
      ServerID  string `json:"server_id"`
      // ... 9 more duplicated fields
  }

  // After: embed the shared struct
  type JSONLFilteredItem struct {
      Timestamp string `json:"timestamp"`
      Type      string `json:"type"`
      FilteredItemLogEntry
  }
  ```

- **Remove `toJSONLFilteredItem()`** — field-by-field copy method
replaced with a direct struct literal:
`&logger.JSONLFilteredItem{FilteredItemLogEntry: entry}`

- **Eliminate duplicate `tagsToStrings`** — local helper in
`difc_log.go` was identical to `difc.TagsToStrings`; replaced all call
sites with the canonical package function

- **Test updates** — `difc_log_test.go` updated to reference
`logger.FilteredItemLogEntry` instead of the removed local type

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build3728142662/b332/launcher.test
/tmp/go-build3728142662/b332/launcher.test
-test.testlogfile=/tmp/go-build3728142662/b332/testlog.txt
-test.paniconexit0 -test.timeout=10m0s rev-�� /unix` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3728142662/b317/config.test
/tmp/go-build3728142662/b317/config.test
-test.testlogfile=/tmp/go-build3728142662/b317/testlog.txt
-test.paniconexit0 -test.timeout=10m0s rev-�� ache/go/1.25.8/x-p
cf9O/V70NMeR5oSymain x_amd64/vet` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build3728142662/b332/launcher.test
/tmp/go-build3728142662/b332/launcher.test
-test.testlogfile=/tmp/go-build3728142662/b332/testlog.txt
-test.paniconexit0 -test.timeout=10m0s rev-�� /unix` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build3728142662/b332/launcher.test
/tmp/go-build3728142662/b332/launcher.test
-test.testlogfile=/tmp/go-build3728142662/b332/testlog.txt
-test.paniconexit0 -test.timeout=10m0s rev-�� /unix` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3728142662/b341/mcp.test
/tmp/go-build3728142662/b341/mcp.test
-test.testlogfile=/tmp/go-build3728142662/b341/testlog.txt
-test.paniconexit0 -test.timeout=10m0s rev-��
ache/go/1.25.8/x64/src/runtime/cgo1.25.8` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

<!-- START COPILOT CODING AGENT TIPS -->
---

💡 You can make Copilot smarter by setting up custom instructions,
customizing its development environment and configuring Model Context
Protocol (MCP) servers. Learn more [Copilot coding agent
tips](https://gh.io/copilot-coding-agent-tips) in the docs.

Author: lpcox

internal/logger/jsonl_logger.go

@@ -139,12 +139,10 @@ func LogRPCMessageJSONLWithTags(direction RPCMessageDirection, messageType RPCMe
 	})
 }
 
-// JSONLFilteredItem represents a DIFC-filtered item logged to the JSONL stream.
-// These entries appear alongside RPC messages so filter events are visible
-// in context with the request/response that triggered them.
-type JSONLFilteredItem struct {
-	Timestamp         string   `json:"timestamp"`
-	Type              string   `json:"type"` // Always "DIFC_FILTERED"
+// FilteredItemLogEntry holds the data fields for a DIFC-filtered item.
+// It is used for both text log output ([DIFC-FILTERED] JSON lines) and as
+// the embedded payload in JSONLFilteredItem for JSONL log output.
+type FilteredItemLogEntry struct {
 	ServerID          string   `json:"server_id"`
 	ToolName          string   `json:"tool_name"`
 	Description       string   `json:"description"`
@@ -158,6 +156,17 @@ type JSONLFilteredItem struct {
 	SHA               string   `json:"sha,omitempty"`
 }
 
+// JSONLFilteredItem represents a DIFC-filtered item logged to the JSONL stream.
+// These entries appear alongside RPC messages so filter events are visible
+// in context with the request/response that triggered them.
+// It embeds FilteredItemLogEntry so that adding a data field requires only a
+// single edit rather than parallel edits in two structs.
+type JSONLFilteredItem struct {
+	Timestamp string `json:"timestamp"`
+	Type      string `json:"type"` // Always "DIFC_FILTERED"
+	FilteredItemLogEntry
+}
+
 // LogDifcFilteredItem writes a DIFC filter event to the JSONL log.
 func LogDifcFilteredItem(entry *JSONLFilteredItem) {
 	if entry == nil {

internal/server/difc_log.go

@@ -8,24 +8,6 @@ import (
 	"github.com/github/gh-aw-mcpg/internal/logger"
 )
 
-// FilteredItemLogEntry is the structured log record emitted for each item
-// removed by DIFC filtering. It is written as JSON to the unified and
-// per-server text log files under the [DIFC-FILTERED] marker so that filter
-// events can be correlated with the MCP request/response that triggered them.
-type FilteredItemLogEntry struct {
-	ServerID          string   `json:"server_id"`
-	ToolName          string   `json:"tool_name"`
-	Description       string   `json:"description"`
-	Reason            string   `json:"reason"`
-	SecrecyTags       []string `json:"secrecy_tags"`
-	IntegrityTags     []string `json:"integrity_tags"`
-	AuthorAssociation string   `json:"author_association,omitempty"`
-	AuthorLogin       string   `json:"author_login,omitempty"`
-	HTMLURL           string   `json:"html_url,omitempty"`
-	Number            string   `json:"number,omitempty"`
-	SHA               string   `json:"sha,omitempty"`
-}
-
 // logFilteredItems logs structured details for every item removed by DIFC filtering.
 // Each item is written as a [DIFC-FILTERED] JSON entry to both the unified and
 // per-server text log files (via LogInfoWithServer), and as a DIFC_FILTERED entry
@@ -40,22 +22,22 @@ func logFilteredItems(serverID, toolName string, filtered *difc.FilteredCollecti
 		}
 		jsonStr := string(b)
 		logger.LogInfoWithServer(serverID, "difc", "[DIFC-FILTERED] %s", jsonStr)
-		logger.LogDifcFilteredItem(entry.toJSONLFilteredItem())
+		logger.LogDifcFilteredItem(&logger.JSONLFilteredItem{FilteredItemLogEntry: entry})
 	}
 }
 
-// buildFilteredItemLogEntry constructs a FilteredItemLogEntry from a filtered item.
-func buildFilteredItemLogEntry(serverID, toolName string, detail difc.FilteredItemDetail) FilteredItemLogEntry {
-	entry := FilteredItemLogEntry{
+// buildFilteredItemLogEntry constructs a logger.FilteredItemLogEntry from a filtered item.
+func buildFilteredItemLogEntry(serverID, toolName string, detail difc.FilteredItemDetail) logger.FilteredItemLogEntry {
+	entry := logger.FilteredItemLogEntry{
 		ServerID: serverID,
 		ToolName: toolName,
 		Reason:   detail.Reason,
 	}
 
 	if detail.Item.Labels != nil {
 		entry.Description = detail.Item.Labels.Description
-		entry.SecrecyTags = tagsToStrings(detail.Item.Labels.Secrecy.Label.GetTags())
-		entry.IntegrityTags = tagsToStrings(detail.Item.Labels.Integrity.Label.GetTags())
+		entry.SecrecyTags = difc.TagsToStrings(detail.Item.Labels.Secrecy.Label.GetTags())
+		entry.IntegrityTags = difc.TagsToStrings(detail.Item.Labels.Integrity.Label.GetTags())
 	}
 
 	// Extract identifying metadata from the raw item data.
@@ -71,33 +53,6 @@ func buildFilteredItemLogEntry(serverID, toolName string, detail difc.FilteredIt
 	return entry
 }
 
-// toJSONLFilteredItem converts a FilteredItemLogEntry to a logger.JSONLFilteredItem
-// for writing to the JSONL log.
-func (e FilteredItemLogEntry) toJSONLFilteredItem() *logger.JSONLFilteredItem {
-	return &logger.JSONLFilteredItem{
-		ServerID:          e.ServerID,
-		ToolName:          e.ToolName,
-		Description:       e.Description,
-		Reason:            e.Reason,
-		SecrecyTags:       e.SecrecyTags,
-		IntegrityTags:     e.IntegrityTags,
-		AuthorAssociation: e.AuthorAssociation,
-		AuthorLogin:       e.AuthorLogin,
-		HTMLURL:           e.HTMLURL,
-		Number:            e.Number,
-		SHA:               e.SHA,
-	}
-}
-
-// tagsToStrings converts DIFC tags to string slice.
-func tagsToStrings(tags []difc.Tag) []string {
-	s := make([]string, len(tags))
-	for i, t := range tags {
-		s[i] = string(t)
-	}
-	return s
-}
-
 // getStringField returns the first non-empty string value from the map
 // matching any of the given field names.
 func getStringField(m map[string]interface{}, fields ...string) string {

internal/server/difc_log_test.go

@@ -106,7 +106,7 @@ func TestLogFilteredItems_EmitsValidJSONWithExpectedFields(t *testing.T) {
 	require.Len(t, unifiedLines, 1, "unified log should have exactly one DIFC-FILTERED entry")
 
 	jsonStr := extractJSONFromDIFCLine(t, unifiedLines[0])
-	var entry FilteredItemLogEntry
+	var entry logger.FilteredItemLogEntry
 	require.NoError(t, json.Unmarshal([]byte(jsonStr), &entry), "log entry must be valid JSON")
 
 	assert.Equal(t, "github", entry.ServerID)
@@ -125,7 +125,7 @@ func TestLogFilteredItems_EmitsValidJSONWithExpectedFields(t *testing.T) {
 	require.Len(t, serverLines, 1, "server log should have exactly one DIFC-FILTERED entry")
 
 	serverJSONStr := extractJSONFromDIFCLine(t, serverLines[0])
-	var serverEntry FilteredItemLogEntry
+	var serverEntry logger.FilteredItemLogEntry
 	require.NoError(t, json.Unmarshal([]byte(serverJSONStr), &serverEntry), "server log entry must be valid JSON")
 	assert.Equal(t, entry, serverEntry, "server log entry should match unified log entry")
 }
@@ -162,7 +162,7 @@ func TestLogFilteredItems_MultipleItems(t *testing.T) {
 	numbers := map[string]bool{}
 	for _, line := range lines {
 		jsonStr := extractJSONFromDIFCLine(t, line)
-		var entry FilteredItemLogEntry
+		var entry logger.FilteredItemLogEntry
 		require.NoError(t, json.Unmarshal([]byte(jsonStr), &entry))
 		numbers[entry.Number] = true
 	}