## Summary

- Harden the shared Go tracing module to reduce SDK-side span loss before data reaches the collector.
- Add structured OpenTelemetry SDK error reporting and improve tracer-provider lifecycle handling for the main and health pipelines.
- Tune batching/export behavior for production resilience while avoiding CI hangs from collector-unavailable environments.

## Linear Ticket

- **Ticket**: [ENG-3151](https://linear.app/overmind/issue/ENG-3151/harden-go-otel-sdk-against-span-loss) - Harden Go OTel SDK Against Span Loss
- **Purpose**: Eliminate silent span-loss vectors in the shared Go OTel SDK setup and improve reliability/visibility of tracing failures.
- **Blocks**: None

## Changes

- `go/tracing/main.go`
  - Registers a custom OTel error handler (`otel.SetErrorHandler`) that routes SDK errors to logrus (`OpenTelemetry SDK error`).
  - Introduces shared `batcherOpts` with `WithMaxQueueSize(8192)` and `WithExportTimeout(60s)`; applies them to OTLP and stdout batchers.
  - Creates a separate OTLP exporter for `healthTp` to avoid shared-exporter lifecycle coupling.
  - Refactors shutdown to run `ForceFlush`/`Shutdown` for `tp` and `healthTp` in parallel via `errgroup` with a 10s timeout.
- `go/tracing/main_test.go`
  - Adds tests for shutdown behavior/idempotency, error-handler routing, batcher queue-size configuration, and `InitTracer` error-handler setup.

## Deviations from Approved Plan

- **Approach change: queue-full handling**
  - **Planned**: Use `sdktrace.WithBlocking()` to stop silent drops via backpressure.
  - **Implemented**: No blocking mode; instead `WithMaxQueueSize(8192)` (4x default) plus `WithExportTimeout(60s)`.
  - **Why**: Blocking mode caused test/CI hangs when no collector is reachable (each `span.End()` can block while exporter retries). Larger queue materially reduces drop risk without introducing request-path blocking in collector-unavailable environments.
- **Test plan adjustment**
  - **Planned**: Add a blocking-behavior test asserting non-drop behavior under queue pressure.
  - **Implemented**: Replaced with queue-size configuration coverage and additional shutdown/idempotency/error-handler tests.
  - **Why**: With blocking mode removed, blocking-specific tests were no longer representative; coverage was redirected to the implemented resiliency strategy.
- **Shutdown state handling**
  - **Planned**: Nil tracer provider globals after shutdown.
  - **Implemented**: Keep `tp`/`healthTp` references and rely on SDK stop-once semantics for safe repeated shutdown.
  - **Why**: Nilling globals introduced a race/panic risk for concurrent callers (e.g., health-check probes) during shutdown windows.

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: b48c49666f1db350b0751cf8336ebde6b279facf
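The shutdown pattern the PR above settles on (flush and shut down `tp` and `healthTp` in parallel under one deadline, keep the globals, and rely on stop-once semantics for repeated calls) can be exercised without a collector. The block below is an added example, not the PR's `go/tracing/main.go`: it uses only the standard library, so `sync.WaitGroup` plus `errors.Join` stand in for `errgroup`, and a `fakeProvider` with a configurable exporter delay stands in for the real `*sdktrace.TracerProvider`; the `provider` interface and all timings are constructed for the example.

```go
// Added example modelling the PR's shutdown path with the standard library only.
// The provider interface and fakeProvider are assumptions standing in for the
// OTel SDK tracer provider; the PR itself uses errgroup and a 10s timeout.
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// provider is the subset of the tracer-provider API the shutdown path needs.
type provider interface {
	ForceFlush(ctx context.Context) error
	Shutdown(ctx context.Context) error
}

// fakeProvider imitates the SDK's stop-once semantics: Shutdown does work only
// the first time and later calls return nil immediately. Every call honours ctx,
// so a stalled exporter surfaces as a context error instead of a hang.
type fakeProvider struct {
	name      string
	flushCost time.Duration // constructed delay simulating exporter work
	once      sync.Once
	shutdowns atomic.Int32 // how many times real shutdown work ran
}

func (p *fakeProvider) wait(ctx context.Context) error {
	select {
	case <-time.After(p.flushCost):
		return nil
	case <-ctx.Done():
		return fmt.Errorf("%s: %w", p.name, ctx.Err())
	}
}

func (p *fakeProvider) ForceFlush(ctx context.Context) error { return p.wait(ctx) }

func (p *fakeProvider) Shutdown(ctx context.Context) error {
	var err error
	p.once.Do(func() {
		p.shutdowns.Add(1)
		err = p.wait(ctx)
	})
	return err
}

// shutdownAll flushes and shuts down every provider in parallel under a single
// deadline and returns all failures joined, so one slow pipeline cannot hide
// the result of the other.
func shutdownAll(timeout time.Duration, providers ...provider) error {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()

	var wg sync.WaitGroup
	errs := make([]error, len(providers))
	for i, p := range providers {
		wg.Add(1)
		go func(i int, p provider) {
			defer wg.Done()
			if err := p.ForceFlush(ctx); err != nil {
				errs[i] = err
				return
			}
			errs[i] = p.Shutdown(ctx)
		}(i, p)
	}
	wg.Wait()
	return errors.Join(errs...)
}

func main() {
	tp := &fakeProvider{name: "tp", flushCost: 20 * time.Millisecond}
	healthTp := &fakeProvider{name: "healthTp", flushCost: 20 * time.Millisecond}
	fmt.Println("first shutdown:", shutdownAll(time.Second, tp, healthTp))
	// Calling again is safe without nilling the globals: Shutdown is a no-op.
	fmt.Println("second shutdown:", shutdownAll(time.Second, tp, healthTp))
	// A stalled exporter is bounded by the deadline rather than blocking forever.
	slow := &fakeProvider{name: "slow", flushCost: time.Second}
	fmt.Println("stalled exporter:", shutdownAll(50*time.Millisecond, tp, slow))
}
```

The deadline is what keeps a collector-unavailable environment from turning shutdown into a hang; the stop-once guard is what lets concurrent callers (the health-check probes the PR mentions) call into shutdown during the same window without a nil dereference.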
…ith BatchApplicationPackage adapter (#4287)

## Summary

- Adds Step 10 (self-review and fix) to the Azure adapter creation skill, providing a structured 6-item quality checklist that agents run against their own output before opening a PR.
- Extends BUGBOT rules to enforce IAMPermissions, PredefinedRole, and PotentialLinks completeness on all Azure adapters.
- Validates the updated workflow end-to-end by creating a new Azure Batch Application Package adapter (deeply nested SearchableWrapper with 3 query parts).

## Linear Ticket

- **Ticket**: [ENG-3154](https://linear.app/overmind/issue/ENG-3154/phase-2-self-review-and-pr-checklist) — Phase 2: Self-review and PR checklist
- **Purpose**: Add a self-review quality gate to the Azure adapter creation workflow so autonomous adapter creation produces PRs that humans can confidently approve.
- **Project**: Azure Adapter Creation Automation (v2)

## Changes

### Skill and documentation updates

- **`.cursor/skills/azure-adapter-creation/SKILL.md`** — Added Step 10 (self-review and fix) with 6 checklist items: IAMPermissions, PredefinedRole, LinkedItemQueries completeness, PotentialLinks completeness, unit tests, and integration test structure. Updated File Checklist and Cloud Agent delegation sections to reference Step 10. Enhanced Step 8 from "Lint" to "Format, fix, and lint" (gofumpt + go fix before golangci-lint). Expanded DNS linking guidance to cover URL/endpoint fields (e.g. `StorageUrl`, `Endpoint`). Added pitfall: "Never implement TerraformMappings()".
- **`.cursor/skills/azure-adapter-creation/references/AZURE-ADAPTER-PATTERNS.md`** — Removed obsolete TerraformMappings section (now AI-resolved). Removed Terraform registry URL reference comment pattern.
- **`.cursor/skills/azure-adapter-creation/references/LINKED-ITEM-DISCOVERY.md`** — Expanded DNS section to cover URL/endpoint fields with `url.Parse()` hostname extraction example.
- **`.cursor/skills/azure-adapter-creation/templates/adapter.go.tmpl`** — Removed `TerraformMappings()` method from template.
- **`sources/.cursor/BUGBOT.md`** — Added rules for IAMPermissions/PredefinedRole enforcement and PotentialLinks completeness validation.

### New BatchApplicationPackage adapter (validation resource)

- **`sources/azure/clients/batch-application-package-client.go`** — Client interface wrapping `armbatch.ApplicationPackageClient` with Get and List methods.
- **`sources/azure/shared/mocks/mock_batch_application_package_client.go`** — Generated mock (mockgen).
- **`sources/azure/manual/batch-batch-application-package.go`** — SearchableWrapper adapter: Get (accountName|applicationName|versionName), Search (accountName|applicationName), health mapping from PackageState, linked items to parent BatchApplication (GET), parent BatchAccount (GET), and DNS from StorageURL hostname (SEARCH).
- **`sources/azure/manual/batch-batch-application-package_test.go`** — 16 unit test cases covering Get, Search, SearchStream, error handling, health states, PotentialLinks, nil-name skipping, and static link verification.
- **`sources/azure/integration-tests/batch-batch-application-package_test.go`** — Integration test with Setup/Run/Teardown: creates storage account, batch account, batch application, and application package; verifies Get, Search, linked items, and item attributes; tears down in reverse order.
- **`sources/azure/manual/adapters.go`** — SDK client creation and adapter registration (live + placeholder).
- **`sources/azure/shared/utils.go`** — Added `pathKeysMap` entry for `azure-batch-batch-application-package` with keys `{"batchAccounts", "applications", "versions"}`. Applied gofumpt formatting.

### Reviewer focus areas

- Step 10 checklist completeness in `SKILL.md` — does it catch the issues we've seen in prior adapter PRs?
- BUGBOT rules wording — will these fire correctly on real adapter reviews?
- BatchApplicationPackage linked items — 3 links (parent app, parent account, DNS from StorageURL). The DNS link uses `url.Parse()` to extract the hostname, which is the pattern the updated skill now teaches.

## Deviations from Approved Plan

### Addition: Removed TerraformMappings from skill, references, and template

The plan did not include removing TerraformMappings guidance. During the skill update, TerraformMappings were identified as obsolete — they are now resolved automatically using AI. The outdated guidance would confuse future adapter creation agents into implementing a method that is no longer needed. Removed from SKILL.md (added as a pitfall), AZURE-ADAPTER-PATTERNS.md, and adapter.go.tmpl.

### Addition: Expanded DNS linking guidance to cover URL/endpoint fields

The plan's LinkedItemQueries checklist item mentions verifying DNS links, but did not call out updating the SKILL.md Step 2 guidance or the LINKED-ITEM-DISCOVERY.md reference. During validation with BatchApplicationPackage (which has a `StorageURL` field), this gap was discovered: URL fields containing hostnames were not covered by the existing DNS linking instructions. The expanded guidance with `url.Parse()` + `Hostname()` prevents this pattern from being missed in future adapters.

### Addition: Enhanced Step 8 (Lint to Format, fix, and lint)

The plan's post-checklist actions mention running gofumpt and go fix after self-review, but did not call out updating Step 8 itself. Moving these tools earlier in the workflow (Step 8, before Step 9 integration tests) reduces friction and catches formatting issues before test runs.

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Medium risk due to adding a new Azure adapter wired into `manual/adapters.go` plus a new integration test and `GetResourceIDPathKeys` mapping, which could affect discovery and CI behavior if misconfigured.
>
> **Overview**
> Adds a new Azure `BatchBatchApplicationPackage` `SearchableWrapper` (Batch account → application → package version) with a dedicated client interface, generated mocks, unit tests, and an end-to-end integration test. The adapter exposes `Get`/`Search` over a 3-part composite key, links back to the parent Batch application/account, and adds a global DNS link by parsing `Properties.StorageURL` hostnames.
>
> Updates the Azure adapter creation skill/docs to add a Step 10 self-review checklist, expand DNS linking guidance to include URL/endpoint hostname extraction, require format/fix before linting, and explicitly discourage implementing `TerraformMappings()`. Also extends `BUGBOT.md` to enforce `IAMPermissions`, `PredefinedRole`, and `PotentialLinks` completeness, and registers the new adapter + resource ID path key mapping (`azure-batch-batch-application-package`).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit c1b4e86d92501397387503eb2b02aadabc74c451. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
Co-authored-by: David Schmitt <david.schmitt@overmind.tech>
GitOrigin-RevId: d5ecc9ec30b5008e660838abd5aaf508eabe6e93
… (#4302)

## Summary

- Add a GCP Dataflow Job dynamic adapter that discovers Dataflow jobs and links them to Pub/Sub topics/subscriptions, BigQuery tables/datasets, Spanner instances, Bigtable instances, Compute networks/subnetworks, IAM service accounts, and KMS crypto keys
- This is the first step toward detecting outages like ISSUE-7070 where a missing Pub/Sub subscription caused a Dataflow job failure — the Pub/Sub links are the most critical piece
- Adds `roles/dataflow.viewer` to all IAM role configuration surfaces and enables `dataflow.googleapis.com` in deployment config

## Linear Ticket

- **Ticket**: [ENG-3222](https://linear.app/overmind/issue/ENG-3222/gcp-dataflow-job-adapter) — GCP Dataflow Job Adapter
- **Purpose**: Enable infrastructure discovery for GCP Dataflow jobs so Overmind can map their dependencies and detect blast radius from changes to connected resources
- **Related**: [ENG-3217](https://linear.app/overmind/issue/ENG-3217) — the original outage where a missing Pub/Sub subscription broke a Dataflow job

## Changes

**New files:**

- `sources/gcp/dynamic/adapters/dataflow-job.go` — Dynamic adapter with 12 link rules across Pub/Sub, BigQuery, Spanner, Bigtable, networking, and IAM
- `sources/gcp/dynamic/adapters/dataflow-job_test.go` — Tests for Get, Search, ErrorHandling, and StaticTests validating all link rules
- `docs.overmind.tech/docs/sources/gcp/Types/gcp-dataflow-job.md` — Type documentation page
- `docs.overmind.tech/docs/sources/gcp/data/gcp-dataflow-job.json` — Type metadata

**Modified files:**

- `sources/gcp/shared/models.go` — `Dataflow` API and `Job` resource constants
- `sources/gcp/shared/item-types.go` — `DataflowJob` item type
- `sources/gcp/shared/predefined-roles.go` — `roles/dataflow.viewer` with permissions
- `deploy/modules/ovm-services/gke.tf` — Enable `dataflow.googleapis.com`
- `docs.overmind.tech/docs/sources/gcp/configuration.md` — Role in docs table and services list
- `services/frontend/src/features/settings/sources/details/gcp-scripts.ts` — Role in setup scripts
- `sources/gcp/setup/scripts/overmind-gcp-roles.sh` — Role in shell script

**Known limitation:** `spannerDetails.databaseId` and `bigTableDetails.tableId` return plain names (not resource URIs) in the Dataflow API, so those links won't auto-resolve for compound-key target types. Link rules are kept for documentation and `PotentialLinks` registration. The critical Pub/Sub links work correctly.

## Approved Plan

- **Plan approver**: Elliot
- **Linear ticket**: [ENG-3222](https://linear.app/overmind/issue/ENG-3222/gcp-dataflow-job-adapter) (contains the approved plan)

> Deviation analysis and reviewer assignment are handled automatically by the
> pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md).

## Pre-PR Review

<details>
<summary>Review findings: 0 Blocking, 1 Warning, 4 Advisories, 0 Failed</summary>

### Security Review (P0)

**Blocking: 0 | Warning: 0**

No security findings. URL construction uses fixed `dataflow.googleapis.com` host. No new endpoints, no secrets, no auth changes.

### Architecture / Scope Review (P1)

**Advisory: 3**

1. Cross-cutting scope — PR touches 4 top-level directories (sources/, deploy/, docs.overmind.tech/, services/frontend/)
2. New adapter is not behind a feature flag — acceptable for additive discovery capability
3. Existing customers who already ran setup will need to re-grant `roles/dataflow.viewer` to discover Dataflow jobs

### DevOps / Deployment Review (P1)

**Warning: 1 | Advisory: 1**

1. (Warning) Infrastructure change without documented rollback — enabling `dataflow.googleapis.com` is low-risk and revertible via PR revert + terraform apply
2. (Advisory) Consider validating in dogfood before production rollout

</details>

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new GCP discovery adapter plus new IAM role and API enablement across setup surfaces; risk is mainly around permission rollout and correctness of new link rules affecting dependency mapping (no write access or auth flow changes).
>
> **Overview**
> Adds support for discovering **GCP Dataflow Jobs** via a new dynamic adapter (`gcp-dataflow-job`) with `GET` and location-scoped `SEARCH`, plus link rules to map job dependencies to Pub/Sub, BigQuery, Spanner, Bigtable, networking, IAM service accounts, and KMS keys.
>
> Wires this new resource into the system by introducing the `Dataflow` API / `Job` resource constants and `DataflowJob` item type, adding `roles/dataflow.viewer` (and required permissions) to predefined roles and all customer setup script surfaces (frontend templates, shell scripts, and docs), and enabling `dataflow.googleapis.com` in Terraform deployment config. Includes comprehensive adapter tests and new type metadata/docs for the Dataflow Job resource.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d203d8485f5af18538afd47a02e6ab1ba6f153a7. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: f5918383aeae36e45e60c5f3f3abc7ec0b129bc3
<!-- CURSOR_AGENT_PR_BODY_BEGIN -->
## Summary
Implements all-locations LIST support for 8 GCP adapters as specified in
ENG-3225, enabling parameterless LIST queries to return resources across
all locations without requiring location-specific queries.
## Changes
### Adapters Updated
Added `ListEndpointFunc` with wildcard location support (`-`) for:
- `cloudfunctions-function`
- `container-cluster`
- `eventarc-trigger`
- `redis-instance` (with placeholder filtering)
- `file-instance`
- `logging-bucket`
- `logging-saved-query`
- `sql-admin-backup-run` (uses instance wildcard)
### Implementation Details
- All adapters use `gcpshared.ProjectLevelListFunc` with wildcard `-` in
location path
- **Redis placeholder filtering**: Added `ListFilterFunc` framework to
filter out phantom placeholder entries that GCP returns for unavailable
locations (entries with names ending in `/instances/-`)
- SQL Admin backup runs use project-wide instance wildcard
(`projects/{project}/instances/-/backupRuns`)
- Existing GET/SEARCH behavior preserved
- `sql-admin-backup-run` now classified as SearchableListable adapter
(updated test expectations)
### Framework Enhancements
- Added `ListFilterFunc` type to `adapter-meta.go` for filtering LIST
results
- Implemented filtering support in `ListableAdapter.List()` and
`ListStream()` methods
- Similar pattern to existing `SearchFilterFunc` for consistency
### Tests
- Added LIST test cases for all adapters
- Added mock responses for wildcard endpoints
- Added test for Redis placeholder filtering to verify phantom entries
are excluded
- Added comprehensive test coverage for eventarc-trigger adapter (GET,
Search, List, ErrorHandling)
- Updated adapter type test to reflect sql-admin-backup-run as
SearchableListable
- All tests pass successfully with race detector
## Validation
✅ All adapter tests pass
✅ Full gcp source test suite passes (3161 test cases)
✅ No lint issues
✅ Existing GET/SEARCH functionality preserved
✅ LIST returns items without requiring location parameters
✅ Redis placeholder entries are properly filtered
✅ Test expectations updated for adapter type classification
## Review Feedback Addressed
1. ✅ **Redis placeholder filtering**: Implemented `ListFilterFunc` to
filter out placeholder entries with names ending in `/instances/-`
2. ✅ **Eventarc test coverage**: Added comprehensive test file with GET,
Search, List, and ErrorHandling tests
3. ℹ️ **SQLAdminBackupRun**: This adapter has documented issues with
extraction that exist independent of LIST support. The LIST endpoint is
correct per GCP API docs and aligns with other adapters. Addressing the
extraction issue is out of scope for this PR.
## Related
Closes #ENG-3225
<!-- CURSOR_AGENT_PR_BODY_END -->
Linear Issue:
[ENG-3225](https://linear.app/overmind/issue/ENG-3225/implement-all-locations-list-for-supported-gcp-adapters)
GitOrigin-RevId: e47ccfb5b53f9b28717554481a4b1eb1e4da19ec
## Summary

- Add `LIST` support to the GCP Dataflow job dynamic adapter using the Dataflow aggregated endpoint so jobs can be enumerated project-wide.
- Preserve existing `GET` and location-based `SEARCH` behaviour while extending adapter capability to `SearchableListable`.
- Add focused unit test coverage for the new list path and endpoint wiring.

## Linear Ticket

- **Ticket**: [ENG-3227](https://linear.app/overmind/issue/ENG-3227/support-list-for-gcp-dataflow-jobs-via-aggregated-endpoint) — Support LIST for GCP Dataflow jobs via aggregated endpoint
- **Purpose**: Enable project-wide Dataflow job discovery using the API's `jobs:aggregated` endpoint.
- **Blocks**: None

## Changes

Updated `sources/gcp/dynamic/adapters/dataflow-job.go` to add `ListEndpointFunc` with `https://dataflow.googleapis.com/v1b3/projects/%s/jobs:aggregated`, and updated `sources/gcp/dynamic/adapters/dataflow-job_test.go` with aggregated endpoint mocks and a new `List` test. Existing `GET`/`SEARCH` endpoints and metadata remain intact.

## Approved Plan

- **Plan approver**: David Schmitt
- **Linear ticket**: [ENG-3227](https://linear.app/overmind/issue/ENG-3227/support-list-for-gcp-dataflow-jobs-via-aggregated-endpoint)

> Deviation analysis and reviewer assignment are handled automatically by the
> pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md).

## Pre-PR Review

<details>
<summary>Review findings: 0 Blocking, 0 Warnings, 3 Advisories, 0 Failed</summary>

## Pre-PR Review Summary

**Groups run:** Security, Architecture
**Groups failed:** none
**Result:** 0 Blocking, 0 Warnings, 3 Advisories, 0 Failed

### Advisory (consider)

- [Security] Project ID interpolation in list URL construction is acceptable due to scope validation; aligns with existing adapter patterns.
- [Architecture] Docs currently still show LIST struck through for `gcp-dataflow-job`; should be regenerated/synchronised.
- [Architecture] LIST is an additive user-visible behaviour change; consider release note/customer communication.

### Clean Areas

- [Security] No injection, XSS, SSRF, secrets exposure, broken access control, crypto, or dependency issues found.
- [Architecture] Scope is limited to adapter+tests, no ADR conflicts, and pattern aligns with existing GCP adapters.

</details>

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new project-wide LIST code path for Dataflow jobs using the `jobs:aggregated` endpoint, which could change discovery volume and behavior compared to location-scoped search/get.
>
> **Overview**
> Enables **project-wide enumeration** of GCP Dataflow jobs by adding `ListEndpointFunc` wiring to the Dataflow job dynamic adapter, using the Dataflow `projects/%s/jobs:aggregated` API endpoint while preserving existing location-based `GET` and `SEARCH` endpoints.
>
> Extends unit tests to mock the aggregated endpoint and adds a new `List` test asserting the adapter implements `discovery.ListableAdapter` and returns the expected items/unique attributes.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit dc0ff93d244d89c12de006107e982131e718fde4. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: faf029ba13f122eca1e44544c943103673546e87
…(#4300)

## Summary

- Renames 6 non-persisted proto fields in SDP for improved naming consistency, reducing ambiguity between `Reference` fields and the full `Item` message type — critical for LLM-assisted coding accuracy
- No database migration required (protobuf wire format uses field numbers, not names)
- This PR should land **before** the companion DB-migration ticket ([ENG-3148](https://linear.app/overmind/issue/ENG-3148)) to reduce that PR's diff surface

## Linear Ticket

- **Ticket**: [ENG-3147](https://linear.app/overmind/issue/ENG-3147/sdp-naming-consistency-non-persisted-fields-no-db-migration) — SDP naming consistency — non-persisted fields (no DB migration)
- **Purpose**: Rename 6 proto fields whose type is `Reference` but were named `item` (or similar), causing confusion with the full `Item` message type
- **Blocks**: [ENG-3148](https://linear.app/overmind/issue/ENG-3148) — SDP naming consistency — persisted fields (DB migration required)

## Changes

### Proto Field Renames

| Proto File | Message | Before | After |
| --- | --- | --- | --- |
| `items.proto` | `Expand` | `Reference item = 1;` | `Reference itemRef = 1;` |
| `changes.proto` | `ItemDiffSummary` | `Reference item = 1;` | `Reference itemRef = 1;` |
| `changes.proto` | `Risk` | `repeated Reference relatedItems = 4;` | `repeated Reference relatedItemRefs = 4;` |
| `signal.proto` | `GetItemSignalDetailsRequest` | `Reference item = 1;` | `Reference itemRef = 1;` |
| `revlink.proto` | `GetReverseEdgesRequest` | `Reference item = 2;` | `Reference itemRef = 2;` |
| `gateway.proto` | `GatewayResponse` | `Reference deleteItem = 7;` | `Reference deleteItemRef = 7;` |

### Affected Components (48 files)

- **Proto**: 5 `.proto` files renamed
- **Generated code**: Regenerated Go (`.pb.go`) and TS (`_pb.ts`) bindings
- **go/sdp-go**: `changes.go`, `sdpws/client.go`
- **services/api-server**: `changesservice_test.go`, `signalservice.go`, `signalservice_test.go`, `changevalidation/`, `area51/changes.go`, `models/changes.go`, `runtask.go`
- **services/gateway**: `request_session.go`, `graphstatetracker.go`, `prompts/change_details.tmpl`, tests
- **services/revlink**: `connect_server.go`, `connect_server_test.go`
- **Frontend**: `ChangeRisks.tsx`, `RiskCard.tsx`, `RiskDescriptionMarkdown.tsx`, `riskDescriptionTokens.ts`, `useRiskDisplay.tsx`, `RisksProvider.tsx`, `ItemSignalDetails.tsx`, `ItemSignalsAccordion.tsx`, stories & tests
- **sdp-js**: `gateway-session.ts`, test helpers
- **Test fixtures**: `v6/*.json`
- **Documentation**: `extracting_data.md`

## Deviation Analysis vs [ENG-3147 Plan](https://linear.app/overmind/issue/ENG-3147/sdp-naming-consistency-non-persisted-fields-no-db-migration)

### Files in plan but NOT changed in this PR

These files were listed in the plan but did not require changes — either because they don't actually reference the 6 renamed fields, or their references belong to the companion DB-migration ticket (ENG-3148: `ItemDiff.item`, `LinkedItem.item`):

| Planned file | Reason not changed |
| --- | --- |
| `go/sdp-go/graph/main.go` | No references to renamed fields |
| `go/sdp-go/progress.go` | No references to renamed fields |
| `services/api-server/service/changesservice.go` | References are to `ItemDiff.item` / `LinkedItem.item` (ENG-3148 scope) |
| `services/api-server/service/changeanalysis/*.go` (6 files) | References are to `ItemDiff.item` / `LinkedItem.item` (ENG-3148 scope) |
| `services/api-server/area51/signals.go` | No references to renamed fields |
| `services/api-server/service/routine/routine.go` | No references to renamed fields |
| `go/discovery/`, `sources/snapshot/`, `stdlib-source/`, `cli/` | No references to renamed fields |
| `services/frontend/.../renderableItem.ts` | No references to renamed fields |
| `docs/domain-glossary.md` | No glossary entries for these field names |
| `v6_benchmark_scenarios/**/scenario.json`, `README.md` | Fixtures use `ItemDiff.item` (ENG-3148 scope) |

### Files NOT in plan but changed in this PR

These files contained references to the renamed fields but were not listed in the plan:

| File | Reason changed |
| --- | --- |
| `go/sdp-go/sdpws/client.go` | Uses `deleteItemRef` (was `deleteItem`) |
| `sdp-js/src/__tests__/gateway.test.ts` | Test references to `deleteItemRef` |
| `sdp-js/src/__tests__/sampledata.helper.ts` | Test fixture with `deleteItemRef` |
| `services/frontend/.../RiskDescriptionMarkdown.tsx` | Uses `itemRef` in risk description rendering |
| `services/frontend/.../ItemSignalDetails.tsx` | Uses `itemRef` field |
| `services/frontend/.../ItemSignalsAccordion.tsx` | Uses `itemRef` field |
| `services/gateway/service/prompts/change_details.tmpl` | Go template references `RelatedItemRefs` |
| `services/gateway/service/tools_test.go` | Test references to renamed fields |

### Summary of deviations

The plan over-estimated the scope in `changeanalysis/` and several other Go packages — those files reference `ItemDiff.item` and `LinkedItem.item` which are **persisted** field renames deferred to ENG-3148. Conversely, the plan under-estimated the scope in `sdp-js` tests, gateway templates, and several frontend signal/risk components that also reference the renamed fields.

**Net effect: 48 files changed vs ~60 estimated; all 6 field renames are complete.**

## Testing

- ✅ Go code compiles successfully
- ✅ Frontend TypeScript typechecks pass
- ✅ sdp-js builds successfully

## Risk

**Low.** No database migration, no stored data at risk. Protobuf wire format uses field numbers not names, so older CLI binaries remain compatible.

Fixes ENG-3147

GitOrigin-RevId: 6d2d7ee0919759fe5399293835a1e8e3cce0b48b
…, and Plumbing (#4312)

<!-- CURSOR_AGENT_PR_BODY_BEGIN -->
## Summary

Phase 1 of the [GitHub App Installation Requests](https://linear.app/overmind/issue/ENG-3233) project. Adds the data foundation for tracking pending GitHub App installation requests from non-admin org members.

### Changes

**Database (migration + schema)**

- Add 5 nullable columns to `accounts`: `github_requested_org_id`, `github_requested_org_name`, `github_requested_at`, `github_requested_by`, `github_requested_user_id`
- All columns have `COMMENT ON COLUMN` documentation

**SQL queries (SQLC)**

- `SetAccountGithubPendingRequest` — store pending request fields
- `ClearAccountGithubPendingRequest` — null out all pending request fields
- `GetAccountByGithubRequestedOrgID` — lookup by org ID (for webhook matching in Phase 3)
- `GetAccountGithubPendingRequest` — lookup by account name

**Proto (SDP)**

- Add `optional string requestedOrgName`, `optional google.protobuf.Timestamp requestedAt`, `optional string requestedBy` to `GithubAppInformation` (field numbers 10-12)

**Config plumbing**

- Add `GithubClientID`, `GithubClientSecret`, `GithubWebhookSecret` to `ServerConfig`
- Add viper bindings, CLI flags, and secret redaction in `MapFromServerConfig`
- Add 1Password references in `.devcontainer/env/op.local.env`
- Add `${localEnv:...}` passthrough in `.devcontainer/devcontainer.json` remoteEnv

**API server behavior**

- `GetGithubAppInformation` now returns pending request fields when no installation ID exists but a pending request is stored

**Documentation**

- Add GitHub App env vars to the API server README config table

### No user-facing behavior changes

This is pure infrastructure. Phases 2-4 build on top of this.

### Related

- Project plan: `docs/plans/github-app-installation-requests.md`
- Sentry: [FRONTEND-NJ](https://overmindtech.sentry.io/issues/FRONTEND-NJ)
- Linear: [ENG-3233](https://linear.app/overmind/issue/ENG-3233)
<!-- CURSOR_AGENT_PR_BODY_END -->

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: 0586d483e565c41de6eebdd9f4e9086bfbb7f85b
… (#4328)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.79.2` → `v1.79.3` |  |  |
---
> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.
### GitHub Vulnerability Alerts
#### [CVE-2026-33186](https://redirect.github.com/grpc/grpc-go/security/advisories/GHSA-p77j-4mvh-x3m3)
### Impact
_What kind of vulnerability is it? Who is impacted?_
It is an **Authorization Bypass** resulting from **Improper Input Validation** of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present.
**Who is impacted?**
This affects gRPC-Go servers that meet both of the following criteria:
1. They use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`.
2. Their security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule).
The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server.
### Patches
_Has the problem been patched? What versions should users upgrade to?_
Yes, the issue has been patched. The fix ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string.
Users should upgrade to the following versions (or newer):
* **v1.79.3**
* The latest **master** branch.
It is recommended that all users employing path-based authorization (especially `grpc/authz`) upgrade as soon as the patch is available in a tagged release.
### Workarounds
_Is there a way for users to fix or remediate the vulnerability without upgrading?_
While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods:
#### 1. Use a Validating Interceptor (Recommended Mitigation)
Add an "outermost" interceptor to your server that validates the path before any other authorization logic runs:
```go
func pathValidationInterceptor(ctx context.Context, req any, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
	if info.FullMethod == "" || info.FullMethod[0] != '/' {
		return nil, status.Errorf(codes.Unimplemented, "malformed method name")
	}
	return handler(ctx, req)
}

// Ensure this is the FIRST interceptor in your chain
s := grpc.NewServer(
	grpc.ChainUnaryInterceptor(pathValidationInterceptor, authzInterceptor),
)
```
#### 2. Infrastructure-Level Normalization
If your gRPC server is behind a reverse proxy or load balancer (such as Envoy, NGINX, or an L7 Cloud Load Balancer), ensure it is configured to enforce strict HTTP/2 compliance for pseudo-headers and reject or normalize requests where the `:path` header does not start with a leading slash.
#### 3. Policy Hardening
Switch to a "default deny" posture in your authorization policies (explicitly listing all allowed paths and denying everything else) to reduce the risk of bypasses via malformed inputs.
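The following stand-alone Go program is an added illustration of the advisory's mechanics, not grpc-go or grpc/authz code: it models a path-based policy as a literal string match over the raw `:path`, shows why a canonical deny rule fails to match `Service/Method`, and shows how workaround 1 (validate first) and workaround 3 (default deny) each close the gap. The `Policy` type and the service/method names are constructed stand-ins.

```go
// Added illustration of CVE-2026-33186's mechanics; this is not grpc-go or
// grpc/authz code. It models path-based authorization with plain Go so the
// bypass and two of the workarounds can be exercised without a gRPC server.
package main

import (
	"errors"
	"fmt"
)

// Decision mirrors the outcome an authorization interceptor chain returns.
type Decision string

const (
	Allowed       Decision = "allowed"
	Denied        Decision = "denied (PermissionDenied)"
	Unimplemented Decision = "rejected (Unimplemented: malformed method name)"
)

// Policy is a simplified stand-in for a grpc/authz-style RBAC policy.
// DenyPaths and AllowPaths hold canonical, leading-slash method paths;
// FallbackAllow models a catch-all "allow" rule at the end of the policy.
type Policy struct {
	DenyPaths     []string
	AllowPaths    []string
	FallbackAllow bool
}

// Evaluate compares the raw :path value against the rules the way the
// vulnerable interceptors did: a literal string match with no normalization.
// Deny rules are checked before allow rules, as in grpc/authz.
func (p Policy) Evaluate(rawPath string) Decision {
	for _, d := range p.DenyPaths {
		if rawPath == d {
			return Denied
		}
	}
	for _, a := range p.AllowPaths {
		if rawPath == a {
			return Allowed
		}
	}
	if p.FallbackAllow {
		return Allowed
	}
	return Denied
}

// validateMethodPath is the check from the advisory's workaround 1 (and what
// grpc-go v1.79.3 now does server-side before any interceptor runs): a gRPC
// method path must be non-empty and begin with '/'.
func validateMethodPath(fullMethod string) error {
	if fullMethod == "" || fullMethod[0] != '/' {
		return errors.New("malformed method name")
	}
	return nil
}

// authorize models the interceptor chain. withValidation=false is the
// vulnerable chain (authz evaluates the raw path directly); withValidation=true
// puts the validating interceptor first, so authz only sees canonical paths.
func authorize(p Policy, rawPath string, withValidation bool) Decision {
	if withValidation {
		if err := validateMethodPath(rawPath); err != nil {
			return Unimplemented
		}
	}
	return p.Evaluate(rawPath)
}

func main() {
	// Constructed sample service/method names, not taken from the advisory.
	lenient := Policy{DenyPaths: []string{"/admin.Admin/DeleteUser"}, FallbackAllow: true}
	strict := Policy{DenyPaths: []string{"/admin.Admin/DeleteUser"}, AllowPaths: []string{"/public.Svc/Ping"}}

	cases := []struct {
		label    string
		policy   Policy
		path     string
		validate bool
	}{
		{"canonical path, lenient policy", lenient, "/admin.Admin/DeleteUser", false},
		{"missing slash, lenient policy (bypass)", lenient, "admin.Admin/DeleteUser", false},
		{"missing slash, validating interceptor first", lenient, "admin.Admin/DeleteUser", true},
		{"missing slash, default-deny policy", strict, "admin.Admin/DeleteUser", false},
	}
	for _, c := range cases {
		fmt.Printf("%-45s %q -> %s\n", c.label, c.path, authorize(c.policy, c.path, c.validate))
	}
}
```

The advisory's snippet is a unary interceptor; streaming RPCs need the same check on `info.FullMethod` from `grpc.StreamServerInfo`, registered first via `grpc.ChainStreamInterceptor`.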
---
### Release Notes
<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>
### [`v1.79.3`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.79.3): Release 1.79.3
[Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.79.2...v1.79.3)
### Security
- server: fix an authorization bypass where malformed :path headers (missing the leading slash) could bypass path-based restricted "deny" rules in interceptors like `grpc/authz`. Any request with a non-canonical path is now immediately rejected with an `Unimplemented` error. ([#8981](https://redirect.github.com/grpc/grpc-go/issues/8981))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 9f42af848b86d574c8b74b26de541b844706029e
## Summary
Adds a new Azure adapter for **NetworkFlowLog** resources (`Microsoft.Network/networkWatchers/flowLogs`). Flow Logs are child resources of Network Watchers that capture network traffic information for NSGs, VNets, or Subnets.
## Changes
### New files
- `sources/azure/clients/flow-logs-client.go` — Client interface with `Get` and `NewListPager`
- `sources/azure/shared/mocks/mock_flow_logs_client.go` — Generated mock
- `sources/azure/manual/network-flow-log.go` — SearchableWrapper adapter (child of NetworkWatcher)
- `sources/azure/manual/network-flow-log_test.go` — Unit tests (20 test cases)
- `sources/azure/integration-tests/network-flow-log_test.go` — Integration test (Setup/Run/Teardown)
### Modified files
- `sources/azure/shared/models.go` — Added `NetworkWatcher` resource constant, `OperationalInsights` API, `Workspace` resource
- `sources/azure/shared/item-types.go` — Added `NetworkNetworkWatcher`, `OperationalInsightsWorkspace` item types
- `sources/azure/shared/utils.go` — Added `pathKeysMap` entry for `azure-network-flow-log`
- `sources/azure/manual/adapters.go` — Registered adapter in both live and metadata-only blocks
### Adapter details
- **Wrapper type**: `SearchableWrapper` (child of NetworkWatcher)
- **Get params**: `networkWatcherName`, `flowLogName`
- **Unique attribute**: composite key via `CompositeLookupKey(networkWatcherName, flowLogName)`
- **Health mapping**: ProvisioningState → SDP Health (Succeeded/Creating/Updating/Deleting/Failed/Canceled)
- **Polymorphic TargetResourceID**: Detects NSG, VNet, or Subnet from ARM path segments
### Linked items (7 types)
1. **NetworkWatcher** (parent, GET)
2. **NetworkSecurityGroup** (via TargetResourceID, GET)
3. **VirtualNetwork** (via TargetResourceID, GET)
4. **Subnet** (via TargetResourceID, GET with composite key)
5. **StorageAccount** (via StorageID, GET)
6. **OperationalInsightsWorkspace** (via WorkspaceResourceID in Traffic Analytics config, GET)
7. **ManagedIdentityUserAssignedIdentity** (via Identity.UserAssignedIdentities, GET)
## Self-Review Checklist
- [x] **IAMPermissions**: Present, references `Microsoft.Network/networkWatchers/flowLogs/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 7 links verified (NetworkWatcher parent, polymorphic TargetResourceID for NSG/VNet/Subnet, StorageAccount, OperationalInsights workspace, user-assigned managed identities). No IP/DNS fields in FlowLog struct.
- [x] **PotentialLinks**: 7 types listed, matches LinkedItemQueries
- [x] **Unit tests**: All passing (Get, Get_VNetTarget, Get_SubnetTarget, Get_EmptyFlowLogName, Get_EmptyNetworkWatcherName, Get_InsufficientQueryParts, Search, Search_InvalidQueryParts, Search_FlowLogWithNilName, ErrorHandling_Get, ErrorHandling_Search, HealthMapping x4, Get_NoLinks, StaticTests)
- [x] **Integration test**: Present, follows Setup/Run/Teardown structure
All checklist items passed. Ready for review.
---------
Co-authored-by: Cursor Agent <cursor@overmind.tech>
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: 1623143537d7d3600e3711b750af1bf67dd771a1
## Summary
Resolves ENG-2676. Pins the GoReleaser version from `latest` to the exact version `v2.14.3` in all workflow files that use `goreleaser/goreleaser-action`, and adds a Renovate custom regex manager so version bumps are proposed automatically.
## Changes
### Version pinning
All three `goreleaser-action` usages had `version: latest` replaced with `version: "v2.14.3"`:
| File | Usage |
| --- | --- |
| `aws-source/module/provider/.github/workflows/release.yml` | Terraform provider release |
| `cli/.github/workflows/release.yml` | CLI release |
| `.github/workflows/ci.yml` | CI dry-run build |
Each location includes a `# renovate: datasource=github-releases depName=goreleaser/goreleaser` comment hint above the `version:` line.
### Renovate support
A new custom regex manager was added to `.github/renovate.json` that:
- Scans `**/.github/workflows/*.yml` (covering root, `cli/`, and `aws-source/module/provider/` workflow directories)
- Matches the `# renovate:` comment + `version:` line pattern
- Uses the `github-releases` datasource for `goreleaser/goreleaser`
This means Renovate will automatically open PRs when new GoReleaser releases are published.
Linear Issue: [ENG-2676](https://linear.app/overmind/issue/ENG-2676/pin-goreleaser-version-in-terraform-provider-release-workflow)
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: David Schmitt <DavidS-ovm@users.noreply.github.com>
GitOrigin-RevId: 3013c59e82ae4b1a67aa313be0a0ba6baaa3842e
> [!NOTE]
> **Medium Risk**
> Introduces new cloud-agent secret/env templates and a workflow for resolving Azure credentials via `inject-secrets`, which could affect how integration tests authenticate and increases the chance of accidental credential leakage if misused.
>
> **Overview**
> Adds Cloud Agent support files to run Azure integration tests by resolving 1Password `op://...` references at runtime: new `.github/env/op.azure-cloud-agent.secret` (Azure SP + subscription IDs) and `.github/env/op.azure-cloud-agent.env` (enables tests).
>
> Updates Azure integration test docs with Cloud Agent setup, manual `inject-secrets` invocation, and security guidance, and ignores the generated resolved env output (`.env.azure-cloud-agent`) to prevent committing real credentials.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit cd999e1ccb7fc7eca180a207ada4a45dc5b4b53d.</sup>
GitOrigin-RevId: 07940caa380eefdf5ff95738f50f4867fdf48355
## Summary
Add a new SearchableWrapper adapter for Azure PostgreSQL Flexible Server Backups using the `BackupsAutomaticAndOnDemandClient` from `armpostgresqlflexibleservers/v5`.
## Changes
- **Client interface** (`sources/azure/clients/dbforpostgresql-flexible-server-backup-client.go`): Wraps `BackupsAutomaticAndOnDemandClient` with `Get` and `ListByServer` methods
- **Adapter** (`sources/azure/manual/dbforpostgresql-flexible-server-backup.go`): SearchableWrapper implementation with Get, Search, SearchStream
  - Composite unique attribute (`serverName` + `backupName`)
  - GET link to parent `DBforPostgreSQLFlexibleServer`
- **Registration** (`sources/azure/manual/adapters.go`): Live and placeholder registrations
- **pathKeysMap** (`sources/azure/shared/utils.go`): Entry for `flexibleServers/backups` resource ID resolution
- **Unit tests** (`sources/azure/manual/dbforpostgresql-flexible-server-backup_test.go`): Full coverage
- **Integration test** (`sources/azure/integration-tests/dbforpostgresql-flexible-server-backup_test.go`): Setup/Run/Teardown structure
## Notes
- Item type `DBforPostgreSQLFlexibleServerBackup` and resource constant `FlexibleServerBackup` already existed in `shared/item-types.go` and `shared/models.go`
- The parent `DBforPostgreSQLFlexibleServer` adapter already had a SEARCH link and PotentialLinks entry for the backup type
- The `BackupAutomaticAndOnDemand` struct has no IPs, DNS names, URLs, or references to other Azure resources beyond the parent server
## Self-Review Checklist
- [x] **IAMPermissions**: Present, references `Microsoft.DBforPostgreSQL/flexibleServers/backups/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 1 link verified (parent Flexible Server via GET). No IPs/DNS — struct has only `BackupType`, `CompletedTime`, `Source` fields.
- [x] **PotentialLinks**: 1 type listed (`DBforPostgreSQLFlexibleServer`), matches LinkedItemQueries
- [x] **Unit tests**: All passing (Get, GetWithInsufficientQueryParts, GetWithEmptyServerName, GetWithEmptyBackupName, Search, SearchStream, SearchWithInsufficientQueryParts, ErrorHandling_Get, ErrorHandling_Search, PotentialLinks, StaticTests)
- [x] **Integration test**: Present, follows Setup/Run/Teardown structure
All checklist items passed. Ready for review.
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
GitOrigin-RevId: 86c926d761e9a5e417d804f7e5966f1c4fb22ef0
## Summary
This PR implements Phase 1 of the snapshot source Docker image support,
enabling the snapshot source to run as a container in the benchmark
environment.
## Changes
- **Created `sources/snapshot/build/package/Dockerfile`**: Follows the
established pattern from GCP and Azure sources with multi-stage build
- **Updated `build/images-bake.hcl`**: Added "snapshot" to the source
matrix, enabling CI builds
- **Updated `sources/snapshot/README.md`**: Added comprehensive Docker
usage documentation with build and run examples
- **Updated `docs/ARCHITECTURE.md`**: Added snapshot-source to the
components list
- **Fixed `.dockerignore`**: Added exception to include
`docs.overmind.tech/docs/sources/` in Docker build context
## CI Fix
The initial commit had a Docker build failure because `.dockerignore`
was excluding the entire `docs.overmind.tech/` directory. The snapshot
source needs access to `docs.overmind.tech/docs/sources/` which contains
embedded adapter catalog data (JSON files with metadata like category,
descriptive names, etc.).
**Solution**: Modified `.dockerignore` to add an exception using
`!docs.overmind.tech/docs/sources/` to allow this directory to be
included in the Docker build context while still excluding the rest of
`docs.overmind.tech/`.
## Validation
All validation criteria from the implementation plan have been met:
✅ **Dockerfile builds successfully**
- Verified the Dockerfile follows the same pattern as `sources/gcp` and
`sources/azure`
- Docker build now succeeds with catalog data properly embedded
- Multi-stage build produces a minimal alpine-based runtime image
✅ **Binary runs with required environment variables**
- Tested with `SNAPSHOT_SOURCE=/data/snapshot.json` environment variable
- Verified NATS connection configuration works (requires
`OVERMIND_MANAGED_SOURCE=true` with `NATS_SERVICE_HOST` and
`NATS_SERVICE_PORT` for local NATS, or uses production NATS URL for
cloud deployments)
- Confirmed snapshot loading from test data file
✅ **Health check endpoint responds**
- Tested `/healthz/alive` and `/healthz/ready` endpoints
- Endpoints respond correctly on the configured port (default 8089,
configurable via `--health-check-port`)
- Returns appropriate status messages based on NATS connection and
adapter initialization state
✅ **Image appears in CI build matrix**
- Added to the `source` target matrix in `build/images-bake.hcl`
- Will be built automatically on push to main alongside azure-source and
gcp-source
- Tagged as `ghcr.io/overmindtech/workspace/snapshot-source:${TAG}`
✅ **Tests pass**
- All snapshot adapter unit tests pass
- Adapter metadata correctly sourced from embedded catalog
✅ **CI builds pass**
- All 46 CI jobs passing including Docker build
## Testing
```bash
# Build the binary
go build -o snapshot-source sources/snapshot/main.go
# Run with test snapshot
ALLOW_UNAUTHENTICATED=true \
SNAPSHOT_SOURCE=/workspace/services/api-server/service/changeanalysis/testdata/snapshot.json \
./snapshot-source --health-check-port=9999
# Test health checks
curl http://localhost:9999/healthz/alive
curl http://localhost:9999/healthz/ready
# Run tests
cd sources/snapshot/adapters && go test -v
```
## Docker Usage
```bash
# Build the image
docker buildx bake snapshot-source
# Run the container
docker run --rm \
-v /path/to/snapshot.json:/data/snapshot.json:ro \
-e SNAPSHOT_SOURCE=/data/snapshot.json \
-e NATS_SERVICE_HOST=nats \
-e NATS_SERVICE_PORT=4222 \
-e OVERMIND_MANAGED_SOURCE=true \
-e ALLOW_UNAUTHENTICATED=true \
ghcr.io/overmindtech/workspace/snapshot-source:dev
```
## Related Issues
- Closes ENG-3240
- Part of the "Improve local feedback cycles" project for LLM-based v6
change analysis benchmarking
Linear Issue:
[ENG-3240](https://linear.app/overmind/issue/ENG-3240/phase-1-snapshot-source-docker-image)
---------
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: carabasdaniel <carabasdaniel@users.noreply.github.com>
GitOrigin-RevId: e55b0de25a597ca8e813d7be3003f27de06ce2be
> [!NOTE]
> **Low Risk**
> Low risk: small CLI behavior change gated behind a new flag, with no changes to secret resolution or output formatting unless `--no-ping` is used.
>
> **Overview**
> `inject-secrets` now supports a `--no-ping` flag that skips the startup health check reading `op://global/PING/text`, allowing use with service-account tokens that can’t access the global vault.
>
> Updates the Azure integration test README to include `--no-ping` in the manual credential injection example.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 4d1d7872ab5326be96e6279c35097bdc6989db00.</sup>
GitOrigin-RevId: 176cfdce7974f4441fbdb2e85caab571a4366743
…4322)
## Summary
Add a SearchableWrapper adapter for Azure Load Balancer Frontend IP Configurations, enabling discovery and dependency tracking of this child resource of Load Balancers.
## Changes
### New files
- `sources/azure/clients/load-balancer-frontend-ip-configurations-client.go` — client interface wrapping `armnetwork.LoadBalancerFrontendIPConfigurationsClient`
- `sources/azure/shared/mocks/mock_load_balancer_frontend_ip_configurations_client.go` — generated mock
- `sources/azure/manual/network-load-balancer-frontend-ip-configuration.go` — SearchableWrapper adapter implementation
- `sources/azure/manual/network-load-balancer-frontend-ip-configuration_test.go` — unit tests (13 test cases)
- `sources/azure/integration-tests/network-load-balancer-frontend-ip-configuration_test.go` — integration test (Setup/Run/Teardown)
### Modified files
- `sources/azure/manual/adapters.go` — register the new adapter (init + placeholder)
- `sources/azure/shared/utils.go` — add `pathKeysMap` entry for `loadBalancers/frontendIPConfigurations`
### Linked resources (10 types)
| Link | Type | Method | Notes |
| --- | --- | --- | --- |
| Parent Load Balancer | `NetworkLoadBalancer` | GET | Always present |
| Public IP Address | `NetworkPublicIPAddress` | GET | Cross-RG aware |
| Subnet | `NetworkSubnet` | GET | Cross-RG aware, composite key |
| Public IP Prefix | `NetworkPublicIPPrefix` | GET | Cross-RG aware |
| Gateway LB Frontend IP | `NetworkLoadBalancerFrontendIPConfiguration` | GET | Self-referencing for chained LBs |
| Inbound NAT Rules | `NetworkLoadBalancerInboundNatRule` | GET | Read-only refs from Azure |
| Inbound NAT Pools | `NetworkLoadBalancerInboundNatPool` | GET | Read-only refs from Azure |
| Outbound Rules | `NetworkLoadBalancerOutboundRule` | GET | Read-only refs from Azure |
| Load Balancing Rules | `NetworkLoadBalancerLoadBalancingRule` | GET | Read-only refs from Azure |
| Private IP Address | `stdlib.NetworkIP` | GET | Global scope |
### Parent adapter
The existing `network-load-balancer.go` already has GET links to `NetworkLoadBalancerFrontendIPConfiguration` children (iterating inline `FrontendIPConfigurations`), and includes `NetworkLoadBalancerFrontendIPConfiguration` in its `PotentialLinks()`. No parent-side changes needed.
## Self-Review Checklist
- [x] **IAMPermissions**: Present, references `Microsoft.Network/loadBalancers/frontendIPConfigurations/read`
- [x] **PredefinedRole**: Present, uses `Reader`
- [x] **LinkedItemQueries**: 10 link types verified (parent LB, PublicIP, Subnet, PublicIPPrefix, GatewayLB FrontendIP, InboundNatRules, InboundNatPools, OutboundRules, LoadBalancingRules, PrivateIP). IP links present.
- [x] **PotentialLinks**: 10 types listed, matches LinkedItemQueries
- [x] **Unit tests**: All passing (Get, StaticTests, Get_WithInsufficientQueryParts, Get_WithEmptyLoadBalancerName, Get_WithEmptyFrontendIPConfigName, Search, Search_WithNilName, Search_InvalidQueryParts, ErrorHandling_Get, ErrorHandling_Search, Get_CrossResourceGroupLinks, Get_NoProperties)
- [x] **Integration test**: Present, follows Setup/Run/Teardown structure
All checklist items passed. Ready for review.
Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Cursor Agent <cursor@overmind.tech>
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
GitOrigin-RevId: b259eea6ec0448d38c676c6f7140013ecf3723c6
…layers (#4175)
## Summary
- Restructure the sdpcache package after ENG-2977 (ShardedCache) into focused files with clean layering: storage → scheduling → Cache interface
- Extract shared `lookupCoordinator` and `purger` structs to eliminate duplicated orchestration and scheduling code
- Add 26 table-driven contract tests that validate all Cache methods across all implementations
## Changes
9 commits across 8 phases, touching 19 files (+3479 / -2860 lines). The diff is large but every commit is a self-contained, reviewable step.
**Reviewers should focus on:**
- `purger.go` — the extracted scheduling struct that all Cache implementations embed
- `bolt.go` — BoltCache now owns its purger and wraps StoreItem/StoreError
- `sharded.go` — single purger goroutine replaces 17, plus OTel span on Purge
- `cache_contract_test.go` — the interface contract that all implementations must satisfy
---
# Implementation Plan: sdpcache Refactor
**Branch:** `refactor-cache`
**Base:** `749c70af4` ([ENG-2977] Implement BoltDB hash-based sharding for sdpcache)
**Goal:** After ENG-2977 landed ShardedCache, the sdpcache package had grown organically into two large files (`cache.go` ~1200 lines, `bolt_cache.go` ~800 lines) with duplicated lookup orchestration, duplicated purger scheduling, inconsistent test coverage, and a blurred boundary between storage and scheduling concerns. This plan restructures the package into focused, testable units with a clean layering: storage → scheduling → Cache interface.
## Background
ENG-2977 added `ShardedCache` as the production default, wrapping N `boltStore` instances behind FNV-32a shard routing. The implementation was correct but introduced several maintenance hazards:
1. **Lookup orchestration duplicated** across BoltCache, ShardedCache, and MemoryCache — each had its own copy of the pending-work deduplication + search + retry flow
2. **Purger scheduling duplicated** between MemoryCache and boltStore — identical timer/goroutine/min-wait logic copied character-for-character
3. **ShardedCache started N purger goroutines** (17 in production) instead of coordinating a single purger at the cache level
4. **boltStore mixed storage and scheduling** — it embedded the purger but only worked correctly when wrapped by BoltCache; inside ShardedCache the per-shard purgers were dead weight
5. **All implementations and tests lived in two files** — cache.go and cache_test.go were ~2000 lines each
6. **No contract tests** — each implementation was tested independently with no shared assertion of Cache interface semantics
## Decisions
| # | Decision | Choice | Rationale |
| --- | --- | --- | --- |
| 1 | Lookup dedup approach | Extract `lookupCoordinator` struct used by all three Cache implementations | Eliminates triplicated lookup orchestration; each Cache only defines `Search` |
| 2 | File layout | One file per implementation (`memory.go`, `boltstore.go`, `bolt.go`, `sharded.go`) + shared types in `cache.go` | Each file under 500 lines; reviewable in isolation |
| 3 | Purger dedup approach | Extract `purger` struct with callback injection, embed in Cache implementations | Eliminates duplicated timer/goroutine/scheduling code between MemoryCache and boltStore |
| 4 | ShardedCache purger model | Single goroutine at ShardedCache level calling `sc.Purge` (fan-out) | Replaces N independent per-shard purgers; aligns with MemoryCache/BoltCache model |
| 5 | Where purger lives | Cache implementations own scheduling; boltStore is pure storage + purge execution | boltStore no longer pretends to self-schedule; avoids dead purger structs in ShardedCache shards |
| 6 | MinWaitTime configuration | Hardcoded in production constructor; no option func | `WithMinWaitTime` had exactly one call site with a hardcoded 30s value; option removed |
| 7 | boltStore TTL floor | Remove the 100ms minimum TTL enforced in `StoreItem`/`StoreError` | Violated the Cache interface contract; other implementations didn't enforce it |
| 8 | Test strategy | Table-driven contract tests covering all Cache methods for all stateful implementations; implementation-specific tests remain in dedicated `*_test.go` files | Contract tests catch interface drift; impl tests cover storage-specific edge cases |
| 9 | OTel on ShardedCache.Purge | Add wrapping span with aggregate stats | Gives top-level observability for the combined purge; per-shard spans nest underneath |
| 10 | Go idioms | Use `new(expr)` (Go 1.26) for pointer literals; `wg.Go` for goroutine fan-out | Reduces boilerplate in tests and production code |
## Phases
### Phase 1 — Centralize lookup deduplication
**Commit:** `84e13827e`
**What:** Extract `lookupCoordinator` into `lookup_coordinator.go`. It encapsulates the pending-work check → Search → retry flow. BoltCache, ShardedCache, and MemoryCache each pass themselves as a `cacheSearcher` and get dedup for free.
**Files:**
| File | Action |
| --- | --- |
| `lookup_coordinator.go` | **New** — `lookupCoordinator` struct, `cacheSearcher` interface, `Lookup` method |
| `lookup_common_test.go` | **New** — Tests for coordinator edge cases (nil pending, unknown method) |
| `cache.go` | Remove duplicated lookup logic; MemoryCache delegates to coordinator |
| `bolt_cache.go` | Remove duplicated lookup logic; BoltCache delegates to coordinator |
| `sharded_cache.go` | Remove duplicated lookup logic; ShardedCache delegates to coordinator |
**Validation:** All existing tests pass unchanged.
### Phase 2 — Split implementations into focused files
**Commit:** `a40975259`
**What:** Extract `boltStore` into `boltstore.go`, `MemoryCache` into `memory.go`, and their tests into `boltstore_test.go` / `memory_test.go`. Inline the `boltLookupObserver` abstraction (was unnecessary indirection). Rename `sharded_cache.go` → `sharded.go`, `bolt_cache.go` → `bolt.go`. `cache.go` retains only shared types (`CacheKey`, `SST`, `Cache` interface, `NoOpCache`, `NewCache`).
**Files:**
| File | Action |
| --- | --- |
| `memory.go` | **New** — `MemoryCache` implementation extracted from `cache.go` |
| `memory_test.go` | **New** — MemoryCache-specific tests extracted from `cache_test.go` |
| `boltstore.go` | **Renamed** from `bolt_cache.go` — `boltStore` storage implementation |
| `boltstore_test.go` | **New** — boltStore/BoltCache-specific tests extracted from `cache_test.go` |
| `bolt.go` | **New** — thin `BoltCache` wrapper (Lookup + constructor) |
| `sharded.go` | **Renamed** from `sharded_cache.go` |
| `sharded_test.go` | **Renamed** from `sharded_cache_test.go` |
| `cache.go` | Reduced to shared types and interface |
| `cache_test.go` | Reduced to cross-cutting tests |
**Validation:** All existing tests pass; `go vet` clean. `cache.go` drops from ~1200 to ~320 lines.
### Phase 3 — Housekeeping (goroutine patterns, interface asserts)
**Commits:** `13da03978`, `231b58727`
**What:** Modernize goroutine fan-out patterns to use `wg.Go` (Go 1.22+), add compile-time `var _ Cache = (*Impl)(nil)` assertions for all four implementations.
**Files:** Multiple files, small mechanical changes.
**Validation:** `go vet` clean; all tests pass.
### Phase 4 — Cache contract test suite
**Commit:** `7444e17fb`
**What:** Add comprehensive table-driven contract tests that run every Cache method against MemoryCache, BoltCache, and ShardedCache. NoOpCache gets its own dedicated test file. Document the Cache interface contract inline (state matrix, done() obligations, ignoreCache, GET cardinality, error precedence, TTL, copy semantics). Remove 7 tests from `cache_test.go` that are superseded by the contract suite. Update README to match current interface.
**Files:**
| File | Action |
| --- | --- |
| `cache_contract_test.go` | **New** — 26 contract tests covering Lookup, StoreItem, StoreError, Delete, Clear, Purge, GetMinWaitTime, StartPurger |
| `noop_cache_test.go` | **New** — NoOpCache-specific tests |
| `cache.go` | Normalize interface doc comments |
| `cache_test.go` | Remove superseded tests, add file-level classification comments |
| `README.md` | Update to match current interface |
**Validation:** All contract tests pass for all three stateful implementations. `go vet` clean.
### Phase 5 — Fix boltStore TTL floor contract violation
**Commit:** `7d377b27b`
**What:** boltStore enforced a 100ms minimum TTL in `StoreItem` and `StoreError`, silently clamping caller-provided durations. No other implementation did this, violating the Cache interface contract. Remove the floor.
**Files:** `boltstore.go` — remove the `if duration < 100*time.Millisecond` blocks.
**Validation:** Contract tests and `go vet` pass. Short-TTL items now expire as requested.
### Phase 6 — Extract purger struct
**Commit:** `5ed83de9a`
**What:** MemoryCache and boltStore had character-for-character identical purger scheduling code (StartPurger, setNextPurgeFromStats, setNextPurgeIfEarlier, GetMinWaitTime, plus the fields they operate on). Extract into a `purger` struct in `purger.go` with a `purgeFunc` callback for storage-specific work. Both implementations embed `purger`. Move `PurgeStats` and `MinWaitDefault` to `purger.go`.
**Files:**
| File | Action |
| --- | --- |
| `purger.go` | **New** — `purger` struct, `PurgeStats`, `MinWaitDefault`, scheduling methods |
| `memory.go` | Remove duplicated fields/methods; embed `purger`; constructor sets `purgeFunc = c.Purge` |
| `boltstore.go` | Remove duplicated fields/methods; embed `purger`; constructor sets `purgeFunc = c.Purge` |
| `memory_test.go` | Update `MinWaitTime` → `minWaitTime` (promoted unexported field) |
**Validation:** All tests pass including contract suite. `go vet` clean.
### Phase 7 — Unify ShardedCache to single purger goroutine
**Commit:** `0282f7f2c`
**What:** ShardedCache.StartPurger previously delegated to each of its N boltStore shards, creating N independent goroutines and timers (17 in production). Embed `purger` directly in ShardedCache with `purgeFunc = sc.Purge` (the existing fan-out method). Remove `StartPurger` and `GetMinWaitTime` overrides (promoted from embedded purger). Add `setNextPurgeIfEarlier` calls in `StoreItem`/`StoreError` to poke the cache-level timer. Add OTel `"ShardedCache.Purge"` span with `ovm.cache.shardCount`, `ovm.cache.numPurged`, `ovm.cache.purgeDurationMs` attributes. Per-shard boltStore purger timers stay nil (never started), so shard-level `setNextPurgeIfEarlier` calls in `storeResult` are safe no-ops.
**Files:**
| File | Action |
| --- | --- |
| `sharded.go` | Embed `purger`; remove `StartPurger`/`GetMinWaitTime` overrides; add timer pokes in `StoreItem`/`StoreError`; add OTel span to `Purge` |
**Validation:** All tests pass unchanged. Single goroutine replaces 17.
### Phase 8 — Move purge scheduling out of boltStore
**Commit:** `c67e4e049`
**What:** boltStore embedded `purger` and poked its own timer in `storeResult`, but this only worked when wrapped by BoltCache. Inside ShardedCache the per-shard purger was dead weight (nil timer, no-op pokes, 17 unused purger structs). Make boltStore a pure storage + purge-execution layer. BoltCache now embeds `purger` directly and adds `StoreItem`/`StoreError` wrappers. Remove `WithMinWaitTime` option (single call site); hardcode `minWaitTime = 30s` in the production constructor. All three Cache implementations (BoltCache, ShardedCache, MemoryCache) now uniformly own their scheduling. boltStore handles only storage and purge execution.
**Files:** | File | Action | | --- | --- | | `boltstore.go` | Remove `purger` embedding, `purgeFunc` init, `setNextPurgeIfEarlier` from `storeResult`, `WithMinWaitTime` option | | `bolt.go` | Embed `purger`; wire `purgeFunc = c.boltStore.Purge`; add `StoreItem`/`StoreError` wrappers | | `sharded.go` | Remove `minWaitTime` copy from `shards[0]`; hardcode `30s` in production constructor; remove `WithMinWaitTime` from option list | | `README.md` | Remove `WithMinWaitTime` documentation | **Validation:** All tests pass. `go vet` clean. ## Final Architecture ``` ┌─────────────────────────────────────────────────────┐ │ Cache interface │ │ Lookup · StoreItem · StoreError · Delete · Clear │ │ Purge · GetMinWaitTime · StartPurger │ ├──────────┬───────────────┬──────────────┬───────────┤ │MemoryCache│ BoltCache │ ShardedCache │ NoOpCache │ │embed: │embed: │embed: │(all no-op)│ │ purger │ purger │ purger │ │ │ btrees │ *boltStore │ []*boltStore│ │ │ pending │ pending │ pending │ │ │ lookup │ lookup │ lookup │ │ ├───────────┴───────────────┴──────────────┘ │ │ purger (purger.go) │ │ StartPurger · GetMinWaitTime · timer lifecycle │ │ purgeFunc callback → storage-specific Purge() │ ├──────────────────────────────────────────────────────┤ │ boltStore (boltstore.go) │ │ Pure storage: Search · StoreItem · StoreError │ │ Purge execution: Purge · purgeLocked · compact │ │ No scheduling, no timer, no goroutines │ └──────────────────────────────────────────────────────┘ ``` ## Test Structure | File | Scope | | --- | --- | | `cache_contract_test.go` | 26 interface contract tests × 3 implementations | | `noop_cache_test.go` | NoOpCache-specific no-op semantics | | `memory_test.go` | MemoryCache internals (concurrent purge, stop/restart, dedup) | | `boltstore_test.go` | boltStore/BoltCache internals (persistence, compaction, disk-full) | | `sharded_test.go` | ShardedCache internals (distribution, fan-out, error routing, bounds) | | `lookup_common_test.go` | lookupCoordinator edge cases | 
| `cache_test.go` | Cross-cutting tests (unexpired overwrite logging) | | `cache_stuck_test.go` | Stuck goroutine detection | | `cache_benchmark_test.go` | Performance benchmarks | ## Risks and Mitigations | Risk | Mitigation | | --- | --- | | Removing boltStore TTL floor changes observable behaviour | Contract tests verify short TTLs work; the floor was undocumented and violated the interface | | ShardedCache single purger changes timing of compaction checks | Compaction remains per-shard inside `boltStore.Purge`; only scheduling is unified | | `WithMinWaitTime` removal breaks external callers | No external callers exist — package is self-contained with `NewCache(ctx)` as sole entry point | | Per-shard `setNextPurgeIfEarlier` calls become no-ops | `purger.setNextPurgeIfEarlier` checks `purgeTimer == nil` and returns early; verified in code and tests | Made with [Cursor](https://cursor.com) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Refactors core cache storage/lookup/purge scheduling paths (including TTL semantics and ShardedCache purge concurrency), which could affect cache hit/miss behavior and purge timing despite added contract coverage. > > **Overview** > Refactors `sdpcache` into cleaner layers by extracting shared `lookupCoordinator` (pending-work dedup + retry + GET cardinality) and `purger` (timer-based purge scheduling) and moving each cache implementation into its own focused file. > > Changes `BoltCache` to wrap a pure `boltStore` (storage + purge execution only) while `BoltCache`/`MemoryCache`/`ShardedCache` embed `purger`; `ShardedCache` now runs a **single** cache-level purger goroutine, adds top-level OTel span/attributes for `Purge`, and ensures shard reads use `Search` to avoid stacked dedup. 
> > Updates cache behavior/docs by removing the Bolt TTL floor (no minimum TTL), dropping `WithMinWaitTime` from bolt options, and expanding `Cache` contract documentation; adds a large table-driven `cache_contract_test.go` suite plus reorganized backend-specific tests/benchmarks and README updates. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 874d1043cd559bc1381e45aa5e1ed7eebcacee14. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: David Schmitt <DavidS-ovm@users.noreply.github.com> GitOrigin-RevId: 4ae942c5c812bdcc7d0fc5b11b643e31a3d8b229
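The `purger` extraction in Phases 6 to 8, as an added illustration written for this page (not the `sdpcache` package's own code): a scheduler that owns the timer and the `minWaitTime` floor, a store that embeds it and supplies `purgeFunc`, and a `setNextPurgeIfEarlier` that returns early while `purgeTimer` is nil, which is the property the risk table relies on for per-shard purgers that are never started. The `PurgeStats` fields, the `memoryStore` type and every method signature here are assumptions; the real package's types are not reproduced.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"time"
)

// PurgeStats is what a storage layer's Purge reports back; the field set is assumed.
type PurgeStats struct {
	NumPurged  int
	NextExpiry time.Time // zero when nothing is left to expire
}

// purger owns scheduling only; the embedding cache supplies purgeFunc.
type purger struct {
	mu          sync.Mutex
	purgeTimer  *time.Timer // nil until StartPurger: pokes before that are no-ops
	nextPurge   time.Time
	minWaitTime time.Duration
	purgeFunc   func(context.Context) PurgeStats
}

// StartPurger arms the timer exactly once; repeated calls are harmless.
func (p *purger) StartPurger(ctx context.Context) {
	p.mu.Lock()
	defer p.mu.Unlock()
	if p.purgeTimer != nil {
		return
	}
	p.nextPurge = time.Now().Add(p.minWaitTime)
	p.purgeTimer = time.AfterFunc(p.minWaitTime, func() { p.runPurge(ctx) })
}

// runPurge executes the callback and re-arms from its stats, never sooner than
// minWaitTime. Once ctx is cancelled the timer is simply never re-armed.
func (p *purger) runPurge(ctx context.Context) {
	stats := p.purgeFunc(ctx)
	p.mu.Lock()
	defer p.mu.Unlock()
	if ctx.Err() != nil {
		return
	}
	wait := p.minWaitTime
	if d := time.Until(stats.NextExpiry); !stats.NextExpiry.IsZero() && d > wait {
		wait = d
	}
	p.nextPurge = time.Now().Add(wait)
	p.purgeTimer.Reset(wait)
}

// setNextPurgeIfEarlier is the poke StoreItem/StoreError make after a write and
// reports whether the timer was pulled earlier. With a nil timer (a purger that
// was never started, like the page's per-shard ones) it is a safe no-op.
func (p *purger) setNextPurgeIfEarlier(expiry time.Time) bool {
	p.mu.Lock()
	defer p.mu.Unlock()
	if floor := time.Now().Add(p.minWaitTime); expiry.Before(floor) {
		expiry = floor
	}
	if p.purgeTimer == nil || !expiry.Before(p.nextPurge) {
		return false
	}
	p.nextPurge = expiry
	p.purgeTimer.Reset(time.Until(expiry))
	return true
}

// memoryStore is an assumed stand-in for a cache that embeds purger.
type memoryStore struct {
	purger
	mu    sync.Mutex
	items map[string]time.Time // key -> expiry
}

func newMemoryStore(minWait time.Duration) *memoryStore {
	s := &memoryStore{items: map[string]time.Time{}}
	s.minWaitTime = minWait
	s.purgeFunc = s.Purge // storage-specific work stays in the store
	return s
}

func (s *memoryStore) StoreItem(key string, ttl time.Duration) {
	exp := time.Now().Add(ttl)
	s.mu.Lock()
	s.items[key] = exp
	s.mu.Unlock()
	s.setNextPurgeIfEarlier(exp) // no-op until StartPurger has run
}

// Purge drops expired items and reports the earliest remaining expiry.
func (s *memoryStore) Purge(ctx context.Context) PurgeStats {
	s.mu.Lock()
	defer s.mu.Unlock()
	now, st := time.Now(), PurgeStats{}
	for k, exp := range s.items {
		if !exp.After(now) {
			delete(s.items, k)
			st.NumPurged++
		} else if st.NextExpiry.IsZero() || exp.Before(st.NextExpiry) {
			st.NextExpiry = exp
		}
	}
	return st
}

func (s *memoryStore) Len() int { s.mu.Lock(); defer s.mu.Unlock(); return len(s.items) }

func main() {
	s := newMemoryStore(20 * time.Millisecond)
	s.StoreItem("short", time.Millisecond)
	s.StoreItem("long", time.Hour)
	fmt.Println("poke before start pulled the timer:", s.setNextPurgeIfEarlier(time.Now()))
	s.StartPurger(context.Background())
	time.Sleep(60 * time.Millisecond) // let the first scheduled purge run
	fmt.Println("items left:", s.Len())
}
```

The floor in `setNextPurgeIfEarlier` is applied before the comparison, so a burst of short-TTL writes can never schedule a purge sooner than `minWaitTime` from now; a poke only pulls the timer in when the scheduler had previously re-armed far out from a distant `NextExpiry`.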
… install flow (#4338)

## Summary

- Replace the non-functional cookie-based CSRF mechanism with a database-backed opaque UUID `state` parameter for the GitHub App install OAuth flow
- Add `CreateGithubInstallURL` RPC so the frontend can request a signed install URL rather than constructing one client-side
- Add River periodic cleanup job (12h interval) for expired state tokens (7-day TTL)

## Linear Ticket

- **Ticket**: [ENG-3281](https://linear.app/overmind/issue/ENG-3281) — Phase 2a: DB-backed state parameter (backend + DB)
- **Purpose**: Fix the broken CSRF protection in the GitHub App install callback by replacing cookie-based state with a server-generated, DB-backed UUID
- **Blocks**: [ENG-3282](https://linear.app/overmind/issue/ENG-3282) (Phase 2b: Frontend — activate DB-backed state flow)

## Changes

**Database:**

- New `github_oauth_states` table with UUID primary key, account_name FK, and created_at timestamp
- Atlas migration for the new table
- SQLC queries: `CreateGithubOAuthState`, `ConsumeGithubOAuthState`, `CleanupExpiredGithubOAuthStates`
- Changed `UpdateAccountGithubInstallationID` and `SetAccountGithubPendingRequest` to `:execrows` for zero-row detection

**Protobuf:**

- New `CreateGithubInstallURL` RPC in `ConfigurationService` with request/response messages
- Regenerated Go and TypeScript protobuf code

**Backend:**

- `CreateGithubInstallURL` handler: creates DB state row, builds install URL with state UUID
- New callback handler (`GET /api/github/callback`): consumes DB state for account identity, handles install/request/update flows
- OAuth helpers: code exchange, user lookup, installations list, pending request disambiguation (most recent by `created_at`)
- Unique constraint violation on `github_requested_org_id` handled with `?error=org_already_claimed` redirect
- `InstallationValidator` function type for testable GitHub App-level validation
- River periodic cleanup job for expired states
- `GithubAppName` config wired through Viper flags, config, and Terraform

**Tests:**

- 7 callback handler test cases with mock GitHub server and DB-backed state
- 4 OAuth helper unit tests including disambiguation logic
- All tests pass with `-race`; atomic counter for unique installation IDs

## Approved Plan

- **Plan approver**: Daniel Carabas
- **Linear ticket**: [ENG-3281](https://linear.app/overmind/issue/ENG-3281/phase-2a-db-backed-state-parameter-backend-db) (plan in description)

> Deviation analysis and reviewer assignment are handled automatically by the
> pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md).

## Pre-PR Review

<details>
<summary>Review findings: 0 Blocking, 5 Warnings, 5 Advisories, 0 Failed</summary>

### Security Review (0 Blocking, 4 Warning)

- [Warning] No auth tests for `CreateGithubInstallURL` — other config RPCs have unauthenticated/wrong-scope tests; this new RPC does not. Consider adding in Phase 2b or a follow-up.
- [Warning] `GithubAppName` not validated for URL-unsafe characters — consider restricting to alphanumeric/hyphen.
- [Warning] Unauthenticated callback endpoint `GET /api/github/callback` — intentional (OAuth redirect from GitHub); does not expose internal data; account identity from DB-backed single-use state UUID.
- [Warning] No rate limiting on callback endpoint — consider adding for DoS resilience.

Verified secure: `CreateGithubInstallURL` enforces `config:write` scope; callback only redirects with fixed error codes; state is consumed once; SQL is parameterized; no SSRF (URLs from config); no XSS (error codes URL-escaped).

### Database Review (0 Blocking, 1 Warning)

- [Warning] No index on `github_oauth_states.created_at` — cleanup query filters on this column; acceptable for a small, short-lived table but consider adding if it grows.

All blocking checks pass: no manually edited .sql.go files, no destructive migrations, account_name filtering appropriate for internal-only table.

### Architecture Review (5 Advisory)

- [Advisory] Cross-cutting scope — changes span `.devcontainer/`, `go/sdp-go/`, `sdp/`, `sdp-js/`, `services/api-server/`, `deploy/`.
- [Advisory] New user flow without feature flag — acceptable as a security fix for broken CSRF.
- [Advisory] Customer-facing workflow changes — frontend will need to call `CreateGithubInstallURL` (Phase 2b).
- [Advisory] No ADR conflicts detected.
- [Advisory] Consider monitoring/alerting on high error rates for callback handler and cleanup worker.

### DevOps Review (0 Blocking, 0 Warning after fix)

- ~~[Warning] `GithubAppName` env var not wired through Viper/Terraform~~ — **Fixed** in follow-up commit.
- [Advisory] Span name `CleanupGithubOAuthStates` could use `ovm.` prefix for consistency.
- [Advisory] OTel attributes correctly use `ovm.` prefix and camelCase.

</details>

## Deviations from Approved Plan

> Implementation matches the approved plan — no material deviations. The `GithubAppName` Viper/Terraform wiring was implicit in the plan (which specified adding the config field and env var) but was missed in the initial commit. Fixed in a follow-up commit before PR creation.

Made with [Cursor](https://cursor.com)

---

> [!NOTE]
> **High Risk**
> Adds a new unauthenticated GitHub OAuth callback endpoint plus new DB tables/queries and account-write paths for storing installations/requests, so mistakes could impact account linking and security of the install flow.
>
> **Overview**
> Implements a DB-backed `state` token for the GitHub App installation OAuth flow and exposes a new `ConfigurationService.CreateGithubInstallURL` RPC (Go + TS generated clients) so the frontend can request a server-built install URL.
>
> Adds a new `github_oauth_states` table with sqlc queries and a River periodic cleanup worker (7-day TTL, runs every 12h) to manage single-use state tokens.
>
> Introduces `GET /api/github/callback` to consume/validate state, exchange the OAuth code, verify user identity (GitHub verified email vs Auth0 user in account), and then either store the installation ID or record a pending org request with clear redirect error codes and unique-violation handling.
>
> Wires new `github-app-name`/`API_SERVER_GITHUB_APP_NAME` config through dev env + Terraform, adds `dbkit.IsUniqueViolation`, and updates sqlc account update queries to return `RowsAffected` for not-found detection.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 67a083c2cc06494f93d965d304a4534bf786cc48. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 18c0e3cb962efbc72544cc41c16422abaad3906d
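The DB-backed `state` flow above, as an added example that is not the api-server's own code: an in-memory stand-in for `github_oauth_states` with the create and single-use consume steps, the install URL builder that `CreateGithubInstallURL` would return, and a callback handler that resolves the account only from a consumed state and redirects with fixed error codes. The UUID generation, the `^[a-z0-9-]+$` app-name check (the review only suggests one), the `/settings/github` redirect target and the `invalid_state`/`install_failed` error codes are assumptions, not identifiers from the PR; the OAuth code exchange is represented by the `onInstall` callback, and the periodic cleanup job is omitted (expired rows are refused and deleted on consume).

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"sync"
	"time"
)

const stateTTL = 7 * 24 * time.Hour // the page's 7-day TTL for unconsumed states

var (
	errInvalidState = errors.New("state unknown, already consumed, or expired")
	// Assumed policy (the review only suggests it): App slugs are [a-z0-9-].
	appNameRE = regexp.MustCompile(`^[a-z0-9-]+$`)
)

type stateRow struct {
	accountName string
	createdAt   time.Time
}

// stateStore stands in for github_oauth_states. In SQL, Consume would be one
// DELETE ... RETURNING so two callbacks racing on a UUID cannot both win; the
// mutex gives the same atomicity here.
type stateStore struct {
	mu   sync.Mutex
	rows map[string]stateRow
	now  func() time.Time // injectable clock
}

// newStateID mints a random RFC 4122 version-4 UUID from crypto/rand.
func newStateID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80 // version and variant bits
	h := hex.EncodeToString(b[:])
	return fmt.Sprintf("%s-%s-%s-%s-%s", h[:8], h[8:12], h[12:16], h[16:20], h[20:]), nil
}

// Create binds a fresh opaque state to the authenticated account.
func (s *stateStore) Create(accountName string) (string, error) {
	id, err := newStateID()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	s.rows[id] = stateRow{accountName: accountName, createdAt: s.now()}
	s.mu.Unlock()
	return id, nil
}

// Consume deletes the row and returns its account exactly once; an expired
// row is deleted too but reported as invalid.
func (s *stateStore) Consume(id string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	row, ok := s.rows[id]
	delete(s.rows, id)
	if !ok || s.now().Sub(row.createdAt) > stateTTL {
		return "", errInvalidState
	}
	return row.accountName, nil
}

// InstallURL is what CreateGithubInstallURL would hand the frontend.
func InstallURL(appName, state string) (string, error) {
	if !appNameRE.MatchString(appName) {
		return "", fmt.Errorf("invalid GitHub App name %q", appName)
	}
	return "https://github.com/apps/" + appName + "/installations/new?state=" + url.QueryEscape(state), nil
}

// CallbackHandler takes the account identity only from a consumed state and
// redirects with fixed error codes, never echoing request input. The OAuth
// code exchange is delegated to onInstall; the paths and codes are assumed.
func CallbackHandler(store *stateStore, onInstall func(account, code string) error) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		account, err := store.Consume(q.Get("state"))
		if err != nil {
			http.Redirect(w, r, "/settings/github?error=invalid_state", http.StatusSeeOther)
			return
		}
		if err := onInstall(account, q.Get("code")); err != nil {
			http.Redirect(w, r, "/settings/github?error=install_failed", http.StatusSeeOther)
			return
		}
		http.Redirect(w, r, "/settings/github?installed=1", http.StatusSeeOther)
	}
}

func main() {
	store := &stateStore{rows: map[string]stateRow{}, now: time.Now}
	state, _ := store.Create("acme")
	u, _ := InstallURL("overmind-dev", state)
	_, first := store.Consume(state)
	_, replay := store.Consume(state)
	fmt.Println(u, "\nfirst consume:", first, "\nreplay:", replay)
}
```

Because the account comes from the consumed row rather than from anything GitHub sends back, an attacker who tricks a victim into visiting the callback with a state they minted themselves can only bind the installation to the attacker's own account, and a replayed or guessed state fails closed with the same fixed error code.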
….4.1 [security] (#4347)

This PR contains the following updates:

| Package | Change |
|---|---|
| [github.com/modelcontextprotocol/go-sdk](https://redirect.github.com/modelcontextprotocol/go-sdk) | `v1.4.0` → `v1.4.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

### GitHub Vulnerability Alerts

#### [GHSA-q382-vc8q-7jhj](https://redirect.github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-q382-vc8q-7jhj)

The Go SDK recently transitioned to the `segmentio/encoding` library for JSON parsing in version 1.3.1. While this change addressed both case-insensitivity and ASCII folding issues, the new parser implemented aggressive key matching that treated keys with `null` Unicode characters appended at the end as equivalent to their base strings.

#### Impact

When combined with duplicate keys, the described behavior leads to a "last key wins" resolution that could override the intended MCP message. This had the potential for:

- **Bypassing intermediary inspection:** Proxies or policy layers that matched on exact field names may have failed to detect or filter these messages.
- **Cross-implementation inconsistency:** Other MCP SDKs (TypeScript, Python) use case-sensitive parsing and would reject the same messages, creating potential security-boundary confusion.

#### Fix:

The `segmentio/encoding` package was patched with a fix in segmentio/encoding@7d5a25d and a new version of the package was released (`v0.5.4`). The SDK switched to the patched version of the dependency in 724dd47aa. Users are advised to update to v1.4.1 to resolve this issue.

#### Credits:

Thank you to Francesco Lacerenza (Doyensec) for reporting this issue.

---

### Release Notes

<details>
<summary>modelcontextprotocol/go-sdk (github.com/modelcontextprotocol/go-sdk)</summary>

### [`v1.4.1`](https://redirect.github.com/modelcontextprotocol/go-sdk/releases/tag/v1.4.1)

[Compare Source](https://redirect.github.com/modelcontextprotocol/go-sdk/compare/v1.4.0...v1.4.1)

***This release is a patch release for v1.4.0.*** It contains cherry-picks for several security improvements. Security advisories will follow.

### Fixes

#### Update of the `segmentio/encoding` module version

The JSON parsing library that was adopted to avoid attacks taking advantage of Go's standard parser being case-insensitive turned out to contain an issue itself. We have submitted the fix upstream and this release updates the dependency to the patched version.

#### Cross-origin requests protection

We have added additional protection against cross origin requests. From now on, we verify that `Content-Type` for JSON-RPC `POST` requests is set to `application/json` and use the new `http.CrossOriginProtection` functionality to verify the origin of the request. Usage of this functionality required **increasing the required Go version to 1.25**, which is in line with our Go version policy of supporting two newest Go versions. The behavior can be customized by passing a configured `http.CrossOriginProtection` object to `StreamableHTTPOptions`.

Since this is a behavior change, we introduced a compatibility parameter `disablecrossoriginprotection` that allows it to be disabled temporarily. It will be removed in `v1.6.0` version of the SDK. See [here](https://redirect.github.com/modelcontextprotocol/go-sdk/blob/main/docs/mcpgodebug.md) for more details about behavior changes and a history of compatibility parameters across SDK versions.

#### Allowing customization of `http.Client` for client-side OAuth

We have introduced an optional `http.Client` parameter to `AuthorizationCodeHandlerConfig`. This allows customization of the transport, for example implementing environment specific protection against [Server-Side Request Forgery](https://modelcontextprotocol.io/docs/tutorials/security/security_best_practices#server-side-request-forgery-ssrf).

### Pull requests

- internal: fix Unicode zero character handling by [@​maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#​841](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/841)
- auth: allow passing custom http.Client to AuthorizationC

odeHandler by [@​maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#​840](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/840)
- mcp: verify 'Origin' and 'Content-Type' headers by [@​maciej-kisiel](https://redirect.github.com/maciej-kisiel) in [#​842](https://redirect.github.com/modelcontextprotocol/go-sdk/pull/842)

**Full Changelog**: <modelcontextprotocol/go-sdk@v1.4.0...v1.4.1>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 25faf3a4f8dc8c406e86a6df26dfc1813eb42795
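The advisory describes two lenient-parser behaviours a proxy or policy layer should refuse to inherit: keys conflated after a trailing NUL, and last-key-wins on duplicates. The Go example below is added here and is not go-sdk code: it walks a JSON-RPC message with `encoding/json`'s streaming tokenizer and rejects duplicate keys, keys that collide under the standard library's own case-insensitive struct-field matching, and keys containing control characters (which covers the NUL case). `LenientMethod` shows what plain `json.Unmarshal` does with the same bytes so the two can be compared. The sample messages are constructed for this page, not captured from any client.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"strings"
	"unicode"
)

// objectFrame tracks the keys already seen in one JSON object (arrays get a
// frame too, so the nesting stack stays aligned, but never expect keys).
type objectFrame struct {
	isObject  bool
	expectKey bool
	seen      map[string]string // folded key -> first spelling seen
}

// foldKey applies the equivalence encoding/json applies when matching struct
// fields: "Method" and "method" land on the same field. Keys that differ only
// by appended NULs are caught by the control-character check instead.
func foldKey(k string) string { return strings.ToLower(k) }

func (f *objectFrame) checkKey(key string) error {
	for _, r := range key {
		if unicode.IsControl(r) {
			return fmt.Errorf("key %q contains control character U+%04X", key, r)
		}
	}
	folded := foldKey(key)
	if prev, ok := f.seen[folded]; ok {
		if prev == key {
			return fmt.Errorf("duplicate key %q", key)
		}
		return fmt.Errorf("key %q collides with %q under case-insensitive matching", key, prev)
	}
	f.seen[folded] = key
	return nil
}

// CheckKeys walks every object in a JSON document and rejects duplicate,
// case-colliding and control-character keys; the same key in sibling objects is fine.
func CheckKeys(data []byte) error {
	dec := json.NewDecoder(bytes.NewReader(data))
	var stack []*objectFrame
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return err
		}
		if d, ok := tok.(json.Delim); ok {
			switch d {
			case '{':
				stack = append(stack, &objectFrame{isObject: true, expectKey: true, seen: map[string]string{}})
				continue
			case '[':
				stack = append(stack, &objectFrame{})
				continue
			default: // '}' or ']': the container that just closed is a complete value
				stack = stack[:len(stack)-1]
			}
		} else if top := len(stack) - 1; top >= 0 && stack[top].isObject && stack[top].expectKey {
			key, ok := tok.(string)
			if !ok {
				return fmt.Errorf("non-string object key %v", tok)
			}
			if err := stack[top].checkKey(key); err != nil {
				return err
			}
			stack[top].expectKey = false
			continue
		}
		// A complete value was just consumed; an enclosing object expects a key next.
		if top := len(stack) - 1; top >= 0 && stack[top].isObject {
			stack[top].expectKey = true
		}
	}
}

// StrictUnmarshal is the drop-in for a policy layer: validate keys, then decode.
func StrictUnmarshal(data []byte, v any) error {
	if err := CheckKeys(data); err != nil {
		return err
	}
	return json.Unmarshal(data, v)
}

type rpcRequest struct {
	Method string `json:"method"`
}

// LenientMethod shows plain json.Unmarshal on the same bytes: the last matching
// key wins, including a key that only matches case-insensitively.
func LenientMethod(data []byte) string {
	var r rpcRequest
	_ = json.Unmarshal(data, &r)
	return r.Method
}

// Constructed sample JSON-RPC messages, not captured from a real client.
var samples = map[string]string{
	"clean":  `{"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}`,
	"dup":    `{"jsonrpc":"2.0","id":1,"method":"tools/list","method":"tools/call"}`,
	"nul":    `{"jsonrpc":"2.0","id":1,"method":"tools/list","method\u0000":"tools/call"}`,
	"case":   `{"jsonrpc":"2.0","id":1,"method":"tools/list","Method":"tools/call"}`,
	"nested": `{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"a","name":"b"}}`,
}

func main() {
	for _, name := range []string{"clean", "dup", "nul", "case", "nested"} {
		data := []byte(samples[name])
		fmt.Printf("%-6s lenient method=%q  strict err=%v\n", name, LenientMethod(data), CheckKeys(data))
	}
}
```

Note what the lenient path does with each sample: the duplicate and the case-variant both end up as `tools/call` because `encoding/json` lets the last matching key win, while the NUL-suffixed key is simply ignored by the standard library. A proxy that validates with `CheckKeys` before forwarding sees all four malformed messages the same way the TypeScript and Python SDKs do, which closes the cross-implementation gap the advisory describes.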
This PR contains the following updates:

| Package | Change |
|---|---|
| [cloud.google.com/go/bigtable](https://redirect.github.com/googleapis/google-cloud-go) | `v1.42.0` → `v1.43.0` |
| [github.com/aws/aws-sdk-go-v2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.3` → `v1.41.4` |
| [github.com/aws/aws-sdk-go-v2/config](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.32.11` → `v1.32.12` |
| [github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.19.11` → `v1.19.12` |
| [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.18.19` → `v1.18.20` |
| [github.com/aws/aws-sdk-go-v2/service/apigateway](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.38.6` → `v1.39.0` |
| [github.com/aws/aws-sdk-go-v2/service/autoscaling](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.64.2` → `v1.64.3` |
| [github.com/aws/aws-sdk-go-v2/service/cloudfront](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.60.2` → `v1.60.3` |
| [github.com/aws/aws-sdk-go-v2/service/cloudwatch](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.55.1` → `v1.55.2` |
| [github.com/aws/aws-sdk-go-v2/service/directconnect](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.38.13` → `v1.38.14` |
| [github.com/aws/aws-sdk-go-v2/service/dynamodb](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.56.1` → `v1.56.2` |
| [github.com/aws/aws-sdk-go-v2/service/ec2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.294.0` → `v1.296.0` |
| [github.com/aws/aws-sdk-go-v2/service/ecs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.73.1` → `v1.74.0` |
| [github.com/aws/aws-sdk-go-v2/service/efs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.12` → `v1.41.13` |
| [github.com/aws/aws-sdk-go-v2/service/eks](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.81.0` → `v1.81.1` |
| [github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.33.21` → `v1.33.22` |
| [github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.54.8` → `v1.54.9` |
| [github.com/aws/aws-sdk-go-v2/service/iam](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.53.5` → `v1.53.6` |
| [github.com/aws/aws-sdk-go-v2/service/kms](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.50.2` → `v1.50.3` |
| [github.com/aws/aws-sdk-go-v2/service/lambda](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.88.2` → `v1.88.3` |
| [github.com/aws/aws-sdk-go-v2/service/networkfirewall](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.59.5` → `v1.59.6` |
| [github.com/aws/aws-sdk-go-v2/service/networkmanager](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.6` → `v1.41.7` |
| [github.com/aws/aws-sdk-go-v2/service/rds](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.116.2` → `v1.116.3` |
| [github.com/aws/aws-sdk-go-v2/service/route53](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.62.3` → `v1.62.4` |
| [github.com/aws/aws-sdk-go-v2/service/s3](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.97.0` → `v1.97.1` |
| [github.com/aws/aws-sdk-go-v2/service/sesv2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.60.0` → `v1.60.1` |
| [github.com/aws/aws-sdk-go-v2/service/sns](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.39.13` → `v1.39.14` |
| [github.com/aws/aws-sdk-go-v2/service/sqs](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.42.23` → `v1.42.24` |
| [github.com/aws/aws-sdk-go-v2/service/ssm](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.68.2` → `v1.68.3` |
| [github.com/aws/aws-sdk-go-v2/service/sts](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.41.8` → `v1.41.9` |
| [github.com/googleapis/gax-go/v2](https://redirect.github.com/googleapis/gax-go) | `v2.18.0` → `v2.19.0` |
| [github.com/harness/harness-go-sdk](https://redirect.github.com/harness/harness-go-sdk) | `v0.7.15` → `v0.7.16` |
| [github.com/nats-io/jwt/v2](https://redirect.github.com/nats-io/jwt) | `v2.8.0` → `v2.8.1` |
| [github.com/openai/openai-go/v3](https://redirect.github.com/openai/openai-go) | `v3.26.0` → `v3.29.0` |
| [github.com/resend/resend-go/v3](https://redirect.github.com/resend/resend-go) | `v3.1.1` → `v3.2.0` |
| [google.golang.org/api](https://redirect.github.com/googleapis/google-api-go-client) | `v0.271.0` → `v0.272.0` |
| [k8s.io/api](https://redirect.github.com/kubernetes/api) | `v0.35.2` → `v0.35.3` |
| [k8s.io/apimachinery](https://redirect.github.com/kubernetes/apimachinery) | `v0.35.2` → `v0.35.3` |
| [k8s.io/client-go](https://redirect.github.com/kubernetes/client-go) | `v0.35.2` → `v0.35.3` |
| [k8s.io/component-base](https://redirect.github.com/kubernetes/component-base) | `v0.35.2` → `v0.35.3` |
| [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `v1.46.1` → `v1.47.0` |
| [sigs.k8s.io/controller-runtime/tools/setup-envtest](https://redirect.github.com/kubernetes-sigs/controller-runtime) | `v0.0.0-20260311125736-37c380b7405b` → `v0.0.0-20260318145839-6c9615a2a166` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2)</summary>

### [`v1.41.4`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2024-03-25)

[Compare Source](https://redirect.github.com/aws/aws-sdk-go-v2/compare/v1.41.3...v1.41.4)

#### General Highlights

- **Dependency Update**: Updated to the latest SDK module versions

#### Module Highlights

- `github.com/aws/aws-sdk-go-v2/feature/dynamodb/attributevalue`: [v1.13.12](feature/dynamodb/attributevalue/CHANGELOG.md#v11312-2024-03-25)
  - **Bug Fix**: Removes some duplicated reflection-based calls in the marshaler.
- `github.com/aws/aws-sdk-go-v2/service/codebuild`: [v1.32.0](service/codebuild/CHANGELOG.md#v1320-2024-03-25)
  - **Feature**: Supporting GitLab and GitLab Self Managed as source types in AWS CodeBuild.
- `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.153.0](service/ec2/CHANGELOG.md#v11530-2024-03-25)
  - **Feature**: Added support for ModifyInstanceMetadataDefaults and GetInstanceMetadataDefaults to set Instance Metadata Service account defaults
- `github.com/aws/aws-sdk-go-v2/service/ecs`: [v1.41.4](service/ecs/CHANGELOG.md#v1414-2024-03-25)
  - **Documentation**: Documentation only update for Amazon ECS.
- `github.com/aws/aws-sdk-go-v2/service/emrcontainers`: [v1.26.0](service/emrcontainers/CHANGELOG.md#v1260-2024-03-25)
  - **Feature**: This release increases the number of supported job template parameters from 20 to 100.
- `github.com/aws/aws-sdk-go-v2/service/globalaccelerator`: [v1.23.0](service/globalaccelerator/CHANGELOG.md#v1230-2024-03-25)
  - **Feature**: AWS Global Accelerator now supports cross-account sharing for bring your own IP addresses.
- `github.com/aws/aws-sdk-go-v2/service/medialive`: [v1.49.0](service/medialive/CHANGELOG.md#v1490-2024-03-25)
  - **Feature**: Exposing TileMedia H265 options
- `github.com/aws/aws-sdk-go-v2/service/sagemaker`: [v1.134.0](service/sagemaker/CHANGELOG.md#v11340-2024-03-25)
  - **Feature**: Introduced support for the following new instance types on SageMaker Studio for JupyterLab and CodeEditor applications: m6i, m6id, m7i, c6i, c6id, c7i, r6i, r6id, r7i, and p5

</details>

<details>
<summary>googleapis/gax-go (github.com/googleapis/gax-go/v2)</summary>

### [`v2.19.0`](https://redirect.github.com/googleapis/gax-go/releases/tag/v2.19.0): v2: v2.19.0

[Compare Source](https://redirect.github.com/googleapis/gax-go/compare/v2.18.0...v2.19.0)

##### Features

- update WithLogger to WithLoggerContext. ([#​478](https://redirect.github.com/googleapis/gax-go/issues/478)) ([1cb70baf](https://redirect.github.com/googleapis/gax-go/commit/1cb70baf))
- pass logger to downstream via context ([#​474](https://redirect.github.com/googleapis/gax-go/issues/474)) ([434fa676](https://redirect.github.com/googleapis/gax-go/commit/434fa676))
- add WithClientMetrics CallOption ([#​479](https://redirect.github.com/googleapis/gax-go/issues/479)) ([76f0284e](https://redirect.github.com/googleapis/gax-go/commit/76f0284e))
- add TransportTelemetryData for dynamic transport attributes ([#​481](https://redirect.github.com/googleapis/gax-go/issues/481)) ([8a7caf00](https://redirect.github.com/googleapis/gax-go/commit/8a7caf00))
- add ClientMetrics initialization core ([#​473](https://redirect.github.com/googleapis/gax-go/issues/473)) ([f53618c2](https://redirect.github.com/googleapis/gax-go/commit/f53618c2))

##### Bug Fixes

- lazy initialization and getters for ClientMetrics ([#​485](https://redirect.github.com/googleapis/gax-go/issues/485)) ([fb6c5f4d](https://redirect.github.com/googleapis/gax-go/commit/fb6c5f4d))

</details>

<details>
<summary>harness/harness-go-sdk (github.com/harness/harness-go-sdk)</summary>

### [`v0.7.16`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.15...v0.7.16)

[Compare Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.15...v0.7.16)

</details>

<details>
<summary>nats-io/jwt (github.com/nats-io/jwt/v2)</summary>

### [`v2.8.1`](https://redirect.github.com/nats-io/jwt/releases/tag/v2.8.1)

[Compare Source](https://redirect.github.com/nats-io/jwt/compare/v2.8.0...v2.8.1)

#### What's Changed

- fix: allow import of same service subject from different accounts by [@​choufraise](https://redirect.github.com/choufraise) in [#​243](https://redirect.github.com/nats-io/jwt/pull/243)
- added a check when generating creds that the specified key is valid for the JWT provided. by [@​aricart](https://redirect.github.com/aricart) in [#​242](https://redirect.github.com/nats-io/jwt/pull/242)
- bump dependencies, streamline test matrix by [@​aricart](https://redirect.github.com/aricart) in [#​244](https://redirect.github.com/nats-io/jwt/pull/244)
- ci: enable claude by [@​aricart](https://redirect.github.com/aricart) in [#​246](https://redirect.github.com/nats-io/jwt/pull/246)
- fix: make DecorateSeed more resilient in case of short input by [@​aricart](https://redirect.github.com/aricart) in [#​245](https://redirect.github.com/nats-io/jwt/pull/245)
- fix: ensure that weighted mappings don't exceed 100 by [@​aricart](https://redirect.github.com/aricart) in [#​247](https://redirect.github.com/nats-io/jwt/pull/247)
- fix: added a check for the size of JWT token by [@​aricart](https://redirect.github.com/aricart) in [#​248](https://redirect.github.com/nats-io/jwt/pull/248)

#### New Contributors

- [@​choufraise](https://redirect.github.com/choufraise) made their first contribution in [#​243](https://redirect.github.com/nats-io/jwt/pull/243)

**Full Changelog**: <nats-io/jwt@v2.8.0...v2.8.1>

</details>

<details>
<summary>openai/openai-go (github.com/openai/openai-go/v3)</summary>

### [`v3.29.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.29.0)

[Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.28.0...v3.29.0)

#### 3.29.0 (2026-03-17)

Full Changelog: [v3.28.0...v3.29.0](https://redirect.github.com/openai/openai-go/compare/v3.28.0...v3.29.0)

##### Features

- **api:** 5.4 nano and mini model slugs ([c4ebb48](https://redirect.github.com/openai/openai-go/commit/c4ebb48b3314d41ae1ca8006ccf7d5b9facad61e))
- **api:** add in and nin values to comparison filter type ([d060d44](https://redirect.github.com/openai/openai-go/commit/d060d4473d6ca87e0427eea709f87d5edd0e7c78))

##### Chores

- **internal:** tweak CI branches ([6379626](https://redirect.github.com/openai/openai-go/commit/63796269b563770b6cbb24144edade0e57051e50))

### [`v3.28.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.28.0)

[Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.27.0...v3.28.0)

#### 3.28.0 (2026-03-14)

Full Changelog: [v3.27.0...v3.28.0](https://redirect.github.com/openai/openai-go/compare/v3.27.0...v3.28.0)

##### Features

- **api:** add /v1/videos endpoint option to batch ([7b2d67e](https://redirect.github.com/openai/openai-go/commit/7b2d67e3d65737572d89536d16ed81a3ce39688f))
- **api:** add defer\_loading field to function tools ([6d4b683](https://redirect.github.com/openai/openai-go/commit/6d4b6833e5b0b29a9b1d0c99062a231290e8b93f))
- **api:** custom voices ([d00b782](https://redirect.github.com/openai/openai-go/commit/d00b782c32db4c953b8e39edc5a77504693c70f3))

##### ⚠ BREAKING CHANGES

- **api:** The `voice` param and resource has changed from a `string` to a `string | {id: string}`. This is a breaking change for Go.

### [`v3.27.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.27.0)

[Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.26.0...v3.27.0)

#### 3.27.0 (2026-03-13)

Full Changelog: [v3.26.0...v3.27.0](https://redirect.github.com/openai/openai-go/compare/v3.26.0...v3.27.0)

##### Features

- **api:** add video character/edit/extend, remove Azure/webhook/polling/accumulator ([20da043](https://redirect.github.com/openai/openai-go/commit/20da043643286aa444450f4bf4ab6f68c5401455))
- **api:** add video edits/extensions/character, remove Azure/webhook/polling helpers ([fa9413f](https://redirect.github.com/openai/openai-go/commit/fa9413f9b7c00ec36b124c4b3714daf2b2cd978d))
- **api:** api update ([c88c6c9](https://redirect.github.com/openai/openai-go/commit/c88c6c9732f7b7a8cd739b8006a56d564ab59183))
- **api:** sora api improvements: character api, video extensions/edits, higher resolution exports. ([93f6779](https://redirect.github.com/openai/openai-go/commit/93f6779c0c2a1beb7f68b570c61aae8fda52fd1f))

##### Chores

- **internal:** codegen related update ([d531232](https://redirect.github.com/openai/openai-go/commit/d5312325255bcac5934636d320653c338bb9622e))
- **internal:** codegen related update ([1748c11](https://redirect.github.com/openai/openai-go/commit/1748c114b2d642b38fdacfef7823cbd4130c29c5))
- **internal:** codegen related update ([531ece1](https://redirect.github.com/openai/openai-go/commit/531ece1703028189ba6081a168f3a979481dcf0c))
- **internal:** codegen related update ([ce9f435](https://redirect.github.com/openai/openai-go/commit/ce9f4357c22b533fff0d3385058dbadc033928e8))

</details>

<details>
<summary>resend/resend-go (github.com/resend/resend-go/v3)</summary>

### [`v3.2.0`](https://redirect.github.com/resend/resend-go/releases/tag/v3.2.0)

[Compare Source](https://redirect.github.com/resend/resend-go/compare/v3.1.1...v3.2.0)

#### What's Changed

- feat: add last\_used\_at field to ApiKey by [@​drish](https://redirect.github.com/drish)
in [#​104](https://redirect.github.com/resend/resend-go/pull/104) **Full Changelog**: <resend/resend-go@v3.1.1...v3.2.0> </details> <details> <summary>googleapis/google-api-go-client (google.golang.org/api)</summary> ### [`v0.272.0`](https://redirect.github.com/googleapis/google-api-go-client/releases/tag/v0.272.0) [Compare Source](https://redirect.github.com/googleapis/google-api-go-client/compare/v0.271.0...v0.272.0) ##### Features - **all:** Auto-regenerate discovery clients ([#​3534](https://redirect.github.com/googleapis/google-api-go-client/issues/3534)) ([b4d37a1](https://redirect.github.com/googleapis/google-api-go-client/commit/b4d37a1279665d52b8b4672a6a91732ae8eb3cf6)) - **all:** Auto-regenerate discovery clients ([#​3536](https://redirect.github.com/googleapis/google-api-go-client/issues/3536)) ([549ef3e](https://redirect.github.com/googleapis/google-api-go-client/commit/549ef3e69575edbe4fee27bc485a093dc88b90b3)) - **all:** Auto-regenerate discovery clients ([#​3537](https://redirect.github.com/googleapis/google-api-go-client/issues/3537)) ([6def284](https://redirect.github.com/googleapis/google-api-go-client/commit/6def284013185ab4ac2fa389594ee6013086d5d0)) - **all:** Auto-regenerate discovery clients ([#​3538](https://redirect.github.com/googleapis/google-api-go-client/issues/3538)) ([319b5ab](https://redirect.github.com/googleapis/google-api-go-client/commit/319b5abcbc42b77f6acc861e45365b65695e8096)) - **all:** Auto-regenerate discovery clients ([#​3539](https://redirect.github.com/googleapis/google-api-go-client/issues/3539)) ([73bcfcf](https://redirect.github.com/googleapis/google-api-go-client/commit/73bcfcf9b2fd8def3aec1cdff10e6d4ee646af41)) - **all:** Auto-regenerate discovery clients ([#​3541](https://redirect.github.com/googleapis/google-api-go-client/issues/3541)) ([6374c49](https://redirect.github.com/googleapis/google-api-go-client/commit/6374c496fde577aa9f5b32470e45676ff4f69dde)) </details> <details> <summary>kubernetes/api 
(k8s.io/api)</summary> ### [`v0.35.3`](https://redirect.github.com/kubernetes/api/compare/v0.35.2...v0.35.3) [Compare Source](https://redirect.github.com/kubernetes/api/compare/v0.35.2...v0.35.3) </details> <details> <summary>kubernetes/apimachinery (k8s.io/apimachinery)</summary> ### [`v0.35.3`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.2...v0.35.3) [Compare Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.2...v0.35.3) </details> <details> <summary>kubernetes/client-go (k8s.io/client-go)</summary> ### [`v0.35.3`](https://redirect.github.com/kubernetes/client-go/compare/v0.35.2...v0.35.3) [Compare Source](https://redirect.github.com/kubernetes/client-go/compare/v0.35.2...v0.35.3) </details> <details> <summary>kubernetes/component-base (k8s.io/component-base)</summary> ### [`v0.35.3`](https://redirect.github.com/kubernetes/component-base/compare/v0.35.2...v0.35.3) [Compare Source](https://redirect.github.com/kubernetes/component-base/compare/v0.35.2...v0.35.3) </details> <details> <summary>cznic/sqlite (modernc.org/sqlite)</summary> ### [`v1.47.0`](https://gitlab.com/cznic/sqlite/compare/v1.46.2...v1.47.0) [Compare Source](https://gitlab.com/cznic/sqlite/compare/v1.46.2...v1.47.0) ### [`v1.46.2`](https://gitlab.com/cznic/sqlite/compare/v1.46.1...v1.46.2) [Compare Source](https://gitlab.com/cznic/sqlite/compare/v1.46.1...v1.46.2) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). 
View the [repository job log](https://developer.mend.io/github/overmindtech/workspace). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiZGVwZW5kZW5jaWVzIiwiZ29sYW5nIl19--> GitOrigin-RevId: 201a51620caa28cde3a3caaa6518624f7608383e
… d00831a (#4348)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [google.golang.org/genproto/googleapis/rpc](https://redirect.github.com/googleapis/go-genproto) | require | digest | `0b37fe3` → `d00831a` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

GitOrigin-RevId: 0a1e9e58d73c42d7efca6eadb2c7cbb9ba90f811
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [aws](https://registry.terraform.io/providers/hashicorp/aws) ([source](https://redirect.github.com/hashicorp/terraform-provider-aws)) | required_provider | minor | `6.36.0` → `6.37.0` |
| [google](https://registry.terraform.io/providers/hashicorp/google) ([source](https://redirect.github.com/hashicorp/terraform-provider-google)) | required_provider | minor | `7.23.0` → `7.24.0` |
| [kubectl](https://registry.terraform.io/providers/alekc/kubectl) ([source](https://redirect.github.com/alekc/terraform-provider-kubectl)) | required_provider | patch | `2.1.5` → `2.1.6` |
| [overmind](https://registry.terraform.io/providers/overmindtech/overmind) ([source](https://redirect.github.com/overmindtech/terraform-provider-overmind)) | required_provider | patch | `0.1.1` → `0.1.2` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>hashicorp/terraform-provider-aws (aws)</summary>

### [`v6.37.0`](https://redirect.github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6370-March-18-2026)

[Compare Source](https://redirect.github.com/hashicorp/terraform-provider-aws/compare/v6.36.0...v6.37.0)

BREAKING CHANGES:

- resource/aws\_lakeformation\_opt\_in: Rename `resource_data.lf_tag.value` to `resource_data.lf_tag.values` and change to a set of string values ([#46788](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46788))

NOTES:

- data-source/aws\_savingsplan\_savingsplan: The `offering_id` attribute is deprecated. Use `savings_plan_offering_id` instead. ([#46959](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46959))
- resource/aws\_savingsplan\_savingsplan: Because we cannot easily test this functionality, it is best effort and we ask for community help in testing ([#46959](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46959))
- resource/aws\_savingsplan\_savingsplan: The `offering_id` attribute is deprecated. Use `savings_plan_offering_id` instead. ([#46959](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46959))

FEATURES:

- **New List Resource:** `aws_ec2_transit_gateway_metering_policy` ([#46812](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46812))
- **New List Resource:** `aws_iam_user` ([#46869](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46869))
- **New List Resource:** `aws_s3_bucket_ownership_controls` ([#46832](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46832))
- **New List Resource:** `aws_wafv2_web_acl_rule` ([#46682](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46682))
- **New List Resource:** `aws_workmail_organization` ([#46692](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46692))
- **New Resource:** `aws_ec2_transit_gateway_metering_policy` ([#46812](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46812))
- **New Resource:** `aws_ec2_transit_gateway_metering_policy_entry` ([#46812](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46812))
- **New Resource:** `aws_wafv2_web_acl_rule` ([#46682](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46682))
- **New Resource:** `aws_workmail_organization` ([#46692](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46692))

ENHANCEMENTS:

- resource/aws\_datasync\_task: Add `schedule.status` argument ([#46037](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46037))
- resource/aws\_docdbelastic\_cluster: Add `shard_instance_count` argument ([#46938](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46938))
- resource/aws\_iam\_user: Add resource identity support ([#46869](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46869))
- resource/aws\_s3\_bucket: Add `bucket_namespace` argument in support of [account regional namespaces for general purpose buckets](https://docs.aws.amazon.com/AmazonS3/latest/userguide/gpbucketnamespaces.html#account-regional-gp-buckets) ([#46917](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46917))

BUG FIXES:

- data-source/aws\_savingsplan\_savingsplan: Properly set `savings_plan_offering_id` during read ([#46959](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46959))
- resource/aws\_bedrockagentcore\_gateway: Fix "Unable to Convert Configuration" error caused by schema/model mismatch in `authorizer_configuration.custom_jwt_authorizer`. This fixes a regression introduced in [v6.36.0](https://redirect.github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#6360-march-11-2026) ([#46908](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46908))
- resource/aws\_cloudfrontkeyvaluestore\_key: Fix issue where values were incorrectly JSON-encoded, resulting in extra quotes being stored in AWS ([#46898](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46898))
- resource/aws\_cloudfrontkeyvaluestore\_keys\_exclusive: Fix issue where values were incorrectly JSON-encoded, resulting in extra quotes being stored in AWS ([#46899](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46899))
- resource/aws\_datasync\_agent: Support activation of advanced mode agents. Previously, attempting to activate advanced mode agents would result in `EOF` errors when retrieving the activation key ([#46958](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46958))
- resource/aws\_dynamodb\_table: Fix GSI removal with `key_schema` syntax deleting all GSIs ([#46602](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46602))
- resource/aws\_instance: Fix `MissingParameter: When specifying CpuOptions you must specify both CoreCount and ThreadsPerCore` errors when updating `cpu_options.core_count` or `cpu_options.threads_per_core` ([#46879](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46879))
- resource/aws\_lakeformation\_opt\_in: Rename `resource_data.lf_tag.value` to `resource_data.lf_tag.values` and change to a set of string values. Previously, attempting to use `resource_data.lf_tag.value` would result in `missing required field` errors ([#46788](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46788))
- resource/aws\_msk\_cluster: Properly handle removal of the `client_authentication.sasl` block ([#42163](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/42163))
- resource/aws\_msk\_cluster: Properly handle removal of the `client_authentication.tls` block ([#42163](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/42163))
- resource/aws\_msk\_cluster: Suppress persistent differences in unset `client_authentication.sasl` blocks ([#42163](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/42163))
- resource/aws\_msk\_cluster: Suppress persistent differences in unset `client_authentication.tls` blocks ([#42163](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/42163))
- resource/aws\_s3\_bucket\_lifecycle\_configuration: Fix "Missing Resource Identity After Read" error when resource created with provider version < 6.34.0 is deleted outside Terraform ([#46674](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46674))
- resource/aws\_savingsplan\_savingsplan: Properly set `savings_plan_offering_id` during read to prevent forced replacement following import ([#46959](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46959))
- resource/aws\_wafv2\_web\_acl: Fix `enable_machine_learning` in `aws_managed_rules_bot_control_rule_set` incorrectly defaulting to `false` instead of reflecting the AWS default of `true` ([#46682](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46682))

</details>

<details>
<summary>hashicorp/terraform-provider-google (google)</summary>

### [`v7.24.0`](https://redirect.github.com/hashicorp/terraform-provider-google/blob/HEAD/CHANGELOG.md#7240-Mar-17-2026)

[Compare Source](https://redirect.github.com/hashicorp/terraform-provider-google/compare/v7.23.0...v7.24.0)

DEPRECATIONS:

- iamworkforcepool: deprecated `extended_attributes_oauth2_client` on `google_iam_workforce_pool_provider`. Use `scim_usage` instead. ([#26388](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26388))

FEATURES:

- **New Resource:** `google_biglake_iceberg_table` ([#26394](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26394))
- **New Resource:** `google_contact_center_insights_auto_labeling_rule` ([#26426](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26426))
- **New Resource:** `google_observability_trace_scope` ([#26428](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26428))
- **New Resource:** `google_sql_provision_script` ([#26432](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26432))

IMPROVEMENTS:

- ces: added Service Account OAuth `scopes` fields to `google_ces_toolset` resource ([#26368](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26368))
- cloudrunv2: added `DISK` fields to `google_cloud_run_v2_service` resource ([#26418](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26418))
- cloudsql: added `max_custom_on_demand_retention_days` field to `sqladmin` resource ([#26407](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26407))
- compute: added `ForwardProxy` field in `google_compute_region_backend_service` resource ([#26449](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26449))
- compute: added `accelerator_topology_mode` field to `google_compute_resource_policy` resource ([#26383](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26383))
- compute: added `target_type` and `target_forwarding_rules` on `google_compute_region_network_firewall_policy_rule` resource ([#26369](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26369))
- compute: promoted the `endpoint_url` field in `google_compute_service_attachment` to GA ([#26434](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26434))
- container: marked `subnetwork` as settable in `google_container_node_pool` ([#26416](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26416))
- container: added `disruption_budget` field to `google_container_cluster` resource ([#26425](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26425))
- discoveryengine: added `search_engine_config.required_subscription_tier` field to `google_discovery_engine_search_engine` resource ([#26398](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26398))
- discoveryengine: marked `content_config` as optional field in `google_discovery_engine_data_store` ([#26398](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26398))
- memorystore: added `server_ca_mode` and `server_ca_pool` fields to `google_memorystore_instance` resource ([#26437](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26437))
- networkservices: relaxed `authority` validation in `google_network_services_authz_extension` for different target types ([#26386](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26386))
- redis: added `server_ca_mode` and `server_ca_pool` fields to `google_redis_cluster` resource ([#26437](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26437))
- sql: added `clone_context.source_project` field to `google_sql_database_instance` resource to support cross project clone (beta) ([#26384](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26384))
- transport: added automatic retry for GCE 403 errors with reason `CONCURRENT_OPERATIONS_QUOTA_EXCEEDED` ([#26417](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26417))

BUG FIXES:

- compute: fixed perpetual diff for `oauth2_client_id` in `iap` block of `google_compute_backend_service` and `google_compute_region_backend_service` when disabling IAP ([#26385](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26385))
- datastream: fixed an issue in `google_datastream_stream` where `source_config.mysql_source_config.binary_log_position` would show a diff when unset ([#26435](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26435))
- workbench: marked `install-nvidia-driver` metadata key as settable for `google_workbench_instance` ([#26402](https://redirect.github.com/hashicorp/terraform-provider-google/pull/26402))

</details>

<details>
<summary>alekc/terraform-provider-kubectl (kubectl)</summary>

### [`v2.1.6`](https://redirect.github.com/alekc/terraform-provider-kubectl/releases/tag/v2.1.6)

[Compare Source](https://redirect.github.com/alekc/terraform-provider-kubectl/compare/v2.1.5...v2.1.6)

#### Changelog

- [`7dd757a`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/7dd757ab08048fe7d3490c4570cdb0c09a779c0b) Dependencies: Bump actions/setup-go from 5.3.0 to 6.3.0
- [`45affe4`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/45affe4cba95e1bb90a5a97f780e33d1375b55e0) Dependencies: Bump google.golang.org/grpc from 1.79.2 to 1.79.3
- [`c5855f1`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/c5855f1939a56b94a74830141f599d74a2aebc9a) Dependencies: Bump the github-actions group with 2 updates
- [`2e03a6c`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/2e03a6c8a36e23d1aeda0f5116a8e728f4c143cf) Dependencies: Bump github.com/zclconf/go-cty in the gomod group
- [`ee6a733`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/ee6a73365fadd248864f83baecad2a0c648feb6a) Dependencies: Bump actions/upload-artifact from 4.6.0 to 7.0.0
- [`0a0f5c7`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/0a0f5c7177fad1308cd39eaf70580b646003d3eb) Dependencies: Bump goreleaser/goreleaser-action from 6.1.0 to 7.0.0
- [`a2d9887`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/a2d98872c90fad75f977ff84f1c736d50648b533) Dependencies: Bump actions/checkout from 4.2.2 to 6.0.2
- [`a41b1e7`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/a41b1e7149c79c5ceb46669539f13c55cf25da68) Dependencies: Bump crazy-max/ghaction-import-gpg from 6.2.0 to 7.0.0

</details>

<details>
<summary>overmindtech/terraform-provider-overmind (overmind)</summary>

### [`v0.1.2`](https://redirect.github.com/overmindtech/terraform-provider-overmind/releases/tag/v0.1.2)

[Compare Source](https://redirect.github.com/overmindtech/terraform-provider-overmind/compare/v0.1.1...v0.1.2)

#### Changelog

- [`93d2011`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/93d2011067059389b1bf54ea6412d93e2531c6b2) Add Azure Private Endpoint Client and Adapter ([#3998](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/3998))
- [`2264623`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/22646231f0404236673e7c3220db4d4117c90df6) Blast propagation cleanup ([#3940](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/3940))
- [`e8b7517`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/e8b75177643d0874c8d51ede52bc88a1d40dae30) Blast propagation proto removal ([#3971](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/3971))
- [`833f8ef`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/833f8ef17d425fed169ea020673393472399f62b) ENG-2804 add webflow changelog webhook handler to api server ([#4189](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4189))
- [`8057b0d`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/8057b0d835e366fb9047778550ca8ceb8171ddb9) ENG-3061 Risk feedback backend ([#4208](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4208))
- [`687919b`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/687919b1014b9477e0353f244d0fa9cda986f4f0) Eng 2204 create microsoftnetworkprivatednszones adapter ([#4111](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4111))
- [`04bb119`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/04bb11938ee41dc6c03eacf3037eb1ef23eddd77) Eng 2708 create documentdbprivateendpointconnection adapter ([#4060](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4060))
- [`4c88748`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/4c88748ed8e6f444e7c03ba27e796b1ac1958474) GitHub Actions script injection ([#4088](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4088))
- [`47cf715`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/47cf7155898851a77c98b9eb002228131611a98c) GitHub library upgrades ([#4200](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4200))
- [`aec32b9`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/aec32b9cb8cb1ee85ce67d90aedd166707e4a2b2) Go fix ([#3996](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/3996))
- [`8921b21`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/8921b2178de5896d10f80b1980bb1e61e0fa15d8) Go library updates ([#4083](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4083))
- [`d029119`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/d02911948c885592ffc2091002a82bc486f87a9a) Hypothesis status skipped state ([#3973](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/3973))
- [`ad625a9`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/ad625a9f136913a36f44ca76acce3c737988ff04) Merge pull request [#6](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/6) from overmindtech/copybara/v0.1.2
- [`5c65d4d`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/5c65d4df3b52f77c1a9836aa6c2867f72795fdab) Otel SDK span loss ([#4286](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4286))
- [`7dee3e5`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/7dee3e565651dd6c99d2e57b71dd36c1185683fe) Pin GoReleaser version to v2.14.3 in all workflows ([#4333](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4333))
- [`effc8cc`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/effc8cc02a5589dd649ef4df77fc11ae20abe12b) Run go mod tidy
- [`ed24f34`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/ed24f3425797b7407ea4b92426353413756bea03) \[ENG-2893] Migrate charmbracelet/lipgloss/v2 to charm.land/lipgloss/v2 ([#4107](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4107))
- [`dd6d20e`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/dd6d20e9934e15ed53a580710cd9e66e3edfe72c) \[ENG-2943] Switch to overmindtech/otelpgx fork (no acquire/prepare spans) ([#4103](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4103))
- [`cd21f20`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/cd21f20723dc42ef79d5e1c32375d9cb072f3142) \[ENG-2975] Increase ResponseSender heartbeat interval to 30s with jitter ([#4154](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4154))
- [`7c9963c`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/7c9963cf0b1c96339ba99f1ad8435a20e5b03d86) \[ENG-3098] Phase 1: Backend -- Accumulate Partial Plans ([#4233](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4233))
- [`5169f50`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/5169f50e43e290a593dfd93a4f8d2543fe6720f2) \[ENG-3113] GitHub App PR commenting for change analysis results ([#4231](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4231))
- [`b60b80f`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/b60b80fee957c3a9ad89007bf42f3d770fea9eb4) \[ENG-3233] Phase 1: GitHub App Installation Requests — Schema, Config, and Plumbing ([#4312](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4312))
- [`029ad2a`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/029ad2aa1356fb40e84e8c40d57f628c056bb5fe) chore(deps): update dependency golangci/golangci-lint to v2.11.3 ([#4261](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4261))
- [`95e3fc1`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/95e3fc1aad4ad133ffd439dd648531cb0723bad3) chore(deps): update github actions (major) ([#4139](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4139))
- [`62325c8`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/62325c8d2d954e4e9e031a73e8044a7a5c5f2693) chore(deps): update golang docker tag to v1.26 ([#3869](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/3869))
- [`2b0f032`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/2b0f032f3c9ca087dbe4fe7762fd012c59fea2de) feat(sdp): add mappedItemRef to ItemDiff for LLM-mapped blast radius … ([#4059](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4059))
- [`465e437`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/465e437e0f5a72f88d2f9c900d4e289b87de16a5) feat: Implement all-locations LIST support for 8 GCP adapters ([#4305](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4305))
- [`bcceade`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/bcceade09fd5b065bdd17881dc2320e9ab834790) feat: add MCP server skeleton with OAuth PRM and JWT auth ([#4131](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4131))
- [`f818f27`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/f818f27a465dd8ebf1fd72ac2e99fb23070f9668) feat: add RFC 9728 resource\_metadata to MCP 401 responses ([#4234](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4234))
- [`c632c8c`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/c632c8c436624ed81b64f7651caaa2c24a2f2edd) feat: create Elastic SAN volume snapshot adapter ([#4209](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4209))
- [`41d29d0`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/41d29d00aece3ea5025895f0910b3ff6d01ff957) feat: rename SDP proto fields for naming consistency (non-persisted) ([#4300](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4300))
- [`4a28713`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/4a28713429b546b94fc8b9bf8f073e30866036df) fix(deps): update azure-sdk-for-go monorepo (major) ([#4144](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4144))
- [`892c5be`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/892c5be5bcd6f6e094f79358bff68ef0e16e2869) fix(deps): update github.com/hashicorp/terraform-config-inspect digest to [`813a975`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/813a975) ([#4029](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4029))
- [`a51101c`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/a51101c00aba4f1f2b466430c88b61ce05581625) fix(deps): update go ([#3952](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/3952))
- [`4289cfd`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/4289cfdfa55570bab1ea4a2a638b392fad28e95f) fix(deps): update go ([#4163](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4163))
- [`888ae39`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/888ae3941de4cb1d29e24b626ee9dd2d65f6da41) fix(deps): update go ([#4260](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4260))
- [`a86e503`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/a86e5032bbb021ccda884bbc575471637599c145) fix(deps): update google.golang.org/genproto/googleapis/rpc digest to [`2f722ef`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/2f722ef) ([#3951](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/3951))
- [`0d738bd`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/0d738bd8880f3e0e40023a3ccc7cda2e7216090b) fix(deps): update google.golang.org/genproto/googleapis/rpc digest to [`84a4fc4`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/84a4fc4) ([#4253](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4253))
- [`eba6d31`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/eba6d31102128ed0d62044327d0d9887341b5783) fix(deps): update google.golang.org/genproto/googleapis/rpc digest to [`a57be14`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/a57be14) ([#4030](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4030))
- [`94d6d6b`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/94d6d6bc8b1b0e23526fe50d5f4e1102b4e3179a) fix(deps): update module github.com/auth0/go-jwt-middleware/v2 to v3 ([#4145](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4145))
- [`b8d3403`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/b8d3403a140dc252b65df241124fa78f51644ec0) fix(deps): update module google.golang.org/grpc to v1.79.3 \[security] ([#4328](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4328))
- [`5314378`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/5314378c4b4c78f5172f198ab91fb73bb0e02f91) maint, add a BUGBOT rule to keep go.mod clean ([#4198](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4198))
- [`15360fc`](https://redirect.github.com/overmindtech/terraform-provider-overmind/commit/15360fc15f5dcb5a59db42d1eb24003f6f1b1158) perf: replace protojson.Format with proto.Size in publish tracing ([#4121](https://redirect.github.com/overmindtech/terraform-provider-overmind/issues/4121))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

GitOrigin-RevId: c4c63138ac77d0943488e50e05da2d44a5cf793a
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Mostly test/documentation changes, but it also alters the Capacity Reservation Group adapter to stop sending unsupported `$expand` options, which could change returned data and behavior in production. Risk is moderate due to touching live Azure API call parameters and broad test-suite behavior.
>
> **Overview**
> **Improves Azure integration test stability** by adding consistent `setupCompleted` gating (skip `Run` when `Setup` didn't finish), adding preflight `Get` checks for resources that may be pre-provisioned, and introducing wait/poll helpers to handle eventual consistency (role assignments, Key Vault secrets) and long-running operations/timeouts (Key Vault creation, PostgreSQL, bounded deletes).
>
> **Handles common Azure failure modes explicitly**: treats `409 Conflict` as non-success unless a subsequent `Get` confirms the resource exists (VM/VM extension/run-command, role assignments), fails fast on repeated `404`s during wait loops, and skips tests on external conditions like Batch quota exhaustion and NSG flow log retirement.
>
> **Aligns unique-attribute expectations** in storage integration tests with composite key usage (e.g., blob containers) and updates guidance/docs (`SKILL.md`, integration test `README.md`, `BUGBOT.md`) to codify these patterns. Also updates the `compute-capacity-reservation-group` adapter (and its unit test helper) to pass `nil` `Get` options instead of an `$expand` that can trigger `400 Bad Request`.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 15a3d13d7673f090b478441cadc09a3f78a14d61. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

<img width="1058" height="654" alt="image" src="https://github.com/user-attachments/assets/89d7ff94-9655-4bc8-94bb-a400e6d7fc90" />

GitOrigin-RevId: 52434ebdb6ab5beb8a842e630b79266866fc61e1
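The failure-mode rules the Bugbot summary above describes (a `409 Conflict` that only counts as success when a follow-up `Get` confirms the resource exists, fail-fast on a run of `404`s inside a wait loop, and a bounded wait so a hung resource cannot stall the suite) as an added Go example. This is not the overmind workspace's own code: `apiError` is a hypothetical stand-in for an SDK response error, `waitUntilReady`, `createOrConfirm` and `eventuallyVisible` are illustrative names, and the fake resource in `main` is constructed so the example runs offline without an Azure subscription.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// apiError is a hypothetical stand-in for an SDK response error carrying an
// HTTP status code; the real Azure SDK error type is not used so this runs offline.
type apiError struct{ StatusCode int }

func (e *apiError) Error() string { return fmt.Sprintf("http %d", e.StatusCode) }

// statusOf returns the HTTP status behind err, or 0 if err is not an apiError.
func statusOf(err error) int {
	var ae *apiError
	if errors.As(err, &ae) {
		return ae.StatusCode
	}
	return 0
}

// ErrNotFoundStreak is returned when a wait loop sees maxNotFound consecutive
// 404s: the resource was most likely never created, so waiting longer is wasted.
var ErrNotFoundStreak = errors.New("resource still missing after consecutive 404s")

// waitUntilReady polls get until it succeeds. 429/5xx reset the 404 streak and
// keep polling; a run of 404s fails fast; any other client error is returned
// at once; the context deadline bounds the total wait.
func waitUntilReady(ctx context.Context, get func(context.Context) error, interval time.Duration, maxNotFound int) error {
	notFound := 0
	for {
		err := get(ctx)
		if err == nil {
			return nil
		}
		switch code := statusOf(err); {
		case code == 404:
			notFound++
			if notFound >= maxNotFound {
				return fmt.Errorf("%w: %v", ErrNotFoundStreak, err)
			}
		case code == 429 || code >= 500:
			notFound = 0 // transient: keep waiting
		default:
			return err // other 4xx or a non-HTTP error: not worth retrying
		}
		select {
		case <-ctx.Done():
			return fmt.Errorf("gave up waiting (last error: %v): %w", err, ctx.Err())
		case <-time.After(interval):
		}
	}
}

// createOrConfirm runs create and treats 409 Conflict as success only when a
// follow-up get shows the resource actually exists (e.g. a pre-provisioned VM
// extension); any other create failure, or a 409 with no readable resource, fails.
func createOrConfirm(ctx context.Context, create, get func(context.Context) error) error {
	err := create(ctx)
	if err == nil {
		return nil
	}
	if statusOf(err) != 409 {
		return err
	}
	if gerr := get(ctx); gerr != nil {
		return fmt.Errorf("create returned 409 but resource is not readable: %w", gerr)
	}
	return nil
}

// eventuallyVisible returns a get func for a constructed fake resource that
// answers 404 for the first `misses` calls and then succeeds, mimicking the
// eventual consistency of a freshly created role assignment.
func eventuallyVisible(misses int) func(context.Context) error {
	calls := 0
	return func(context.Context) error {
		calls++
		if calls <= misses {
			return &apiError{StatusCode: 404}
		}
		return nil
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	// the fake role assignment becomes visible on the third read
	fmt.Println("wait:", waitUntilReady(ctx, eventuallyVisible(2), 10*time.Millisecond, 5))
	// create conflicts but the resource is readable: treated as success
	conflict := func(context.Context) error { return &apiError{StatusCode: 409} }
	fmt.Println("create:", createOrConfirm(ctx, conflict, eventuallyVisible(0)))
}
```

In a real test the `get` and `create` closures wrap the SDK client calls and the caller chooses `maxNotFound` and the context deadline per resource type, so a missing resource fails the test in seconds while a slow long-running operation still gets its full budget.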
Copybara Sync - Release v1.17.2
This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.
Original author: David Schmitt (david.schmitt@overmind.tech)
What happens when this PR is merged?
The `tag-on-merge` workflow will automatically create the `v1.17.2` tag on `main`.
Review Checklist