Release v1.17.6 by github-actions[bot] · Pull Request #841 · overmindtech/cli

github-actions · 2026-04-07T07:30:43Z

Copybara Sync - Release v1.17.6

This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.

Original author: Dylan (dylan@overmind.tech)

What happens when this PR is merged?

The tag-on-merge workflow will automatically create the v1.17.6 tag on main
This tag will trigger the release workflow, which will:
- Run tests
- Build and publish release binaries via GoReleaser
- Upload packages to Cloudsmith

Review Checklist

Changes look correct and match the expected monorepo sync
Tests pass (see CI checks below)

…ttributes (#4481) Replace the shell-based honeycomb_cleanup.sh with a Go tool that handles API rate limits properly, and fix the three code-level root causes that continuously create stale Honeycomb columns: 1. otellogrus flattening complex objects: LoggingGatewayMessageHandler logged full *sdp.Item protos via WithField("item", item), and config maps were logged via WithFields(MapFromServerConfig(...)). Both get flattened by the otellogrus hook into one Honeycomb column per leaf field — producing ~1500+ stale columns. Items now log only the GloballyUniqueName at normal levels (full proto at debug only), and config maps are rendered as a single "config" string field. 2. Dynamic indexed attribute keys: fmt.Sprintf("prefix.%d", i) in v6.go (hypothesisUpdated/hypothesisStatus) and blast_radius_tools.go (affectedResource) created a new column for each unique index. Replaced with attribute.StringSlice/IntSlice. 3. The gateway's revlink ingest error path logged full proto items/edges as log fields, now logs only the GloballyUniqueName / edge endpoints.  --- > [!NOTE] > **Medium Risk** > Adds a new, potentially destructive Honeycomb column deletion CLI and changes logging/trace attribute shapes across multiple services; misconfiguration could delete more columns than intended or reduce diagnostic detail at non-debug levels. > > **Overview** > **Reduces runaway Honeycomb column creation** by changing structured logs and span attributes that were generating unbounded/dynamic field keys. > > Replaces the shell-based Honeycomb column cleanup scripts with a Go `honeycomb-cleanup` CLI that scans datasets for stale columns and deletes them in parallel with shared rate-limit backoff, conflict (409) handling, progress reporting, and `-dry-run` support. > > Updates multiple services to log configs and gateway items/edges more conservatively (e.g., log a single stringified `config` field, and log `GloballyUniqueName` at normal levels with full protos only at debug), and replaces dynamically-indexed OpenTelemetry attributes with `StringSlice`/`IntSlice` attributes to avoid per-index column churn. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 921cff26ef54dbe3a6b9c9a8a064ae35b2d7f9aa. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  GitOrigin-RevId: acb1f94431e4ddc6d6d53233934a2eb2f11e422d

…484) ## Summary - Fix orphaned Auth0 identities left behind when admins delete users via Area51, which blocked re-signup with the same email - Wire Auth0 Management API deletion into both the Area51 `usersDeleteHandler` and the server-side `DeleteAccount` flow, fail-closed (no DB delete unless Auth0 succeeds) - Remove the "Delete Empty Account" button from Area51 after discovering that `DeleteAccount` scopes resource cleanup through the caller's JWT, which would delete the *admin's* data instead of the target account's ## Linear Ticket - **Ticket**: [ENG-3408](https://linear.app/overmind/issue/ENG-3408/deleting-a-user-leaves-orphaned-account-blocking-re-signup) — Deleting a user leaves orphaned account blocking re-signup - **Purpose**: Area51 user deletion only removed the Postgres row; Auth0 identity persisted, and empty accounts had no delete UI ## Changes ### Auth0 Management API integration - **Terraform** (`deploy/modules/ovm-centralised/api_server.tf`): New `auth0_client_grant` for the api-server M2M client to call Auth0 Management API with `delete:users` scope - **Config** (`deploy/modules/ovm-services/api_server.tf`, `go/auth/auth.go`, `cmd/root.go`, `cmd/config.go`, `README.md`): Added `AUTH0_MANAGEMENT_AUDIENCE` env var / viper flag / `Auth0Config` field - **Helper** (`service/auth0_management.go`): `DeleteAuth0User` using client credentials + `DELETE /api/v2/users/{id}`, idempotent on 404, fail-closed when config is missing ### User deletion (Area51) - **Wiring** (`area51/users.go`): Auth0 delete called before `DeleteUserByEmail` when `Auth0UserID.Valid` - **Area51 deps** (`service/area51_deps.go`, `area51/app.go`): `deleteAuth0User` injected into `area51App` ### Server-side DeleteAccount - **Wiring** (`service/account.go`): Auth0 delete called before `DeleteUserByEmail` for each active user in the account - **Error handling** (`service/account.go`): `unwrapJoinedErrors` helper to inspect individual errors from `conc` pool — `connect.CodeNotFound` is tolerable, all other errors (including Auth0 failures) halt deletion ### Account deletion removed from Area51 - **Removed** (`area51/accounts.go`): `accountsDeleteHandler` and `POST /{accountName}/delete-account` route removed - **Removed** (`area51/accounts.templ`, `accounts_templ.go`): "Delete Empty Account" button removed - **Removed** (`area51/app.go`, `service/area51_deps.go`): `deleteAccount` field removed from `area51App` struct and `Area51RouterDeps` - **Added** (`area51/accounts.go`): Comment block explaining why account deletion is intentionally not exposed via Area51 (JWT context-scoping bug) ### Tests - **New** (`service/auth0_management_test.go`): 9 test cases covering success, idempotent 404, error propagation, and missing config Reviewers should focus on the Auth0 Management API interaction in `auth0_management.go` and the fail-closed wiring in `account.go` and `users.go`. ## Approved Plan - **Plan approver**: David Schmitt - **Linear ticket**: [ENG-3408](https://linear.app/overmind/issue/ENG-3408/deleting-a-user-leaves-orphaned-account-blocking-re-signup) ## Deployment Notes The Terraform Auth0 grant **must be applied before** the new api-server pods roll out. Otherwise the Management API call will be rejected and the fail-closed behavior will return 500 with no DB delete. Both changes can land in the same PR; the runbook order is: Terraform apply, then api-server deploy. ## Deviations from Approved Plan ### Removal: "Delete Empty Account" button and handler removed from Area51 The plan called for adding a `POST /{accountName}/delete-account` route and "Delete Empty Account" button on the Area51 account detail page. This was implemented in the initial commit, but Bugbot and subsequent investigation revealed a critical context-scoping bug: `Server.DeleteAccount` scopes API-key, change, bookmark, and snapshot cleanup through the caller's JWT context (`AccountNameContextKey` / `UserTokenContextKey`). When called from an Area51 admin session, the context carries the admin's token, causing `ListAPIKeys`, `ListChanges`, and the gateway bookmark/snapshot clients to target the admin's own account — deleting the admin's data while orphaning the target account's resources. This is the same bug documented in `cmd/delete_account.go` that prevented that CLI command from ever being enabled. The route, handler, template button, and `deleteAccount` wiring were removed entirely. The `DeleteAuth0User` wiring (for user-level deletion) is unaffected since it uses M2M client credentials and explicit DB parameters, not JWT context. ### Scope reduction: handler-level tests for accountsDeleteHandler not implemented The plan called for HTTP handler tests covering `accountsDeleteHandler`. Since the handler was removed, these tests are no longer applicable. ### Implementation detail: scheme-parameterized helper for testability The plan described a single `DeleteAuth0User` method. The implementation splits it into a public `DeleteAuth0User` (always `https`) and an internal `deleteAuth0UserWithScheme` to allow unit tests to use plain HTTP test servers. This is a mechanical change that doesn't affect production behavior.  --- > [!NOTE] > **Medium Risk** > Touches account/user deletion flows and introduces Auth0 Management API calls with fail-closed behavior; misconfiguration or Auth0 outages can now block deletions and requires correct M2M grants. > > **Overview** > Fixes orphaned Auth0 identities by adding Auth0 Management API deletion into admin-driven teardown paths. > > The api-server now supports `AUTH0_MANAGEMENT_AUDIENCE` (Terraform grant + config/flags/docs) and adds `Server.DeleteAuth0User`, which uses client-credentials to call `DELETE /api/v2/users/{id}` and treats 404 as success. Area51 user deletion and `Server.DeleteAccount` now delete the Auth0 user first and only remove DB rows if that succeeds, with improved joined-error handling to still tolerate `connect.CodeNotFound` cleanup failures. > > Area51 intentionally does **not** expose account deletion; a new comment documents the JWT-context scoping hazard that could delete the admin’s own resources. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 8838686dd18d158da7bf2075c1c5f8f851f42fbd. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  GitOrigin-RevId: f4c5945dc729b33c189d06b879af49b86e9abd58

…493) Introduce `area51 benchmark compare` CLI command that runs scenarios across multiple model or prompt configurations and produces unified comparison reports (JSON, CSV, summary table). The first config uses ConnectRPC to create the change; subsequent configs re-trigger V6 analysis via Area51 form POST with model/prompt overrides on the same change. Fix three issues discovered during local testing: - V6 form handler used empty prompt templates when fields were omitted, causing investigations to produce zero risks; now falls back to V6 defaults - Auth bypass middleware did not set CurrentSubjectContextKey, breaking Area51 job scheduling in unauthenticated local environments - StartChangeAnalysis did not persist planned changes or set the PlannedChangesStored flag, so V6 re-triggers found no changing items  --- > [!NOTE] > **Medium Risk** > Adds a new CLI workflow that re-triggers V6 analysis via the Area51 admin form and changes auth-bypass and change-analysis persistence behavior; mistakes here could break local benchmarking and affect re-analysis correctness. > > **Overview** > Adds `area51 benchmark compare` to run benchmark scenarios across multiple **models or prompt files**, re-triggering V6 analysis via the Area51 form endpoint and generating unified `comparison.json`/`comparison.csv` plus a stdout summary with deltas/win counts. > > Fixes gaps found during local benchmarking: Area51 V6 form submissions now **fall back to V6 default prompt templates** when fields are omitted, auth bypass now injects a synthetic `CurrentSubjectContextKey` (`"auth-bypass"`), and `StartChangeAnalysis` now **persists request-provided planned changes** (and sets `planned_changes_stored`) so re-analyses can reload changing items. > > Benchmark results now include the raw `risks` in each `Result`, and the local benchmark docker-compose disables GitHub webhooks. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1866bdc27a1ca433aef41d49a68513be3a2df008. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  --------- Co-authored-by: David Schmitt <david.schmitt@overmind.tech> GitOrigin-RevId: b0ac08ece6c59a3d6bdb65002cb70fac8930b22d

## Summary - **Fix broken audit data**: The audit middleware was logging *before* auth ran, so `sub`, `account`, and `scopes` were always empty (`"not set in context"`). Restructured to use a shared `*AuditData` struct in context — audit injects it, auth populates it after JWT validation, audit reads it after the response completes. - **Exclude health checks**: `/healthz` is now excluded from audit logging, eliminating high-volume K8s probe noise with useless empty-identity entries. - **Capture response status**: Audit entries now include the HTTP status code, improving the trail for security review. ## Changes ### `go/audit/main.go` — Core middleware rewrite - Removed direct reads of `auth.CurrentSubjectContextKey{}` etc. (which were always empty at the outer middleware layer) - Added `AuditData` struct and `AuditDataFromContext()` for cross-middleware communication via a shared mutable pointer in context - Moved log emission to **after** `next.ServeHTTP` so auth has populated the data - Added `statusRecorder` wrapper to capture HTTP response status - Added `WithExcludePaths()` option for skipping paths like `/healthz` - Removed import of `go/auth` — dependency direction is now `auth → audit` ### `go/auth/middleware.go` — Populate audit data - Added audit data population in `processOverrides`, which is the final handler before the route handler runs (covers JWT-validated, bypass, and override paths) - When `*AuditData` is present in context, writes `Subject`, `AccountName`, and `Scopes` from the finalized auth context ### Service files (api-server, gateway, revlink) - Added `audit.WithExcludePaths("/healthz")` to all three services ### Tests and docs - Rewrote `go/audit/main_test.go` with 7 focused tests covering: authenticated requests, unauthenticated requests, path exclusion, status code capture, implicit 200, and nil-safety - Updated `go/audit/README.md` to document the new architecture ## Deviations from Approved Plan > No approved plan is associated with this PR. Made with [Cursor](https://cursor.com)  --- > [!NOTE] > **Medium Risk** > Touches cross-middleware auth/audit interaction and wraps `http.ResponseWriter`, which can affect request handling (streaming/WebSocket) if edge cases are missed, though behavior is well-covered by new tests. > > **Overview** > Fixes audit logging to capture authenticated identity by having `audit.NewAuditMiddleware` inject a shared `*AuditData` into request context, letting `auth.NewAuthMiddleware` populate `sub`/`account`/`scopes` after JWT validation, and emitting the audit log **after** the handler completes. > > Audit logs now include the HTTP response `status` (via a `ResponseWriter` recorder that preserves `Hijacker`/`Flusher` behavior) and support `WithExcludePaths` to skip noisy endpoints like `/healthz`; services are updated to exclude health checks, and tests/docs are expanded to cover these behaviors. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 24c0ae98b56bc362e471137ab7cdc14ee5a0a9bb. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>  GitOrigin-RevId: a0424a1d86901cfd20f938291e1874b100408a63

## Summary When a user disables the GitHub integration via the Settings UI, the system now attempts to delete the installation on GitHub's side via `DELETE /app/installations/{id}` before clearing local state. **Error handling**: Non-retryable 4xx errors from GitHub (404 already gone, 403 no permission) are logged and ignored. Retryable errors -- 429 (rate limit), 5xx, and network failures -- block the operation and return `CodeUnavailable` with a fixed customer-facing message to the caller, preventing orphaned installations during transient outages. When the GitHub App PEM is not configured (tests, unconfigured servers), the GitHub API call is skipped gracefully. Also removes the dead `DeleteGithubAppProfileAndGithubInstallationID` RPC from the configuration service (zero callers outside its own tests; confirmed no out-of-repo consumers). ## Changes - **`services/api-server/service/githubapp/githubapp.go`** -- Added `DeleteInstallation` helper using `Apps.DeleteInstallation` from go-github/v84; non-retryable 4xx ignored, 429/5xx/network errors propagated - **`services/api-server/service/managementservice.go`** -- Updated `UnsetGithubInstallationID` to call `DeleteInstallation` before clearing local DB state; skips when PEM not configured; returns fixed error message on failure - **`services/api-server/service/githubapp/githubapp_test.go`** -- Added unit tests for `DeleteInstallation` covering 204, 404, 403, 400, 429, 500, 502, 503, and network error cases - **`sdp/config.proto`** -- Removed `DeleteGithubAppProfileAndGithubInstallationID` RPC and message types - **`services/api-server/service/configservice.go`** -- Removed dead handler - **`services/api-server/service/configservice_test.go`** -- Removed dead tests - Regenerated protobuf code (Go + TypeScript) ## Testing - All `DeleteInstallation` unit tests pass (9 test cases) - `go build ./...` passes across entire workspace - `go vet ./services/api-server/...` clean - TypeScript type check (`tsc --noEmit`) passes for sdp-js - Test binary compilation for `services/api-server/service/` succeeds ## Review feedback addressed **From `/review-changes`:** - **Blocking (429 rate limit)**: Fixed -- `429 Too Many Requests` is now treated as a retryable error (fails hard, like 5xx), not silently ignored. - **Warning (handler test gap)**: Acknowledged -- the `CodeUnavailable` error path is covered by function-level unit tests on `deleteInstallation`; a full handler-level test would require NATS/Postgres mock infrastructure that doesn't exist today. - **Advisory (removed RPC)**: Confirmed zero callers in any consumer; all generated clients are in-repo. **From Technical Review:** - **Warning (error message leaks)**: Fixed -- `CodeUnavailable` now returns a fixed customer-facing message; details remain in logs and Sentry. - **Warning (no auth test)**: Pre-existing gap -- the `admin:write` scope check existed before this PR; no management service RPCs have negative auth tests today. - **Advisory (feature flag)**: Shipping universally was an explicit plan decision. - **Advisory (docs)**: Optional improvement for a follow-up; no existing docs reference the removed RPC or the disable flow.  <div><a href="https://cursor.com/agents/bc-882a28f5-d168-472c-a610-f8b13b4b4d84"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-882a28f5-d168-472c-a610-f8b13b4b4d84"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> GitOrigin-RevId: 85f1a2136feed112fbf44f345b879622c374706c

<img width="2174" height="1962" alt="image" src="https://github.com/user-attachments/assets/5b01dc7a-95fd-43e6-99f2-94630d54abd3" />  ## Summary This PR removes the auto-tagging timeline entry from the change analysis workflow, as all customers have now migrated to CLI version 1.16.4 or later. ## Changes ### Core Changes - **Removed `ChangeTimelineEntryV2IDAutoTagging` from `PopulateChangeTimelineV2`** in `services/api-server/service/changeanalysis/changetimeline.go` - Timeline entries no longer include auto-tagging step - **Removed auto-tagging from `GetChangeTimelineV2`** function - Removed call to `GetAutoTaggingTimelineEntry` - Removed the function `GetAutoTaggingTimelineEntry` entirely - **Removed `TrackChangeTimelineV2Entry` call for auto-tagging** in `services/api-server/service/changeanalysis/change_analysis.go` - Auto-tagging logic now runs without timeline tracking - Added comment noting the timeline entry was removed per ENG-2436 - **Removed auto-tagging label from `resetChangeAnalysisTables`** in `services/api-server/service/changeanalysis/shared.go` - Timeline reset no longer includes auto-tagging entry - **Removed `ChangeTimelineEntryV2IDAutoTagging` constant** from `go/sdp-go/changetimeline.go` - Removed from `allChangeTimelineEntryV2IDs` slice - Kept deprecated fields in change_analysis.go for backward compatibility with old changes ### Test Updates - Updated `TestChangeTimelineV2` to remove auto-tagging test assertions - Updated `TestCreateInstantChangeTimelineEntry` to use change validation instead of auto-tagging - Updated `TestGetChangeTimelineEntryFromDatabase` expected count from 8 to 7 entries - Updated `TestPopulateChangeTimelineV2FeatureFlags` expected count from 9 to 8 entries - Updated `TestGetChangeTimelineV2` expected count from 8 to 7 entries - Removed auto-tagging test case from `go/sdp-go/changetimeline_test.go` ## Testing - ✅ All modified Go packages compile successfully - ✅ Code builds without errors - Tests require database connection (not available in CI-less environment) ## Migration Notes This is a cleanup task following the successful migration of all customers to CLI version 1.16.4+. The auto-tagging functionality itself is preserved; only the timeline entry tracking has been removed. ## Checklist - [x] Removed auto-tagging from PopulateChangeTimelineV2 - [x] Removed auto-tagging from GetChangeTimelineV2 - [x] Removed GetAutoTaggingTimelineEntry function - [x] Removed TrackChangeTimelineV2Entry call in change_analysis.go - [x] Removed auto-tagging from resetChangeAnalysisTables - [x] Removed timeline entry ID constant from SDP - [x] Updated all affected tests - [x] Code compiles successfully  Linear Issue: [ENG-2436](https://linear.app/overmind/issue/ENG-2436/remove-auto-tagging-time-line-entry-now-we-are-fully-adopted) <div><a href="https://cursor.com/agents/bc-7c3f5ddd-33ec-48f9-ae4f-04ecb9a8ce16"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-7c3f5ddd-33ec-48f9-ae4f-04ecb9a8ce16"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> GitOrigin-RevId: ff9c45adb59683fd3523af1c93b663ff3e42b00a

…elhttp (#4510)  ## Summary Create a shared HTTP middleware builder in `go/startup` and apply it to api-server as the first consumer, removing all per-route `otelhttp.NewHandler` wrappers. This ensures every HTTP request — including 404s for unmatched routes — produces telemetry in Honeycomb. Also removes the broken SDK-level health check sampling infrastructure (`OvermindSampler`, `healthTp`) from `go/tracing`. ### Middleware Chain (outer → inner) ``` PostHog (outside builder) → sentryhttp → audit → otelhttp → route attribute → ALB trace ID → inner handler ``` PostHog is applied **outside** `WrapHandler` because it clones the request via `r.WithContext()`, which would break `otelhttp`'s `http.Request.Pattern` detection. ### Changes - **`go/startup/middleware.go`** — New `WrapHandler` function with options for service name, audit logger, and audit exclude paths. Includes custom `SpanNameFormatter` that uses `http.Request.Pattern` for matched routes. - **`go/startup/middleware_test.go`** — 9 tests covering 404 spans, Pattern-based span naming, `http.route` attribute, ALB trace ID capture, audit logging, sentry repanic, and Pattern propagation with/without request cloning. - **`go/tracing/main.go`** — Removed `healthTp`, `HealthCheckTracerProvider()`, `HealthCheckTracer()`, `SamplingRule`, `OvermindSampler`, `UserAgentMatcher`. Simplified `InitTracer` (no custom sampler — SDK default `ParentBased(AlwaysSample)` is correct). Simplified `ShutdownTracer` (single provider). - **`go/tracing/main_test.go`** — Updated tests to remove `healthTp` references. - **`go/startup/health.go`** — Removed per-route `otelhttp.NewHandler` wrapping from `HealthHandler()`. - **`go/discovery/engine.go`** — Replaced `tracing.HealthCheckTracer()` with `tracing.Tracer()` in liveness/readiness probes. - **`services/api-server/service/main.go`** — Removed all 17 per-route `otelhttp.NewHandler` wrappers. Replaced manual sentry+audit+PostHog chain with `startup.WrapHandler` + PostHog outside. Removed unused `otelhttp`, `sentryhttp`, `audit` imports. - **`go/startup/README.md`** — Documented `WrapHandler`, middleware chain, PostHog constraint, and updated health check docs. ### Key Design Decisions 1. **Custom `SpanNameFormatter`**: otelhttp's default formatter ignores `http.Request.Pattern` — it always returns the static operation name. Our custom formatter prefers `Pattern` when set, falling back to the service name for 404s. 2. **`routeAttributeMiddleware`**: otelhttp sets `http.route` from `req.Pattern` at span start, but Pattern is empty at that point with global wrapping. This middleware sets `http.route` post-handler after ServeMux populates Pattern. 3. **No replacement sampler**: Removed `OvermindSampler` entirely. The SDK default `ParentBased(AlwaysSample)` is correct — Phase 5 will add collector-level `tail_sampling`.  <div><a href="https://cursor.com/agents/bc-c4168a70-b1b6-491e-9d2d-80eec3499421"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-c4168a70-b1b6-491e-9d2d-80eec3499421"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> GitOrigin-RevId: 02a81d5de65629cda18089a7932036e799fad7ae

## Summary Implements the Check Run Settings UI and opt-in gate for GitHub App check runs, as specified in ENG-3422. Check runs are now disabled by default and require explicit customer opt-in via the settings page. ## Changes ### Proto (`sdp/config.proto`) - Added `bool check_runs_enabled = 5` to `SignalConfig` (defaults to `false`) - Added `optional bool can_create_checks = 14` to `GithubAppInformation` - Regenerated Go and TypeScript proto code ### Backend — Opt-In Gate (`changesservice.go`) - `checkGithubAppCanCreateChecks` now loads `SignalConfig` from the DB and short-circuits before any GitHub API calls when `check_runs_enabled` is `false` - `getSignalConfigForChangeAnalysis` merges `check_runs_enabled` from the DB config ### Backend — Permission Exposure (`configservice.go`) - `GetGithubAppInformation` now calls `CheckInstallationCanCreateChecks` and exposes `can_create_checks` on the response - Error from the permission check is logged at Warn level (not silently discarded) - `GetSignalConfig` fallback path merges `check_runs_enabled` and `check_run_mode` from partial DB rows alongside preset defaults ### Backend Tests - `TestCheckGithubAppCanCreateChecks_OptInGate`: 3 test cases (no installation, disabled, enabled) - `TestSignalConfig/fallback_path_preserves_check_run_fields`: validates fallback merge ### Frontend — CheckRunSettings Component Three visual states: - **No permission**: Permission prompt when `checks:write` not granted, with link to GitHub App installation settings - **Disabled**: Toggle off with description - **Enabled**: Toggle on with RadioGroup mode selector (Report only / Fail on high-severity / Fail on any risk) Uses optimistic cache updates via `queryClient.setQueryData` on mutation success. ### Frontend — Mocks & Stories - `getGithubAppInformationWithChecksMock` / `getGithubAppInformationNoChecksMock` - `getSignalConfigCheckRunsEnabledMock` - Three Ladle stories: `GitHubCheckRunsNoPermission`, `GitHubCheckRunsDisabled`, `GitHubCheckRunsEnabled` ### Documentation - PRD revision entry for opt-in gate delivery - ADR `adr-checkrun-opt-in` (0024): documents the explicit opt-in decision - Updated `CURRENT_STATE.md` and customer-facing docs ## UI Screenshots **Disabled state** — Toggle off, no mode selector visible: [Check Runs Disabled](https://cursor.com/agents/bc-82fc8433-3e64-4f9f-a012-273e9123f28c/artifacts?path=%2Fopt%2Fcursor%2Fartifacts%2Fscreenshot_check_runs_disabled.png) **Enabled state** — Toggle on with conclusion mode selector: [Check Runs Enabled](https://cursor.com/agents/bc-82fc8433-3e64-4f9f-a012-273e9123f28c/artifacts?path=%2Fopt%2Fcursor%2Fartifacts%2Fscreenshot_check_runs_enabled.png) **No permission state** — Permission prompt with action link: [Check Runs No Permission with Link](https://cursor.com/agents/bc-82fc8433-3e64-4f9f-a012-273e9123f28c/artifacts?path=%2Fopt%2Fcursor%2Fartifacts%2Fscreenshot_no_permission_with_link.png) ## Testing - Frontend lint, prettier, and typecheck all pass - Frontend unit tests: 603/603 passing - Ladle stories build and render correctly in all three states - Backend Go build and vet pass - Backend tests require PostgreSQL (not available in cloud agent) — will pass in CI ## References - Linear: ENG-3422 - ADR: `adr-checkrun-opt-in` (0024) - Related: ENG-3353, ENG-3406 <sub>To show artifacts inline, <a href="https://cursor.com/dashboard/cloud-agents#team-pull-requests">enable</a> in settings.</sub>  Linear Issue: [ENG-3422](https://linear.app/overmind/issue/ENG-3422/check-run-settings-ui-opt-in-gate) <div><a href="https://cursor.com/agents/bc-82fc8433-3e64-4f9f-a012-273e9123f28c"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-82fc8433-3e64-4f9f-a012-273e9123f28c"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: David Schmitt <DavidS-ovm@users.noreply.github.com> GitOrigin-RevId: eb94762f02aeb78a4215a278795377c83dad5bac

## Summary This PR adds a new Azure adapter for **Local Network Gateways** (`Microsoft.Network/localNetworkGateways`). Local Network Gateways represent an on-premises VPN device for cross-premises connectivity and are used in Azure Site-to-Site VPN connections. ## Changes ### New Files - `sources/azure/clients/local-network-gateways-client.go` - Client interface for Azure SDK - `sources/azure/shared/mocks/mock_local_network_gateways_client.go` - Generated mock for testing - `sources/azure/manual/network-local-network-gateway.go` - ListableWrapper adapter implementation - `sources/azure/manual/network-local-network-gateway_test.go` - Unit tests - `sources/azure/integration-tests/network-local-network-gateway_test.go` - Integration tests ### Modified Files - `sources/azure/manual/adapters.go` - Register the new adapter ## Linked Item Queries The adapter creates linked item queries for: - **Gateway IP Address** → `stdlib.NetworkIP` (GET) - **FQDN** → `stdlib.NetworkDNS` (SEARCH) - **BGP Peering Address** → `stdlib.NetworkIP` or `stdlib.NetworkDNS` (depending on whether it's an IP or hostname) - **BGP Peering Addresses[].DefaultBgpIPAddresses** → `stdlib.NetworkIP` (GET) - **BGP Peering Addresses[].CustomBgpIPAddresses** → `stdlib.NetworkIP` (GET) - **BGP Peering Addresses[].TunnelIPAddresses** → `stdlib.NetworkIP` (GET) ## Health Mapping | ProvisioningState | Health Status | | --- | --- | | Succeeded | HEALTH_OK | | Creating, Updating, Deleting | HEALTH_PENDING | | Failed, Canceled | HEALTH_ERROR | | default | HEALTH_UNKNOWN | ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.Network/localNetworkGateways/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 6 link types verified (GatewayIPAddress, Fqdn, BgpPeeringAddress, DefaultBgpIPAddresses, CustomBgpIPAddresses, TunnelIPAddresses). IP and DNS links present. - [x] **PotentialLinks**: 2 types listed (`stdlib.NetworkIP`, `stdlib.NetworkDNS`), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, Get_WithFqdn, Get_WithBgpSettings, GetWithEmptyName, ErrorHandling, List, ListStream, List_NilNameSkipped, GetLookups, PotentialLinks) - [x] **Integration test**: All sub-tests passing (Setup, Run, Teardown) against live Azure APIs All checklist items passed. Ready for review.  Linear Issue: [ENG-3543](https://linear.app/overmind/issue/ENG-3543/create-azure-adapter-networklocalnetworkgateway) <div><a href="https://cursor.com/agents/bc-f2cb6f1e-dfd8-4891-af28-8d705d452ba6"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-f2cb6f1e-dfd8-4891-af28-8d705d452ba6"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: e1e80aab0cd436a294c2a43dcd58fc3e099c053a

## Summary This PR adds a new Azure adapter for discovering **Network Watcher** resources (`NetworkNetworkWatcher` type). Network Watchers provide network monitoring, diagnostic, and analytics capabilities in Azure. ## Changes ### New Files - **`sources/azure/clients/network-watchers-client.go`** - Client interface wrapping `armnetwork.WatchersClient` - **`sources/azure/manual/network-network-watcher.go`** - Adapter implementation - **`sources/azure/manual/network-network-watcher_test.go`** - Unit tests - **`sources/azure/integration-tests/network-network-watcher_test.go`** - Integration test - **`sources/azure/shared/mocks/mock_network_watchers_client.go`** - Generated mock ### Modified Files - **`sources/azure/manual/adapters.go`** - Registered the new adapter ## Implementation Details - **ListableWrapper** adapter type for top-level resources - Health mapping from `ProvisioningState` to SDP health - Links to child `NetworkFlowLog` resources via SEARCH query - Requires `Microsoft.Network/networkWatchers/read` permission ## Self-Review Checklist - [x] Item type defined in `shared/item-types.go` - [x] Lookups properly defined - [x] Client interface with mockable methods - [x] Error handling with `azureshared.QueryError` - [x] Exhaustive `ProvisioningState` switch - [x] Unit tests pass - [x] Integration test handles Azure one-per-region limit - [x] Linting passes ## Related Closes ENG-3542  Linear Issue: [ENG-3542](https://linear.app/overmind/issue/ENG-3542/create-azure-adapter-networknetworkwatcher) <div><a href="https://cursor.com/agents/bc-057597d0-12b0-4d84-91db-ef70f46a6bc4"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-057597d0-12b0-4d84-91db-ef70f46a6bc4"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: 7e331567dfaacbc260feaef53acbb575f8cbcfa3

…4533)  ## Summary This PR implements a new Azure adapter for PostgreSQL Flexible Server Virtual Endpoints. Virtual endpoints are used in read scale-out scenarios where traffic can be distributed between primary and replica servers. ## Changes ### New Files - `sources/azure/clients/dbforpostgresql-flexible-server-virtual-endpoint-client.go` - Client interface for VirtualEndpointsClient - `sources/azure/shared/mocks/mock_dbforpostgresql_flexible_server_virtual_endpoint_client.go` - Generated mock - `sources/azure/manual/dbforpostgresql-flexible-server-virtual-endpoint.go` - SearchableWrapper adapter implementation - `sources/azure/manual/dbforpostgresql-flexible-server-virtual-endpoint_test.go` - Comprehensive unit tests - `sources/azure/integration-tests/dbforpostgresql-flexible-server-virtual-endpoint_test.go` - Integration test ### Modified Files - `sources/azure/manual/adapters.go` - Register the new adapter ## Implementation Details - **Wrapper Type**: `SearchableWrapper` - Virtual endpoints are child resources of Flexible Server - **Item Type**: `DBforPostgreSQLFlexibleServerVirtualEndpoint` (already defined in `item-types.go`) - **Parent Adapter**: `dbforpostgresql-flexible-server.go` (already has SEARCH link to this child type) - **SDK Package**: `armpostgresqlflexibleservers/v5` (already in go.mod) ### Linked Item Queries 1. **Parent server** - GET link to the PostgreSQL Flexible Server containing this endpoint 2. **Member servers** - GET links to all servers referenced in the `Members` field 3. **DNS endpoints** - SEARCH links to NetworkDNS for each virtual endpoint FQDN ### Methods Implemented - `Get(ctx, scope, serverName, virtualEndpointName)` - Get a specific virtual endpoint - `Search(ctx, scope, serverName)` - List all virtual endpoints for a server - `SearchStream(ctx, stream, cache, cacheKey, scope, serverName)` - Streaming variant of Search ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.DBforPostgreSQL/flexibleServers/virtualEndpoints/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 3 types verified (parent server, member servers, DNS endpoints) - [x] **PotentialLinks**: 2 types listed (`DBforPostgreSQLFlexibleServer`, `NetworkDNS`), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, Search, SearchStream, StaticTests, ErrorHandling, edge cases) - [x] **Integration test**: Skips when PostgreSQL credentials are not set (same pattern as other PostgreSQL child resource tests) All checklist items passed. Ready for review. ## Testing ### Unit Tests All unit tests pass: ``` === RUN TestDBforPostgreSQLFlexibleServerVirtualEndpoint --- PASS: TestDBforPostgreSQLFlexibleServerVirtualEndpoint (0.03s) --- PASS: Get, StaticTests, GetWithInsufficientQueryParts, GetWithEmptyServerName, GetWithEmptyVirtualEndpointName, Search, SearchStream, SearchWithInsufficientQueryParts, SearchWithEmptyServerName, ErrorHandling_Get, ErrorHandling_Search, PotentialLinks ``` ### Integration Test The integration test requires `AZURE_POSTGRESQL_SERVER_ADMIN_LOGIN` and `AZURE_POSTGRESQL_SERVER_ADMIN_PASSWORD` environment variables (same as other PostgreSQL child resource tests). When not set, it correctly skips. ### Linting ``` golangci-lint run ./sources/azure/... 0 issues. ``` Closes ENG-3549  Linear Issue: [ENG-3549](https://linear.app/overmind/issue/ENG-3549/create-azure-adapter-dbforpostgresqlflexibleservervirtualendpoint) <div><a href="https://cursor.com/agents/bc-b283f2db-00ed-4336-9db1-01b49504929d"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-b283f2db-00ed-4336-9db1-01b49504929d"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: d67cbe2919ab4791f0be91c978002e13e2c4b02d

## Summary This PR adds a new Azure adapter for Batch Private Endpoint Connections (`Microsoft.Batch/batchAccounts/privateEndpointConnections`). The adapter is a child resource of Batch Account and implements `SearchableWrapper`, enabling Get, Search, and SearchStream operations. ## Changes ### New Files - `sources/azure/clients/batch-private-endpoint-connection-client.go` - Client interface wrapping the Azure SDK - `sources/azure/manual/batch-private-endpoint-connection.go` - Adapter implementation - `sources/azure/manual/batch-private-endpoint-connection_test.go` - Comprehensive unit tests - `sources/azure/integration-tests/batch-private-endpoint-connection_test.go` - Integration test - `sources/azure/shared/mocks/mock_batch_private_endpoint_connection_client.go` - Generated mock ### Modified Files - `sources/azure/manual/adapters.go` - Register the new adapter ## Features - **SearchableWrapper Implementation**: Get by account name + connection name, Search by account name - **Health Mapping**: Maps `ProvisioningState` to SDP health states (Succeeded → OK, Creating/Updating/Deleting → PENDING, Failed/Cancelled → ERROR) - **Linked Items**: - GET link to parent Batch Account - GET link to Network Private Endpoint (when present, with cross-resource-group support) - **Validation**: Empty string validation for all required query parts in Get, Search, and SearchStream ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.Batch/batchAccounts/privateEndpointConnections/read` - [x] **PredefinedRole**: Present, uses `Azure Batch Account Reader` - [x] **LinkedItemQueries**: 2 links verified (BatchAccount GET, NetworkPrivateEndpoint GET when present). No IP/DNS fields in this resource. - [x] **PotentialLinks**: 2 types listed (BatchBatchAccount, NetworkPrivateEndpoint), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, Get_WithPrivateEndpointLink, GetWithInsufficientQueryParts, GetWithEmptyAccountName, GetWithEmptyConnectionName, Search, SearchStream, Search_NilNameSkipped, Search_InvalidQueryParts, SearchWithEmptyAccountName, ErrorHandling_Get, PotentialLinks, HealthMapping) - [x] **Integration test**: Present with Setup/Run/Teardown structure (skipped due to Azure Batch quota limits in test subscription - this is expected behavior) - [x] **Parent adapter link**: Parent adapter `batch-batch-accounts.go` already has SEARCH link to `BatchBatchPrivateEndpointConnection` (line 297) and includes it in `PotentialLinks` (line 423) All checklist items passed. Ready for review. Closes ENG-3547  Linear Issue: [ENG-3547](https://linear.app/overmind/issue/ENG-3547/create-azure-adapter-batchbatchprivateendpointconnection) <div><a href="https://cursor.com/agents/bc-962f4192-05ab-424a-b453-0ac3e0244364"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-962f4192-05ab-424a-b453-0ac3e0244364"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: 38814ee770c275eded54d223bbf259929e15f322

## Summary This PR adds a new Azure adapter for PostgreSQL Flexible Server Administrators (Microsoft Entra integration). The adapter enables discovery and linking of Microsoft Entra administrators configured on PostgreSQL Flexible Servers. ## Changes ### New Files - `sources/azure/clients/dbforpostgresql-flexible-server-administrator-client.go` - Client interface wrapping Azure SDK - `sources/azure/shared/mocks/mock_dbforpostgresql_flexible_server_administrator_client.go` - Generated mock for testing - `sources/azure/manual/dbforpostgresql-flexible-server-administrator.go` - SearchableWrapper adapter implementation - `sources/azure/manual/dbforpostgresql-flexible-server-administrator_test.go` - Unit tests - `sources/azure/integration-tests/dbforpostgresql-flexible-server-administrator_test.go` - Integration test ### Modified Files - `sources/azure/manual/adapters.go` - Registered the new adapter ## Adapter Details **Wrapper Type**: SearchableWrapper (child resource of Flexible Server) **Methods**: - `Get(scope, serverName, objectId)` - Retrieves a single administrator - `Search(scope, serverName)` - Lists all administrators for a server - `SearchStream` - Streaming variant of Search **Unique Attribute**: Composite key of `serverName|objectId` **Linked Items**: - GET link to parent `DBforPostgreSQLFlexibleServer` The parent adapter (`dbforpostgresql-flexible-server.go`) already has a SEARCH link to this child type. ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.DBforPostgreSQL/flexibleServers/administrators/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 1 link verified (GET link to parent PostgreSQL Flexible Server) - [x] **PotentialLinks**: 1 type listed (`DBforPostgreSQLFlexibleServer`), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, Search, SearchStream, StaticTests, ErrorHandling, GetWithInsufficientQueryParts, GetWithEmptyServerName, GetWithEmptyObjectId, SearchWithEmptyServerName, SearchWithNoQueryParts, Search_AdminWithNilName) - [x] **Integration test**: Present with Setup/Run/Teardown structure, correctly skips when credentials not available All checklist items passed. Ready for review. ## Testing Unit tests pass: ``` === RUN TestDBforPostgreSQLFlexibleServerAdministrator --- PASS: TestDBforPostgreSQLFlexibleServerAdministrator (0.03s) ``` Integration test skips gracefully when required environment variables are not set (requires `AZURE_POSTGRESQL_ENTRA_ADMIN_*` variables for Entra authentication testing).  Linear Issue: [ENG-3548](https://linear.app/overmind/issue/ENG-3548/create-azure-adapter-dbforpostgresqlflexibleserveradministrator) <div><a href="https://cursor.com/agents/bc-a72a018f-143a-4c0e-9dcc-04fca792e369"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-a72a018f-143a-4c0e-9dcc-04fca792e369"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: 97440233d5d3bbe46e4b3758da0b86d134255adb

## Summary This PR adds a new Azure adapter for Elastic SAN Volumes (`ElasticSanVolume`), following the azure-adapter-creation skill workflow. ## Changes ### Client Interface - `sources/azure/clients/elastic-san-volume-client.go`: Client interface wrapping Azure SDK's `VolumesClient` - `sources/azure/shared/mocks/mock_elastic_san_volume_client.go`: Generated mock for testing ### Adapter Implementation - `sources/azure/manual/elastic-san-volume.go`: SearchableWrapper implementation for ElasticSanVolume - `Get`: Retrieves a single volume by elasticSanName, volumeGroupName, volumeName - `Search`: Lists all volumes under a volume group - `SearchStream`: Streaming variant of Search - Linked item queries to parent ElasticSan, VolumeGroup, source snapshot/volume, ManagedBy VM, and DNS hostname ### Registration - `sources/azure/manual/adapters.go`: Added client creation and adapter registration ### Tests - `sources/azure/manual/elastic-san-volume_test.go`: Unit tests with mocks - `sources/azure/integration-tests/elastic-san-volume_test.go`: Integration tests against real Azure APIs ## Linked Item Queries The adapter creates linked item queries for: - **Parent ElasticSan** (GET) - **Parent ElasticSanVolumeGroup** (GET with composite key) - **Source ElasticSanVolumeSnapshot** (GET when created from snapshot) - **Source ElasticSanVolume** (GET when cloned from volume) - **ManagedBy ComputeVirtualMachine** (GET when managed by VM) - **StorageTarget DNS hostname** (SEARCH via NetworkDNS) ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.ElasticSan/elasticSans/volumegroups/volumes/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 6 link types verified (ElasticSan, VolumeGroup, VolumeSnapshot, Volume, VM, DNS). DNS link for StorageTarget hostname included. - [x] **PotentialLinks**: 6 types listed (ElasticSan, ElasticSanVolumeGroup, ElasticSanVolumeSnapshot, ElasticSanVolume, ComputeVirtualMachine, NetworkDNS), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, GetWithLinks, GetWithInsufficientQueryParts, GetWithEmpty*, ErrorHandling, Search, SearchWithEmpty*, SearchStream, StaticTests) - [x] **Integration test**: All sub-tests passing (Setup, Run/GetVolume, Run/SearchVolumes, Run/VerifyLinkedItems, Run/VerifyItemAttributes, Teardown) against live Azure APIs All checklist items passed. Ready for review. ## Related - Linear Issue: ENG-3546 - Parent Adapter: `elastic-san-volume-group.go` (already has SEARCH link to ElasticSanVolume)  Linear Issue: [ENG-3546](https://linear.app/overmind/issue/ENG-3546/create-azure-adapter-elasticsanvolume) <div><a href="https://cursor.com/agents/bc-2a755c21-1fe0-4be9-b498-c4f3f7520652"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-2a755c21-1fe0-4be9-b498-c4f3f7520652"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: 2708a089bc7b13fbe57e03128564d18e60201374

## Summary Adds a new Azure adapter for IP Groups, which are collections of IP addresses and CIDR ranges used for firewall rules. ## Changes - **Client Interface**: Added `IPGroupsClient` interface in `sources/azure/clients/ip-groups-client.go` - **Adapter**: Implemented `NetworkIPGroup` ListableWrapper in `sources/azure/manual/network-ip-group.go` - **Item Types**: Added `NetworkIPGroup`, `NetworkFirewall`, and `NetworkFirewallPolicy` item types - **Registration**: Registered the adapter in `adapters.go` - **Unit Tests**: Comprehensive unit tests covering Get, List, ListStream, error handling, health status mapping, and interface compliance - **Integration Test**: Integration test verified against live Azure APIs ## Linked Items The adapter creates linked item queries for: - **IP addresses**: Each IP address/CIDR in the IP Group links to `stdlib.NetworkIP` (GET, global scope) - **Firewalls**: References to Azure Firewalls using this IP Group (via `NetworkFirewall`) - **Firewall Policies**: References to Firewall Policies using this IP Group (via `NetworkFirewallPolicy`) ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.Network/ipGroups/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 3 link types verified (IP addresses, Firewalls, FirewallPolicies) - [x] **PotentialLinks**: 3 types listed (stdlib.NetworkIP, NetworkFirewall, NetworkFirewallPolicy), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, StaticTests, GetWithEmptyName, NilName handling, List, ListStream, ErrorHandling, InterfaceCompliance, HealthStatus) - [x] **Integration test**: All sub-tests passing (Setup, Run/GetIPGroup, Run/ListIPGroups, Run/VerifyItemAttributes, Run/VerifyLinkedItems, Teardown) against live Azure APIs All checklist items passed. Ready for review. Closes ENG-3553  Linear Issue: [ENG-3553](https://linear.app/overmind/issue/ENG-3553/create-azure-adapter-networkipgroup) <div><a href="https://cursor.com/agents/bc-f157a60b-3abd-47df-9039-cce55f589931"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-f157a60b-3abd-47df-9039-cce55f589931"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: cf27e510842cad09cabf630c052f2e7ec00cf07c

## Summary Creates a new Azure adapter for SQL Server Failover Groups, following the azure-adapter-creation skill workflow. ## Changes ### New Files - `sources/azure/clients/sql-failover-groups-client.go` - Client interface for Azure SQL Failover Groups SDK - `sources/azure/manual/sql-server-failover-group.go` - SearchableWrapper adapter implementation - `sources/azure/manual/sql-server-failover-group_test.go` - Unit tests - `sources/azure/integration-tests/sql-server-failover-group_test.go` - Integration tests (requires SQL admin credentials) - `sources/azure/shared/mocks/mock_sql_failover_groups_client.go` - Generated mock ### Modified Files - `sources/azure/manual/adapters.go` - Registered the adapter ## Implementation Details - **Wrapper type**: SearchableWrapper (client.Get takes resourceGroupName, serverName, failoverGroupName) - **UniqueAttribute**: Composite key via `shared.CompositeLookupKey(serverName, failoverGroupName)` - **SDK package**: `armsql/v2` (already in go.mod) - **Parent adapter**: `sql-server.go` already has SEARCH link to this child type ### Linked Items - Parent SQL Server (GET) - Partner servers (GET with cross-resource-group scope extraction) - Databases in the failover group (GET with composite key) - Read-only endpoint target server (GET) ### Health Mapping - Empty string / normal → HEALTH_OK - CATCH_UP, PENDING, SEEDING → HEALTH_PENDING - SUSPENDED → HEALTH_WARNING - Unknown states → HEALTH_UNKNOWN ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.Sql/servers/failoverGroups/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 4 link types verified (parent server, partner servers, databases, target server) - [x] **PotentialLinks**: 2 types listed (SQLServer, SQLDatabase), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, Search, SearchStream, StaticTests, ErrorHandling, edge cases) - [x] **Integration test**: Present and structurally correct (skips when SQL admin credentials not available) All checklist items passed. Ready for review. ## Testing Unit tests pass: ``` === RUN TestSqlServerFailoverGroup --- PASS: TestSqlServerFailoverGroup (0.03s) --- PASS: TestSqlServerFailoverGroup/Get --- PASS: TestSqlServerFailoverGroup/Get_WithInsufficientQueryParts --- PASS: TestSqlServerFailoverGroup/GetWithEmptyServerName --- PASS: TestSqlServerFailoverGroup/GetWithEmptyFailoverGroupName --- PASS: TestSqlServerFailoverGroup/Search --- PASS: TestSqlServerFailoverGroup/SearchStream --- PASS: TestSqlServerFailoverGroup/SearchWithEmptyServerName --- PASS: TestSqlServerFailoverGroup/Search_InvalidQueryParts --- PASS: TestSqlServerFailoverGroup/Search_WithNilName --- PASS: TestSqlServerFailoverGroup/ErrorHandling_Get --- PASS: TestSqlServerFailoverGroup/ErrorHandling_Search --- PASS: TestSqlServerFailoverGroup/InterfaceCompliance ``` Linting passes: ``` golangci-lint run ./sources/azure/... 0 issues. ``` Resolves ENG-3551  Linear Issue: [ENG-3551](https://linear.app/overmind/issue/ENG-3551/create-azure-adapter-sqlserverfailovergroup) <div><a href="https://cursor.com/agents/bc-395e64c7-6cd3-437f-ac44-70ac02f0a153"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-395e64c7-6cd3-437f-ac44-70ac02f0a153"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: b1a861686385e61721059943f5ab67671b29a93b

## Summary This PR adds a new Azure adapter for Private Link Services (`NetworkPrivateLinkService`). The adapter discovers Azure Private Link Service resources and creates linked item queries to related resources. ## Changes ### New Files - `sources/azure/clients/private-link-services-client.go` - Client interface for Azure Private Link Services - `sources/azure/shared/mocks/mock_private_link_services_client.go` - Generated mock for testing - `sources/azure/manual/network-private-link-service.go` - Adapter implementation - `sources/azure/manual/network-private-link-service_test.go` - Unit tests - `sources/azure/integration-tests/network-private-link-service_test.go` - Integration tests ### Modified Files - `sources/azure/manual/adapters.go` - Registration of the new adapter ## Linked Items The adapter creates linked item queries to the following resource types: | Linked Resource Type | Source Field | Method | | --- | --- | --- | | NetworkSubnet | IPConfigurations[].Properties.Subnet | GET | | NetworkVirtualNetwork | (parent of subnet) | GET | | NetworkLoadBalancerFrontendIPConfiguration | LoadBalancerFrontendIPConfigurations | GET | | NetworkLoadBalancer | (parent of frontend IP config) | GET | | NetworkNetworkInterface | NetworkInterfaces | GET | | NetworkPrivateEndpoint | PrivateEndpointConnections[].PrivateEndpoint | GET | | ExtendedLocationCustomLocation | ExtendedLocation.Name (when customLocations) | GET | | stdlib.NetworkIP | IPConfigurations[].Properties.PrivateIPAddress, DestinationIPAddress | GET | | stdlib.NetworkDNS | Fqdns, Alias | SEARCH | ## Health Status Mapping Maps `ProvisioningState` to SDP health: - `Succeeded` → HEALTH_OK - `Creating`, `Updating`, `Deleting` → HEALTH_PENDING - `Failed`, `Canceled` → HEALTH_ERROR - Default → HEALTH_UNKNOWN ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.Network/privateLinkServices/read` - [x] **PredefinedRole**: Present, uses `Network Contributor` - [x] **LinkedItemQueries**: 9 link types verified (Subnet, VirtualNetwork, LoadBalancerFrontendIPConfiguration, LoadBalancer, NetworkInterface, PrivateEndpoint, ExtendedLocationCustomLocation, IP, DNS). DNS includes both Fqdns and Alias fields. - [x] **PotentialLinks**: 9 types listed, matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, List, ListStream, StaticTests, ErrorHandling, Get_EmptyName, List_WithNilName, PotentialLinks) - [x] **Integration test**: All sub-tests passing (Setup, Run, Teardown) against live Azure APIs All checklist items passed. Ready for review. ## Related Issue ENG-3552  Linear Issue: [ENG-3552](https://linear.app/overmind/issue/ENG-3552/create-azure-adapter-networkprivatelinkservice) <div><a href="https://cursor.com/agents/bc-48fc0407-80ce-4546-a7d7-135b42dfe4ba"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-48fc0407-80ce-4546-a7d7-135b42dfe4ba"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: 62a0ffaa26a4afd7fa103668d183fb68148d129c

## Summary This PR creates an Azure adapter for Network Interface IP Configurations, which are child resources of Network Interfaces. The adapter follows the SearchableWrapper pattern since the SDK's `client.Get()` method requires both `networkInterfaceName` and `ipConfigurationName` parameters. ## Changes ### New Files - `sources/azure/clients/interface-ip-configurations-client.go` - Client interface for InterfaceIPConfigurationsClient - `sources/azure/manual/network-network-interface-ip-configuration.go` - Adapter implementation - `sources/azure/manual/network-network-interface-ip-configuration_test.go` - Unit tests - `sources/azure/integration-tests/network-network-interface-ip-configuration_test.go` - Integration test - `sources/azure/shared/mocks/mock_interface_ip_configurations_client.go` - Generated mock ### Modified Files - `sources/azure/manual/adapters.go` - Registered the new adapter ## Features - **Get** by composite key (`networkInterfaceName|ipConfigurationName`) - **Search** by networkInterfaceName to list all IP configurations under a NIC - **SearchStream** for streaming results with caching - **Health status** mapping from ProvisioningState (Succeeded→OK, Updating/Deleting/Creating→PENDING, Failed/Canceled→ERROR) ### Linked Items - Parent NetworkInterface (GET) - Subnet (GET with composite key) - Public IP Address (GET) - Private IP Address (stdlib.NetworkIP) - Application Security Groups (GET) - Load Balancer Backend Address Pools (GET with composite key) - Load Balancer Inbound NAT Rules (GET with composite key) - Application Gateway Backend Address Pools (GET with composite key) - Gateway Load Balancer Frontend IP Configuration (GET with composite key) - Virtual Network Taps (GET) - FQDNs from PrivateLinkConnectionProperties (stdlib.NetworkDNS) ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.Network/networkInterfaces/ipConfigurations/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 11 link types verified (parent NIC, subnet, public IP, private IP, ASGs, LB pools, NAT rules, App Gateway pools, Gateway LB, VNet taps, FQDNs). IP and DNS links present. - [x] **PotentialLinks**: 11 types listed, matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, Search, SearchStream, StaticTests, ErrorHandling, empty name validation, health status, ASG links, FQDN links) - [x] **Integration test**: All sub-tests passing (Setup, Run/GetIPConfiguration, Run/SearchIPConfigurations, Run/VerifyLinkedItems, Run/VerifyItemAttributes, Teardown) against live Azure APIs All checklist items passed. Ready for review. ## Testing Unit tests: ``` === RUN TestNetworkNetworkInterfaceIPConfiguration --- PASS: TestNetworkNetworkInterfaceIPConfiguration (0.03s) --- PASS: TestNetworkNetworkInterfaceIPConfiguration/Get --- PASS: TestNetworkNetworkInterfaceIPConfiguration/GetWithInsufficientQueryParts --- PASS: TestNetworkNetworkInterfaceIPConfiguration/GetWithEmptyNetworkInterfaceName --- PASS: TestNetworkNetworkInterfaceIPConfiguration/GetWithEmptyIPConfigName --- PASS: TestNetworkNetworkInterfaceIPConfiguration/Search --- PASS: TestNetworkNetworkInterfaceIPConfiguration/SearchWithEmptyNetworkInterfaceName --- PASS: TestNetworkNetworkInterfaceIPConfiguration/SearchWithNoQueryParts --- PASS: TestNetworkNetworkInterfaceIPConfiguration/Search_IPConfigWithNilName --- PASS: TestNetworkNetworkInterfaceIPConfiguration/ErrorHandling_Get --- PASS: TestNetworkNetworkInterfaceIPConfiguration/ErrorHandling_Search --- PASS: TestNetworkNetworkInterfaceIPConfiguration/InterfaceCompliance --- PASS: TestNetworkNetworkInterfaceIPConfiguration/HealthStatus_Pending --- PASS: TestNetworkNetworkInterfaceIPConfiguration/HealthStatus_Error --- PASS: TestNetworkNetworkInterfaceIPConfiguration/GetWithApplicationSecurityGroups --- PASS: TestNetworkNetworkInterfaceIPConfiguration/GetWithFQDNs ``` Integration test: ``` === RUN TestNetworkNetworkInterfaceIPConfigurationIntegration --- PASS: TestNetworkNetworkInterfaceIPConfigurationIntegration (22.58s) --- PASS: TestNetworkNetworkInterfaceIPConfigurationIntegration/Setup (6.06s) --- PASS: TestNetworkNetworkInterfaceIPConfigurationIntegration/Run (0.82s) --- PASS: TestNetworkNetworkInterfaceIPConfigurationIntegration/Run/GetIPConfiguration (0.31s) --- PASS: TestNetworkNetworkInterfaceIPConfigurationIntegration/Run/SearchIPConfigurations (0.10s) --- PASS: TestNetworkNetworkInterfaceIPConfigurationIntegration/Run/VerifyLinkedItems (0.30s) --- PASS: TestNetworkNetworkInterfaceIPConfigurationIntegration/Run/VerifyItemAttributes (0.11s) --- PASS: TestNetworkNetworkInterfaceIPConfigurationIntegration/Teardown (15.70s) ``` ## Related Issue ENG-3556  Linear Issue: [ENG-3556](https://linear.app/overmind/issue/ENG-3556/create-azure-adapter-networknetworkinterfaceipconfiguration) <div><a href="https://cursor.com/agents/bc-7f1f252a-0ab0-4121-b5e9-c47d9bfa0425"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-7f1f252a-0ab0-4121-b5e9-c47d9bfa0425"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: f9e085f9873d4fbe8680e7deb1f2dc6e7aeafcb0

## Summary This PR adds a new Azure adapter for `FederatedIdentityCredential` resources, which are child resources of User Assigned Identities. Federated Identity Credentials enable workload identity federation, allowing external identities (like GitHub Actions, Kubernetes, or other identity providers) to authenticate to Azure without needing to manage secrets. ## Changes ### New Files - `sources/azure/clients/federated-identity-credentials-client.go` - Client interface wrapping the Azure SDK `FederatedIdentityCredentialsClient` - `sources/azure/manual/managedidentity-federated-identity-credential.go` - SearchableWrapper adapter implementation with Get/Search/SearchStream - `sources/azure/manual/managedidentity-federated-identity-credential_test.go` - Comprehensive unit tests - `sources/azure/integration-tests/managedidentity-federated-identity-credential_test.go` - Integration test against live Azure APIs - `sources/azure/shared/mocks/mock_federated_identity_credentials_client.go` - Generated mock for testing ### Modified Files - `sources/azure/manual/adapters.go` - Register the new adapter - `.cursor/skills/azure-adapter-creation/SKILL.md` - Updated skill to better document URL field handling for DNS links ### Key Implementation Details - **Wrapper Type**: `SearchableWrapper` (child resource requiring identity name + credential name for Get) - **Parent Resource**: `ManagedIdentityUserAssignedIdentity` (already has SEARCH link to this child type) - **UniqueAttribute**: Composite key via `shared.CompositeLookupKey(identityName, credentialName)` - **Linked Items**: - GET link back to parent `ManagedIdentityUserAssignedIdentity` - DNS link for `Issuer` URL hostname (e.g., `token.actions.githubusercontent.com`) - **IAM Permission**: `Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read` - **Predefined Role**: `Reader` ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 2 links verified (GET link to parent ManagedIdentityUserAssignedIdentity, DNS link for Issuer URL hostname) - [x] **PotentialLinks**: 2 types listed (`ManagedIdentityUserAssignedIdentity`, `stdlib.NetworkDNS`), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, GetWithInsufficientQueryParts, GetWithEmptyIdentityName, GetWithEmptyCredentialName, Search, SearchStream, SearchWithEmptyIdentityName, SearchWithNoQueryParts, Search_CredentialWithNilName, ErrorHandling_Get, ErrorHandling_Search, StaticTests) - [x] **Integration test**: All sub-tests passing (Setup, Run/GetFederatedIdentityCredential, Run/SearchFederatedIdentityCredentials, Run/VerifyLinkedItems, Run/VerifyItemAttributes, Teardown) against live Azure APIs All checklist items passed. Ready for review. ## Skill Update Updated `.cursor/skills/azure-adapter-creation/SKILL.md` to better document URL field handling: - Added `Issuer`, `IssuerUri`, `Authority`, `TenantUri` to the list of commonly missed URL field names - Clarified that URL fields need DNS links even when the field name doesn't contain "DNS" or "FQDN" - Referenced `azureshared.ExtractDNSFromURL()` helper for extracting hostnames from URLs ## Testing ``` === RUN TestManagedIdentityFederatedIdentityCredentialIntegration --- PASS: TestManagedIdentityFederatedIdentityCredentialIntegration (11.32s) --- PASS: TestManagedIdentityFederatedIdentityCredentialIntegration/Setup (6.13s) --- PASS: TestManagedIdentityFederatedIdentityCredentialIntegration/Run (0.78s) --- PASS: TestManagedIdentityFederatedIdentityCredentialIntegration/Run/GetFederatedIdentityCredential (0.36s) --- PASS: TestManagedIdentityFederatedIdentityCredentialIntegration/Run/SearchFederatedIdentityCredentials (0.13s) --- PASS: TestManagedIdentityFederatedIdentityCredentialIntegration/Run/VerifyLinkedItems (0.14s) --- PASS: TestManagedIdentityFederatedIdentityCredentialIntegration/Run/VerifyItemAttributes (0.15s) --- PASS: TestManagedIdentityFederatedIdentityCredentialIntegration/Teardown (4.41s) PASS ``` Closes ENG-3545  Linear Issue: [ENG-3545](https://linear.app/overmind/issue/ENG-3545/create-azure-adapter-managedidentityfederatedidentitycredential) <div><a href="https://cursor.com/agents/bc-1d4b9337-65c1-4b3c-947d-9a305d3ca59b"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-1d4b9337-65c1-4b3c-947d-9a305d3ca59b"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> GitOrigin-RevId: ab6d8c9b866ae1a050fcb0055ccc9afa2df09f09

## Summary Creates a new Azure adapter for `OperationalInsightsWorkspace` (Log Analytics Workspace) resources. ## Changes ### New Files - `sources/azure/clients/operational-insights-workspace-client.go` - Client interface wrapping Azure SDK - `sources/azure/shared/mocks/mock_operational_insights_workspace_client.go` - Generated mock client - `sources/azure/manual/operational-insights-workspace.go` - Adapter implementation using `ListableWrapper` - `sources/azure/manual/operational-insights-workspace_test.go` - Unit tests - `sources/azure/integration-tests/operational-insights-workspace_test.go` - Integration tests ### Modified Files - `sources/azure/shared/models.go` - Added `Insights` API, `Cluster` and `PrivateLinkScopeScopedResource` resource constants - `sources/azure/shared/item-types.go` - Added `OperationalInsightsWorkspace`, `OperationalInsightsCluster`, and `InsightsPrivateLinkScopeScopedResource` item types - `sources/azure/manual/adapters.go` - Registered the new adapter - `go.mod` / `go.sum` - Added `armoperationalinsights` SDK dependency ## Adapter Details - **Type**: `ListableWrapper` (top-level resource scoped to resource groups) - **Category**: `ADAPTER_CATEGORY_OBSERVABILITY` - **Health Mapping**: Maps `ProvisioningState` to SDP health status - **Linked Items**: - `OperationalInsightsCluster` - via `Properties.Features.ClusterResourceID` - `InsightsPrivateLinkScopeScopedResource` - via `Properties.PrivateLinkScopedResources[].ResourceID` (using composite lookup key for child resource) - **IAM Permission**: `Microsoft.OperationalInsights/workspaces/read` - **Predefined Role**: `Log Analytics Reader` ## Testing - Unit tests cover Get, List, ListStream, error handling, health state mapping, and cross-resource-group links - Integration test creates actual Azure resources and verifies adapter behavior (skips gracefully if service principal lacks permissions) - All tests pass locally  Linear Issue: [ENG-3550](https://linear.app/overmind/issue/ENG-3550/create-azure-adapter-operationalinsightsworkspace) <div><a href="https://cursor.com/agents/bc-061cf487-00ae-466f-932e-7aef5591cc06"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-061cf487-00ae-466f-932e-7aef5591cc06"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: 70d59ce34a023205779927eb148648f51f837eba

## Summary Add a new Azure adapter for SQL Server Keys (child resource of SQL Server), following the SearchableWrapper pattern for child resources. ## Changes ### New Files - `sources/azure/clients/sql-server-keys-client.go` - Client interface for Azure SDK ServerKeysClient - `sources/azure/manual/sql-server-key.go` - Adapter implementation - `sources/azure/manual/sql-server-key_test.go` - Unit tests - `sources/azure/integration-tests/sql-server-key_test.go` - Integration tests - `sources/azure/shared/mocks/mock_sql_server_keys_client.go` - Generated mock ### Modified Files - `sources/azure/manual/adapters.go` - Register the new adapter ## Implementation Details ### Wrapper Type SearchableWrapper - because `client.Get()` requires `resourceGroupName`, `serverName`, and `keyName` (parent name + child name) ### Linked Items 1. **SQL Server (parent)** - GET link back to the parent SQL Server 2. **Key Vault Key** - GET link when the key type is `AzureKeyVault` (extracted from the URI field) ### Key Types Supported - **ServiceManaged** - Default key managed by Azure, no Key Vault link - **AzureKeyVault** - Customer-managed key with link to Key Vault Key ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.Sql/servers/keys/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: 2 links verified (SQLServer parent GET, KeyVaultKey GET when URI present) - [x] **PotentialLinks**: 2 types listed (SQLServer, KeyVaultKey), matches LinkedItemQueries - [x] **Unit tests**: All passing (Get, Get_WithKeyVaultKey, GetWithInsufficientQueryParts, GetWithEmptyServerName, GetWithEmptyKeyName, Search, SearchStream, Search_WithNilName, Search_InvalidQueryParts, SearchWithEmptyServerName, ErrorHandling_Get, ErrorHandling_Search, InterfaceCompliance) - [x] **Integration test**: All sub-tests passing (Setup, Run/GetSQLServerKey, Run/SearchSQLServerKeys, Run/VerifyLinkedItems, Run/VerifyItemAttributes, Teardown) against live Azure APIs All checklist items passed. Ready for review. ## Testing ### Unit Tests ``` === RUN TestSqlServerKey --- PASS: TestSqlServerKey (0.03s) --- PASS: TestSqlServerKey/Get (0.03s) --- PASS: TestSqlServerKey/Get_WithKeyVaultKey (0.00s) --- PASS: TestSqlServerKey/GetWithInsufficientQueryParts (0.00s) --- PASS: TestSqlServerKey/GetWithEmptyServerName (0.00s) --- PASS: TestSqlServerKey/GetWithEmptyKeyName (0.00s) --- PASS: TestSqlServerKey/Search (0.00s) --- PASS: TestSqlServerKey/SearchStream (0.00s) --- PASS: TestSqlServerKey/Search_WithNilName (0.00s) --- PASS: TestSqlServerKey/Search_InvalidQueryParts (0.00s) --- PASS: TestSqlServerKey/SearchWithEmptyServerName (0.00s) --- PASS: TestSqlServerKey/ErrorHandling_Get (0.00s) --- PASS: TestSqlServerKey/ErrorHandling_Search (0.00s) --- PASS: TestSqlServerKey/InterfaceCompliance (0.00s) ``` ### Integration Tests ``` === RUN TestSQLServerKeyIntegration --- PASS: TestSQLServerKeyIntegration (1.79s) --- PASS: TestSQLServerKeyIntegration/Setup (1.08s) --- PASS: TestSQLServerKeyIntegration/Run (0.71s) --- PASS: TestSQLServerKeyIntegration/Run/GetSQLServerKey (0.17s) --- PASS: TestSQLServerKeyIntegration/Run/SearchSQLServerKeys (0.12s) --- PASS: TestSQLServerKeyIntegration/Run/VerifyLinkedItems (0.32s) --- PASS: TestSQLServerKeyIntegration/Run/VerifyItemAttributes (0.11s) --- PASS: TestSQLServerKeyIntegration/Teardown (0.00s) ``` ## Notes - The parent SQL Server adapter already has the SEARCH link to SQLServerKey (verified in `sql-server.go` line 190 and `sql-server_test.go` line 137) - The item type `SQLServerKey` was already defined in `sources/azure/shared/item-types.go` - Integration tests reuse existing SQL Server resources when admin credentials are not available, making them more robust  Linear Issue: [ENG-3559](https://linear.app/overmind/issue/ENG-3559/create-azure-adapter-sqlserverkey) <div><a href="https://cursor.com/agents/bc-b8746e97-787a-4da0-a218-707478f892ef"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-b8746e97-787a-4da0-a218-707478f892ef"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com> GitOrigin-RevId: c9ac2c26c66d9f10c613dd4b8927bba5262d9b91

## Summary This PR adds a new Azure adapter for Role Definitions (`AuthorizationRoleDefinition`), enabling discovery of Azure RBAC role definitions at the subscription scope. ## Changes - **Client interface**: `sources/azure/clients/role-definitions-client.go` - Interface wrapping the Azure SDK `RoleDefinitionsClient` - **Mock**: `sources/azure/shared/mocks/mock_role_definitions_client.go` - Generated mock for unit testing - **Adapter**: `sources/azure/manual/authorization-role-definition.go` - Subscription-scoped `ListableWrapper` implementation - **Registration**: Updated `sources/azure/manual/adapters.go` to register the adapter - **Unit tests**: `sources/azure/manual/authorization-role-definition_test.go` - Comprehensive test coverage - **Integration test**: `sources/azure/integration-tests/authorization-role-definition_test.go` - Tests against live Azure APIs - **New item types**: Added `ResourcesSubscription` and `ResourcesResourceGroup` for linked item queries - **New helper**: Added `ExtractResourceGroupFromResourceID` utility function ## Implementation Details - **Wrapper type**: `ListableWrapper` with `SubscriptionBase` (subscription-scoped resource) - **Item type**: `AuthorizationRoleDefinition` (already defined in `item-types.go`) - **API**: Uses `client.Get(ctx, scope, roleDefinitionID, options)` and `client.NewListPager(scope, options)` where `scope` is the Azure resource scope string (e.g., `/subscriptions/{sub}`) - **Unique attribute**: `name` (the role definition GUID) - **Linked items**: Links to `ResourcesSubscription` and `ResourcesResourceGroup` from the `AssignableScopes` field ## Self-Review Checklist - [x] **IAMPermissions**: Present, references `Microsoft.Authorization/roleDefinitions/read` - [x] **PredefinedRole**: Present, uses `Reader` - [x] **LinkedItemQueries**: Links to subscriptions and resource groups from `AssignableScopes` field - [x] **PotentialLinks**: Includes `ResourcesSubscription` and `ResourcesResourceGroup` - [x] **Unit tests**: All passing (Get, List, ListStream, error handling, interface compliance, StaticTests) - [x] **Integration test**: All sub-tests passing (Setup, Run, Teardown) against live Azure APIs - verified Reader, Contributor, Owner built-in roles All checklist items passed. Ready for review. ## Related - Linear issue: ENG-3557 - Reference adapter: `authorization-role-assignment.go` (same `armauthorization` package)  Linear Issue: [ENG-3557](https://linear.app/overmind/issue/ENG-3557/create-azure-adapter-authorizationroledefinition) <div><a href="https://cursor.com/agents/bc-fb889427-749c-4076-837f-c450b24babe0"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-fb889427-749c-4076-837f-c450b24babe0"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> GitOrigin-RevId: 9f62e2c0d39496048e9fb6325869ba03107320b6

…ck (#4556)  ## Problem The `gcp-source` dataset in dogfood Honeycomb shows ~600 disconnected `HTTP GET` spans per hour — orphan root spans from `otelhttp` client instrumentation on the GCP REST client (`cloudresourcemanager.googleapis.com`). These spans are disconnected because the calling contexts carry no active trace: 1. **Heartbeat readiness check** (every 30s per pod) — `SendHeartbeat` reads a span from context via `trace.SpanFromContext(ctx)` but never starts one. The heartbeat context is derived from `context.WithCancel(backgroundJobContext)` which has no trace parent. 2. **Startup health check** (one-time per pod) — `InitializeAdapters` calls `healthChecker.Check(ctx)` with the process signal context (no trace). K8s probe handlers are **not** affected — `ReadinessProbeHandlerFunc` and `LivenessProbeHandlerFunc` already start their own spans. ## Changes ### `go/discovery/heartbeat.go` - Replace `span := trace.SpanFromContext(ctx)` with `ctx, span := tracer.Start(ctx, "SendHeartbeat")` + `defer span.End()` so every heartbeat creates a trace root. All downstream work (readiness check, CRM HTTP GET, management API call) becomes children. - Remove unused `go.opentelemetry.io/otel/trace` import. ### `sources/gcp/proc/proc.go` - Wrap the startup `healthChecker.Check(ctx)` call in a `tracing.Tracer().Start(ctx, "InitializeAdapters.HealthCheck")` span so init-time CRM GETs are also connected. - Add `go/tracing` import. ## Verification After deploying, in Honeycomb dogfood: ``` dataset: gcp-source filter: name = "HTTP GET" filter: trace.parent_id does-not-exist time_range: 1h calculation: COUNT ``` The count of parentless `HTTP GET` spans should drop to near zero. ## Testing - `go build ./go/discovery/...` — passes - `go build ./sources/gcp/proc/...` — passes - `go vet ./go/discovery/...` — clean - `go vet ./sources/gcp/proc/...` — clean - `go test ./go/discovery/... -run TestSendHeartbeat` — passes - `go test ./sources/gcp/proc/...` — passes  <div><a href="https://cursor.com/agents/bc-b90faebb-ce75-4de7-b3f1-e57113804156"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-b90faebb-ce75-4de7-b3f1-e57113804156"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> GitOrigin-RevId: 938505e97d32191d2953ed1afb82d2cd2e0afa96

… 9d38bb4 (#4558) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [google.golang.org/genproto/googleapis/rpc](https://redirect.github.com/googleapis/go-genproto) | require | digest | `d00831a` → `9d38bb4` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information. --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).  GitOrigin-RevId: d4f3f19c0dcd704c6375797c8d9d0cd06880e002

…urity] (#4568) This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/go-jose/go-jose/v4](https://redirect.github.com/go-jose/go-jose) | `v4.1.3` → `v4.1.4` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fgo-jose%2fgo-jose%2fv4/v4.1.4?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fgo-jose%2fgo-jose%2fv4/v4.1.3/v4.1.4?slim=true) | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information. ### GitHub Vulnerability Alerts #### [CVE-2026-34986](https://redirect.github.com/go-jose/go-jose/security/advisories/GHSA-78h2-9frx-2jm8) ### Impact Decrypting a JSON Web Encryption (JWE) object will panic if the `alg` field indicates a key wrapping algorithm ([one ending in `KW`](https://pkg.go.dev/github.com/go-jose/go-jose/v4#pkg-constants), with the exception of `A128GCMKW`, `A192GCMKW`, and `A256GCMKW`) and the `encrypted_key` field is empty. The panic happens when `cipher.KeyUnwrap()` in `key_wrap.go` attempts to allocate a slice with a zero or negative length based on the length of the `encrypted_key`. This code path is reachable from `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` followed by `Decrypt()` on the resulting object. Note that the parse functions take a list of accepted key algorithms. If the accepted key algorithms do not include any key wrapping algorithms, parsing will fail and the application will be unaffected. This panic is also reachable by calling `cipher.KeyUnwrap()` directly with any `ciphertext` parameter less than 16 bytes long, but calling this function directly is less common. Panics can lead to denial of service. ### Fixed In 4.1.4 and v3.0.5 ### Workarounds If the list of `keyAlgorithms` passed to `ParseEncrypted()` / `ParseEncryptedJSON()` / `ParseEncryptedCompact()` does not include key wrapping algorithms (those ending in `KW`), your application is unaffected. If your application uses key wrapping, you can prevalidate to the JWE objects to ensure the `encrypted_key` field is nonempty. If your application accepts JWE Compact Serialization, apply that validation to the corresponding field of that serialization (the data between the first and second `.`). ### Thanks Go JOSE thanks Datadog's Security team for finding this issue. --- ### Release Notes <details> <summary>go-jose/go-jose (github.com/go-jose/go-jose/v4)</summary> ### [`v4.1.4`](https://redirect.github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4) [Compare Source](https://redirect.github.com/go-jose/go-jose/compare/v4.1.3...v4.1.4) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).  GitOrigin-RevId: 3c8e03dca7e9129b62d388c1b3f10391b5469d12

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [auth0](https://registry.terraform.io/providers/auth0/auth0) ([source](https://redirect.github.com/auth0/terraform-provider-auth0)) | required_provider | minor | `1.41.0` → `1.42.0` | | [aws](https://registry.terraform.io/providers/hashicorp/aws) ([source](https://redirect.github.com/hashicorp/terraform-provider-aws)) | required_provider | minor | `6.38.0` → `6.39.0` | | [google](https://registry.terraform.io/providers/hashicorp/google) ([source](https://redirect.github.com/hashicorp/terraform-provider-google)) | required_provider | minor | `7.25.0` → `7.26.0` | | [kubectl](https://registry.terraform.io/providers/alekc/kubectl) ([source](https://redirect.github.com/alekc/terraform-provider-kubectl)) | required_provider | minor | `2.1.6` → `2.2.0` | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information. --- ### Release Notes <details> <summary>auth0/terraform-provider-auth0 (auth0)</summary> ### [`v1.42.0`](https://redirect.github.com/auth0/terraform-provider-auth0/blob/HEAD/CHANGELOG.md#v1420) [Compare Source](https://redirect.github.com/auth0/terraform-provider-auth0/compare/v1.41.0...v1.42.0) FEATURES: - `resource/auth0_prompt_screen_partials` – Add `passkeys` into list of supported prompts for partials ([#1504](https://redirect.github.com/auth0/terraform-provider-auth0/pull/1504)) - `resource/auth0_connection` – Add support for configuring `dpop_signing_alg` for Okta and OIDC connections ([#1516](https://redirect.github.com/auth0/terraform-provider-auth0/pull/1516)) BUG FIXES: - `resource/auth0_tenant` – Introduce default value for `enable_client_connections` flag ([#1515](https://redirect.github.com/auth0/terraform-provider-auth0/pull/1515)) </details> <details> <summary>hashicorp/terraform-provider-aws (aws)</summary> ### [`v6.39.0`](https://redirect.github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6390-April-1-2026) [Compare Source](https://redirect.github.com/hashicorp/terraform-provider-aws/compare/v6.38.0...v6.39.0) NOTES: - data-source/aws\_eks\_access\_entry: The `tags_all` attribute is deprecated and will be removed in a future major version ([#47133](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47133)) FEATURES: - **New Data Source:** `aws_iam_role_policies` ([#46936](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46936)) - **New Data Source:** `aws_iam_role_policy_attachments` ([#47119](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47119)) - **New Data Source:** `aws_networkmanager_core_network` ([#45798](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45798)) - **New Data Source:** `aws_uxc_services` ([#47115](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47115)) - **New List Resource:** `aws_eks_cluster` ([#47133](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47133)) - **New List Resource:** `aws_organizations_aws_service_access` ([#46993](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46993)) - **New List Resource:** `aws_sagemaker_training_job` ([#46892](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46892)) - **New List Resource:** `aws_workmail_group` ([#47131](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47131)) - **New List Resource:** `aws_workmail_user` ([#47131](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47131)) - **New Resource:** `aws_organizations_aws_service_access` ([#46993](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46993)) - **New Resource:** `aws_sagemaker_training_job` ([#46892](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46892)) - **New Resource:** `aws_uxc_account_customizations` ([#47115](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47115)) - **New Resource:** `aws_workmail_group` ([#47131](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47131)) - **New Resource:** `aws_workmail_user` ([#47131](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47131)) ENHANCEMENTS: - data-source/aws\_outposts\_asset: Add `instance_families` attribute ([#47153](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47153)) - resource/aws\_eks\_cluster: Add resource identity support ([#47133](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47133)) - resource/aws\_eks\_cluster: Support `tier-8xl` as a valid value for `control_plane_scaling_config.tier` ([#46976](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46976)) - resource/aws\_network\_acl\_rule: Add Resource Identity support ([#47090](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47090)) - resource/aws\_observabilityadmin\_centralization\_rule\_for\_organization: Add `source.source_logs_configuration.data_source_selection_criteria` argument. Change `source.source_logs_configuration.log_group_selection_criteria` to Optional ([#47154](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47154)) - resource/aws\_prometheus\_scraper: Add `source.vpc` argument. Change `source.eks` to Optional ([#47155](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47155)) - resource/aws\_s3\_bucket\_metric: Support bucket metrics for directory buckets ([#47184](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47184)) - resource/aws\_s3control\_storage\_lens\_configuration: Add `storage_lens_configuration.account_level.advanced_performance_metrics` and `storage_lens_configuration.account_level.bucket_level.advanced_performance_metrics` arguments ([#46865](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46865)) BUG FIXES: - data-source/aws\_eks\_access\_entry: Fixed tags not being returned ([#47133](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47133)) - data-source/aws\_service\_principal: Fix service principal names for EC2 and S3 in the `aws-cn` partition ([#47141](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47141)) - resource/aws\_config\_organization\_conformance\_pack: Fix creation timeout when using a delegated administrator account ([#47072](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47072)) - resource/aws\_dynamodb\_table: Fix `Error: waiting for creation AWS DynamoDB Table (xxxxx): couldn't find resource` in highly active accounts by restoring `5s` delay before polling for table status. This fixes a regression introduced in [v6.28.0](https://redirect.github.com/hashicorp/terraform-provider-aws/blob/main/CHANGELOG.md#6280-january-7-2026). ([#47143](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47143)) - resource/aws\_eks\_cluster: Set `bootstrap_self_managed_addons` to `true` when importing ([#47133](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47133)) - resource/aws\_elasticache\_serverless\_cache: Fix `InvalidParameterCombination` error when `cache_usage_limits` is removed ([#46134](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46134)) - resource/aws\_glue\_catalog\_table: Detect and report failed view creation ([#47101](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/47101)) </details> <details> <summary>hashicorp/terraform-provider-google (google)</summary> ### [`v7.26.0`](https://redirect.github.com/hashicorp/terraform-provider-google/blob/HEAD/CHANGELOG.md#7260-Unreleased) [Compare Source](https://redirect.github.com/hashicorp/terraform-provider-google/compare/v7.25.0...v7.26.0) </details> <details> <summary>alekc/terraform-provider-kubectl (kubectl)</summary> ### [`v2.2.0`](https://redirect.github.com/alekc/terraform-provider-kubectl/releases/tag/v2.2.0) [Compare Source](https://redirect.github.com/alekc/terraform-provider-kubectl/compare/v2.1.6...v2.2.0) #### Changelog - [`1194f86`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/1194f869b044fad3854d5f4518ec2dfa470233bf) Dependencies: Bump actions/setup-go in the github-actions group - [`1cd083e`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/1cd083ecb6178fe0193856ca00a8e7267199a5f3) Allow upgrading api\_version ([#244](https://redirect.github.com/alekc/terraform-provider-kubectl/issues/244)) - [`6e0d77f`](https://redirect.github.com/alekc/terraform-provider-kubectl/commit/6e0d77fdd2be59ccd6d99e1060b4e9d739bd4b81) Dependencies: Bump the gomod group with 6 updates </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).  GitOrigin-RevId: 43a8f49977aadd08e2ced3b70b8d7ae15725488e

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [go.opentelemetry.io/otel](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.42.0` → `v1.43.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/go.opentelemetry.io%2fotel/v1.43.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/go.opentelemetry.io%2fotel/v1.42.0/v1.43.0?slim=true) | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.42.0` → `v1.43.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/go.opentelemetry.io%2fotel%2fexporters%2fotlp%2fotlptrace/v1.43.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/go.opentelemetry.io%2fotel%2fexporters%2fotlp%2fotlptrace/v1.42.0/v1.43.0?slim=true) | | [go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.42.0` → `v1.43.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/go.opentelemetry.io%2fotel%2fexporters%2fotlp%2fotlptrace%2fotlptracehttp/v1.43.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/go.opentelemetry.io%2fotel%2fexporters%2fotlp%2fotlptrace%2fotlptracehttp/v1.42.0/v1.43.0?slim=true) | | [go.opentelemetry.io/otel/exporters/stdout/stdouttrace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.42.0` → `v1.43.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/go.opentelemetry.io%2fotel%2fexporters%2fstdout%2fstdouttrace/v1.43.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/go.opentelemetry.io%2fotel%2fexporters%2fstdout%2fstdouttrace/v1.42.0/v1.43.0?slim=true) | | [go.opentelemetry.io/otel/sdk](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.42.0` → `v1.43.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/go.opentelemetry.io%2fotel%2fsdk/v1.43.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/go.opentelemetry.io%2fotel%2fsdk/v1.42.0/v1.43.0?slim=true) | | [go.opentelemetry.io/otel/trace](https://redirect.github.com/open-telemetry/opentelemetry-go) | `v1.42.0` → `v1.43.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/go.opentelemetry.io%2fotel%2ftrace/v1.43.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/go.opentelemetry.io%2fotel%2ftrace/v1.42.0/v1.43.0?slim=true) | --- > [!WARNING] > Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/370) for more information. ## ⚠️ Warning These modules are almost certainly going to break everything. They do every time they update. If you update even one repo's OTEL modules, go will then pull in new versions due to [MVS](https://research.swtch.com/vgo-mvs) which will cause your repo to break. All [otel pull requests](https://redirect.github.com/pulls?q=is%3Aopen+is%3Apr+user%3Aovermindtech+archived%3Afalse+label%3Aobservability+) need to be merged basically at the same time, and after all of the modules have been updated to be compatible with each other. --- ### Release Notes <details> <summary>open-telemetry/opentelemetry-go (go.opentelemetry.io/otel)</summary> ### [`v1.43.0`](https://redirect.github.com/open-telemetry/opentelemetry-go/releases/tag/v1.43.0) [Compare Source](https://redirect.github.com/open-telemetry/opentelemetry-go/compare/v1.42.0...v1.43.0) #### Added - Add `IsRandom` and `WithRandom` on `TraceFlags`, and `IsRandom` on `SpanContext` in `go.opentelemetry.io/otel/trace` for [W3C Trace Context Level 2 Random Trace ID Flag](https://www.w3.org/TR/trace-context-2/#random-trace-id-flag) support. ([#8012](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8012)) - Add service detection with `WithService` in `go.opentelemetry.io/otel/sdk/resource`. ([#7642](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7642)) - Add `DefaultWithContext` and `EnvironmentWithContext` in `go.opentelemetry.io/otel/sdk/resource` to support plumbing `context.Context` through default and environment detectors. ([#8051](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8051)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Support attributes with empty value (`attribute.EMPTY`) in `go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Add support for per-series start time tracking for cumulative metrics in `go.opentelemetry.io/otel/sdk/metric`. Set `OTEL_GO_X_PER_SERIES_START_TIMESTAMPS=true` to enable. ([#8060](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8060)) - Add `WithCardinalityLimitSelector` for metric reader for configuring cardinality limits specific to the instrument kind. ([#7855](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7855)) #### Changed - Introduce the `EMPTY` Type in `go.opentelemetry.io/otel/attribute` to reflect that an empty value is now a valid value, with `INVALID` remaining as a deprecated alias of `EMPTY`. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) - Refactor slice handling in `go.opentelemetry.io/otel/attribute` to optimize short slice values with fixed-size fast paths. ([#8039](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8039)) - Improve performance of span metric recording in `go.opentelemetry.io/otel/sdk/trace` by returning early if self-observability is not enabled. ([#8067](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8067)) - Improve formatting of metric data diffs in `go.opentelemetry.io/otel/sdk/metric/metricdata/metricdatatest`. ([#8073](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8073)) #### Deprecated - Deprecate `INVALID` in `go.opentelemetry.io/otel/attribute`. Use `EMPTY` instead. ([#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8038)) #### Fixed - Return spec-compliant `TraceIdRatioBased` description. This is a breaking behavioral change, but it is necessary to make the implementation [spec-compliant](https://opentelemetry.io/docs/specs/otel/trace/sdk/#traceidratiobased). ([#8027](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8027)) - Fix a race condition in `go.opentelemetry.io/otel/sdk/metric` where the lastvalue aggregation could collect the value 0 even when no zero-value measurements were recorded. ([#8056](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8056)) - Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108)) - Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108)) - Limit HTTP response body to 4 MiB in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` to mitigate excessive memory usage caused by a misconfigured or malicious server. Responses exceeding the limit are treated as non-retryable errors. ([#8108](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8108)) - `WithHostID` detector in `go.opentelemetry.io/otel/sdk/resource` to use full path for `kenv` command on BSD. ([#8113](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8113)) - Fix missing `request.GetBody` in `go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp` to correctly handle HTTP2 GOAWAY frame. ([#8096](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/8096)) #### What's Changed - chore(deps): update module github.com/jgautheron/goconst to v1.9.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8014](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8014) - fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to [`190d7d4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/190d7d4) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8013](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8013) - chore(deps): update module go.yaml.in/yaml/v2 to v2.4.4 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8016](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8016) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8011](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8011) - fix(deps): update golang.org/x by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8023](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8023) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.2 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8020](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8020) - chore(deps): update module github.com/mattn/go-runewidth to v0.0.21 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8017](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8017) - chore(deps): update module codeberg.org/chavacava/garif to v0.2.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8019](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8019) - Add doc on how to upgrade to new semconv by [@jmmcorreia](https://redirect.github.com/jmmcorreia) in [#7807](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7807) - fix(deps): update module go.opentelemetry.io/proto/otlp to v1.10.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8028](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8028) - resource: add WithService detector option by [@codeboten](https://redirect.github.com/codeboten) in [#7642](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7642) - fix(deps): update googleapis to [`a57be14`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/a57be14) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8031](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8031) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.3 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8032](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8032) - chore(deps): update module github.com/prometheus/procfs to v0.20.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8034](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8034) - chore(deps): update github.com/securego/gosec/v2 digest to [`8895462`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/8895462) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8036](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8036) - chore(deps): update module github.com/sonatard/noctx to v0.5.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8040](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8040) - chore(deps): update github.com/securego/gosec/v2 digest to [`6e66a94`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/6e66a94) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8043](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8043) - docs(otlp): document HTTP/protobuf insecure env vars by [@marcschaeferger](https://redirect.github.com/marcschaeferger) in [#8037](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8037) - Rebuild semconvkit and verifyreadmes on changes by [@MrAlias](https://redirect.github.com/MrAlias) in [#7995](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7995) - chore(sdk/trace): join errors properly by [@ash2k](https://redirect.github.com/ash2k) in [#8030](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8030) - fix(deps): update googleapis to [`84a4fc4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/84a4fc4) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8048](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8048) - attribute: change INVALID Type to EMPTY and mark INVALID as deprecated by [@pellared](https://redirect.github.com/pellared) in [#8038](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8038) - fix(sdk/trace): return spec-compliant TraceIdRatioBased description by [@ash2k](https://redirect.github.com/ash2k) in [#8027](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8027) - linting: add depguard rule to enforce semconv version by [@ajuijas](https://redirect.github.com/ajuijas) in [#8041](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8041) - chore(deps): update actions/download-artifact action to v8.0.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8046](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8046) - chore(deps): update github.com/securego/gosec/v2 digest to [`b7b2c7b`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/b7b2c7b) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8044](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8044) - fix(deps): update golang.org/x by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8045](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8045) - Optimize attribute slice conversion by [@MrAlias](https://redirect.github.com/MrAlias) in [#8039](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8039) - Add benchmarks for end-to-end metrics SDK usage by [@dashpole](https://redirect.github.com/dashpole) in [#7768](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7768) - fix(deps): update golang.org/x by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8052](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8052) - chore(deps): update github.com/securego/gosec/v2 digest to [`befce8d`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/befce8d) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8053](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8053) - trace: add Random Trace ID Flag by [@yuanyuanzhao3](https://redirect.github.com/yuanyuanzhao3) in [#8012](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8012) - Improve aggregation concurrent safe tests by [@dashpole](https://redirect.github.com/dashpole) in [#8021](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8021) - Add tests for exponential histogram concurrent-safety edge-cases by [@dashpole](https://redirect.github.com/dashpole) in [#8024](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8024) - exphist: replace min, max, sum, and count with atomics by [@dashpole](https://redirect.github.com/dashpole) in [#8025](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8025) - chore(deps): update github.com/securego/gosec/v2 digest to [`c2dfcec`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c2dfcec) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8055](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8055) - chore(deps): update otel/weaver docker tag to v0.22.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8058](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8058) - chore(deps): update github.com/securego/gosec/v2 digest to [`dec52c4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/dec52c4) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8063](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8063) - chore(deps): update otel/weaver docker tag to v0.22.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8061](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8061) - chore(deps): update github/codeql-action action to v4.33.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8065](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8065) - Fix race in the lastvalue aggregation where 0 could be observed by [@dashpole](https://redirect.github.com/dashpole) in [#8056](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8056) - chore(deps): update github.com/securego/gosec/v2 digest to [`744bfb5`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/744bfb5) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8064](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8064) - Migrate to new bare metal runner (Ubuntu 24) by [@trask](https://redirect.github.com/trask) in [#8068](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8068) - sdk/resource: add WithContext variants for Default and Environment ([#7808](https://redirect.github.com/open-telemetry/opentelemetry-go/issues/7808)) by [@ajuijas](https://redirect.github.com/ajuijas) in [#8051](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8051) - Use atomics for exponential histogram buckets by [@dashpole](https://redirect.github.com/dashpole) in [#8057](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8057) - Added the `internal/observ` package to stdoutlog by [@yumosx](https://redirect.github.com/yumosx) in [#7735](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7735) - Add support for the development per-series starttime feature by [@dashpole](https://redirect.github.com/dashpole) in [#8060](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8060) - sdk/trace/internal/observ: guard SpanStarted and spanLive with Enabled by [@kouji-yoshimura](https://redirect.github.com/kouji-yoshimura) in [#8067](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8067) - Cleanup exemplar featuregate readme by [@dashpole](https://redirect.github.com/dashpole) in [#8072](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8072) - chore(deps): update codecov/codecov-action action to v5.5.3 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8080](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8080) - chore(deps): update module github.com/ryanrolds/sqlclosecheck to v0.6.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8083](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8083) - fix(deps): update github.com/opentracing-contrib/go-grpc/test digest to [`de6f1cc`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/de6f1cc) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8082](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8082) - chore(deps): update module go.opentelemetry.io/collector/featuregate to v1.54.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8085](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8085) - chore(deps): update module github.com/securego/gosec/v2 to v2.25.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8084](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8084) - chore(deps): update module github.com/protonmail/go-crypto to v1.4.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8081](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8081) - fix(deps): update module go.opentelemetry.io/collector/pdata to v1.54.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8086](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8086) - chore(deps): update actions/cache action to v5.0.4 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8079](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8079) - chore(deps): update module github.com/fatih/color to v1.19.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8087](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8087) - fix(deps): update googleapis to [`d00831a`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d00831a) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8078](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8078) - chore(deps): update golang.org/x/telemetry digest to [`b6b0c46`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/b6b0c46) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8076](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8076) - fix(deps): update module google.golang.org/grpc to v1.79.3 \[security] by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8075](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8075) - sdk/metric: Support specifying cardinality limits per instrument kinds by [@petern48](https://redirect.github.com/petern48) in [#7855](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7855) - chore(deps): update github/codeql-action action to v4.34.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8088](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8088) - chore(deps): update codspeedhq/action action to v4.12.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8089](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8089) - chore(deps): update github/codeql-action action to v4.34.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8090](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8090) - fix(deps): update module github.com/golangci/golangci-lint/v2 to v2.11.4 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8092](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8092) - chore: fix noctx issues by [@mmorel-35](https://redirect.github.com/mmorel-35) in [#8008](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8008) - chore(deps): update module github.com/pelletier/go-toml/v2 to v2.3.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8095](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8095) - chore(deps): update codecov/codecov-action action to v5.5.4 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8097](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8097) - chore(deps): update codecov/codecov-action action to v6 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8098](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8098) - chore(deps): update module github.com/tetafro/godot to v1.5.6 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8099](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8099) - chore(deps): update module github.com/butuzov/ireturn to v0.4.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8100](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8100) - chore(deps): update github/codeql-action action to v4.35.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8101](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8101) - chore(deps): update actions/setup-go action to v6.4.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8107](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8107) - chore(deps): update module github.com/go-git/go-git/v5 to v5.17.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8106](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8106) - chore(deps): update module github.com/lucasb-eyer/go-colorful to v1.4.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8103](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8103) - chore(deps): update github/codeql-action action to v4.35.1 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8102](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8102) - chore(deps): update module github.com/hashicorp/go-version to v1.9.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8109](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8109) - metricdatatest: Improve printing of diffs by [@dashpole](https://redirect.github.com/dashpole) in [#8073](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8073) - fix(deps): update googleapis to [`d5a96ad`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/d5a96ad) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8112](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8112) - chore(deps): update codspeedhq/action action to v4.13.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8114](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8114) - fix(deps): update module go.opentelemetry.io/collector/pdata to v1.55.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8119](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8119) - chore(deps): update fossas/fossa-action action to v1.9.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8118](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8118) - chore(deps): update module github.com/go-git/go-git/v5 to v5.17.2 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8115](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8115) - fix(deps): update googleapis to [`9d38bb4`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/9d38bb4) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8117](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8117) - fix: support getBody in otelploghttp by [@Tpuljak](https://redirect.github.com/Tpuljak) in [#8096](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8096) - fix(deps): update module google.golang.org/grpc to v1.80.0 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8121](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8121) - Use an absolute path when calling bsd kenv by [@dmathieu](https://redirect.github.com/dmathieu) in [#8113](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8113) - limit response body size for OTLP HTTP exporters by [@pellared](https://redirect.github.com/pellared) in [#8108](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8108) - chore(deps): update github.com/golangci/dupl digest to [`c99c5cf`](https://redirect.github.com/open-telemetry/opentelemetry-go/commit/c99c5cf) by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8122](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8122) - chore(deps): update module github.com/mattn/go-runewidth to v0.0.22 by [@renovate](https://redirect.github.com/renovate)\[bot] in [#8131](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8131) - Release v1.43.0 / v0.65.0 / v0.19.0 by [@dmathieu](https://redirect.github.com/dmathieu) in [#8128](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8128) #### New Contributors - [@jmmcorreia](https://redirect.github.com/jmmcorreia) made their first contribution in [#7807](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/7807) - [@marcschaeferger](https://redirect.github.com/marcschaeferger) made their first contribution in [#8037](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8037) - [@ajuijas](https://redirect.github.com/ajuijas) made their first contribution in [#8041](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8041) - [@yuanyuanzhao3](https://redirect.github.com/yuanyuanzhao3) made their first contribution in [#8012](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8012) - [@kouji-yoshimura](https://redirect.github.com/kouji-yoshimura) made their first contribution in [#8067](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8067) - [@Tpuljak](https://redirect.github.com/Tpuljak) made their first contribution in [#8096](https://redirect.github.com/open-telemetry/opentelemetry-go/pull/8096) **Full Changelog**: <open-telemetry/opentelemetry-go@v1.42.0...v1.43.0> </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).  GitOrigin-RevId: dfc201fa3d3972b3de5696d742e459cbc895f8e9

## Summary Restructures all 12 Go Dockerfiles and 2 frontend Dockerfiles to improve Depot build caching, based on a Depot build-time analysis of the `build-containers` CI step. ### Changes **Go Dockerfiles (12 files):** - Add `go.mod`/`go.sum` layer with `go mod download` before source copy — isolates module resolution from source changes (~5-15s savings per build when go.mod unchanged) - Replace `COPY . .` with explicit per-service dependency COPYs — prevents cross-service cache busting (e.g., a frontend change no longer invalidates the aws-source build) - Move tool installs (templ, atlas, tailwindcss, nsc) to independent parallel stages in api-server, gateway, outage-tracker — bumping one tool version no longer invalidates other tools' cache layers **Frontend Dockerfiles (2 files):** - Add `--mount=type=cache,target=/pnpm/store` with explicit `--store-dir /pnpm/store` — caches pnpm store across builds, avoiding re-downloading ~1,574 packages (~5-7s savings) ### Per-Service Dependency Map | Service | COPY lines (after `go mod download`) | | --- | --- | | aws-source | `go/`, `aws-source/` | | harness-source | `go/`, `harness-source/` | | k8s-source | `go/`, `k8s-source/` | | stdlib-source | `go/`, `stdlib-source/` | | sources/azure | `go/`, `sources/` | | sources/gcp | `go/`, `sources/` | | sources/snapshot | `go/`, `sources/`, `docs.overmind.tech/docs/sources/` | | services/api-server | `go/`, `services/api-server/`, `services/srcman/`, `cli/tfutils/`, `aws-source/`, `k8s-source/`, `sources/` | | services/gateway | `go/`, `services/gateway/` | | services/outage-tracker | `go/`, `services/outage-tracker-service/` | | services/revlink | `go/`, `services/revlink/` | | services/srcman | `go/`, `services/srcman/`, `sources/` | Note: api-server's large dependency set comes from `service/runtask.go` importing `cli/tfutils`, which transitively imports adapter registration from aws-source, k8s-source, and sources (azure/gcp). ### Maintenance Rule When a developer adds a new cross-package import (e.g., srcman starts importing `k8s-source/`), the Dockerfile must be updated with an additional COPY line. CI catches omissions immediately with a `package not found` build failure. ### Risk - No application code changes — same binaries, same runtime images, same entrypoints - No CI workflow or bake configuration changes - Version pins unchanged: templ `v0.3.1001`, atlas `v1.1.0`, tailwindcss `v3.3.5`, nsc `v2.12.2` - Rollback: revert this PR  <div><a href="https://cursor.com/agents/bc-5cd3cbe0-63e4-4e43-b4ff-7bd8bf9f0dfd"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-5cd3cbe0-63e4-4e43-b4ff-7bd8bf9f0dfd"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> GitOrigin-RevId: 63deb9468dce2d6ca991352906d58b484e45ad15

…pler (#4572)  ## Summary Replace the `filter/low-duration-cache-spans` processor with a `probabilistic_sampler` that keeps 10% of high-volume sdpcache spans and annotates survivors with `SampleRate=10` for Honeycomb weight correction. Errored cache spans bypass sampling entirely for 100% error visibility. ## Design The `probabilistic_sampler` applies to all spans in its pipeline, so the single `traces` pipeline is split into two with complementary filter processors: - **`traces/cache`**: routes the six high-volume cache spans (non-errored only) through `probabilistic_sampler/cache` at 10%, then `transform/cache-sample-rate` sets `SampleRate=10` - **`traces/main`**: routes everything else through the existing `tail_sampling` (healthz 99% drop) and `transform/sample-rate` — including errored cache spans at 100% fidelity Exceptional/error-path cache spans (`BoltCache.compact`, `BoltCache.deleteCacheFile`, `BoltCache.deleteCacheFileLocked`, `BoltCache.purgeLocked`) flow through the main pipeline at full fidelity. Cache spans with `STATUS_CODE_ERROR` also bypass sampling. ### Error recording improvements Added `RecordError` + `SetStatus` for all physical errors on the six sampled cache spans that were previously silent: - `boltStore.Search`: BoltDB read transaction failures - `boltStore.storeResult`: protobuf serialization failures - `boltStore.purgeLocked`: BoltDB View/Update transaction failures - `boltStore.Purge`: added `SetStatus` to compaction failure (already had `RecordError`) This enables the collector filter conditions to distinguish errored spans from healthy ones using `span.status.code != STATUS_CODE_ERROR`. ### Sampled span names - `ShardedCache.Lookup` (34.1% of cache volume) - `BoltCache.Purge` (32.5%) - `BoltCache.StoreItem` (22.2%) - `BoltCache.StoreUnavailableItem` (6.4%) - `BoltCache.Lookup` (2.9%) - `ShardedCache.Purge` (1.9%) ### Sampling behavior - Uses default `hash_seed` mode (seed 0) which hashes the TraceID -- for a given trace, either all its cache spans are kept or all are dropped, consistent across DaemonSet instances - `SampleRate=10` tells Honeycomb each surviving span represents 10 originals, so COUNT/SUM aggregations remain accurate - Errored cache spans (`STATUS_CODE_ERROR`) always pass through the main pipeline at 100% - Estimated monthly volume reduction: ~23.4M to ~2.3M cache spans (healthy only; errors preserved) ## Changes - `go/sdpcache/boltstore.go`: added `RecordError`/`SetStatus` for physical errors on Search, storeResult, purgeLocked, and Purge - `app-of-apps/otel-collectors/base/node-values.yaml` (GKE): replaced `filter/low-duration-cache-spans` with dual-pipeline probabilistic sampling with error passthrough - `app-of-apps/otel-collectors/base-eks/node-values.yaml` (EKS): same changes - `docs/research/sdpcache-otel-spans-research.md`: comprehensive research document covering span inventory, production frequencies, collector pipeline architecture, and available capabilities ## Validation - `kustomize build --enable-helm` succeeds for both `base` and `base-eks` - `extract_collector_config.py` successfully extracts node and cluster configs from both rendered manifests - Rendered configs verified to contain `traces/cache` and `traces/main` pipelines with correct filter conditions including `STATUS_CODE_ERROR` passthrough - `go test ./go/sdpcache/...` passes - `go build ./go/sdpcache/` compiles cleanly  <div><a href="https://cursor.com/agents/bc-52100a8a-8a71-45af-a017-3fb2bf97f119"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-web-light.png"><img alt="Open in Web" width="114" height="28" src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a> <a href="https://cursor.com/background-agent?bcId=bc-52100a8a-8a71-45af-a017-3fb2bf97f119"><picture><source media="(prefers-color-scheme: dark)" srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source media="(prefers-color-scheme: light)" srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img alt="Open in Cursor" width="131" height="28" src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a> </div> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> GitOrigin-RevId: bcc28aff35d116377494909ee6d85696dce2ffb9

## Summary - Stop embedding GoReleaser changelog in winget locale manifests (`release_notes: "{{.Changelog}}"`), which triggered WinGet YAML / IEDS issues on [microsoft/winget-pkgs#353821](microsoft/winget-pkgs#353821). - Add `release_notes_url` pointing at public GitHub releases on `overmindtech/cli` (`{{ .Tag }}`), so manifests carry **ReleaseNotesUrl** only and omit **ReleaseNotes** (GoReleaser `omitempty`). ## Linear Ticket - **Ticket**: [ENG-3584](https://linear.app/overmind/issue/ENG-3584/unblock-winget-pkgs-pr-overmindcli-1173-manifest-validation-ieds) — Unblock winget-pkgs PR: OvermindCLI 1.17.3 manifest validation (IEDS / ReleaseNotes YAML) - **Purpose**: Fix winget manifest generation so Microsoft validation can succeed; follow up with a **new** CLI release and fresh winget-pkgs PR (abandon stuck 1.17.3 PR per plan). ## Changes - [`cli/.goreleaser.yaml`](cli/.goreleaser.yaml): remove `release_notes`; add `release_notes_url: "https://github.com/overmindtech/cli/releases/tag/{{ .Tag }}"`. ## Approved Plan - **Plan approver**: James Lane - **Linear ticket**: [ENG-3584](https://linear.app/overmind/issue/ENG-3584/unblock-winget-pkgs-pr-overmindcli-1173-manifest-validation-ieds) (implementation plan appended in ticket description) > Deviation analysis and reviewer assignment are handled automatically by the > pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md). ## Deviations from Approved Plan > Implementation matches the approved plan — no material deviations. Made with [Cursor](https://cursor.com)  --- > [!NOTE] > **Low Risk** > Low risk: only adjusts GoReleaser WinGet manifest metadata, affecting release note linking but not build artifacts or runtime code. > > **Overview** > Updates the WinGet packaging config in `cli/.goreleaser.yaml` to **stop embedding generated changelog text** in manifests and instead publish only a `release_notes_url` pointing to the matching GitHub release tag (`https://github.com/overmindtech/cli/releases/tag/{{ .Tag }}`). This changes WinGet output to reference release notes externally rather than inlining them. > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 0456efb0e875b063aac6f3d94a2f46a0dd4b8036. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>  GitOrigin-RevId: 81205189238f96e19ee6c83b8aee9e89df65af99

DavidS-ovm and others added 30 commits April 7, 2026 07:29

DavidS-ovm and others added 3 commits April 7, 2026 07:30

Run go mod tidy

2ab23a0

carabasdaniel merged commit cfcbeee into main Apr 7, 2026

carabasdaniel deleted the copybara/v1.17.6 branch April 7, 2026 07:38

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release v1.17.6#841

Release v1.17.6#841
carabasdaniel merged 33 commits intomainfrom
copybara/v1.17.6

github-actions bot commented Apr 7, 2026 •

edited by carabasdaniel

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Conversation

github-actions bot commented Apr 7, 2026 • edited by carabasdaniel Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Copybara Sync - Release v1.17.6

What happens when this PR is merged?

Review Checklist

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

github-actions bot commented Apr 7, 2026 •

edited by carabasdaniel

Loading