Fix: Don't expose /mcp/sys route when DIFC is disabled

[Copilot]

The /mcp/sys route was unconditionally registered in routed mode, creating an exposed but non-functional endpoint when DIFC is disabled (the default).

Changes

• internal/server/routed.go: Only include "sys" in route registration when DIFC is enabled
• internal/server/unified.go: Add IsDIFCEnabled() getter to expose DIFC configuration
• internal/server/routed_test.go: Add tests verifying sys route presence/absence based on DIFC status

Behavior

Before:

$ ./awmg --routed --config config.toml
2026/01/16 01:15:15 Registered route: /mcp/sys      # ← Always registered
2026/01/16 01:15:15 Registered route: /mcp/github

After:

$ ./awmg --routed --config config.toml
2026/01/16 01:20:16 Registered route: /mcp/github   # ← sys route omitted

$ ./awmg --routed --config config.toml --enable-difc
2026/01/16 01:20:18 Registered route: /mcp/sys      # ← sys route only when DIFC enabled
2026/01/16 01:20:18 Registered route: /mcp/github

Original prompt

---

This section details on the original issue you should resolve

<issue_title>2026/01/10 00:21:11 Registered route: /mcp/sys</issue_title>
<issue_description>Don't expose the sys server</issue_description>

<agent_instructions>can you please confirm that the route /mcp/sys is not exposed to clients?</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes 2026/01/10 00:21:11 Registered route: /mcp/sys #110

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.