From b6ecf248d0839ab5b61a0bb21c433869e01581f0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
 <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 2 Apr 2026 12:49:25 +0000
Subject: [PATCH] refactor(proxy): extract writeDIFCForbidden helper

Replace two inline httputil.WriteJSONResponse 403 calls in handler.go
with a package-level writeDIFCForbidden helper. This reduces duplication
and makes future changes to the DIFC violation response shape easier
(only one place to update).

Closes #3053

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 internal/proxy/handler.go | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/internal/proxy/handler.go b/internal/proxy/handler.go
index 7b1a3b81..537a4dc3 100644
--- a/internal/proxy/handler.go
+++ b/internal/proxy/handler.go
@@ -18,6 +18,13 @@ import (
 
 var logHandler = logger.New("proxy:handler")
 
+// writeDIFCForbidden writes a 403 JSON response for DIFC policy violations.
+func writeDIFCForbidden(w http.ResponseWriter, message string) {
+	httputil.WriteJSONResponse(w, http.StatusForbidden, map[string]string{
+		"message": message,
+	})
+}
+
 // proxyHandler implements http.Handler and runs the DIFC pipeline on proxied requests.
 type proxyHandler struct {
 	server *Server
@@ -152,9 +159,7 @@ func (h *proxyHandler) handleWithDIFC(w http.ResponseWriter, r *http.Request, pa
 		} else {
 			// Write blocked
 			logHandler.Printf("[DIFC] Phase 2: BLOCKED %s %s — %s", r.Method, path, evalResult.Reason)
-			httputil.WriteJSONResponse(w, http.StatusForbidden, map[string]string{
-				"message": fmt.Sprintf("DIFC policy violation: %s", evalResult.Reason),
-			})
+			writeDIFCForbidden(w, fmt.Sprintf("DIFC policy violation: %s", evalResult.Reason))
 			return
 		}
 	}
@@ -225,10 +230,8 @@ func (h *proxyHandler) handleWithDIFC(w http.ResponseWriter, r *http.Request, pa
 			// Strict mode: block entire response if any item filtered
 			if s.enforcementMode == difc.EnforcementStrict && filtered.GetFilteredCount() > 0 {
 				logHandler.Printf("[DIFC] STRICT: blocking response — %d filtered items", filtered.GetFilteredCount())
-				httputil.WriteJSONResponse(w, http.StatusForbidden, map[string]string{
-					"message": fmt.Sprintf("DIFC policy violation: %d of %d items not accessible",
-						filtered.GetFilteredCount(), filtered.TotalCount),
-				})
+				writeDIFCForbidden(w, fmt.Sprintf("DIFC policy violation: %d of %d items not accessible",
+					filtered.GetFilteredCount(), filtered.TotalCount))
 				return
 			}