[refactor] Semantic Function Clustering: Outliers, Duplication, and Organization Improvements #2100
Description
Analysis of repository: github/gh-aw-mcpg — §23267034906
Overview
Analysis of 77 non-test Go files (~568 function declarations) across internal/ and main.go identified four actionable refactoring opportunities — all carried over from the previous run (§23216447319) and still unaddressed. The codebase is well-organized overall; the issues below are localized, low-risk, and quick to fix. No new systemic problems were found in the recent commit (e1bab9d feat(guard): add DIFC labeling for GitHub Projects tools).
The four findings span three packages (mcp, server, config) and together represent ~50 minutes of estimated work at Priority 1.
Full Report
Function Inventory Summary
| Package | Files | Functions (approx) |
|---|---|---|
internal/difc |
7 | ~75 |
internal/logger |
10 | ~60 |
internal/config |
9 | ~60 |
internal/server |
9 | ~55 |
internal/guard |
6 | ~40 |
internal/mcp |
6 | ~35 |
internal/cmd |
7 | ~30 |
internal/launcher |
3 | ~25 |
| Other packages | 9 | ~30 |
Root (main.go) |
1 | ~5 |
| Total | 77 | ~415 |
Identified Issues
1. Redundant Private Wrapper Function
File: internal/mcp/connection.go:40–42
// REDUNDANT — unexported wrapper that only delegates to the exported function
func getAgentTagsSnapshotFromContext(ctx context.Context) (*AgentTagsSnapshot, bool) {
return GetAgentTagsSnapshotFromContext(ctx)
}This unexported function (line 40) is called exactly once at line 296. It provides zero abstraction — it solely calls its exported counterpart GetAgentTagsSnapshotFromContext. The call site can call the exported function directly.
Recommendation: Remove the private wrapper. Update line 296 to call GetAgentTagsSnapshotFromContext directly.
Estimated effort: 5 minutes
Impact: Eliminates unnecessary indirection; removes confusion about why two functions have identical signatures.
2. Missing Named Constant for "backend-id" Context Key
File: internal/server/http_helpers.go:105
// INCONSISTENT — magic string cast, no named constant
ctx = context.WithValue(ctx, mcp.ContextKey("backend-id"), backendID)The other context keys in the mcp package have proper named constants:
mcp.SessionIDContextKey = "awmg-session-id"(mcp/connection.go:29)mcp.AgentTagsSnapshotContextKey = "awmg-agent-tags-snapshot"(mcp/connection.go:32)
But "backend-id" has no named constant — the string is cast inline. If this key ever needs to be read from context elsewhere, there is no single source of truth.
Recommendation: Add a named constant in internal/mcp/connection.go:
// BackendIDContextKey stores the routed server backend ID in context
const BackendIDContextKey ContextKey = "awmg-backend-id"Then update http_helpers.go:105 to use mcp.BackendIDContextKey.
Estimated effort: 10 minutes
Impact: Consistent with the existing context key pattern; improves discoverability and type-safety.
3. authMiddleware Bypasses auth.ValidateAPIKey()
File: internal/server/auth.go:57
The authMiddleware docstring explicitly references auth.ValidateAPIKey() as the validation function to use, but the implementation performs a raw string comparison instead:
// Documented as using auth.ValidateAPIKey() for key validation
// ...
if authHeader != apiKey { // ← bypasses the dedicated functionThe auth.ValidateAPIKey() function encodes the "auth disabled when expected=empty" semantic:
// internal/auth/header.go:97
func ValidateAPIKey(provided, expected string) bool {
if expected == "" {
return true // auth-disabled semantic
}
return provided == expected
}While applyAuthIfConfigured guards against apiKey == "", the raw comparison still bypasses the package's own intended API and creates an inconsistency between documentation and implementation.
Recommendation: Replace the direct comparison in authMiddleware:
if !auth.ValidateAPIKey(authHeader, apiKey) {
// ... error handling
}Estimated effort: 15 minutes
Impact: Aligns implementation with documentation and uses the auth package's intended API.
4. RUNNING_IN_CONTAINER Env Var Not Checked in config/validation_env.go
Files:
internal/tty/container.go:30— checksRUNNING_IN_CONTAINERinternal/config/validation_env.go—detectContainerized()does not check it
Both functions implement container detection using overlapping signals:
| Check | tty/container.go |
config/validation_env.go:detectContainerized() |
|---|---|---|
/.dockerenv file |
✓ | ✓ |
/proc/*/cgroup for docker/containerd |
✓ (proc/1) | ✓ (proc/self) |
RUNNING_IN_CONTAINER env var |
✓ | ✗ missing |
RUNNING_IN_CONTAINER=true is documented (AGENTS.md, README) as the override to force container detection when /.dockerenv and cgroup detection are unavailable. However, detectContainerized() in config/validation_env.go ignores this env var, so --validate-env will fail to detect containerized execution in environments where the documented override is used.
Recommendation: Add the env var check to detectContainerized() in config/validation_env.go:
// Add to detectContainerized(), alongside existing checks:
if os.Getenv("RUNNING_IN_CONTAINER") == "true" {
return true, ""
}Estimated effort: 20 minutes
Impact: Fixes a behavioral gap in --validate-env when RUNNING_IN_CONTAINER=true is set; aligns the two detectors.
Semantic Clusters (Well-Organized Areas)
The following areas are well-organized and require no changes:
✓ String utilities — internal/strutil/truncate.go is a clean central location; all consumers correctly delegate to it.
✓ Logger generics — internal/logger/global_helpers.go uses Go generics to eliminate init*/close* duplication across logger types.
✓ Environment utilities — internal/envutil/envutil.go provides GetEnvString/Int/Bool; config/config_env.go correctly builds domain-specific getters on top of these primitives.
✓ Config validation split — validation.go, validation_env.go, validation_schema.go have clear single responsibilities.
✓ Guard context keys — Separate ContextKey type definitions in guard and mcp are intentional to ensure per-package context key isolation.
✓ Docker utilities — internal/mcp/dockerenv.go (ExpandEnvArgs) and internal/config/docker_helpers.go serve distinct purposes: the former expands env args for MCP backend process launch, the latter validates Docker accessibility during config validation.
✓ Validation functions — The 12 validate* / check* functions in internal/config/ are well-distributed across validation.go, validation_env.go, validation_schema.go, guard_policy.go, and docker_helpers.go with clear per-file scope.
Refactoring Recommendations
Priority 1 — Low effort, high clarity (< 30 min total)
- Remove
getAgentTagsSnapshotFromContextprivate wrapper (mcp/connection.go:40–42, update call at line 296) - Add
BackendIDContextKeyconstant tomcp/connection.go, updateserver/http_helpers.go:105 - Use
auth.ValidateAPIKey()inauthMiddlewareinstead of rawauthHeader != apiKey
Priority 2 — Behavioral fix (< 20 min)
- Add
RUNNING_IN_CONTAINERenv var check toconfig/validation_env.go:detectContainerized()
Implementation Checklist
- Remove
getAgentTagsSnapshotFromContextprivate wrapper (mcp/connection.go:40–42, update call at line 296) - Add
BackendIDContextKeyconstant tomcp/connection.goand updateserver/http_helpers.go:105 - Replace
authHeader != apiKeywith!auth.ValidateAPIKey(authHeader, apiKey)inserver/auth.go:57 - Add
RUNNING_IN_CONTAINERenv var check inconfig/validation_env.go:detectContainerized() - Run
make agent-finishedto verify all changes pass lint, build, and tests
Analysis Metadata
- Total Go files analyzed: 77 (excluding
_test.go) - Total functions cataloged: ~415
- Outliers found: 1 (missing
BackendIDContextKeyconstant) - Behavioral gaps: 1 (
RUNNING_IN_CONTAINERnot checked indetectContainerized) - Redundant wrappers: 1 (
getAgentTagsSnapshotFromContext) - API inconsistencies: 1 (
authMiddlewarebypassesauth.ValidateAPIKey) - New issues from recent commits: 0 (recent
feat(guard)commit touches only Rust guard code) - Detection method: Naming pattern analysis + cross-package function comparison + implementation review
- Analysis date: 2026-03-18
References:
- §23267034906
- §23216447319 (previous run)
Generated by Semantic Function Refactoring · ◷