Merged
…#3980)

## Summary

- Fix broken CLI releases (v1.16.0–v1.16.2) caused by copybara failing on historical commits in ITERATIVE mode
- Wrap all `go/*` import replacements in `core.transform` with `noop_behavior = "IGNORE_NOOP"` so old commits (predating the `go/` directory restructuring) don't cause migration failures
- Apply the same fix to the `terraform-provider` workflow which has the same issue

## Linear Ticket

- **Ticket**: [ENG-2667](https://linear.app/overmind/issue/ENG-2667/copybara-cli-releases-are-broken) — copybara / CLI releases are broken

## Changes

The copybara `default` and `terraform-provider` workflows use ITERATIVE mode, which replays every workspace commit against the destination repo. Commits predating the `go/` directory restructuring (Feb 16, ENG-2422) don't contain import paths like `github.com/overmindtech/workspace/go/auth` — so the replacement rules for those paths were no-ops on old commits, causing copybara to fail with exit code 2.

The fix groups all `go/*` replacements (`go/auth`, `go/discovery`, `go/sdp-go`, `go/sdpcache`, `go/tracing`, `go/logging`) into a single `core.transform` block with `noop_behavior = "IGNORE_NOOP"`. This matches the existing pattern already in place for `go/logging`, and is safe because the workspace module enforces correct import paths — any file that compiles uses the new `go/` paths.

Replacements for paths that have always existed at the same location (`aws-source`, `sources`, `stdlib-source`, `k8s-source`, `cli`) are left as-is with the default fail-on-noop behaviour.

Made with [Cursor](https://cursor.com)

---

> [!NOTE]
> **Low Risk**
> Config-only change to Copybara transformations that only relaxes behavior for missing historical import paths; it doesn’t alter runtime product code.
>
> **Overview**
> Prevents Copybara `ITERATIVE` migrations from failing on older workspace commits by wrapping all `go/*` import-path `core.replace` rules in a single `core.transform(..., noop_behavior = "IGNORE_NOOP")`.
>
> Applies this both to the `default` (CLI) workflow and the `terraform-provider` workflow, while keeping non-`go/*` replacements as strict (fail-on-noop).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3ce476f87712de6b3dbb6e59a878222e3d231a19. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: 7b0fa3794a1c65dc9b6d70160c4e703aa39f2d85
Remove all references to "blast propagation" from documentation and cursor rules, as blast radius is now AI-driven only. Previously, adapters required hardcoded blast radius information, but with the new AI-driven approach, these references are obsolete and have been removed across the codebase to reflect the updated system.

---

Linear Issue: [ENG-2474](https://linear.app/overmind/issue/ENG-2474/docs-update-all-documentation-and-cursor-rules-to-remove-blast)

---

> [!NOTE]
> **Low Risk**
> Primarily documentation/comment updates with a small, straightforward helper signature change; minimal risk beyond potential compile breakage where old `AppendURILinks` args were still used.
>
> **Overview**
> Removes remaining *blast propagation* terminology from docs and Cursor rules, standardizing dynamic adapter linking language around `linkRules` and AI-driven blast radius.
>
> Cleans up a few code comments and call sites to match the new model, including simplifying Azure `AppendURILinks` usage (dropping blast in/out params) and updating snapshot edge hydration comments to no longer mention blast propagation.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0f43ba4813a82ccb38f2c59789dc8b28ac0cd404. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: 1bbe4ea80eca56a3bb44055cd045170d1d28cd22
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | stage | minor | `1.25-alpine` → `1.26-alpine` |
| golang | | minor | `1.25-bookworm` → `1.26-bookworm` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

---

> [!NOTE]
> **Medium Risk**
> Toolchain and container base image upgrades can cause subtle build/test failures or behavior changes across all Go services. Renovate/CI changes are straightforward but affect automation and linting consistency.
>
> **Overview**
> **Upgrades the Go toolchain baseline to 1.26** across the repo: `go.mod` now targets Go `1.26.0`, the devcontainer base image moves to `dev-1.26-bookworm` (with cache keys updated), and all build/package Dockerfiles plus gateway compose dev images switch from `golang:1.25-*` to `golang:1.26-*`.
>
> Also bumps `golangci-lint` from `v2.7.2` to `v2.9.0` in both the devcontainer and CI, and extends `renovate.json` with regex managers so Renovate can track/update the Go devcontainer tag, golangci-lint version, and Go-cache key versions. Azure manual tests are adjusted to stop asserting `ExpectedBlastPropagation` in `QueryTests` fixtures.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f6893ea8e3f8788f4b7f363cf1219429dd6886d4. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: David Schmitt <david.schmitt@overmind.tech>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 0ab86ed3afecb3d30e7f7e090f2d8493ea52a55c
> [!NOTE]
> **Medium Risk**
> Adds new discovery surface area and link generation across many Azure network relationships; risk is mainly incorrect type inference or linking causing noisy/missing graph edges rather than security impact.
>
> **Overview**
> Adds a new Azure `NetworkSubnet` searchable adapter (and `SubnetsClient` wrapper) and wires it into `manual/adapters.go` so subnets can be discovered per-virtual-network, including rich linked-item query generation (NSG/route table/NAT gateway/private endpoints/NICs/app gateways and resource navigation/service association links).
>
> Introduces `shared.ItemTypeFromLinkedResourceID` (with tests) to infer `azure-{api}-{resource}` types from Azure resource IDs, adds missing network item types (`ServiceEndpointPolicy`, `IpAllocation`), and registers subnet path extraction in `GetResourceIDPathKeys`. Also updates compute gallery linking/tests to include gallery applications as child resources.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 375ce66214732222c20756b7c7c7801079693de4. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: be036b8890b6aaa841bb1134525d40bdd9bd12de
> [!NOTE]
> **Medium Risk**
> Adds a new Azure discovery adapter and wires it into initialization, which may increase API calls and affect discovery/linking behavior, but changes are additive and covered by unit tests.
>
> **Overview**
> Adds first-class support for Azure Compute Shared Image Gallery *applications* by introducing a `GalleryApplicationsClient` wrapper and registering it in `manual/adapters.go` for both real and placeholder adapter initialization.
>
> Introduces a new `ComputeGalleryApplication` adapter with `Get`/`Search`/streaming search, unique keying by `galleryName+applicationName`, and linked queries to the parent gallery, child application versions, and URI-derived network resources; includes unit tests plus generated GoMock clients, and updates Azure resource-ID path key parsing to recognize `azure-compute-gallery-application`.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit eb5ec855013b3a2783fd868617d2d1fd036d9376. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 50ba559650c678bcf33d3d05104328c82bc999d3
This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on monday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 274f0481f6976247f3788133c2741c8b70edd9a2
… 2f722ef (#3951)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [google.golang.org/genproto/googleapis/rpc](https://redirect.github.com/googleapis/go-genproto) | require | digest | `4cfbd41` → `2f722ef` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 3c95d4397b7dbd6b25f57035eae721715f784ffe
Removes outdated references to hardcoded blast propagation by updating a comment and cleaning up a frontend Omit type.

This PR completes the final cleanup for the "Remove Blast Propagation Information" project (ENG-2748). It updates a misleading comment in the `ec2-security-group` adapter and removes a redundant `'followOnlyBlastPropagation'` field from a frontend `Omit` type, aligning the codebase with the new AI-driven blast radius analysis.

---

Linear Issue: [ENG-2748](https://linear.app/overmind/issue/ENG-2748/blast-propagation-removal-final-cleanup-comment-frontend-omit-docs)

---

> [!NOTE]
> **Low Risk**
> Comment-only Go change plus a TypeScript type cleanup; no behavior, auth, or data handling logic is modified.
>
> **Overview**
> Removes stale, hardcoded blast-propagation references.
>
> Updates the `ec2-security-group` adapter comment to describe linking security groups to network interfaces for traversal to attached instances, and simplifies the frontend run-query helper types by no longer omitting `followOnlyBlastPropagation` from `Query_RecursionBehaviour`.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 733dff3fc9dae5a58aa59ba94224942365109300. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: 699a548231e5291544299fc2c67b0de72a89134f
> [!NOTE]
> **Low Risk**
> Mostly additive adapter/client code with new SDK client initialization; primary risk is incorrect scoping/query parsing causing missed or mislinked firewall rule items.
>
> **Overview**
> Adds first-class discovery for Azure SQL Server firewall rules.
>
> Introduces a new `SqlServerFirewallRuleClient` (with generated mock) and a `NewSqlServerFirewallRule` searchable wrapper that supports `Get`/`Search`/`SearchStream`, emits stable composite IDs, and creates links to the parent SQL Server and referenced start/end IPs.
>
> Wires the new adapter into `manual/adapters.go` (including Azure SDK `FirewallRulesClient` initialization) and updates Azure resource ID path parsing (`GetResourceIDPathKeys`) to support `azure-sql-server-firewall-rule`, with unit tests covering paging and error cases.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 311ce443564a42650b4172b5ca5cfa9c15ebb752. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: b72ee0433b202eb7da5dbc6271cd5c5072b8e9be
https://github.com/user-attachments/assets/cfe3a528-b11f-4874-8cc7-6410c5c87638

## Summary

- Establish bidirectional links between GCP resources that share network tags (instances, firewalls, routes, instance templates) so blast radius is correct when tags or rules change
- Add SEARCH-by-tag support to Compute Firewall, Compute Route (dynamic, list+filter), and Compute Instance (manual, aggregated list+filter)
- Add `SearchFilterFunc` to the dynamic adapter framework for client-side post-filtering when the GCP API has no server-side tag filter

## Linear Ticket

- **Ticket**: [ENG-2763](https://linear.app/overmind/issue/ENG-2763/implement-support-for-network-tag-relationships-eng-2757) — Implement support for network tag relationships (ENG-2757)
- **Purpose**: Ensure blast radius correctly reflects network tag dependencies between instances, firewalls, and routes
- **Related**: [ENG-2757](https://linear.app/overmind/issue/ENG-2757), [ENG-2756](https://linear.app/overmind/issue/ENG-2756)

## Changes

- **`sources/gcp/shared/linker.go`**: Network tag detection (`isNetworkTag`) and SEARCH link emission in `AutoLink` for all four resource types
- **`sources/gcp/shared/adapter-meta.go`**: New `SearchFilterFunc` type and field on `AdapterMeta`
- **`sources/gcp/dynamic/adapter-searchable-listable.go`**: Apply `SearchFilterFunc` after list in `Search`; fallback to non-streaming in `SearchStream` when filter is set
- **`sources/gcp/dynamic/adapters/compute-firewall.go`**: `SearchEndpointFunc`, `SearchFilterFunc` (targetTags/sourceTags), link rules for targetTags/sourceTags
- **`sources/gcp/dynamic/adapters/compute-route.go`**: `SearchEndpointFunc`, `SearchFilterFunc` (tags), link rule for tags
- **`sources/gcp/dynamic/adapters/compute-instance-template.go`**: Link rule for `properties.tags.items`
- **`sources/gcp/manual/compute-instance.go`**: Emit SEARCH links for each network tag; add `Search`/`SearchLookups`/`Scopes` methods for tag-based SEARCH
- **Tests**: Unit tests for linker network-tag handling, compute instance tag links, adapter type assertions; integration test (`network-tags_test.go`)

## Deviations from Approved Plan

- **Instance template SEARCH resolution deferred (O9)**: As planned, instance templates do not implement SEARCH — only link emission via `properties.tags.items`
- **Instance `Search` uses `List` with wildcard scope**: The plan called for `AggregatedList` in the `Search` method. The implementation delegates to `List(ctx, "*")` which internally uses `AggregatedList`, achieving the same result with less code duplication
- **`SearchFilterFunc` on `AdapterMeta` instead of only `AdapterConfig`**: The filter is defined on `AdapterMeta` so it can be set declaratively alongside `SearchEndpointFunc` in adapter registration files, then plumbed through `AdapterConfig` — this is a minor structural choice not explicitly specified in the plan
- No other material deviations from the approved plan

---

> [!NOTE]
> **Medium Risk**
> Touches core discovery/linking and search execution paths (including cache/streaming fallbacks) and introduces list+filter tag searches that could affect performance or link correctness on large GCP projects.
>
> **Overview**
> Adds *network tag relationship discovery* for GCP so resources that share tags (Compute Instances, Firewalls, Routes, and Instance Templates) emit bidirectional `SEARCH`-based links, improving blast radius accuracy.
>
> Implements tag-based `SEARCH` by listing then client-side filtering for dynamic adapters (`ComputeFirewall`, `ComputeRoute`) via a new `SearchFilterFunc` hook, plus a manual `ComputeInstance` `Search` implementation keyed by `networkTag`. Updates the linker (`AutoLink`) and dynamic potential-link calculation to recognize tag attribute keys and produce tag-driven `SEARCH` links, and adds unit + integration tests plus a small fix to the query engine to fall back from `SearchStream` to batch `Search` when streaming isn’t implemented.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 583a57977777df487cc3597fdb9d0406de0d1a80. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: cfa6af5ba89c93a32bd84050fd719e8e6d2fc904
> [!NOTE]
> **Medium Risk**
> Moderate risk due to the `armnetwork` major-version bump and new network adapter wiring, which could cause compile/runtime incompatibilities with Azure SDK types and discovery link behavior.
>
> **Overview**
> Adds discovery support for Azure **Private Endpoints** by introducing a new `PrivateEndpointsClient` wrapper and a `network-private-endpoint` manual adapter (List/Get/streaming) that emits linked queries to related subnet/VNet, NICs, application security groups, private link services, and stdlib IP/DNS entries.
>
> Upgrades the Azure Network SDK dependency from `armnetwork/v8` to `armnetwork/v9` across clients, adapters, tests, and generated mocks, and registers the new private endpoint adapter + SDK client in `manual/adapters.go`. Documentation in the cursor skill guide is also updated to emphasize mandatory IP/DNS linking in nested/array fields.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 15a102d915ff606e8cda352926da3d4125961022. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 1c18e8ff0caa8df91287d0387873d0038a36ca0c
## Summary

- The CLI now walks up parent directories to find `.overmind/knowledge/` when it's not in the current working directory, stopping at the `.git` boundary to avoid escaping the repository
- Fixes the common monorepo/CI pattern where the CLI runs from a subdirectory (e.g. `environments/prod/`) but knowledge files live at the repo root
- Adds debug-level logging showing which directory was resolved, so users can verify the behavior with `--log debug`

## Linear Ticket

- **Ticket**: [ENG-2781](https://linear.app/overmind/issue/ENG-2781/implement-walk-up-directory-discovery-for-knowledge-files) — Implement walk-up directory discovery for knowledge files
- **Purpose**: When running the CLI from a subdirectory, knowledge files at the repo root are silently ignored. This change walks up the directory tree to find them.
- **Project**: Tribal Knowledge

## Changes

- **`cli/knowledge/discover.go`** — New `FindKnowledgeDir` function that walks up from a start directory checking for `.overmind/knowledge/`, stopping at `.git` boundary or filesystem root. Also adds debug-level logging of the resolved path in `DiscoverAndConvert`.
- **`cli/cmd/terraform_plan.go`** — Uses `FindKnowledgeDir(".")` instead of hardcoded `".overmind/knowledge/"`
- **`cli/cmd/changes_submit_plan.go`** — Same call site update
- **`cli/knowledge/discover_test.go`** — 7 new test cases: CWD, parent, grandparent, `.git` boundary stop, CWD priority, not found, `.git` + knowledge at same level
- **`docs.overmind.tech/docs/knowledge/knowledge.md`** — Added discovery rule explaining walk-up behavior

## Deviations from Approved Plan

Implementation matches the approved plan — no material deviations. All five parts (FindKnowledgeDir function, call site updates, debug logging, 7 unit tests, docs update) were implemented exactly as specified in the plan approved by Dylan Ratcliffe on ENG-2781.

Closes ENG-2781

Made with [Cursor](https://cursor.com)

---

> [!NOTE]
> **Low Risk**
> Small, well-tested change to local file discovery paths; primary risk is behavior differences in edge cases (multiple knowledge dirs, missing `.git`) affecting which knowledge files are uploaded.
>
> **Overview**
> The CLI’s knowledge-file discovery now *walks up parent directories* to find `.overmind/knowledge/` (stopping at the `.git` boundary) instead of only looking in the current working directory.
>
> `overmind terraform plan` and `overmind changes submit-plan` now use this resolved directory when attaching knowledge to `StartChangeAnalysis`, `DiscoverAndConvert` logs the resolved path at debug level, and new unit tests + docs cover the new discovery behavior.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9d98bc3741f75e2bb874d790df1838da255dd0cf. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: c87f8b056fa35558f608f54b7ec122967dfed9f8
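
The walk-up rule described in the commit message above, written out as an added Go example; it is not the project's `FindKnowledgeDir` and not code from this pull request. The names `findKnowledgeDirSketch`, `isRealDir` and `errKnowledgeNotFound` are hypothetical, and refusing a symlinked `knowledge` entry is an assumption of this sketch rather than documented behaviour.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// knowledgeRel is the relative path named in the commit message.
const knowledgeRel = ".overmind/knowledge"

// errKnowledgeNotFound is a hypothetical sentinel for "nothing inside the boundary".
var errKnowledgeNotFound = errors.New("no .overmind/knowledge directory inside the repository boundary")

// isRealDir reports whether p is a directory and not a symlink.
// Assumption of this sketch: a symlinked knowledge entry is skipped, so the
// resolved path cannot point outside the tree that was walked.
func isRealDir(p string) bool {
	fi, err := os.Lstat(p)
	return err == nil && fi.IsDir()
}

// findKnowledgeDirSketch walks from start towards the filesystem root and
// returns the first .overmind/knowledge directory it meets. The knowledge
// check runs before the .git check, so a repository root that holds both is
// still a hit; a directory that holds only .git ends the walk, which keeps
// the search from leaving the repository.
func findKnowledgeDirSketch(start string) (string, error) {
	dir, err := filepath.Abs(start)
	if err != nil {
		return "", err
	}
	for {
		candidate := filepath.Join(dir, knowledgeRel)
		if isRealDir(candidate) {
			return candidate, nil
		}
		// .git is a directory in a normal clone and a file in a worktree or
		// submodule; either one marks the boundary.
		if _, err := os.Lstat(filepath.Join(dir, ".git")); err == nil {
			return "", errKnowledgeNotFound
		}
		parent := filepath.Dir(dir)
		if parent == dir { // reached the filesystem root
			return "", errKnowledgeNotFound
		}
		dir = parent
	}
}

func main() {
	dir, err := findKnowledgeDirSketch(".")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("resolved knowledge dir:", dir)
}
```

The boundary check matters most in CI runners that check out several repositories side by side: without it, a knowledge directory belonging to a parent workspace would be uploaded with an unrelated plan.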
This applies the new `go fix` from go 1.26 to our code, cleaning up a
bunch of outdated coding patterns. This PR also contains an update to
golangci-lint to avoid an incompatibility in static check with the new
code. Check out the commit messages for details.
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Primarily mechanical refactors and tooling bumps; functional behavior
changes are minimal aside from the small scope-check helper
simplification.
>
> **Overview**
> **Modernizes Go code and test fixtures** by replacing `interface{}`
with `any`, `map[string]interface{}` with `map[string]any`, and
simplifying scope checks in AWS adapter helpers via `slices.Contains`.
>
> **Removes custom pointer helper functions** used in AWS adapter tests
and updates a large set of test data builders to use `new(T)`-style
pointer creation instead; related Cursor docs/templates are adjusted to
match (including dropping the Azure SDK `to.Ptr` helper guidance).
>
> **Tooling updates**: bumps `golangci-lint` from `v2.9.0` to `v2.10.1`
in both devcontainer and CI, and adds `ripgrep` to the devcontainer
image.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
bf1f8d1c6c0d0f8644627b1eec431f3a9d63386c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: d04ca21bb8e1a331035f484b6b0f8076d6c271b5
> [!NOTE]
> **Medium Risk**
> Adds a new Azure adapter and wires it into global adapter initialization, increasing discovery surface area and Azure API call volume/permissions for storage resources. Logic is read-only and covered by unit tests, but could affect pagination/error handling and linked-resource graphing.
>
> **Overview**
> Adds first-class discovery support for **Azure Storage Encryption Scopes** via a new `EncryptionScopesClient` wrapper and `NewStorageEncryptionScope` adapter (GET by `storageAccount+scopeName`, SEARCH by storage account).
>
> Wires the new adapter into `manual/adapters.go` (real and placeholder init), links encryption scopes from `storage-account.go` (and updates tests), and extends resource-ID path parsing (`GetResourceIDPathKeys`) to understand `azure-storage-encryption-scope`. Includes generated GoMock client and comprehensive adapter tests (paging, nil-name filtering, and error paths).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit eb69fb4324235c4a3a0de031e325289fe3df6774. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: f9b65d20d0c70fc0cb1f56a402dc708b351f2cff
GitOrigin-RevId: ae97ce2892c7961c34eaacb2ba7f01d9968b4bc0
…… (#4013)

## Summary

- Closes the race window where sources report HEALTHY to the API server (via heartbeats and readiness probes) before adapters are registered, which caused silent mapping failures (ENG-2786)
- Introduces an `adaptersInitialized` flag (`atomic.Bool`) in the discovery `Engine` that gates both `ReadinessHealthCheck` and `SendHeartbeat`
- All source entry points (CLI explore, stdlib, snapshot, and `InitialiseAdapters`) now explicitly mark adapters as initialized after successful setup

## Linear Ticket

- **Ticket**: [ENG-2789](https://linear.app/overmind/issue/ENG-2789/source-reports-healthy-before-adapters-are-initialized) — Source reports HEALTHY before adapters are initialized
- **Purpose**: Prevent premature healthy status that causes mapping queries to silently return 0 items
- **Related**: [ENG-2786](https://linear.app/overmind/issue/ENG-2786/investigate-failed-mappings) (root cause investigation), [ENG-2806](https://linear.app/overmind/issue/ENG-2806) (tracking ticket)

## Changes

**Core fix** (`go/discovery/`):

- `engine.go`: Added `adaptersInitialized atomic.Bool` field, `MarkAdaptersInitialized()` and `AreAdaptersInitialized()` methods. `ReadinessHealthCheck` returns an error when the flag is unset. `InitialiseAdapters` sets the flag on success.
- `heartbeat.go`: `SendHeartbeat` includes "adapters not yet initialized" in the error string while the flag is unset, so the API server marks the source as UNHEALTHY during startup.
- `doc.go`: Added "Readiness gating" section documenting the new contract.

**Source entry points**:

- `stdlib-source/cmd/root.go`: Calls `MarkAdaptersInitialized()` after successful init
- `sources/snapshot/cmd/root.go`: Same
- `cli/cmd/explore.go`: Calls `MarkAdaptersInitialized()` for all five engine types (snapshot, stdlib, AWS, GCP, Azure)

**Tests** (`go/discovery/`):

- `engine_initerror_test.go`: 6 new tests covering the flag lifecycle; existing tests updated to call `MarkAdaptersInitialized()` so they isolate `initError` behavior
- `heartbeat_test.go`: Existing test updated to initialize the flag in setup

Sources that use `InitialiseAdapters` (AWS, GCP, Azure, Harness, k8s) get the flag set automatically — no changes needed.

## Test plan

- [x] `go test ./go/discovery/ -run 'TestReadiness|TestHeartbeat|TestInitialiseAdapters' -v` — all pass
- [x] `go build ./cli/...` — compiles cleanly
- [x] `go vet ./go/discovery/...` — clean
- [x] ran everything locally + an extra source, explore worked in the UI
- [x] CI passes on all affected packages

---

> [!NOTE]
> **Medium Risk**
> Changes source health signaling semantics: pods will now report unready/unhealthy until adapter init completes, which could affect rollout behavior or monitoring if any entrypoint forgets to mark initialization.
>
> **Overview**
> Prevents sources from reporting healthy before adapters are registered by introducing an `adaptersInitialized` flag on the discovery `Engine` and gating both `ReadinessHealthCheck` and `SendHeartbeat` on it.
>
> `InitialiseAdapters` now marks adapters initialized on success, and source entry points (CLI `explore`, `snapshot-source`, `stdlib-source`) explicitly call `MarkAdaptersInitialized()` after successful adapter setup (with snapshot/stdlib also sending an immediate post-init heartbeat). Tests and docs are updated to cover and document the new readiness/heartbeat contract.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit c9af3c42d54ad809c2da9c02d8ab9714256065bd. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: af146952982a8552394d0f7c6a8fd7401d0e93de
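
The readiness gate described in the commit message above, as an added Go example; it is not the project's `Engine` and not code from this pull request. The type `gatedEngine`, the `setup` callback signature, `HeartbeatStatus` and `startupTimeline` are hypothetical; only the flag name, the method names and the error wording are taken from the message.

```go
package main

import (
	"errors"
	"fmt"
	"sync/atomic"
)

// errNotInitialised carries the wording quoted in the commit message.
var errNotInitialised = errors.New("adapters not yet initialized")

// gatedEngine is a hypothetical stand-in for the discovery Engine.
type gatedEngine struct {
	adaptersInitialized atomic.Bool
	adapters            []string // written only before the flag is stored
}

func (e *gatedEngine) MarkAdaptersInitialized()     { e.adaptersInitialized.Store(true) }
func (e *gatedEngine) AreAdaptersInitialized() bool { return e.adaptersInitialized.Load() }

// InitialiseAdapters runs setup and sets the flag only on success, so a
// failed or still-running setup can never be reported as ready.
func (e *gatedEngine) InitialiseAdapters(setup func() ([]string, error)) error {
	adapters, err := setup()
	if err != nil {
		return fmt.Errorf("adapter init failed: %w", err)
	}
	e.adapters = adapters
	e.MarkAdaptersInitialized() // the atomic store publishes the slice write above
	return nil
}

// ReadinessHealthCheck is what a readiness probe would call.
func (e *gatedEngine) ReadinessHealthCheck() error {
	if !e.AreAdaptersInitialized() {
		return errNotInitialised
	}
	return nil
}

// HeartbeatStatus returns what a heartbeat would report: healthy, or the
// error text that makes the receiving side mark the source unhealthy.
func (e *gatedEngine) HeartbeatStatus() (healthy bool, errText string) {
	if err := e.ReadinessHealthCheck(); err != nil {
		return false, err.Error()
	}
	return true, ""
}

// startupTimeline reproduces the race window with a constructed slow setup:
// a probe arrives while setup is blocked, then again after it completes.
func startupTimeline() (before, after error) {
	e := &gatedEngine{}
	release := make(chan struct{})
	done := make(chan error, 1)
	go func() {
		done <- e.InitialiseAdapters(func() ([]string, error) {
			<-release // constructed delay standing in for slow adapter setup
			return []string{"example-adapter"}, nil
		})
	}()
	before = e.ReadinessHealthCheck() // probe during startup
	close(release)
	if err := <-done; err != nil {
		return before, err
	}
	after = e.ReadinessHealthCheck() // probe after setup finished
	return before, after
}

func main() {
	before, after := startupTimeline()
	fmt.Println("during startup:", before)
	fmt.Println("after init:    ", after)
}
```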
<img width="1486" height="1010" alt="image" src="https://github.com/user-attachments/assets/25ee3923-22fa-4c6e-8df7-894e977ac2e9" /> <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Adds a new Azure discovery adapter that enumerates and fetches virtual network peerings, increasing Azure API surface area and adapter initialization work. Risk is moderate due to new linked-item query generation (including cross-scope links) and potential changes in discovery graph/output, but it is read-only. > > **Overview** > Adds support for discovering Azure **Virtual Network Peerings** by introducing a `VirtualNetworkPeeringsClient` abstraction (with generated GoMock) and a new `NewNetworkVirtualNetworkPeering` searchable wrapper. > > Wires the new adapter into `manual/adapters.go` (including SDK client initialization and placeholder registration), adds linked-item queries from peerings to local/remote VNets and selective subnets with health derived from `ProvisioningState`, and updates shared resource-ID path key extraction to recognize `azure-network-virtual-network-peering`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f6c1b086b4c3086ab9962b558489d693ca631039. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 1593b32b0782e3b9337cdccd7aebc018a0d0c2cb
<img width="1482" height="1004" alt="image" src="https://github.com/user-attachments/assets/d760220d-8851-4f4f-97db-372535db6e09" /> <!-- CURSOR_SUMMARY --> > [!NOTE] > **Medium Risk** > Adds a new Azure discovery adapter and wires it into adapter initialization, increasing API surface and potential for mis-scoped queries or paging-related issues. Risk is mitigated by unit tests and the change being additive (no existing adapters’ logic is modified). > > **Overview** > Adds first-class discovery support for Azure route table routes via a new `NetworkRoute` searchable wrapper, including `Get` and paged list/search (plus streaming) and SDP item mapping (health + links to parent route table and `stdlib.NetworkIP`). > > Introduces a thin `RoutesClient` wrapper around the Azure SDK (with generated mocks), wires the new adapter into `manual/adapters.go` initialization, and updates Azure resource ID path-key extraction to recognize `azure-network-route`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit c022fe6eba559588515ae230931d1bc9bf269747. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 8ba151b02117da4308c0ba0521122a1ee380001c
<img width="1717" height="1050" alt="image" src="https://github.com/user-attachments/assets/316f2056-1c1b-4607-a2f5-3e9336c6a18b" /> <!-- CURSOR_SUMMARY --> > [!NOTE] > **Medium Risk** > Introduces a new Azure discovery adapter that lists/gets NSG security rules and wires it into adapter initialization, increasing Azure API surface area and calls during discovery. Changes are isolated to network inventory but could affect discovery performance/permissions if mis-scoped. > > **Overview** > Adds first-class discovery for **Azure NSG `securityRules`** by introducing a `SecurityRulesClient` wrapper and a new `NetworkSecurityRule` searchable adapter (Get/Search/SearchStream) that models rules with a composite unique key (`nsgName + ruleName`). > > Wires the new adapter into `manual/adapters.go` (including placeholder registration) and extends resource-ID path parsing (`shared/utils.go`) to support `azure-network-security-rule`; includes generated GoMock client and comprehensive unit tests for get/search and error cases. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 617bf71d5460099e58869e0fec78509f69241d4a. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: eb5f6cfefc8b0d03081e4b47436b926694094cc2
Completes deferred integration tests and documentation for GCP network tag relationships. This PR addresses the remaining work from ENG-2757 by adding integration tests for route-to-instance links, instance template relationships, and full E2E SEARCH resolution for instances, alongside updating user-facing documentation to reflect the new blast radius analysis capabilities. --- Linear Issue: [ENG-2769](https://linear.app/overmind/issue/ENG-2769/follow-up-network-tag-relationship-tests-and-documentation-eng-2757) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Documentation-only changes across many GCP type pages; main risk is incorrect or inconsistent link/SEARCH/Terraform mapping guidance due to breadth of edits and a few removals/renames. 
> > **Overview** > Updates many GCP type docs to standardise formatting (notably supported methods/mappings), expand descriptions, and document additional *resource relationships* used for blast-radius analysis (especially around network tags and routing). > > Adds new type pages for `gcp-certificate-manager-certificate`, `gcp-compute-node-template`, and `gcp-compute-regional-instance-group-manager`, and introduces/expands several new “Possible Links” sections (e.g., routes → forwarding rules via `nextHopIlb`, instance templates/instances → firewalls/routes, load-balancing chain links, and KMS key-version linkages). Also removes the `gcp-big-query-model` and `gcp-compute-region-backend-service` doc pages and updates related docs (e.g., BigQuery dataset linking to routines instead). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit af0298606c9eb842318171ff5e36cd5397e6ed82. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> GitOrigin-RevId: 33503b2d01f32509c4f580050b37bd8fabb39585
<img width="1484" height="1018" alt="image" src="https://github.com/user-attachments/assets/096b3de7-de82-43f7-81e0-d5377c116a63" /> <!-- CURSOR_SUMMARY --> > [!NOTE] > **Low Risk** > Mostly additive wiring for a new read-only Azure resource type; main risk is miswiring the new adapter/client causing discovery/runtime query failures or extra Azure API usage. > > **Overview** > Adds first-class discovery support for Azure SQL Server Virtual Network Rules via a new `SqlServerVirtualNetworkRuleClient` and a `NewSqlServerVirtualNetworkRule` manual adapter implementing `Get`, `Search`, and `SearchStream`. > > Wires the new adapter into Azure `Adapters()` initialization (including a new `armsql.NewVirtualNetworkRulesClient`) and into metadata-only adapter enumeration, and updates Azure resource-id path key mapping for `azure-sql-server-virtual-network-rule`. Includes generated GoMock and unit tests covering happy paths, subnet/vnet linking, and error handling. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ac3a7f2c9dcf2c857f1e2e94b1a6d6227aa05b62. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 092b75194a05270320d39f68938f2f9fa7b3b53d
… a57be14 (#4030) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [google.golang.org/genproto/googleapis/rpc](https://redirect.github.com/googleapis/go-genproto) | require | digest | `2f722ef` → `a57be14` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> GitOrigin-RevId: 12b6ad8bb0959eb7e0f78c6c7baee18bff7ca520
…t to 813a975 (#4029) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/hashicorp/terraform-config-inspect](https://redirect.github.com/hashicorp/terraform-config-inspect) | require | digest | `f4be3ba` → `813a975` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> GitOrigin-RevId: 313b6b8db2626514ba8f5587c0c25763568608c5
…003) ## Summary - Fix the markdownlint `files:` glob in CI that has been broken since Feb 2025 (missing opening quote), meaning markdownlint never ran on any docs. - Resolve all pre-existing markdownlint violations so the step passes cleanly. - Follow-up to #4001 which identified this issue while fixing lychee. ## Changes | Area | Change | | --- | --- | | `docs.overmind.tech/.markdownlintignore` (new) | Exclude `node_modules/` -- eliminates 632 false positives | | `docs.overmind.tech/.markdownlint.json` | Disable MD024 (duplicate headings), MD033 (inline HTML), MD034 (bare URLs -- angle-bracket autolinks break MDX), MD036 (emphasis-as-heading) | | ~8 docs files | Auto-fixed via `markdownlint --fix`: blank lines around lists, indentation, consecutive blank lines, trailing spaces | | 6 docs files | Manual fixes: added `text` language to 9 bare code fences, fixed 1 ordered list prefix | | `.github/workflows/ci.yml` | Fixed `files:` quoting, added explicit `config_file` and `ignore_path` parameters | ## Notes - **MD034 (bare URLs) is disabled** because markdownlint's auto-fix wraps them in `<url>` syntax, which breaks Docusaurus/MDX (it interprets `<` as JSX). The auto-generated source type docs use bare URLs extensively and they render fine in Docusaurus without angle brackets. - The remaining disabled rules (MD024, MD033, MD036) all conflict with Docusaurus conventions or generated docs patterns. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > CI/doc-only changes that primarily affect lint enforcement and markdown formatting, with minimal impact on runtime behavior. > > **Overview** > Re-enables docs markdown linting in CI by fixing the broken `markdownlint-cli` `files` glob and wiring in explicit `config_file` and `ignore_path`. 
> > Adds/updates markdownlint configuration under `docs.overmind.tech` (new `.markdownlintignore` excluding `node_modules/`, and `.markdownlint.json` disabling several rules) and applies doc formatting fixes (e.g., code fences annotated as `text`, list spacing/numbering) to satisfy the now-enforced lints. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0fa9478c858659e55cb1f06f57a96127fcd33f60. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 148c43d74d2aa242169cca45da70a74672ffc3c4
<img width="1725" height="1008" alt="image" src="https://github.com/user-attachments/assets/f7a9d810-0178-4f91-9047-a73cfd54a419" /> <!-- CURSOR_SUMMARY --> > [!NOTE] > **Low Risk** > Primarily additive discovery support for a new Azure resource type (PostgreSQL Flexible Server firewall rules) with minimal impact on existing adapters; risk is limited to potential integration issues in the new paging/get logic and adapter registration. > > **Overview** > Adds first-class discovery support for Azure PostgreSQL Flexible Server firewall rules via a new `PostgreSQLFlexibleServerFirewallRuleClient` and a `NewDBforPostgreSQLFlexibleServerFirewallRule` searchable wrapper (supports `Get`, `Search`, and `SearchStream`). > > Registers the new adapter in `manual/adapters.go`, wires up the Azure SDK `FirewallRulesClient`, and extends Azure resource-ID path key extraction (`shared/utils.go`) so the new item type can be resolved from IDs. Includes generated GoMock client + unit tests covering happy paths and error handling. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit a78c18bf1261b682e38060d6555e88ba3264c89b. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 197c21d49473799e3453aafef48ded8eb154aa8f
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Mostly adds a CI guardrail and applies mechanical Go modernizations (e.g., `any`, `reflect.TypeFor`) with no intended behavior change; main risk is CI becoming stricter and failing when `go fix` output isn’t committed.
>
> **Overview**
> Adds a new CI job, `go-fix`, that runs `go fix ./...` and fails the workflow if it produces uncommitted diffs, and wires it into `ci-gate`.
>
> Applies the resulting mechanical Go updates across a few Azure/GCP files (e.g., `interface{}` → `any`, gomock recorder type registration using `reflect.TypeFor`, and cleanup of ad-hoc string pointer helpers in tests).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 29aee6b9eee814a688e732d35e8ce3415c4dacf4. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: 0353d6400711465ee4f8bd9ba5761393074f0932
<img width="1728" height="1009" alt="image" src="https://github.com/user-attachments/assets/4e11cab9-8915-42bd-a87f-1463ac014bcb" /> <!-- CURSOR_SUMMARY --> > [!NOTE] > **Medium Risk** > Adds a new Azure discovery adapter and wires it into adapter initialization, increasing Key Vault API usage and linked-query graph output. Changes are read-only and well-tested but could impact discovery performance/permissions expectations. > > **Overview** > Adds first-class discovery for **Azure Key Vault keys** via a new `KeysClient` wrapper (with generated GoMock) and a `KeyVaultKey` adapter supporting `GET` (vault+key) and `SEARCH` (list keys by vault). > > Wires the new adapter into `manual/adapters.go` (including real `armkeyvault.NewKeysClient` initialization and placeholder registration), and updates Key Vault vault items to also link to child key searches (and include `KeyVaultKey` in `PotentialLinks`). Also extends Azure resource-ID path key mapping with `azure-keyvault-key`, and adds/updates unit tests to cover the new key adapter behavior and the vault’s additional child link. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0b29a2ddc717149176305b54854346583b95bcc7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 2bd99fdce98c081a0e3c43d8653b1e85cdf7804a
This pull request contains changes generated by a Cursor Cloud Agent <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Doc-only changes that mostly adjust Markdown formatting (code fence language, list indentation, trailing newlines) with no runtime impact. Risk is limited to potential minor rendering differences in the docs site. > > **Overview** > Standardizes documentation formatting across the knowledge guide and many GCP `Types` pages. > > Updates include fixing stray/empty list markers, annotating directory-tree code blocks with `text`, normalizing bullet indentation under *Terraform Mappings*, and adding missing trailing newlines to avoid `\ No newline at end of file` issues. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0f79dea5de8251ea40e6feb34517c6da815dd7e8. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> Co-authored-by: Cursor Agent <cursoragent@cursor.com> GitOrigin-RevId: 0feda22f710d45a1af80217b79d57f20869f2f80
Add an optional `review_prompt` input to the code review workflow for custom prompts and structured, actionable feedback. --- <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Primarily CI workflow and documentation updates plus test-only refactors (Go `any`/pointer helper cleanup). Low production risk, but the workflow prompt handling could affect review output formatting if misconfigured. > > **Overview** > Adds an optional `review_prompt` input to the Cursor code review GitHub Action, selecting between a structured default prompt and a user-provided prompt, and passing the effective prompt into the `agent` invocation. > > Records the prompt source/effective prompt into `$GITHUB_ENV` (with a randomized heredoc delimiter) and includes both in the Actions step summary; docs are updated with the new input and CLI example. > > Refactors a few Go tests to use `any` and simplified pointer creation, removing local `stringPtr`/`newPtr` helpers (no functional changes to production code). 
> > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 13e5f33401380fd95d9c742ee12168d01ae21659. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: b2e3ef21991eae0ac58a3a9901e044698b2db503
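The commit message above mentions writing the effective prompt to `$GITHUB_ENV` with a randomized heredoc delimiter. The following is an added example, not the workflow's own code, showing why a fixed delimiter is unsafe when the value is user-supplied. The variable name `REVIEW_PROMPT`, the helper functions and the simplified reader of the `NAME<<DELIM` / `NAME=value` file format are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; none of these helpers come from the repository.

# Weak form: fixed delimiter. If the value contains a line equal to "EOF",
# the block ends early and the following lines are read as new assignments.
write_env_fixed() {   # args: name value file
  printf '%s<<EOF\n%s\nEOF\n' "$1" "$2" >> "$3"
}

# Hardened form: a fresh 128-bit random delimiter per write, plus a check
# that the value does not happen to contain it.
write_env_random() {  # args: name value file
  _delim="ghadelim_$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
  case "$2" in
    *"$_delim"*) return 1 ;;   # refuse rather than write an ambiguous block
  esac
  printf '%s<<%s\n%s\n%s\n' "$1" "$_delim" "$2" "$_delim" >> "$3"
}

# Simplified reader (assumption: models only NAME<<DELIM blocks and
# NAME=value lines). Prints each variable name the file would define.
env_names() {         # args: file
  _end=""
  while IFS= read -r _line || [ -n "$_line" ]; do
    if [ -n "$_end" ]; then
      # Inside a multi-line value: only the delimiter line closes it.
      if [ "$_line" = "$_end" ]; then _end=""; fi
      continue
    fi
    case "$_line" in
      *"<<"*) _name=${_line%%"<<"*}; _end=${_line#*"<<"}
              printf '%s\n' "$_name" ;;
      *=*)    _name=${_line%%=*}
              printf '%s\n' "$_name" ;;
    esac
  done < "$1"
}

# Constructed untrusted input: a prompt whose second line is the fixed
# delimiter, followed by a line shaped like an assignment.
sample_value() { printf 'review this change\nEOF\nINJECTED=1'; }

# Write the sample with the given writer and report which names result.
names_after() {       # args: writer-function
  _f=$(mktemp)
  "$1" REVIEW_PROMPT "$(sample_value)" "$_f"
  env_names "$_f" | paste -sd, -
  rm -f "$_f"
}

echo "fixed delimiter : $(names_after write_env_fixed)"
echo "random delimiter: $(names_after write_env_random)"
```

With the fixed delimiter the reader sees a second variable that the workflow never intended to set; with the random delimiter the whole input stays inside the single `REVIEW_PROMPT` value.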
<!-- CURSOR_SUMMARY --> > [!NOTE] > **Low Risk** > Low risk: changes are limited to CI/workflow action version pinning, a Terraform cache key fix, and test-only DB migration locking to reduce flakiness. > > **Overview** > **CI/workflow updates:** fixes the Terraform provider cache key to hash `cli/.terraform.lock.hcl` (instead of the repo-root lockfile), and pins previously unversioned GitHub Actions (`depot/*` and `cloudsmith-io/action`) to specific releases. > > **Outage tracker test stability:** wraps River schema migrations in `CreateTestPgPool` with a Postgres `pg_advisory_lock`/`unlock` to prevent concurrent migrations when tests run in parallel against the same database. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit cb80410d44baf85686bc3d461cbba3e84b4da530. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: b6f394e25717a6abb2bd042ca35866ee51d3c468
<img width="1467" height="1009" alt="image" src="https://github.com/user-attachments/assets/312f3f3c-8b37-4430-8ba6-f71e0755140b" /> <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Mostly additive Azure discovery code, but it introduces new Azure SDK client usage and query/linking logic that could affect discovery completeness and required IAM permissions in production subscriptions. > > **Overview** > Adds support for discovering Azure SQL Server *private endpoint connections* via a new searchable wrapper (`NewSQLServerPrivateEndpointConnection`) backed by a dedicated `SQLServerPrivateEndpointConnectionsClient`. > > The new adapter maps provisioning state to item health, sets a composite unique key (`serverName` + connection name), and emits links to the parent `SQLServer` and (when present) the referenced `NetworkPrivateEndpoint` (including cross-resource-group scope extraction). It’s wired into `manual/adapters.go` (real and placeholder adapters), includes generated GoMock client + a full unit test suite, and updates Azure resource-ID path parsing to recognize `azure-sql-server-private-endpoint-connection`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d6daf7588e1000b1ee7c6ce9cf90bb6d3f836d47. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 7a6a980ea78af4f9f0f1cf8424465ef4f48eb00e
…tion adapter (#4092) <img width="1483" height="997" alt="image" src="https://github.com/user-attachments/assets/43f7668d-a33a-4d57-8e12-66bcc762cc1f" /> <!-- CURSOR_SUMMARY --> > [!NOTE] > **Medium Risk** > Adds new Azure discovery adapters and initializes additional Azure SDK clients, which may affect API permissions, paging behavior, and cross-scope linking for newly ingested resources. Other changes are low impact lint/comment cleanups. > > **Overview** > Adds discovery support for Azure *private endpoint connections* on **SQL Servers** and **DB for PostgreSQL Flexible Servers**, including new client wrappers, adapters/wrappers with `Get`/`Search`/streaming implementations, linked-item queries to the parent server and referenced `NetworkPrivateEndpoint` (with scope extraction), and IAM permission declarations. > > Wires the new adapters into the Azure manual adapter set (including placeholder registration), generates new gomock clients, and extends Azure resource-ID path key extraction to recognize the two new item types. > > Separately removes a few `//nolint` suppressions in the k8s `Endpoints` adapter and the gateway `ListenAndServe` startup code without functional changes. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit abe886cf7b52c91cbc90ff3c983d8fb35cd53fe4. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: e5d29bb5246bbed785c69103aaf36287ac186377
## Summary - Updated customer-facing Terraform/OpenTofu docs to reflect that the Overmind provider and module are now published on the OpenTofu Registry - Verified `tofu init` installs both with proper GPG signature validation (no "Signature validation was skipped" warning) ## Linear Ticket - **Ticket**: [ENG-2678](https://linear.app/overmind/issue/ENG-2678/do-opentofu-release-process-for-phase-5) — Do OpenTofu release process for Phase 5 - **Purpose**: Complete the OpenTofu Registry enrollment that was deferred from ENG-2673 (Phase 5: Copybara & Publishing) ## Changes Single file change to `docs.overmind.tech/docs/sources/aws/terraform.md`: - **Title**: "Configure with Terraform" -> "Configure with Terraform / OpenTofu" - **Intro**: Updated to mention both registries with links - **Quick Start**: Added `tofu init / plan / apply` commands alongside the existing Terraform commands - **Registry Links**: Replaced "coming soon" placeholder with actual OpenTofu Registry links for both the [provider](https://search.opentofu.org/provider/overmindtech/overmind) and [module](https://search.opentofu.org/module/overmindtech/aws-source/overmind) Made with [Cursor](https://cursor.com) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk documentation-only change; updates links and command examples without affecting product code or infrastructure behavior. > > **Overview** > Updates the AWS source setup docs to explicitly cover **OpenTofu** alongside Terraform by renaming the page, adding `tofu init/plan/apply` quick-start commands, and noting `tofu apply` as an alternative. > > Replaces the OpenTofu Registry “coming soon” placeholder with live registry links for both the `overmindtech/overmind` provider and `overmindtech/aws-source` module, and updates the intro to reference availability on both registries. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0e8d5a3ad6941e815c0880f0285e287c400243c0. 
This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: d0d6be741ae527dea3caab6b494a1350ac643c5e
…#4093) <img width="1462" height="991" alt="image" src="https://github.com/user-attachments/assets/77d32b7e-b9a6-46a6-bc0a-a45aaf3d820a" /> <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Adds a new Azure adapter plus SDK client initialization to the main `Adapters` wiring, which can affect source startup and discovery behavior if the new client or paging logic misbehaves. Changes are additive/read-only but touch the adapter registration path used for all runs. > > **Overview** > Adds discovery support for **Azure Key Vault Managed HSM private endpoint connections** via a new searchable wrapper (`NewKeyVaultManagedHSMPrivateEndpointConnection`) with `Get`, `Search`, and streaming search. > > Introduces a small Azure SDK client wrapper interface (`KeyVaultManagedHSMPrivateEndpointConnectionsClient`) and generated GoMock, plus unit tests covering lookup behavior, paging, error handling, and linked-item generation (links to `KeyVaultManagedHSM`, `NetworkPrivateEndpoint`, and `ManagedIdentityUserAssignedIdentity`) and health mapping from provisioning state. > > Wires the new adapter into `manual/adapters.go` by creating `armkeyvault.NewMHSMPrivateEndpointConnectionsClient` and registering the adapter in both real and placeholder adapter lists, and updates `shared/utils.go` resource-ID path key mappings for `azure-keyvault-managed-hsm-private-endpoint-connection`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f66a098752cd4c197fe60692a50fec9aab7c21b4. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 40509e2c92720b77f8358877ec8d304145ec8b80
…ans) (#4103) ## Summary - Switch from `exaring/otelpgx` to `overmindtech/otelpgx` fork which removes `pool.acquire` and `prepare` span creation while preserving all metrics - Prepare duration is now recorded as a `pgx.prepare.duration` attribute (Int64, ms) on the parent query span - Remove the now-unnecessary `pool.acquire` sampling rule from `OvermindSampler` ## Linear Ticket - **Ticket**: [ENG-2943](https://linear.app/overmind/issue/ENG-2943/fork-otelpgx-remove-poolacquire-and-prepare-spans) — Fork otelpgx: remove pool.acquire and prepare spans - **Purpose**: Reduce trace noise by eliminating low-value `pool.acquire` and `prepare` child spans, while preserving `db.client.operation.duration` metrics for both operations - **Related**: [ENG-2941](https://linear.app/overmind/issue/ENG-2941) — complementary to the OTEL collector batch size fix ## Changes | File | Change | | --- | --- | | `go.mod` / `go.sum` | `exaring/otelpgx v0.10.0` replaced with `overmindtech/otelpgx` (commit `65bf101`) | | `go/dbkit/connect.go` | Import path updated to `github.com/overmindtech/otelpgx` | | `go/tracing/main.go` | Removed `pool.acquire` sampling rule from `NewOvermindSampler` (no longer needed) | The fork itself ([overmindtech/otelpgx#2](overmindtech/otelpgx#2)) contains the functional changes to otelpgx. ## Deviations from Approved Plan Implementation matches the approved plan -- no material deviations. All seven parts were implemented as described: 1. Fork created at `overmindtech/otelpgx` with two commits (functionality + rename) 2. `pool.acquire` span removed, metrics preserved, rationale documented 3. `prepare` span removed, `pgx.prepare.duration` attribute added to parent query span 4. Unused code cleaned up from simplified methods 5. Two tests added (`TestTraceAcquire_NoSpan`, `TestTracePrepare_NoSpan_SetsAttribute`) 6. Main repo updated (this PR) 7. 
Upstream PR suggestion deferred to post-validation (as planned) Made with [Cursor](https://cursor.com) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Moderate risk because it changes database OpenTelemetry instrumentation and sampling rules, which can affect trace volume/shape and observability expectations, but it is otherwise a small, localized dependency swap. > > **Overview** > Switches PostgreSQL tracing from `github.com/exaring/otelpgx` to the `github.com/overmindtech/otelpgx` fork, updating `dbkit.Connect` to use the new import and bumping module sums accordingly. > > Simplifies tracing sampling by removing the special-case sampler for `pool.acquire` spans (and the now-unused `SpanNameMatcher` helper), reflecting the fork’s reduced span creation. Adds a `//nolint:staticcheck` annotation for the Kubernetes `v1.Endpoints` adapter to suppress deprecation warnings while `EndpointSlice` migration is pending. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2c0f40d231fdad6a06ce4080b1b834cfed6dce42. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: cd50535a27c2563fb4dd32592182711892177b7d
…2 (#4107)
CLI Rendering as per normal
## Summary
- Migrate from `github.com/charmbracelet/lipgloss/v2` (v2.0.0-beta.3) to `charm.land/lipgloss/v2` (v2.0.0) after the upstream module path change
- Update imports in `cli/cmd/theme.go` and `cli/cmd/terraform_plan.go`
- Bump `charmbracelet/x/cellbuf` v0.0.13 → v0.0.15 for transitive dependency compatibility
## Linear Ticket
- **Ticket**: [ENG-2893](https://linear.app/overmind/issue/ENG-2893) — Migrate charmbracelet/lipgloss/v2 to charm.land/lipgloss/v2 module path
- **Purpose**: The v2.0.0 release changed the Go module path, breaking `go mod download` when pinned to the old path
## Changes
- `go.mod` / `go.sum`: Swapped module path and version, bumped cellbuf for compatibility
- `cli/cmd/theme.go`: Updated lipgloss import path
- `cli/cmd/terraform_plan.go`: Updated lipgloss import path
- No API changes required — all lipgloss functions (`HasDarkBackground`, `LightDark`, `Color`, `NewStyle`) are unchanged between beta.3 and v2.0.0

---
> [!NOTE]
> **Low Risk**
> Low risk: changes are limited to dependency/module-path updates and import rewrites for terminal styling, with no business logic modifications. Main risk is build/runtime regressions from upgraded transitive Charm dependencies affecting CLI rendering.
>
> **Overview**
> **Migrates Lip Gloss v2 to its new Go module path.** Updates CLI imports from `github.com/charmbracelet/lipgloss/v2` to `charm.land/lipgloss/v2`.
>
> **Bumps dependencies to match the new module.** `go.mod`/`go.sum` move from `lipgloss/v2` beta to `v2.0.0` and update related transitive Charm packages (e.g., `colorprofile`, `x/ansi`, `x/cellbuf`, `x/term`) plus a few indirect terminal-width/text deps.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5bfaf8e33fb04c045864ca433e6d54d21bc7fe8f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: fe4c947e211193e77c8cb0a9be1e4c6f8a96eaa1
- Return ErrInvalidKnowledgeFiles from renderKnowledgeList when any invalid/skipped knowledge files exist so the command can be used as a CI gate.
- Always print the full listing (valid + invalid sections) before returning the error so CI logs still show what failed and why.
- Tests updated to expect the error and to assert errors.Is(..., ErrInvalidKnowledgeFiles).

---
> [!NOTE]
> **Medium Risk**
> Changes CLI exit behavior by turning discovery warnings into a command error, which may break existing scripts/CI expectations. Scope is limited to `knowledge list` output/error handling and corresponding tests.
>
> **Overview**
> `knowledge list` now treats any invalid/skipped knowledge files as a failure by returning `ErrInvalidKnowledgeFiles` (with a count) when discovery emits warnings.
>
> The command was adjusted to always print the rendered listing before returning the error so CI logs still include both the valid table and the invalid/skipped reasons; tests were updated to assert `errors.Is(err, ErrInvalidKnowledgeFiles)` when invalid files are present.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit e96569773a500d1f4cde2c916d2e8b55be936b11. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: cc79081493018979fca6aeef132dbe9039346772
Implement JSON snapshot support for Area51 and the snapshot source to improve consistency, ease of inspection, diffing, and standard tooling for the benchmarking and snapshot pipeline, and enable downloading revlink warmup snapshots as JSON files.

---
Linear Issue: [ENG-2901](https://linear.app/overmind/issue/ENG-2901/json-snapshots-for-area51-and-snapshot-source)

---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: carabasdaniel <carabasdaniel@users.noreply.github.com>
Co-authored-by: David Schmitt <david.schmitt@overmind.tech>
GitOrigin-RevId: 90cb509888ed50c26a2df173d1c5d962b88d0e57
> [!NOTE]
> **Medium Risk**
> Introduces a new Azure DNS record set adapter and changes shared Azure terraform-query parsing in `transformer.go`, which could affect how existing Azure resource-ID searches are interpreted and error out.
>
> **Overview**
> Adds first-class discovery for Azure DNS record sets via a new `RecordSetsClient` wrapper and a `NewNetworkDNSRecordSet` manual adapter (Get/Search/SearchStream), including link generation to the parent DNS zone plus related `stdlib` DNS/IP items.
>
> Extends Azure resource-ID parsing to support the non-standard DNS record set path format and updates `transformer.go` to use `ExtractPathParamsFromResourceIDByType`, returning clearer errors when the adapter type is unknown vs the ID format is invalid. The new adapter is registered in `manual/adapters.go` and covered by unit tests plus a generated GoMock client.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 7f18743a8e898139f65e5a9578e316a6500bec0c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 4646b48a153dec066177e249f731d836d01dea5d
> [!NOTE]
> **Medium Risk**
> Moderate risk: introduces a new Azure discovery adapter wired into the main adapter set and slightly changes linked-item query generation for `network-dns-record-set` TargetResource IDs, which could affect downstream graph/linking behavior.
>
> **Overview**
> Adds first-class discovery for Azure **Private DNS Zones** via a new manual adapter (`network-private-dns-zone.go`) that supports `List`/`Get`, sets health from provisioning state, and emits links to stdlib DNS plus child resources (record sets and virtual network links).
>
> Wires the adapter into Azure manual initialization (`adapters.go`), including a new `armprivatedns` client wrapper (`clients/private-dns-zones-client.go`), dependency updates (`go.mod`/`go.sum`), generated gomock, and comprehensive unit tests.
>
> Also updates `network-dns-record-set.go` so `TargetResource` linking falls back to `ExtractResourceName` when path-key extraction isn’t available, avoiding missing/empty GET queries for simpler Azure resource IDs.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b7235563214325b7435c78c8c123b77537e5bb54. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: f18ab3f8621b48c462cdcfa4e3c5d18ed7a38519
> [!NOTE]
> **Medium Risk**
> Adds a new Azure network resource adapter and wires it into adapter initialization, plus changes core adapter metadata generation to always emit an explicit (possibly empty) `PotentialLinks` list, which may affect downstream metadata consumers.
>
> **Overview**
> Adds discovery support for Azure **Application Security Groups** by introducing a new `ApplicationSecurityGroupsClient` wrapper, a `NetworkApplicationSecurityGroup` manual adapter (Get/List/ListStream), and accompanying gomock + unit tests.
>
> Wires the new adapter into `manual/adapters.go` by instantiating the Azure SDK ASG client and registering the adapter in both real and placeholder (metadata-only) adapter lists.
>
> Fixes adapter metadata generation in `sources/transformer.go` to initialize `AdapterMetadata.PotentialLinks` to an empty slice whenever `PotentialLinks()` is non-nil, avoiding a nil field when wrappers return an empty map.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2dd6323205b24e4885bcf5ecceadbd6026e1a2f5. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: d0701a1694a97679bb58058cf65f8ebe514ac47f
…ght (#4119)
## Summary
- Wrap `captureGoroutineSummary` in `singleflight.Group` so that when many ExecuteQuery goroutines hit the stuck timeout simultaneously, only one runs the stop-the-world pprof capture
- Only the goroutine that performed the capture includes the full profile string in its span event; others emit just the numeric counts — reducing OTel data from 32K × 48KB to 1 × 48KB per stuck event window
## Linear Ticket
- **Ticket**: [ENG-2935](https://linear.app/overmind/issue/ENG-2935/add-tracing-instrumentation-for-source-waitgroups-stuck-diagnosis) — Add tracing instrumentation for Source WaitGroups stuck diagnosis
- **Purpose**: Fix a thundering herd introduced by #4089 (merged), observed in the first production goroutine dump
## Context
A production goroutine dump captured by the new instrumentation showed **32,189 goroutines** simultaneously inside `captureGoroutineSummary`, each calling `pprof.Lookup("goroutine").WriteTo()`. This is a stop-the-world operation that serializes all goroutine stacks — having 32K concurrent instances is catastrophic and amplifies the stuck condition.
## Changes
`go/discovery/enginerequests.go`:
- Add a package-level `singleflight.Group` (`goroutineProfileGroup`)
- `captureGoroutineSummary` now calls `group.Do("goroutine-profile", ...)` — concurrent callers share the result
- Returns a `shared` bool; the call site only includes `ovm.stuck.goroutineProfile` in the span event when `shared == false`
- Fresh captures still happen for subsequent (non-concurrent) stuck events
## Deviations from Approved Plan
This is a follow-up fix not covered by the original plan. The thundering herd was discovered from the first production goroutine dump after the plan was deployed.

Made with [Cursor](https://cursor.com)

---
> [!NOTE]
> **Low Risk**
> Changes are limited to stuck-diagnostics instrumentation in `ExecuteQuery`, reducing profiling/telemetry overhead without affecting normal query execution logic. Main risk is reduced per-span profile detail when multiple timeouts occur concurrently.
>
> **Overview**
> Prevents a *thundering herd* when many `ExecuteQuery` calls hit the stuck waitgroup timeout by wrapping goroutine profile capture (`pprof.Lookup("goroutine")`) in a package-level `singleflight.Group`, so concurrent callers share one capture.
>
> Adds `compactGoroutineProfile` to strip noisy address/version data from the debug=1 goroutine dump and updates the `waitgroup.stuck` span event to only attach `ovm.stuck.goroutineProfile` for the goroutine that performed the capture (others emit counts only).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit eb63ad458cbed03a1693833da0ae5868184f0be4. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 8072fdcf0acc515f158bc8e61e5d15311ce27256
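
The capture-sharing behaviour described in the commit message above, as an added Go example that is not the code from `go/discovery/enginerequests.go`. The names `profileGroup`, `dumpGoroutines`, `stuckEventAttrs` and `simulateStuck` are hypothetical, and `profileGroup` is a stdlib-only stand-in for `singleflight.Group` so the block runs without external modules.

```go
package main

import (
	"bytes"
	"fmt"
	"runtime/pprof"
	"sync"
	"sync/atomic"
	"time"
)

// summary is what a stuck handler attaches to its span event.
type summary struct {
	goroutines int
	profile    string
}

type flight struct {
	done   chan struct{}
	result summary
}

// profileGroup is a stdlib-only, single-key stand-in for singleflight.Group
// (hypothetical type). In golang.org/x/sync/singleflight, Do's shared result
// is true for every caller, the executing one included, once duplicates join;
// do reports which caller ran fn instead.
type profileGroup struct {
	mu       sync.Mutex
	current  *flight
	joined   atomic.Int64 // callers waiting on the current flight
	captures int          // how often the expensive capture actually ran
}

func (g *profileGroup) do(fn func() summary) (res summary, performed bool) {
	g.mu.Lock()
	if f := g.current; f != nil {
		g.joined.Add(1)
		g.mu.Unlock()
		<-f.done // join the capture already running
		return f.result, false
	}
	f := &flight{done: make(chan struct{})}
	g.current = f
	g.captures++
	g.mu.Unlock()
	defer func() { // deferred so waiters are released even if fn panics
		g.mu.Lock()
		g.current = nil // a later, non-concurrent caller captures afresh
		g.joined.Store(0)
		g.mu.Unlock()
		close(f.done)
	}()
	f.result = fn()
	return f.result, true
}

// dumpGoroutines performs the expensive debug=1 goroutine profile dump.
func dumpGoroutines() summary {
	p := pprof.Lookup("goroutine")
	var buf bytes.Buffer
	_ = p.WriteTo(&buf, 1)
	return summary{goroutines: p.Count(), profile: buf.String()}
}

// stuckEventAttrs: counts for every caller, full profile only for the capturer.
func stuckEventAttrs(s summary, performed bool) map[string]any {
	attrs := map[string]any{"goroutines": s.goroutines} // hypothetical key
	if performed {
		attrs["ovm.stuck.goroutineProfile"] = s.profile
	}
	return attrs
}

// simulateStuck runs n handlers that time out together (constructed scenario)
// and returns how many captures ran and how many events carried the profile.
func simulateStuck(n int) (captures, eventsWithProfile int) {
	var g profileGroup
	var wg sync.WaitGroup
	var withProfile atomic.Int64
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			s, performed := g.do(func() summary {
				for g.joined.Load() < int64(n-1) { // hold open until all joined
					time.Sleep(time.Millisecond)
				}
				return dumpGoroutines()
			})
			if _, ok := stuckEventAttrs(s, performed)["ovm.stuck.goroutineProfile"]; ok {
				withProfile.Add(1)
			}
		}()
	}
	wg.Wait()
	return g.captures, int(withProfile.Load())
}

func main() { fmt.Println(simulateStuck(200)) }
```
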
… compatibility (#4113)
## Summary
- Fix the silent bug where the Service adapter linked to type `"Endpoint"` (singular, matches no adapter) instead of `"Endpoints"` (plural)
- Add bidirectional Service ↔ EndpointSlice links so the infrastructure graph covers both legacy and modern K8s clusters
- Replace the `TODO: migrate` nolint comment with a block comment explaining the backward compatibility strategy for the deprecated `v1.Endpoints` API
## Linear Ticket
- **Ticket**: [ENG-2960](https://linear.app/overmind/issue/ENG-2960) — Plan: Fix K8s Endpoints/EndpointSlice adapter links and backward compatibility
- **Purpose**: Restore the broken Service → Endpoints link, add EndpointSlice links in both directions, and document why the Endpoints adapter is retained
- **Parent**: ENG-2949
## Changes
**`k8s-source/adapters/endpoints.go`** — Replaced the `//nolint:staticcheck // TODO: migrate` directive with a block comment explaining the backward compatibility rationale and a shorter `//nolint:staticcheck // See note at top of file`.

**`k8s-source/adapters/service.go`** — Fixed the linked item type from `"Endpoint"` to `"Endpoints"` (GET). Added a new `"EndpointSlice"` SEARCH link using `kubernetes.io/service-name` label selector. Updated `PotentialLinks`.

**`k8s-source/adapters/endpointslice.go`** — Added a Service GET link by reading the `kubernetes.io/service-name` label. Added `"Service"` to `PotentialLinks`.

**`k8s-source/adapters/service_test.go`** / **`endpointslice_test.go`** — Updated test expectations to match the new links.

**Documentation** (`Service.json`, `EndpointSlice.json`, `Service.md`, `EndpointSlice.md`) — Updated `potentialLinks` and added link description sections.

**Frontend mocks** (`listActiveSourcesStatus.ts`) — Fixed Service mock `potentialLinks` and added `"Service"` to EndpointSlice mocks.
## Deviations from Approved Plan
Implementation matches the approved plan — no material deviations.

---
> [!NOTE]
> **Low Risk**
> Low risk: primarily fixes link metadata/type mismatches and adds additional linked-item queries, with no changes to core data processing beyond relationship discovery.
>
> **Overview**
> Fixes a broken Kubernetes relationship by changing the Service adapter to link to `Endpoints` (plural) instead of the non-existent `Endpoint` type.
>
> Adds **bidirectional** links between `Service` and `EndpointSlice`: Services now search for matching EndpointSlices via the `kubernetes.io/service-name` label selector, and EndpointSlices link back to their parent Service via the same label.
>
> Updates adapter `PotentialLinks`, unit tests, docs (`Service.md`, `EndpointSlice.md`, and JSON metadata), and frontend source-status mocks to reflect the corrected and expanded link graph, plus clarifies why the deprecated `core/v1.Endpoints` adapter is intentionally retained for backward compatibility.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 14508d01992fc84e8e41c52c362d074422fd0445. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: fd1d88c406097bcbd4eed02c7d7c626b3f57d496
…121)
## Summary
- Replace unconditional `protojson.Format(m)` calls with `proto.Size(m)`
summary in `Publish`, `PublishRequest`, and `Unmarshal` on the SDP
connection hot path
- Eliminates expensive JSON serialization and associated allocations
that ran on every message even though the output was only consumed at
trace log level (disabled in production and dogfood)
- Removes the `protojson` import entirely from `connection.go`
## Changes
The only file changed is `go/sdp-go/connection.go`. Three call sites
that passed `protojson.Format(m)` to `recordMessage` now pass
`fmt.Sprintf("%d bytes", proto.Size(m))` instead. The trace logs and
span events still record message type (via `reflect.TypeOf`) and subject
— only the full JSON body is replaced with a wire-size summary. Two
existing TODO comments acknowledging this problem are removed.
Made with [Cursor](https://cursor.com)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk performance change that only affects trace/span message
payload logging (full JSON replaced with `N bytes`). Main risk is
reduced debugging detail in traces.
>
> **Overview**
> **Reduces SDP connection hot-path overhead** by removing
`protojson.Format` calls from `Publish`, `PublishRequest`, and
`Unmarshal` tracing.
>
> Trace/span logging now records the protobuf *type* plus a `"%d bytes"`
size summary via `proto.Size(m)` instead of the full JSON body, and the
`protojson` import/TODOs are removed.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
8cb4e40af712cbfea96b29e432dda090af825b19. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: 6a3bdd992c6447da693c1925403b5db9180e6e34
> [!NOTE]
> **Medium Risk**
> Mostly additive, but it extends shared Azure item-type/model enums and the global adapter registration list, which could impact compilation or type lookups across the Azure source if misnamed or conflicting.
>
> **Overview**
> Adds discovery support for Azure `PublicIPPrefix` resources by introducing a `PublicIPPrefixesClient` wrapper and a new `NewNetworkPublicIPPrefix` adapter with `List`, `ListStream`, and `Get` implementations.
>
> The adapter maps `armnetwork.PublicIPPrefix` into SDP items with health derived from provisioning state and emits linked queries to related resources (e.g., `NetworkPublicIPAddress`, `NetworkNatGateway`, `NetworkLoadBalancer`/frontend config, `NetworkCustomIPPrefix`, `ExtendedLocationCustomLocation`, and `stdlib.NetworkIP`).
>
> Registers the new adapter in `manual/adapters.go`, adds new shared item types/resources for `CustomIPPrefix` and `ExtendedLocation` custom locations, and includes generated GoMock client + comprehensive unit tests for listing, getting, and link generation.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ccf1451be1e7916b3d1647513efc661b164fe6d1. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 798b18400c4be3588223e0f84f506a49c65e9e01
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/cache](https://redirect.github.com/actions/cache) | action | major | `v4` → `v5` |
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | major | `v4` → `v6` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v6` → `v7` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v4` → `v7` |
| [aws-actions/configure-aws-credentials](https://redirect.github.com/aws-actions/configure-aws-credentials) | action | major | `v5` → `v6` |
| [crazy-max/ghaction-import-gpg](https://redirect.github.com/crazy-max/ghaction-import-gpg) | action | major | `v6` → `v7` |
| [dawidd6/action-download-artifact](https://redirect.github.com/dawidd6/action-download-artifact) | action | major | `v12` → `v16` |
| [docker/login-action](https://redirect.github.com/docker/login-action) | action | major | `v3` → `v4` |
| [goreleaser/goreleaser-action](https://redirect.github.com/goreleaser/goreleaser-action) | action | major | `v6` → `v7` |
| [hashicorp/setup-terraform](https://redirect.github.com/hashicorp/setup-terraform) | action | major | `v3` → `v4` |

---
> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

--- ### Release Notes <details> <summary>actions/cache (actions/cache)</summary> ### [`v5`](https://redirect.github.com/actions/cache/compare/v4...v5) [Compare Source](https://redirect.github.com/actions/cache/compare/v4...v5) </details> <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v6`](https://redirect.github.com/actions/checkout/compare/v5...v6) [Compare Source](https://redirect.github.com/actions/checkout/compare/v5...v6) ### [`v5`](https://redirect.github.com/actions/checkout/compare/v4...v5) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4...v5) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v7`](https://redirect.github.com/actions/upload-artifact/compare/v6...v7) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v6...v7) </details> <details> <summary>aws-actions/configure-aws-credentials (aws-actions/configure-aws-credentials)</summary> ### [`v6`](https://redirect.github.com/aws-actions/configure-aws-credentials/compare/v5...v6) [Compare Source](https://redirect.github.com/aws-actions/configure-aws-credentials/compare/v5...v6) </details> <details> <summary>crazy-max/ghaction-import-gpg (crazy-max/ghaction-import-gpg)</summary> ### [`v7`](https://redirect.github.com/crazy-max/ghaction-import-gpg/compare/v6...v7) [Compare Source](https://redirect.github.com/crazy-max/ghaction-import-gpg/compare/v6...v7) </details> <details> <summary>dawidd6/action-download-artifact (dawidd6/action-download-artifact)</summary> ### [`v16`](https://redirect.github.com/dawidd6/action-download-artifact/releases/tag/v16) [Compare Source](https://redirect.github.com/dawidd6/action-download-artifact/compare/v15...v16) #### What's Changed - build(deps): bump minimatch by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​374](https://redirect.github.com/dawidd6/action-download-artifact/pull/374) - node\_modules: update by 
[@​dawidd6](https://redirect.github.com/dawidd6) in [#​375](https://redirect.github.com/dawidd6/action-download-artifact/pull/375) **Full Changelog**: <dawidd6/action-download-artifact@v15...v16> ### [`v15`](https://redirect.github.com/dawidd6/action-download-artifact/releases/tag/v15) [Compare Source](https://redirect.github.com/dawidd6/action-download-artifact/compare/v14...v15) #### What's Changed - build(deps): bump [@​actions/artifact](https://redirect.github.com/actions/artifact) from 6.0.0 to 6.1.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​369](https://redirect.github.com/dawidd6/action-download-artifact/pull/369) - node\_modules: update by [@​dawidd6](https://redirect.github.com/dawidd6) in [#​370](https://redirect.github.com/dawidd6/action-download-artifact/pull/370) - build(deps): bump fast-xml-parser from 5.3.4 to 5.3.6 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​371](https://redirect.github.com/dawidd6/action-download-artifact/pull/371) - node\_modules: update by [@​dawidd6](https://redirect.github.com/dawidd6) in [#​372](https://redirect.github.com/dawidd6/action-download-artifact/pull/372) **Full Changelog**: <dawidd6/action-download-artifact@v14...v15> ### [`v14`](https://redirect.github.com/dawidd6/action-download-artifact/releases/tag/v14) [Compare Source](https://redirect.github.com/dawidd6/action-download-artifact/compare/v13...v14) ##### What's Changed - build(deps): bump fast-xml-parser from 5.3.3 to 5.3.4 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​367](https://redirect.github.com/dawidd6/action-download-artifact/pull/367) - node\_modules: update by [@​dawidd6](https://redirect.github.com/dawidd6) in [#​368](https://redirect.github.com/dawidd6/action-download-artifact/pull/368) **Full Changelog**: <dawidd6/action-download-artifact@v13...v14> ### [`v13`](https://redirect.github.com/dawidd6/action-download-artifact/releases/tag/v13) [Compare 
Source](https://redirect.github.com/dawidd6/action-download-artifact/compare/v12...v13) #### What's Changed - build(deps): bump [@​actions/artifact](https://redirect.github.com/actions/artifact) from 5.0.1 to 5.0.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​350](https://redirect.github.com/dawidd6/action-download-artifact/pull/350) - build(deps): bump [@​actions/github](https://redirect.github.com/actions/github) from 6.0.1 to 7.0.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​348](https://redirect.github.com/dawidd6/action-download-artifact/pull/348) - build(deps): bump [@​actions/core](https://redirect.github.com/actions/core) from 2.0.1 to 2.0.2 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​349](https://redirect.github.com/dawidd6/action-download-artifact/pull/349) - node\_modules: update by [@​dawidd6](https://redirect.github.com/dawidd6) in [#​351](https://redirect.github.com/dawidd6/action-download-artifact/pull/351) - build(deps): bump lodash from 4.17.21 to 4.17.23 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​353](https://redirect.github.com/dawidd6/action-download-artifact/pull/353) - node\_modules: update by [@​dawidd6](https://redirect.github.com/dawidd6) in [#​354](https://redirect.github.com/dawidd6/action-download-artifact/pull/354) - build(deps): bump [@​actions/github](https://redirect.github.com/actions/github) from 7.0.0 to 8.0.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​355](https://redirect.github.com/dawidd6/action-download-artifact/pull/355) - node\_modules: update by [@​dawidd6](https://redirect.github.com/dawidd6) in [#​356](https://redirect.github.com/dawidd6/action-download-artifact/pull/356) - build(deps): bump [@​actions/core](https://redirect.github.com/actions/core) from 2.0.2 to 2.0.3 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in 
[#​359](https://redirect.github.com/dawidd6/action-download-artifact/pull/359) - build(deps): bump [@​actions/artifact](https://redirect.github.com/actions/artifact) from 5.0.2 to 6.0.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​361](https://redirect.github.com/dawidd6/action-download-artifact/pull/361) - build(deps): bump [@​actions/core](https://redirect.github.com/actions/core) from 2.0.3 to 3.0.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​360](https://redirect.github.com/dawidd6/action-download-artifact/pull/360) - build(deps): bump [@​actions/github](https://redirect.github.com/actions/github) from 8.0.0 to 9.0.0 by [@​dependabot](https://redirect.github.com/dependabot)\[bot] in [#​357](https://redirect.github.com/dawidd6/action-download-artifact/pull/357) - Convert from CommonJS to ESM by [@​Copilot](https://redirect.github.com/Copilot) in [#​362](https://redirect.github.com/dawidd6/action-download-artifact/pull/362) - Fix ES module imports for [@​actions](https://redirect.github.com/actions) packages by [@​Copilot](https://redirect.github.com/Copilot) in [#​365](https://redirect.github.com/dawidd6/action-download-artifact/pull/365) - node\_modules: update by [@​dawidd6](https://redirect.github.com/dawidd6) in [#​366](https://redirect.github.com/dawidd6/action-download-artifact/pull/366) #### New Contributors - [@​Copilot](https://redirect.github.com/Copilot) made their first contribution in [#​362](https://redirect.github.com/dawidd6/action-download-artifact/pull/362) **Full Changelog**: <dawidd6/action-download-artifact@v12...v13> </details> <details> <summary>docker/login-action (docker/login-action)</summary> ### [`v4`](https://redirect.github.com/docker/login-action/compare/v3...v4) [Compare Source](https://redirect.github.com/docker/login-action/compare/v3...v4) </details> <details> <summary>goreleaser/goreleaser-action (goreleaser/goreleaser-action)</summary> ### 
[`v7`](https://redirect.github.com/goreleaser/goreleaser-action/compare/v6...v7) [Compare Source](https://redirect.github.com/goreleaser/goreleaser-action/compare/v6...v7) </details> <details> <summary>hashicorp/setup-terraform (hashicorp/setup-terraform)</summary> ### [`v4`](https://redirect.github.com/hashicorp/setup-terraform/compare/v3...v4) [Compare Source](https://redirect.github.com/hashicorp/setup-terraform/compare/v3...v4) </details>

---
### Configuration
📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---
This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: bb72c8548df9e4f118d526ca829620e5b6bac39d
> [!NOTE]
> **Medium Risk**
> Moderate risk: introduces new Azure Network API calls and registers an additional adapter in the discovery pipeline, which could affect discovery performance/permissions but doesn’t alter existing resource logic.
>
> **Overview**
> Adds first-class discovery for Azure **DDoS protection plans** via a new `NewNetworkDdosProtectionPlan` wrapper supporting `List`, `ListStream`, and `Get`, mapping plans into SDP items with tags excluded from attributes, health derived from provisioning state, and links to associated VNets and public IPs.
>
> Wires the new adapter into `manual/adapters.go` by creating an `armnetwork.DdosProtectionPlansClient` during initialization (and adding a placeholder adapter for metadata-only mode), and introduces a small `clients.DdosProtectionPlansClient` wrapper interface plus generated GoMock and unit tests for the new adapter.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b47d21a469cf1d384ee14cd829ec3ebdab4d8a8d. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: fe6ea9db02d8e9d9e7ea2dde7527e1f3ca3d619a
> [!NOTE]
> **Medium Risk**
> Adds a new Azure discovery adapter with fairly extensive resource-to-link mapping logic, which could impact graph linking correctness and discovery performance. Changes are additive and scoped to networking resources (no auth or write paths).
>
> **Overview**
> Adds first-class discovery for **Azure Virtual Network Gateways** by introducing a `VirtualNetworkGatewaysClient` wrapper and wiring a new `NewNetworkVirtualNetworkGateway` adapter into Azure adapter initialization (including the placeholder/metadata path).
>
> The adapter supports `List`/`Get` and enriches gateway items with health plus linked queries to related resources (subnets, public/private IPs, DNS hosts, local network gateways, custom locations, managed identities, VNets, and gateway connections). It also registers new Azure item types/resources for `virtual-network-gateway-connection` and `local-network-gateway`, and includes generated mocks plus unit tests for the new wrapper behavior.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 18d763bcf3688458a6233b14fde93db74a5a3eda. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 1d1f5e8c6be75a7b451cc8cdfd7dc9ffc7fcfe1c
…ter (#4154)

## Summary

- Reduces NATS connection mutex contention by changing the ResponseSender heartbeat interval from 5s to 30s, cutting heartbeat publish rate from ~140/s to ~23/s at 700 concurrent queries
- Adds +/-10% uniform random jitter per tick to eliminate the thundering herd pattern where all tickers fire simultaneously
- Documents ResponseSender message lifecycle, timing, jitter, and stall detection in `sdp/README.md`

## Linear Ticket

- **Ticket**: [ENG-2975](https://linear.app/overmind/issue/ENG-2975) — Increase ResponseSender heartbeat interval to 30s with jitter
- **Purpose**: Address NATS backpressure from heartbeat volume identified in "Source WaitGroups stuck" production trigger root cause analysis
- **Priority**: High

## Changes

**`go/sdp-go/progress.go`**

- `DefaultResponseInterval` changed from `5 * time.Second` to `30 * time.Second`
- Added `math/rand/v2` import
- Replaced `time.NewTicker` loop with `time.After` loop that applies +/-10% uniform random jitter per tick (27s–33s range)
- `NextUpdateIn` is computed dynamically as 230% of the interval (69s), so gateway and sdp-js stall detection adapts automatically

**`sdp/README.md`**

- Added "Heartbeat Behavior and NATS Load Management" section with subsections on timing, jitter, stall detection, and the design rule
- Includes a table of all ResponseSender message types (WORKING initial, WORKING heartbeat, COMPLETE, ERROR, CANCELLED)

**No changes needed in**: gateway, sdp-js, discovery, or tests (all consume `NextUpdateIn` from the protobuf message, and tests use custom intervals)

## Deviations from Approved Plan

The implementation matches the approved plan with one minor addition:

- **README section is more comprehensive than planned**: The plan specified documenting heartbeat behavior, timing, jitter, stall detection, and the design rule. The implementation additionally includes a table describing all ResponseSender message types (WORKING, COMPLETE, ERROR, CANCELLED) and their lifecycle — not just the WORKING heartbeats. This provides fuller context for engineers reading the docs and was added during implementation review.

All four planned parts (constant change, jitter implementation, test verification, hardcoded timing audit) were implemented exactly as specified. No planned work was omitted or deferred.

Made with [Cursor](https://cursor.com)

---

> [!NOTE]
> **Medium Risk**
> Changes responder heartbeat timing from 5s to ~27–33s, which can affect stall/health detection behavior and any components implicitly relying on frequent WORKING updates. The logic is simple but touches core query-progress signaling over NATS, so misconfiguration could delay detection of genuinely stalled responders.
>
> **Overview**
> **ResponseSender heartbeats are now less frequent and de-synchronized to reduce NATS load.** The default `DefaultResponseInterval` is increased from 5s to 30s, and the periodic WORKING publish loop now applies +/-10% uniform random jitter per tick (replacing a fixed `time.NewTicker` cadence).
>
> Documentation is expanded in `sdp/README.md` to describe the ResponseSender message lifecycle, the new heartbeat timing/jitter behavior, and how `NextUpdateIn`-based stall detection interacts with these settings and NATS connection contention.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9a47505bb89103ae9605d77bec10df75ed1b9f5f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: fb608bd9b05eab9967f1f8e3ff197b28faf91868
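The timing rules from the commit message above (30s base interval, +/-10% uniform jitter per tick, `NextUpdateIn` at 230% of the interval), worked through in Go as an added example. This is not the code from `go/sdp-go/progress.go`: the function names, the `publish` callback, the form of the stall check and the virtual-time simulation of 700 senders are assumptions made for illustration.

```go
package main

import (
	"context"
	"fmt"
	"math/rand/v2"
	"time"
)

// Figures quoted in the commit message: 30s base interval, +/-10% jitter.
const (
	DefaultResponseInterval = 30 * time.Second
	jitterFraction          = 0.10
)

// JitteredInterval maps a uniform sample u in [0,1) onto
// [base-10%, base+10%), which is 27s to 33s for the 30s default.
func JitteredInterval(base time.Duration, u float64) time.Duration {
	span := float64(base) * jitterFraction
	return base + time.Duration((2*u-1)*span)
}

// NextUpdateIn is the window a sender advertises with each heartbeat:
// 230% of the base interval (69s). That stays above two worst-case
// jittered gaps (2 x 33s = 66s), so a single missed heartbeat does not
// trip stall detection.
func NextUpdateIn(base time.Duration) time.Duration {
	return base * 230 / 100
}

// Stalled is an assumed form of the consumer-side stall check:
// nothing arrived inside the advertised window.
func Stalled(lastSeen, now time.Time, window time.Duration) bool {
	return now.Sub(lastSeen) > window
}

// HeartbeatsPerSecond is the steady-state publish rate for n queries.
func HeartbeatsPerSecond(n int, base time.Duration) float64 {
	return float64(n) / base.Seconds()
}

// PeakPerSlot simulates, in virtual time, n senders that all start at t=0
// and returns the largest number of heartbeats that land in one slot.
func PeakPerSlot(n, ticks int, base, slot time.Duration, jitter bool, seed uint64) int {
	rng := rand.New(rand.NewPCG(seed, seed)) // fixed seed: repeatable run
	counts := make(map[int64]int)
	peak := 0
	for s := 0; s < n; s++ {
		var t time.Duration
		for k := 0; k < ticks; k++ {
			if jitter {
				t += JitteredInterval(base, rng.Float64())
			} else {
				t += base
			}
			idx := int64(t / slot)
			counts[idx]++
			if counts[idx] > peak {
				peak = counts[idx]
			}
		}
	}
	return peak
}

// RunHeartbeat publishes until ctx is cancelled and returns the number of
// heartbeats sent. A time.After loop replaces time.NewTicker so that every
// tick draws a fresh jittered delay.
func RunHeartbeat(ctx context.Context, base time.Duration, publish func(nextUpdateIn time.Duration)) int {
	sent := 0
	for {
		select {
		case <-ctx.Done():
			return sent
		case <-time.After(JitteredInterval(base, rand.Float64())):
			publish(NextUpdateIn(base))
			sent++
		}
	}
}

func main() {
	base := DefaultResponseInterval
	fmt.Printf("publish rate, 700 queries: %.0f/s at 5s, %.0f/s at %v\n",
		HeartbeatsPerSecond(700, 5*time.Second), HeartbeatsPerSecond(700, base), base)
	fmt.Printf("NextUpdateIn: %v\n", NextUpdateIn(base))
	slot := 100 * time.Millisecond
	fmt.Printf("peak heartbeats per %v slot: fixed=%d jittered=%d\n", slot,
		PeakPerSlot(700, 3, base, slot, false, 1), PeakPerSlot(700, 3, base, slot, true, 1))

	// Short real-time run with a scaled-down interval.
	ctx, cancel := context.WithTimeout(context.Background(), 300*time.Millisecond)
	defer cancel()
	n := RunHeartbeat(ctx, 20*time.Millisecond, func(w time.Duration) {})
	fmt.Printf("sent %d heartbeats in 300ms at a 20ms base interval\n", n)
}
```

With a fixed interval every simulated sender lands in the same 100ms slot on each tick; with jitter the first tick alone is spread over a 6s window, which is the de-synchronization the change relies on.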
This PR contains the following updates:

| Package | Change |
|---|---|
| [cloud.google.com/go/aiplatform](https://redirect.github.com/googleapis/google-cloud-go) | `v1.118.0` → `v1.119.0` |
| [cloud.google.com/go/compute](https://redirect.github.com/googleapis/google-cloud-go) | `v1.55.0` → `v1.56.0` |
| [github.com/aws/aws-sdk-go-v2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.2` → `v1.41.3` |
| [github.com/aws/aws-sdk-go-v2/config](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.32.10` → `v1.32.11` |
| [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.10` → `v1.19.11` |
| [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.18.18` → `v1.18.19` |
| [github.com/aws/aws-sdk-go-v2/service/apigateway](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.38.5` → `v1.38.6` |
| [github.com/aws/aws-sdk-go-v2/service/autoscaling](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.64.1` → `v1.64.2` |
| [github.com/aws/aws-sdk-go-v2/service/cloudfront](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.60.1` → `v1.60.2` |
| [github.com/aws/aws-sdk-go-v2/service/cloudwatch](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.55.0` → `v1.55.1` |
| [github.com/aws/aws-sdk-go-v2/service/directconnect](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.38.12` → `v1.38.13` |
| [github.com/aws/aws-sdk-go-v2/service/dynamodb](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.56.0` → `v1.56.1` |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.293.0` → `v1.294.0` |
| [github.com/aws/aws-sdk-go-v2/service/ecs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.73.0` → `v1.73.1` |
| [github.com/aws/aws-sdk-go-v2/service/efs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.11` → `v1.41.12` |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.80.1` → `v1.80.2` |
| [github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.33.20` → `v1.33.21` |
| [github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.54.7` → `v1.54.8` |
| [github.com/aws/aws-sdk-go-v2/service/iam](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.53.3` → `v1.53.4` |
| [github.com/aws/aws-sdk-go-v2/service/kms](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.50.1` → `v1.50.2` |
| [github.com/aws/aws-sdk-go-v2/service/lambda](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.88.1` → `v1.88.2` |
| [github.com/aws/aws-sdk-go-v2/service/networkfirewall](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.59.4` → `v1.59.5` |
| [github.com/aws/aws-sdk-go-v2/service/networkmanager](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.5` → `v1.41.6` |
| [github.com/aws/aws-sdk-go-v2/service/rds](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.116.1` → `v1.116.2` |
| [github.com/aws/aws-sdk-go-v2/service/route53](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.62.2` → `v1.62.3` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.96.2` → `v1.96.4` |
| [github.com/aws/aws-sdk-go-v2/service/sesv2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.59.2` → `v1.59.4` |
| [github.com/aws/aws-sdk-go-v2/service/sns](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.39.12` → `v1.39.13` |
| [github.com/aws/aws-sdk-go-v2/service/sqs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.42.22` → `v1.42.23` |
| [github.com/aws/aws-sdk-go-v2/service/ssm](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.68.1` → `v1.68.2` |
| [github.com/aws/aws-sdk-go-v2/service/sts](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.7` → `v1.41.8` |
| [github.com/brianvoe/gofakeit/v7](https://redirect.github.com/brianvoe/gofakeit) | `v7.14.0` → `v7.14.1` |
| [github.com/harness/harness-go-sdk](https://redirect.github.com/harness/harness-go-sdk) | `v0.7.12` → `v0.7.13` |
| [github.com/micahhausler/aws-iam-policy](https://redirect.github.com/micahhausler/aws-iam-policy) | `v0.4.3` → `v0.4.4` |
| [github.com/openai/openai-go/v3](https://redirect.github.com/openai/openai-go) | `v3.24.0` → `v3.26.0` |
| [go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp](https://redirect.github.com/open-telemetry/opentelemetry-go-contrib) | `v0.65.0` → `v0.66.0` |
| [go.opentelemetry.io/otel](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.40.0` → `v1.41.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.40.0` → `v1.41.0` |
| [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.40.0` → `v1.41.0` |
| [go.opentelemetry.io/otel/exporters/stdout/stdouttrace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.40.0` → `v1.41.0` |
| [go.opentelemetry.io/otel/sdk](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.40.0` → `v1.41.0` |
| [go.opentelemetry.io/otel/trace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.40.0` → `v1.41.0` |
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.79.1` → `v1.79.2` |
| [sigs.k8s.io/controller-runtime](https://redirect.github.com/kubernetes-sigs/controller-runtime) | `v0.23.1` → `v0.23.3` |
| [sigs.k8s.io/controller-runtime/tools/setup-envtest](https://redirect.github.com/kubernetes-sigs/controller-runtime) | `v0.0.0-20260216173200-e4c1c38bcbdb` → `v0.0.0-20260305141020-105baa6284da` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

## ⚠️ Warning

These modules are almost certainly going to break everything. They do every time they update. If you update even one repo's OTEL modules, go will then pull in new versions due to [MVS](https://research.swtch.com/vgo-mvs) which will cause your repo to break. All [otel pull requests](https://redirect.github.com/pulls?q=is%3Aopen+is%3Apr+user%3Aovermindtech+archived%3Afalse+label%3Aobservability+) need to be merged basically at the same time, and after all of the modules have been updated to be compatible with each other.

---

### Release Notes

<details>
<summary>aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2)</summary>

### [`v1.41.3`](https://redirect.github.com/aws/aws-sdk-go-v2/compare/v1.41.2...v1.41.3)

[Compare Source](https://redirect.github.com/aws/aws-sdk-go-v2/compare/v1.41.2...v1.41.3)

</details>

<details>
<summary>brianvoe/gofakeit (github.com/brianvoe/gofakeit/v7)</summary>

### [`v7.14.1`](https://redirect.github.com/brianvoe/gofakeit/compare/v7.14.0...v7.14.1)

[Compare Source](https://redirect.github.com/brianvoe/gofakeit/compare/v7.14.0...v7.14.1)

</details>

<details>
<summary>harness/harness-go-sdk (github.com/harness/harness-go-sdk)</summary>

### [`v0.7.13`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.12...v0.7.13)

[Compare Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.12...v0.7.13)

</details>

<details>
<summary>micahhausler/aws-iam-policy (github.com/micahhausler/aws-iam-policy)</summary>

### [`v0.4.4`](https://redirect.github.com/micahhausler/aws-iam-policy/compare/v0.4.3...v0.4.4)

[Compare
Source](https://redirect.github.com/micahhausler/aws-iam-policy/compare/v0.4.3...v0.4.4)

</details>

<details>
<summary>openai/openai-go (github.com/openai/openai-go/v3)</summary>

### [`v3.26.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.26.0)

[Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.25.0...v3.26.0)

#### 3.26.0 (2026-03-05)

Full Changelog: [v3.25.0...v3.26.0](https://redirect.github.com/openai/openai-go/compare/v3.25.0...v3.26.0)

##### Features

- **api:** The GA ComputerTool now uses the CompuerTool class. The 'computer\_use\_preview' tool is moved to ComputerUsePreview ([347418b](https://redirect.github.com/openai/openai-go/commit/347418be8d4fa33881d9ac30f6c7132f2f545f2b))

### [`v3.25.0`](https://redirect.github.com/openai/openai-go/blob/HEAD/CHANGELOG.md#3250-2026-03-05)

[Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.24.0...v3.25.0)

Full Changelog: [v3.24.0...v3.25.0](https://redirect.github.com/openai/openai-go/compare/v3.24.0...v3.25.0)

##### Features

- **api:** gpt-5.4, tool search tool, and new computer tool ([101826d](https://redirect.github.com/openai/openai-go/commit/101826dd757a0213aecb4eaa6332866657b9aa83))
- **api:** remove Phase from input/output messages, PromptCacheKey from responses ([961b8ca](https://redirect.github.com/openai/openai-go/commit/961b8ca27923beca8aa08d4a8e3382c2da9d61db))

##### Bug Fixes

- **api:** internal schema fixes ([fe5f7cd](https://redirect.github.com/openai/openai-go/commit/fe5f7cdb34d11dd18caa503716cae1512b245053))
- **api:** manual updates ([70b02c8](https://redirect.github.com/openai/openai-go/commit/70b02c8f63c98a17813dc6cb7f7707fb2bba81c5))
- **api:** readd phase ([548aff8](https://redirect.github.com/openai/openai-go/commit/548aff8ad8b96518f5549ec3bc98da71e9b7f540))

##### Chores

- **internal:** codegen related update ([ab733b9](https://redirect.github.com/openai/openai-go/commit/ab733b91db39e99e292696530340333c065e04b9))
- **internal:** codegen related update ([23d1831](https://redirect.github.com/openai/openai-go/commit/23d1831cb5ca6f61ca8575737cec17e2f347818b))
- **internal:** reduce warnings ([2963312](https://redirect.github.com/openai/openai-go/commit/2963312c075fa9a30abad32b1e90813229b22129))

</details>

<details>
<summary>open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)</summary>

### [`v1.41.0`](https://redirect.github.com/open-telemetry/opentelemetry-go/releases/tag/v1.41.0): /v0.63.0/v0.17.0/v0.0.15

[Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v1.40.0...v1.41.0)

This release is the last to support [Go 1.24]. The next release will require at least [Go 1.25].

##### Added

- Support testing of [Go 1.26]. ([#7902](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7902))

##### Fixed

- Update `Baggage` in `go.opentelemetry.io/otel/propagation` and `Parse` and `New` in `go.opentelemetry.io/otel/baggage` to comply with W3C Baggage specification limits. `New` and `Parse` now return partial baggage along with an error when limits are exceeded. Errors from baggage extraction are reported to the global error handler.
  ([#7880](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7880))

[Go 1.26]: https://go.dev/doc/go1.26
[Go 1.25]: https://go.dev/doc/go1.25
[Go 1.24]: https://go.dev/doc/go1.24

#### What's Changed

- fix(deps): update googleapis to [`ce8ad4c`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/ce8ad4c) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7860](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7860)
- chore(deps): update otel/weaver docker tag to v0.21.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7865](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7865)
- fix(deps): update module go.opentelemetry.io/collector/pdata to v1.51.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7863](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7863)
- chore(deps): update golang.org/x/telemetry digest to [`fe4bb1c`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/fe4bb1c) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7861](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7861)
- chore(deps): update golang.org/x/telemetry digest to [`aaaaaa5`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/aaaaaa5) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7869](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7869)
- sdk/log/observ: guard LogProcessed with Enabled by [@NesterovYehor](https://redirect.github.com/NesterovYehor) in [#7848](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7848)
- stdouttrace observability: skip metric work when instruments are disabled by [@NesterovYehor](https://redirect.github.com/NesterovYehor) in [#7853](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7853)
- chore(deps): update otel/weaver docker tag to v0.21.2 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7870](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7870)
- fix(deps): update googleapis to [`546029d`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/546029d) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7871](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7871)
- stdoutmetric observ: skip metric work when instruments are disabled by [@NesterovYehor](https://redirect.github.com/NesterovYehor) in [#7868](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7868)
- chore(deps): update fossas/fossa-action action to v1.8.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7879](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7879)
- chore(deps): update github/codeql-action action to v4.32.2 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7878](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7878)
- chore(deps): update module github.com/ghostiam/protogetter to v0.3.20 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7877](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7877)
- chore(deps): update golang.org/x/telemetry digest to [`86a5c4b`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/86a5c4b) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7876](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7876)
- fix(deps): update module golang.org/x/sys to v0.41.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7885](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7885)
- chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.6.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7884](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7884)
- Checked if instrument enabled before measuring in prometheus by [@itssaharsh](https://redirect.github.com/itssaharsh) in [#7866](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7866)
- exporter/otlploghttp: guard observ metrics with Enabled checks by [@NesterovYehor](https://redirect.github.com/NesterovYehor) in [#7813](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7813)
- chore(deps): update module github.com/go-git/go-git/v5 to v5.16.5 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7886](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7886)
- chore(deps): update golang.org/x by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7887](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7887)
- fix(deps): update golang.org/x by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7890](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7890)
- fix(deps): update golang.org/x to [`2842357`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/2842357) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7891](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7891)
- fix(deps): update googleapis to [`4cfbd41`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/4cfbd41) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7889](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7889)
- Checked if instrument enabled before measuring in `oteltracegrpc` by [@itssaharsh](https://redirect.github.com/itssaharsh) in [#7825](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7825)
- Checked if Instrument Enabled before measuring in otlpgrpc by [@itssaharsh](https://redirect.github.com/itssaharsh) in [#7824](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7824)
- chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.27.8 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7892](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7892)
- chore(deps): update module github.com/golangci/golines to v0.15.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7893](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7893)
- chore(deps): update module github.com/golangci/misspell to v0.8.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7894](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7894)
- chore(deps): update golang.org/x/telemetry digest to [`9f66fae`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9f66fae) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7898](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7898)
- fix(deps): update module google.golang.org/grpc to v1.79.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7906](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7906)
- Support Go 1.26 by [@dmathieu](https://redirect.github.com/dmathieu) in [#7902](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7902)
- fix(deps): update module google.golang.org/grpc to v1.79.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7908](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7908)
- chore(deps): update github/codeql-action action to v4.32.3 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7909](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7909)
- chore(deps): update module github.com/kevinburke/ssh\_config to v1.5.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7911](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7911)
- chore(deps): update module github.com/kevinburke/ssh\_config to v1.6.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in
  [#7913](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7913)
- chore(deps): update actions/stale action to v10.2.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7917](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7917)
- chore(deps): update module github.com/godoc-lint/godoc-lint to v0.11.2 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7916](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7916)
- chore(deps): update module github.com/clipperhouse/uax29/v2 to v2.7.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7915](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7915)
- chore(deps): update module github.com/mattn/go-runewidth to v0.0.20 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7918](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7918)
- chore(deps): update module github.com/grpc-ecosystem/grpc-gateway/v2 to v2.28.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7921](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7921)
- Checked if Operation Enabled in `otlptracehttp` before performing operation by [@itssaharsh](https://redirect.github.com/itssaharsh) in [#7881](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7881)
- chore(deps): update github/codeql-action action to v4.32.4 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7936](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7936)
- chore(deps): update module github.com/mirrexone/unqueryvet to v1.5.4 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7939](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7939)
- chore(deps): update module github.com/uudashr/gocognit to v1.2.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7947](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7947)
- chore(deps): update module github.com/alexkohler/prealloc to v1.0.3 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7950](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7950)
- chore(deps): update module github.com/go-git/go-billy/v5 to v5.8.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7953](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7953)
- chore(deps): update lycheeverse/lychee-action action to v2.8.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7959](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7959)
- chore(deps): update module github.com/go-git/go-git/v5 to v5.17.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7960](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7960)
- chore(deps): update actions/setup-go action to v6.3.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7962](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7962)
- Document metric api interfaces that methods need to be safe to be called concurrently by [@dashpole](https://redirect.github.com/dashpole) in [#7952](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7952)
- ci: add govulncheck job to CI workflow and update lint target by [@pellared](https://redirect.github.com/pellared) in [#7971](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7971)
- Comply with W3C Baggage specification limits by [@XSAM](https://redirect.github.com/XSAM) in [#7880](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7880)
- chore(deps): update module github.com/mgechev/revive to v1.14.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7895](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7895)
- chore(deps): update github artifact actions (major) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7963](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7963)
- chore(deps): update module github.com/kisielk/errcheck to v1.10.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7967](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7967)
- chore(deps): update module github.com/protonmail/go-crypto to v1.4.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7969](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7969)
- fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to [`d566b4d`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d566b4d) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7972](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7972)
- chore(deps): update module github.com/sonatard/noctx to v0.5.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7968](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7968)
- chore(deps): update module github.com/daixiang0/gci to v0.14.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7973](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7973)
- chore(deps): update module github.com/securego/gosec/v2 to v2.23.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7899](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7899)
- Generate semconv/v1.40.0 by [@ChrsMark](https://redirect.github.com/ChrsMark) in [#7929](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7929)
- Revert "Generate semconv/v1.40.0" by [@dmathieu](https://redirect.github.com/dmathieu) in [#7978](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7978)
- chore(deps): update github/codeql-action action to v4.32.5 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#7980](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7980)
- fix: add error handling for insecure HTTP endpoints with TLS client configuration by [@sandy2008](https://redirect.github.com/sandy2008) in [#7914](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7914)
- Release 1.41.0/0.63.0/0.17.0/0.0.15 by [@pellared](https://redirect.github.com/pellared) in [#7977](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7977)

#### New Contributors

- [@NesterovYehor](https://redirect.github.com/NesterovYehor) made their first contribution in [#7848](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7848)
- [@sandy2008](https://redirect.github.com/sandy2008) made their first contribution in [#7914](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7914)

**Full Changelog**: <open-telemetry/opentelemetry-go@v1.40.0...v1.41.0>

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

### [`v1.79.2`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.79.2): Release 1.79.2

[Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.79.1...v1.79.2)

### Bug Fixes

- stats: Prevent redundant error logging in health/ORCA producers by skipping stats/tracing processing when no stats handler is configured.
  ([#8874](https://redirect.github.com/grpc/grpc-go/pull/8874))

</details>

<details>
<summary>kubernetes-sigs/controller-runtime (sigs.k8s.io/controller-runtime)</summary>

### [`v0.23.3`](https://redirect.github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.23.3)

[Compare Source](https://redirect.github.com/kubernetes-sigs/controller-runtime/compare/v0.23.2...v0.23.3)

#### What's Changed

- 🐛 Ensure DefaulterRemoveUnknownOrOmitableFields is still working even if objects are equal by [@k8s-infra-cherrypick-robot](https://redirect.github.com/k8s-infra-cherrypick-robot) in [#3469](https://redirect.github.com/kubernetes-sigs/controller-runtime/pull/3469)

**Full Changelog**: <kubernetes-sigs/controller-runtime@v0.23.2...v0.23.3>

### [`v0.23.2`](https://redirect.github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.23.2)

[Compare Source](https://redirect.github.com/kubernetes-sigs/controller-runtime/compare/v0.23.1...v0.23.2)

#### What's Changed

- 🐛 Fix fake client's SSA status patch resource version check by [@k8s-infra-cherrypick-robot](https://redirect.github.com/k8s-infra-cherrypick-robot) in [#3446](https://redirect.github.com/kubernetes-sigs/controller-runtime/pull/3446)
- ✨ Reduce memory usage of default webhooks by [@k8s-infra-cherrypick-robot](https://redirect.github.com/k8s-infra-cherrypick-robot) in [#3467](https://redirect.github.com/kubernetes-sigs/controller-runtime/pull/3467)

**Full Changelog**: <kubernetes-sigs/controller-runtime@v0.23.1...v0.23.2>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 8d1f1654a49db2beee2aa15c7d517b73fd4f6830
## Summary

- Introduce `ShardedCache` wrapping 17 independent BoltDB files to eliminate the single-writer bottleneck that caused 345+ goroutines to serialize on one BoltDB write lock in production
- GET queries route to exactly one shard via FNV-32a hashing; LIST/SEARCH fan out to all shards in parallel and merge results
- `NewCache()` now returns a `ShardedCache` by default — the `Cache` interface is unchanged

## Linear Ticket

- **Ticket**: [ENG-2977](https://linear.app/overmind/issue/ENG-2977) — BoltDB Hash-Based Sharding Implementation Plan
- **Purpose**: Eliminate BoltDB write contention as a pool-saturation amplifier in source pods (stdlib: 345 blocked goroutines, aws: ~30)
- **Priority**: Urgent
- **Related**: ENG-2927 (Change analysis graceful timeouts)

## Changes

### New files

- **`go/sdpcache/sharded_cache.go`** — `ShardedCache` struct, `NewShardedCache()`, FNV-32a shard routing, fan-out search, OTel attributes (`ovm.cache.shardIndex`, `ovm.cache.shardCount`, `ovm.cache.fanOut`, `ovm.cache.fanOutMaxMs`, `ovm.cache.shardsWithResults`)
- **`go/sdpcache/sharded_cache_test.go`** — Shard distribution uniformity (chi-squared), GET routing, LIST fan-out, cross-shard LIST, pendingWork dedup, concurrent write throughput, error routing, benchmark vs single BoltCache

### Modified files

- **`go/sdpcache/bolt_cache.go`** — Exported `Search()` method (thin wrapper around internal `search()`)
- **`go/sdpcache/cache.go`** — `NewCache()` now calls `newShardedCacheForProduction()` instead of creating a single BoltCache
- **`go/sdpcache/cache_test.go`** — Added `ShardedCache` to `cacheImplementations()` and `testSearch()` type switch
- **`go/sdpcache/README.md`** — Updated to reflect ShardedCache as the default implementation

## Deviations from Approved Plan

Implementation matches the approved plan — no material deviations. Specifically:

- All files listed under "Files to Create" and "Files to Modify" were implemented as specified
- `DefaultShardCount = 17`, FNV-32a shard routing, parallel fan-out for LIST/SEARCH, shard-0 default for LIST/SEARCH errors — all match the plan
- `pendingWork` ownership at ShardedCache level, per-shard `CompactThreshold` scaling (`1GB / 17`), parallel open/close — all match
- All OTel attributes from the plan are emitted on the correct spans
- All specified tests (distribution uniformity, GET routing, LIST fan-out, cross-shard LIST, pendingWork dedup, concurrent throughput benchmark, CloseAndDestroy cleanup) are present
- `go fix` was applied post-implementation, which simplified the `perShardThreshold` clamping to use the built-in `max()` function — a trivial style improvement, not a deviation

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **High Risk**
> Changes the default production cache backend from a single BoltDB file to a sharded fan-out implementation and refactors shared lookup/dedup logic, which can affect cache hit/miss behavior, result ordering for LIST/SEARCH, and performance under concurrency.
>
> **Overview**
> **`sdpcache.NewCache()` now returns a BoltDB-backed `ShardedCache` by default**, creating multiple BoltDB shard files for improved write concurrency and falling back to `MemoryCache` on initialization failure.
>
> To support this, BoltDB storage is split into a reusable `boltCacheStore`, and a new `lookupCoordinator` centralizes `Lookup()` behavior (pending-work dedup, re-check logic, GET cardinality enforcement) so shards use raw `Search()` reads and dedup remains top-level. Tests and docs are updated to cover `ShardedCache` (routing, fan-out merge, dedup, purge aggregation, cleanup), and one GCP manual test is relaxed to not assume deterministic LIST ordering.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 952572b1a95a294abb5716323bb01d18c95f0009. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 749c70af4a49b0e842ff46e43cffe2bbef6d0dac
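
The routing described in the commit message above (FNV-32a over 17 shards, a write touching one shard, LIST fanned out to all shards and merged) is illustrated below. This is an added example, not code from the overmindtech repository: each BoltDB file is replaced by an in-memory key list behind its own mutex, the names `shardedMap`, `shardIndex`, `put` and `list` are the example's own, and hashing the item key alone is an assumption, since the message does not say what is hashed.

```go
// Added example; type and function names are hypothetical, sample keys constructed.
package main

import (
	"fmt"
	"hash/fnv"
	"sync"
)

const shardCount = 17 // DefaultShardCount in the commit message

// shardedMap stands in for the 17 BoltDB files: one write lock and key list per shard.
type shardedMap struct {
	mu   [shardCount]sync.Mutex
	keys [shardCount][]string
}

// shardIndex routes a key (assumed to be the item key) with FNV-32a modulo the shard count.
func shardIndex(key string) int {
	h := fnv.New32a()
	h.Write([]byte(key)) // hash.Hash writes never fail
	return int(h.Sum32() % shardCount)
}

// put locks exactly one shard, so writers to other shards are not blocked.
func (s *shardedMap) put(key string) {
	i := shardIndex(key)
	s.mu[i].Lock()
	defer s.mu[i].Unlock()
	s.keys[i] = append(s.keys[i], key)
}

// list fans out to every shard in parallel and merges; result order is not deterministic.
func (s *shardedMap) list() []string {
	ch := make(chan []string, shardCount)
	for i := 0; i < shardCount; i++ {
		go func(i int) {
			s.mu[i].Lock()
			defer s.mu[i].Unlock()
			ch <- append([]string(nil), s.keys[i]...) // copy under the lock
		}(i)
	}
	var out []string
	for i := 0; i < shardCount; i++ {
		out = append(out, (<-ch)...)
	}
	return out
}

func main() {
	s := &shardedMap{}
	s.put("ec2-instance/i-1") // constructed sample key
	fmt.Println(shardIndex("ec2-instance/i-1"), s.list())
}
```

Because shards answer in whatever order they finish, a test that compares LIST output must sort or compare as a set, which is the relaxation the summary mentions for the GCP manual test.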
<img width="1488" height="1007" alt="image" src="https://github.com/user-attachments/assets/eb8b7cc0-39a8-4c49-96af-e1fad20f15dc" />

<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Medium risk because it adds a new Azure SDK client and adapter into the main `Adapters()` initialization path, increasing API surface/calls and requiring correct scope/link parsing. Changes are additive and covered by unit tests/mocks.
>
> **Overview**
> **Adds discovery for Azure NAT Gateways.** Introduces `clients.NatGatewaysClient` (with list pager support) plus a generated GoMock, and registers a new `NewNetworkNatGateway` wrapper/adapter.
>
> The NAT gateway wrapper supports `Get`, `List`, and `ListStream`, maps provisioning state to item health, and emits linked-item queries to related `PublicIPAddress`, `PublicIPPrefix`, `Subnet`, and `VirtualNetwork` resources; `manual/adapters.go` now initializes `armnetwork.NewNatGatewaysClient` and includes the adapter in both real and placeholder adapter lists, with dedicated unit tests validating get/list behavior and link generation.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d470996177d2dd3f107bcdd78f0549ca2e2bd3dd. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 968c00193a187dfd2fcd95ecf245cac53afb2c20
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/batch/armbatch/v3](https://redirect.github.com/Azure/azure-sdk-for-go) | `v3.0.1` → `v4.0.0` |  |  |
| [github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2](https://redirect.github.com/Azure/azure-sdk-for-go) | `v2.1.0` → `v3.0.1` |  |  |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Upgrades a major Azure SDK dependency and adjusts Batch adapters to match removed/changed SDK fields, which could affect Azure Batch discovery and linked-item generation at runtime.
>
> **Overview**
> **Upgrades Azure Batch ARM SDK from `armbatch/v3` to `armbatch/v4`** and updates all Batch account/application/pool clients, manual wrappers, integration tests, and generated GoMock stubs to use the new import path.
>
> Aligns Batch pool linking behavior with SDK changes by **dropping certificate reference linking** (and removing `BatchBatchCertificate` from pool `PotentialLinks`) because `armbatch/v4` no longer exposes pool certificate refs.
>
> Refreshes `go.mod`/`go.sum` for the dependency upgrade (including new Azure SDK indirect deps and a `jwt/v5` patch bump).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit c3807becb46015c7cfe621c20848e4d2e6ea6c37. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: lionel.wilson <lionel.wilson@overmind.tech>
GitOrigin-RevId: 57bdc182de2762672c5aaff70627588886400318
This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on monday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 9bb7cfcb7fdb5f30b717a8044cae9f25f935505b
…185)

singleflight.Group.Do returns shared=true for ALL callers when multiple hit concurrently — including the original. The previous !profileShared gate meant no caller ever stored the profile in the thundering-herd scenario, which is exactly when the diagnostic data is most needed.

Removed the shared return value from captureGoroutineSummary since the singleflight still deduplicates the expensive pprof capture itself.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk diagnostic change that only affects stuck waitgroup tracing/logging paths, with a small potential increase in trace payload size.
>
> **Overview**
> When `ExecuteQuery` detects a cancelled context and the adapter waitgroup remains stuck, the `waitgroup.stuck` span event now **always** includes the compacted goroutine pprof summary.
>
> This simplifies `captureGoroutineSummary` to return only the shared profile string (still singleflight-deduped) and removes the prior conditional that could omit the profile under concurrent callers; it also makes minor formatting/cleanup changes (e.g., grouping atomic counters).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ddd2cddfb4d1c66003535bc296c4b11e9cb377e1. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: db976f32f2cae318e5f8f5637e850e3de21b9440
Integrate MCP Go SDK v1.4.0 with Streamable HTTP (stateless) behind admin:read JWT middleware. Serves Protected Resource Metadata (RFC 9728) at /.well-known/oauth-protected-resource for MCP client OAuth discovery. Handlers mount before the /area51/ catch-all to avoid route shadowing. Devcontainer nginx proxies .well-known endpoints to api-server and Auth0.

Using local JWT:

<img width="2288" height="1808" alt="image" src="https://github.com/user-attachments/assets/76385f2b-504d-49fd-abd1-59bb603cc36a" />

Using the search accounts tool with mock data:

<img width="3430" height="1154" alt="image" src="https://github.com/user-attachments/assets/e05493ed-84fd-424b-a852-8cfd549bb13c" />

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Adds new externally reachable endpoints (`/area51/mcp` plus an unauthenticated `/.well-known/oauth-protected-resource`) and adjusts routing/proxying for OAuth discovery, which could impact auth or request routing if misconfigured.
>
> **Overview**
> **Adds an Area51 MCP server skeleton** using the MCP Go SDK via stateless Streamable HTTP, mounting `/area51/mcp` behind the existing JWT middleware and registering an initial read-only `search_accounts` tool with stubbed results (plus tests).
>
> **Enables OAuth discovery for MCP clients** by serving Protected Resource Metadata at `/.well-known/oauth-protected-resource` (including a configurable pre-registered MCP client ID), wiring new config/env for `API_SERVER_API_DNS` and `API_SERVER_MCP_CLIENT_ID`, and updating the devcontainer nginx proxy to forward `.well-known` discovery endpoints (including proxying Auth0 OIDC metadata) and Cursor MCP config to target the new endpoint.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit cd166b3d4bc2493445c36e38c3158d7d46b874cd. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: babc653a2dd493aeee7c3141818f98d7e5d47a1f
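
The OAuth discovery flow described in the commit message above, as an added example that is not the api-server's own code: a request without a valid token to the protected MCP route gets a 401 whose `WWW-Authenticate` header points at the RFC 9728 metadata document, and that document is served without a token. The hostnames, the fixed `test-token`, and the names `prm`, `requireBearer`, `mcp` and `probe` are constructed for the example; `requireBearer` only stands in for real JWT validation.

```go
// Added example; handler names, hosts and the test token are constructed.
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const resource = "https://api.example.test" // constructed host, not from the page
const wellKnown = "/.well-known/oauth-protected-resource"

// prm serves RFC 9728 metadata with no auth: a client without a token must be able to read it.
func prm(w http.ResponseWriter, _ *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(map[string]interface{}{
		"resource":              resource,
		"authorization_servers": []string{"https://auth.example.test/"}, // constructed
		"scopes_supported":      []string{"admin:read"},
	})
}

// requireBearer stands in for the JWT middleware: one fixed test token, no signature or scope check.
func requireBearer(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer test-token" {
			w.Header().Set("WWW-Authenticate", `Bearer resource_metadata="`+resource+wellKnown+`"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func mcp(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "mcp ok") }

// probe mounts both routes and runs one in-memory GET against them.
func probe(path, auth string) *httptest.ResponseRecorder {
	mux := http.NewServeMux()
	mux.HandleFunc(wellKnown, prm)
	mux.Handle("/area51/mcp", requireBearer(http.HandlerFunc(mcp)))
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec
}

func main() {
	fmt.Println(probe("/area51/mcp", "").Header().Get("WWW-Authenticate"))
}
```

Since the metadata endpoint is intentionally unauthenticated, it should expose only what a client needs for discovery; the `resource` value it returns has to match the identifier from which the well-known URL was derived.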
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Low risk config-only change; it just updates the `-X` linker flag path used during builds to set the tracing version and should only affect release build metadata.
>
> **Overview**
> Fixes GoReleaser build configuration so the `-X` ldflag that injects the CLI version targets `github.com/overmindtech/cli/go/tracing.version` (instead of the old `github.com/overmindtech/cli/tracing.version`) for both Linux/Windows and macOS builds.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9bc6780a800b9b027088363b3ee96150a2083b5d. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 62b1585503d1ff5191efcdd2d3b210f05315b4f8
Copybara Sync - Release v1.16.5
This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.
Original author: TP Honey (thomas.honey@overmind.tech)
What happens when this PR is merged?
`tag-on-merge` workflow will automatically create the `v1.16.5` tag on main

Review Checklist