Merged
> [!NOTE]
> **Medium Risk**
> Adds a new Azure resource adapter plus integration test that provisions and deletes real cloud resources; risk is mainly around discovery correctness and potential test flakiness/cost, with minimal impact on existing adapters.
>
> **Overview**
> Adds first-class discovery support for Azure **Compute Disk Access** resources via a new `NewComputeDiskAccess` wrapper that implements `Get`, `List`, and `ListStream`, and emits linked queries to `ComputeDiskAccessPrivateEndpointConnection` plus related `NetworkPrivateEndpoint` resources.
>
> Wires the new adapter into Azure manual adapter initialization (`adapters.go`), introduces a thin `DiskAccessesClient` interface + generated mock for testability, expands shared type/model constants to include `ComputeDiskAccessPrivateEndpointConnection`, and adds both unit tests and an end-to-end Azure integration test that provisions a real disk access and validates retrieval/listing/linking.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d849596e95b4332905b1d7a6047f263be3a7e9b5.

GitOrigin-RevId: fda086881bcc54eadf23a7c012fff5a2325b0cac
> [!NOTE]
> **Medium Risk**
> Medium risk because it removes the legacy `/healthz` endpoint; any deployments or monitors still hitting `/healthz` will start failing until updated, potentially impacting Kubernetes probe behavior and rollout health.
>
> **Overview**
> **Removes the legacy `/healthz` endpoint** from the discovery engine health probe server, leaving only `/healthz/alive` (liveness) and `/healthz/ready` (readiness), and updates the startup log messaging accordingly.
>
> Updates source-facing docs and CLI help text (AWS/stdlib READMEs, Azure docs, `k8s-source` flag description, `srcman` README) to reference the new probe URLs/semantics and document HTTP `503` on unhealthy responses; also drops backward-compatibility mentions from `srcman` probe constants/tests.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 93f8eb8c5be85a9b6ceff45878abbb90f850b86e.

GitOrigin-RevId: 3d59df20dc735a39b58ca9b493932af745493abe
Add a 30-second maximum timeout to the stdlib DNS adapter to prevent performance degradation from slow DNS lookups, especially during revlink warmup.

---

Linear Issue: [ENG-2400](https://linear.app/overmind/issue/ENG-2400/add-a-max-timeout-to-stdlib-dns-adapter)

---

> [!NOTE]
> **Medium Risk**
> Touches core DNS lookup paths and adds context-deadline enforcement, which could change failure/latency characteristics for callers; new tests include timing-based behavior that may be flaky across network/CI environments.
>
> **Overview**
> Adds a **hard maximum timeout** (`maxOperationTimeout`, 30s) to `stdlib-source` DNS adapter `Get` and `Search` by wrapping the incoming context, preventing slow DNS lookups from stalling callers.
>
> Expands `dns_test.go` with new coverage for timeout precedence (adapter cap vs long caller deadline, and short caller deadline still winning), plus small behavioral assertions for `Search` and `List`. Updates the `stdlib-source` CI job `go test` timeout from 30s to 1m to accommodate the new timeout-focused tests.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6d79988df820275555650fdbe81a1b17680c3763.

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: carabasdaniel <carabasdaniel@users.noreply.github.com>
GitOrigin-RevId: 5cb33abc09e16b0c8ba8c7511ff15f01e80fc40a
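
The timeout precedence described in the commit above (adapter cap versus caller deadline), as an added Go example that is not code from the repository. `lookupFunc`, `stalledLookup`, `withCap`, `cappedLookup` and `Get` are hypothetical names; only `maxOperationTimeout` and its 30s value come from the commit message.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// maxOperationTimeout is the adapter-side cap named in the commit message.
const maxOperationTimeout = 30 * time.Second

// lookupFunc is a hypothetical stand-in for a DNS lookup such as
// (*net.Resolver).LookupHost; it must return when ctx is done.
type lookupFunc func(ctx context.Context, name string) ([]string, error)

// stalledLookup simulates a resolver that never answers (constructed for the example).
func stalledLookup(ctx context.Context, name string) ([]string, error) {
	<-ctx.Done()
	return nil, ctx.Err()
}

// withCap bounds ctx by limit. context.WithTimeout keeps the parent's
// deadline when it is earlier, so a short caller deadline still wins.
func withCap(ctx context.Context, limit time.Duration) (context.Context, context.CancelFunc) {
	return context.WithTimeout(ctx, limit)
}

// cappedLookup runs lookup under the cap and says which limit fired, so a
// stalled resolver shows up as an adapter timeout instead of hanging the caller.
func cappedLookup(ctx context.Context, limit time.Duration, lookup lookupFunc, name string) ([]string, error) {
	capped, cancel := withCap(ctx, limit)
	defer cancel()

	addrs, err := lookup(capped, name)
	if err != nil && errors.Is(capped.Err(), context.DeadlineExceeded) {
		if ctx.Err() == nil {
			// The caller's context is still live: the adapter cap expired first.
			return nil, fmt.Errorf("lookup %q hit adapter cap of %s: %w", name, limit, context.DeadlineExceeded)
		}
		return nil, fmt.Errorf("lookup %q hit caller deadline: %w", name, context.DeadlineExceeded)
	}
	return addrs, err
}

// Get applies the 30s cap the way the commit describes for Get and Search.
func Get(ctx context.Context, lookup lookupFunc, name string) ([]string, error) {
	return cappedLookup(ctx, maxOperationTimeout, lookup, name)
}

func main() {
	// Caller allows an hour; a 50ms cap is used here so the demo finishes quickly.
	long, cancel := context.WithTimeout(context.Background(), time.Hour)
	defer cancel()
	_, err := cappedLookup(long, 50*time.Millisecond, stalledLookup, "slow.example")
	fmt.Println(err)

	// Caller allows 10ms; the 30s cap must not extend that.
	short, cancelShort := context.WithTimeout(context.Background(), 10*time.Millisecond)
	defer cancelShort()
	_, err = Get(short, stalledLookup, "slow.example")
	fmt.Println(err)
}
```
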
Passing Tests: [two screenshots]

---

> [!NOTE]
> **Medium Risk**
> Adds a new Azure resource discovery path and registers it in adapter initialization, which could affect runtime discovery performance/behavior and linked-item graph output; changes are additive and covered by unit/integration tests.
>
> **Overview**
> Adds a new Azure compute adapter for **Dedicated Host Groups** that supports `Get`, `List`, and `ListStream`, and emits linked-item queries to `ComputeDedicatedHost` when host references are present.
>
> Wires the adapter into `manual/adapters.go` by initializing an `armcompute.DedicatedHostGroupsClient` and registering the wrapper for both real and metadata-only adapter initialization.
>
> Introduces a small `DedicatedHostGroupsClient` interface (plus generated gomock) to wrap the Azure SDK client for testability, adds a new `ComputeDedicatedHost` item/resource type constant, and includes comprehensive unit tests plus an Azure integration test that provisions a host group and validates `Get`/`List` behavior and item/link correctness.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 647f5c3e3d0ab4d90febee294cf29f7715a8b70a.

GitOrigin-RevId: bbbb65a63c6a4e5c038f6a941226494ca1be9248
> [!NOTE]
> **Medium Risk**
> Introduces a new Azure compute adapter that changes discovery coverage and link graph generation; risk is mainly around correctness of scope parsing, linked queries, and Azure API pagination/edge cases rather than security.
>
> **Overview**
> Adds first-class discovery support for Azure **Capacity Reservation Groups** via a new `NewComputeCapacityReservationGroup` wrapper that implements `Get`, `List`, and `ListStream`, converting ARM responses into `sdp.Item`s and emitting linked queries to associated capacity reservations and virtual machines.
>
> Plumbs the new adapter into Azure manual adapter initialization (including a new ARM `CapacityReservationGroupsClient`), adds an interface wrapper + generated GoMock for the client, extends Azure shared type/model enums with `ComputeCapacityReservation`, and introduces both unit tests (pager + link behavior) and an end-to-end integration test that creates/reads/lists/tears down a real capacity reservation group.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit c3df38389329b9c2baa1d6d96f5b4ff5f988191e.

GitOrigin-RevId: a807098afd4da2ee9e772fd767b085906ca05b89
> [!NOTE]
> **Medium Risk**
> Introduces a new Azure discovery adapter and changes how several compute resources emit linked-item relationships (including URL/blob parsing), which could affect graph completeness and link correctness across environments.
>
> **Overview**
> Adds a new Azure manual adapter for `ComputeGalleryApplicationVersion`, including a dedicated SDK client wrapper, unit + integration tests, and registration in `manual/adapters.go` so it is discovered across resource groups.
>
> The new adapter supports `Get` and `Search` and enriches items with linked queries to parent gallery/application plus referenced artifact URLs (HTTP/DNS/IP) and related Azure resources (storage accounts/containers and disk encryption sets), with deduping and cross-scope handling.
>
> Updates existing compute adapters to link to the new `ComputeGalleryApplicationVersion` type (replacing the previous shared-gallery application version reference), and tweaks Capacity Reservation Group calls to pass `Expand` options for VM association data.
>
> Improves `ExtractStorageAccountNameFromBlobURI`/`ExtractContainerNameFromBlobURI` to recognize blob endpoints in sovereign clouds via host-based matching, and adjusts VM Run Command link generation to rely on the updated blob detection (emitting storage links when applicable, otherwise HTTP/DNS).
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ca3ef78852cc5cf4b28581e031897c95c4fe2d6f.

GitOrigin-RevId: 882529baf9812c6a2aa12b30a2c265493b0429fc
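
Host-based blob endpoint matching of the kind the summary above mentions, as an added Go example; it is not the repository's `ExtractStorageAccountNameFromBlobURI` implementation. `ParseBlobURI`, `BlobRef`, `SubstringLooksLikeBlob` and the suffix allow-list are assumptions of this example, and the sample URLs are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// blobEndpointSuffixes lists storage endpoint suffixes per Azure cloud.
// The allow-list is an assumption of this example, not the project's list.
var blobEndpointSuffixes = []string{
	"core.windows.net",       // Azure public cloud
	"core.usgovcloudapi.net", // Azure US Government
	"core.chinacloudapi.cn",  // Azure China
}

// BlobRef is the storage account and container a blob URI points at.
type BlobRef struct {
	Account   string
	Container string
}

// SubstringLooksLikeBlob is a weak check shown only for contrast (constructed
// here): it ignores where the marker sits in the URL and knows one cloud.
func SubstringLooksLikeBlob(raw string) bool {
	return strings.Contains(raw, ".blob.core.windows.net")
}

// ParseBlobURI accepts a URI only when its host is exactly
// <account>.blob.<known suffix>, then takes the first path segment as container.
func ParseBlobURI(raw string) (BlobRef, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return BlobRef{}, fmt.Errorf("parse blob URI: %w", err)
	}
	if u.Scheme != "https" && u.Scheme != "http" {
		return BlobRef{}, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	// Hostname() drops the port; DNS names are case-insensitive.
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	for _, suffix := range blobEndpointSuffixes {
		tail := ".blob." + suffix
		if !strings.HasSuffix(host, tail) {
			continue
		}
		account := strings.TrimSuffix(host, tail)
		if account == "" || strings.Contains(account, ".") {
			break // extra labels in front of the account are not a plain blob host
		}
		container := strings.SplitN(strings.TrimPrefix(u.Path, "/"), "/", 2)[0]
		return BlobRef{Account: account, Container: container}, nil
	}
	return BlobRef{}, fmt.Errorf("host %q is not a blob endpoint", host)
}

func main() {
	// Constructed sample URIs.
	samples := []string{
		"https://appstore.blob.core.windows.net/packages/app-1.0.zip",
		"https://GovStore.blob.core.usgovcloudapi.net/scripts/run.ps1?sv=2024",
		"https://files.example.com/x.blob.core.windows.net/c",
		"https://a.blob.core.windows.net.example.org/c",
	}
	for _, s := range samples {
		ref, err := ParseBlobURI(s)
		fmt.Printf("%s\n  substring=%v host-based=%+v err=%v\n", s, SubstringLooksLikeBlob(s), ref, err)
	}
}
```

URIs that fail the host check would fall back to plain HTTP/DNS links, matching the "otherwise HTTP/DNS" behaviour the summary describes.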
…ificate (#3853)

> [!NOTE]
> **Medium Risk**
> Introduces new API calls and dependency surface (Certificate Manager) and changes the adapter initialization path, which could impact discovery behavior or startup if the new client fails to initialize.
>
> **Overview**
> Adds a dedicated GCP manual adapter for **Certificate Manager Certificates**, supporting `Get` and location-scoped `Search`, Terraform ID mapping, and link generation to related DNS names plus Certificate Manager DNS authorization and issuance config resources.
>
> Wires the adapter into `sources/gcp/manual/adapters.go` by initializing a Certificate Manager API client and registering the new wrapper, and extends shared GCP metadata with new item/resource types, a client interface + generated mocks for testing, and the `roles/certificatemanager.viewer` predefined role; also updates `go.mod`/`go.sum` to include the `cloud.google.com/go/certificatemanager` dependency.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 318118d2228eab34c83072ff37f1b0b8e9e8270f.

GitOrigin-RevId: 525fc8c1a5ab977973dea3c76964eb190de6f0ed
…#3835)

> [!NOTE]
> **Medium Risk**
> Removes blast-radius directionality metadata from many link edges, which could change impact analysis or traversal behavior if no equivalent default/alternative exists.
>
> **Overview**
> **Removes `BlastPropagation` metadata from all `LinkedItemQuery` definitions** across AWS API Gateway adapters (`apigateway-api-key`, `apigateway-stage`) and stdlib adapters (HTTP/DNS/IP/Certificate + RDAP + test fixtures).
>
> Link creation behavior (which items query/link to) is unchanged, but blast-radius directionality is no longer expressed at the adapter layer, implying downstream graph/blast computations must now rely on defaults or a different mechanism.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 3735c1afb5956744d65156bf210a22537fa8c91d.

GitOrigin-RevId: ec1a2a9dc20aa1d3fdacbc2daf7ed61eeaa510ae
…s (ENG-2459, ENG-2460) (#3858)

## Summary

_As per discussions yesterday this is the first part of Option C to add the mappings immediately._

- Adds Terraform mappings so `google_pubsub_subscription_iam_binding`, `_iam_member`, and `_iam_policy` resolve to the parent Pub/Sub Subscription during change analysis (instead of being skipped as "Unsupported")
- Same for `google_pubsub_topic_iam_binding`, `_iam_member`, and `_iam_policy` resolving to the parent Topic
- Adds regression tests verifying these and other critical Terraform mappings remain registered in adapter metadata

Covers **ENG-2459** and **ENG-2460**.

## Context and design decision

GCP IAM binding resources (`google_*_iam_binding`, `_iam_member`, `_iam_policy`) are Terraform-only constructs. There is no standalone GCP API to get or list individual IAM bindings -- the actual API is `getIamPolicy` on the parent resource, which returns the full policy.

We evaluated two approaches:

### Approach 1: Interim Terraform mapping to parent resource (this PR)

Add `TerraformQueryMap` entries to the existing adapter so that IAM changes resolve to the parent resource. When `google_pubsub_subscription_iam_binding` appears in a plan, the CLI extracts the `subscription` attribute and queries the existing PubSubSubscription adapter.

- **Effort**: ~20 lines per adapter, ~120 lines of tests
- **Time**: ~1 hour total for both adapters
- **Benefit**: Immediately resolves the "Unsupported/Skipped" status in the UI; blast radius analysis works from the parent resource
- **Limitation**: The LLM sees "a subscription changed" rather than "an IAM binding on a subscription changed"; no IAM-specific observations (e.g. which service accounts are affected)

### Approach 2: Dedicated IAM binding adapter (future, separate tickets)

Build a proper manual adapter with its own item type (`PubSubSubscriptionIAMBinding`), calling the `getIamPolicy` API, with blast propagation linking to specific `IAMServiceAccount` items.

- **Effort per adapter**: ~450-550 lines (client interface, adapter, tests)
- **Time per adapter**: ~1-1.5 days
- **Complication**: `roles/pubsub.viewer` does not include `pubsub.subscriptions.getIamPolicy` -- would require updating the Overmind custom IAM role across `deploy/sources.tf`, documentation, and customer-facing scripts
- **Benefit**: Richer, IAM-specific observations (e.g. "service account X will lose `roles/storage.objectViewer` on this subscription")

**Decision**: Ship Approach 1 now for immediate customer value. Approach 2 remains in the dedicated adapter tickets (ENG-2459, ENG-2460, ENG-2461) for a future sprint when IAM permission infrastructure can be scoped properly.

This follows the same pattern AWS uses -- `aws_s3_bucket_policy.bucket`, `aws_s3_bucket_acl.bucket` etc. all map to the parent S3 bucket adapter.

---

> [!NOTE]
> **Low Risk**
> Metadata-only Terraform mapping additions plus tests; no runtime GCP API behavior or data handling changes beyond improved plan-to-item resolution.
>
> **Overview**
> Pub/Sub IAM-only Terraform resources (e.g. `google_pubsub_*_iam_binding/member/policy`) are now mapped to their parent `PubSubTopic`/`PubSubSubscription` during Terraform plan change analysis, so IAM changes participate in blast radius/risk analysis instead of showing as *Unsupported*.
>
> Adds adapter-level mappings for both topic and subscription, plus new tests that assert these IAM mappings (and a small set of other customer-critical Terraform mappings) remain registered and correctly parse `TerraformQueryMap` entries.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d85197ec05f980cae0c3255109bd1cd651931a9a.

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: 53bc03d09c99b3bdae7660b0809b631702bafc4e
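
Approach 1 from the description above, resolving Terraform-only IAM resources to their parent item, as an added Go example that is not the repository's `TerraformQueryMap` code. `parentMapping`, `PlannedResource`, `ParentQuery`, `ResolveParent`, `GroupByParent` and the sample plan are constructed for illustration; the Terraform type names and the `subscription` attribute come from the description, while the `topic` attribute is the Google provider's argument name.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// parentMapping is a hypothetical mirror of one Terraform mapping entry:
// which plan attribute names the parent, and which item type to query.
type parentMapping struct {
	SDPType string
	Attr    string
}

var iamParentMappings = map[string]parentMapping{
	"google_pubsub_subscription_iam_binding": {"PubSubSubscription", "subscription"},
	"google_pubsub_subscription_iam_member":  {"PubSubSubscription", "subscription"},
	"google_pubsub_subscription_iam_policy":  {"PubSubSubscription", "subscription"},
	"google_pubsub_topic_iam_binding":        {"PubSubTopic", "topic"},
	"google_pubsub_topic_iam_member":         {"PubSubTopic", "topic"},
	"google_pubsub_topic_iam_policy":         {"PubSubTopic", "topic"},
}

// PlannedResource is a trimmed-down plan entry (constructed shape).
type PlannedResource struct {
	Address string
	Type    string
	Values  map[string]string
}

// ParentQuery identifies the parent item that blast-radius analysis starts from.
type ParentQuery struct {
	SDPType string
	Name    string
}

// ResolveParent maps one IAM resource to its parent. The attribute may hold a
// short name or a full path such as projects/<p>/subscriptions/<name>.
func ResolveParent(r PlannedResource) (ParentQuery, error) {
	m, ok := iamParentMappings[r.Type]
	if !ok {
		return ParentQuery{}, fmt.Errorf("%s: unsupported type %s", r.Address, r.Type)
	}
	v := strings.TrimSpace(r.Values[m.Attr])
	name := v[strings.LastIndex(v, "/")+1:]
	if name == "" {
		// Typical when the parent is created in the same plan and not yet known.
		return ParentQuery{}, fmt.Errorf("%s: attribute %q has no usable value", r.Address, m.Attr)
	}
	return ParentQuery{SDPType: m.SDPType, Name: name}, nil
}

// GroupByParent resolves a whole plan. Several IAM changes collapse onto one
// parent, which is the limitation the description notes: the analysis sees
// "a subscription changed", not which binding changed.
func GroupByParent(plan []PlannedResource) (map[ParentQuery][]string, []string) {
	grouped := map[ParentQuery][]string{}
	var skipped []string
	for _, r := range plan {
		q, err := ResolveParent(r)
		if err != nil {
			skipped = append(skipped, r.Address)
			continue
		}
		grouped[q] = append(grouped[q], r.Address)
	}
	for _, addrs := range grouped {
		sort.Strings(addrs)
	}
	sort.Strings(skipped)
	return grouped, skipped
}

// samplePlan returns constructed plan entries for the demo.
func samplePlan() []PlannedResource {
	return []PlannedResource{
		{"google_pubsub_subscription_iam_binding.viewer", "google_pubsub_subscription_iam_binding",
			map[string]string{"subscription": "orders-sub", "role": "roles/pubsub.viewer"}},
		{"google_pubsub_subscription_iam_member.worker", "google_pubsub_subscription_iam_member",
			map[string]string{"subscription": "projects/demo/subscriptions/orders-sub"}},
		{"google_pubsub_topic_iam_policy.orders", "google_pubsub_topic_iam_policy",
			map[string]string{"topic": "projects/demo/topics/orders"}},
		{"google_pubsub_topic_iam_member.pending", "google_pubsub_topic_iam_member",
			map[string]string{}},
		{"google_bigquery_dataset_iam_member.reader", "google_bigquery_dataset_iam_member",
			map[string]string{"dataset_id": "sales"}},
	}
}

func main() {
	grouped, skipped := GroupByParent(samplePlan())
	for q, addrs := range grouped {
		fmt.Printf("%s %q <- %v\n", q.SDPType, q.Name, addrs)
	}
	fmt.Println("skipped:", skipped)
}
```
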
…s (#3862)

> [!NOTE]
> **Low Risk**
> Mapping-only changes (no new API calls or auth logic) but may affect how Terraform changes are attributed in blast-radius calculations.
>
> **Overview**
> Adds Terraform-to-SDP resolution for `ComputeProject` by mapping `google_project`, Shared VPC host/service project resources, and Terraform-only project IAM resources (`*_iam_binding/member/policy`) back to the project for blast-radius analysis.
>
> Extends the `StorageBucket` adapter’s Terraform mapping to also resolve Terraform-only bucket IAM resources (`google_storage_bucket_iam_*`) back to the parent bucket.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9d8c5f2fbc183aba507bd8755fe6bae6f2ec9c10.

GitOrigin-RevId: 5937a229c7bb1ffac178a6b5a76b2bd648611923
## Summary

- **Embed available types in system prompt** instead of using a separate `ListAvailableTypes` tool call, so the LLM knows valid SDP types before making any queries
- **Improve Query tool error messages** with type validation (Levenshtein-based fuzzy suggestions, Terraform→SDP type translation), method validation, and actionable empty-result messages including usage hints
- **Remove scope from LLM input data** to prevent the LLM from confusing Terraform scopes with SDP scopes
- **Tighten system prompt guidance** to prevent overly broad fallback mappings (e.g. mapping to VPCs) and encourage retrying with correct query methods before falling back to parent resources
- **Simplify architecture** by making tools and typeInfos mandatory parameters (created once per batch), removing test override fields from `ChangeAnalysisCalculationArgs`

## Linear Ticket

- **Ticket**: [ENG-2469](https://linear.app/overmind/issue/ENG-2469) — Implement LLM-based mapping

## Changes

- `upcycle_tools.go`: Added `typeValidator` with Levenshtein-based fuzzy matching (`fuzzy.LevenshteinDistance`), Terraform type translation, method validation, and `usageHint` for enriched error messages. Removed `ListAvailableTypes` tool. Added `FormatAvailableTypesForPrompt` and `AvailableTypeInfoFromSources` (with Terraform mapping extraction).
- `upcycle_prompt.md`: Embedded `{{ .AvailableTypes }}` in system prompt. Tightened fallback guidance (no VPCs). Added retry-with-correct-method instructions.
- `upcycle.go`: Tools/typeInfos created once in `processUnmappedItems` and passed down as parameters. Scope stripped from input data to avoid LLM confusion.
- `upcycle_test.go`: Flexible test expectations (`mapped_to_one_of`, `results` list). Removed LLM test overrides, replaced with direct `mappedItemToQuery` tests. Added unit tests for type validation, fuzzy suggestions, Terraform type extraction.
- `upcycle_manual_cases.yaml`: YAML-driven manual LLM test cases with flexible expectations for multi-scope and parent-resource mappings.

Made with [Cursor](https://cursor.com)

---

> [!NOTE]
> **Medium Risk**
> Changes the control flow for unmapped-item handling and how mappings feed into blast radius analysis; mis-mappings or stricter query validation could alter analysis output for affected changes.
>
> **Overview**
> Improves the *LLM-based upcycle mapping* flow by having the LLM return a **single best `mapped_item`** and converting it into a `MappingQuery`, then running normal blast radius analysis on newly-mapped diffs (instead of doing a separate recursive “affected items” path and merging results).
>
> Makes LLM querying more reliable by **embedding available SDP types (plus Terraform→SDP mappings)** directly into the system prompt, forcing `Query` to use wildcard scope, stripping `scope` from Terraform item JSON sent to the model, and tightening prompt guidance to prefer specific matches/parents over broad fallbacks.
>
> Upgrades tooling and tests: removes the `ListAvailableTypes` tool, adds `Query` type/method validation with fuzzy suggestions and richer empty-result guidance, adds YAML-driven manual test cases (`upcycle_manual_cases.yaml`) with flexible expectations, and adds context-based LLM conversation logging plus expanded unit coverage for type extraction/validation.
>
> Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b3e5de86e7c5702ded0ac0aa816b8bd78c8a16cc.

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Elliot Waddington <getinnocuous@users.noreply.github.com>
GitOrigin-RevId: 0c3c4fa1476187b9d9f1ac5f1e248518a56878f3
…a (#3864)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/hashicorp/terraform-config-inspect](https://redirect.github.com/hashicorp/terraform-config-inspect) | require | digest | `477360e` → `f4be3ba` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 12b9430349cde2ac02589bce083d6820c1fe98b0
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [k8s.io/utils](https://redirect.github.com/kubernetes/utils) | require | digest | `914a6e7` → `b8788ab` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 84f13505cb86a8d243d7c3e2db600f9b06bfb849
…3865)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [google.golang.org/genproto/googleapis/rpc](https://redirect.github.com/googleapis/go-genproto) | require | digest | `546029d` → `4cfbd41` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 9cd6970532d12e63e1b2755a6d349540d2365af5
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [auth0](https://registry.terraform.io/providers/auth0/auth0) ([source](https://redirect.github.com/auth0/terraform-provider-auth0)) | required_provider | patch | `1.39.0` → `1.39.1` |
| [aws](https://registry.terraform.io/providers/hashicorp/aws) ([source](https://redirect.github.com/hashicorp/terraform-provider-aws)) | required_provider | minor | `6.31.0` → `6.32.0` |
| [github](https://registry.terraform.io/providers/integrations/github) ([source](https://redirect.github.com/integrations/terraform-provider-github)) | required_provider | patch | `6.11.0` → `6.11.1` |
| [google](https://registry.terraform.io/providers/hashicorp/google) ([source](https://redirect.github.com/hashicorp/terraform-provider-google)) | required_provider | minor | `7.18.0` → `7.19.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>auth0/terraform-provider-auth0 (auth0)</summary>

### [`v1.39.1`](https://redirect.github.com/auth0/terraform-provider-auth0/blob/HEAD/CHANGELOG.md#v1391)

[Compare Source](https://redirect.github.com/auth0/terraform-provider-auth0/compare/v1.39.0...v1.39.1)

BUG FIXES:

- `resource/auth0_attack_protection` – Improve CAPTCHA provider validation to allow imports with null sensitive fields while still enforcing checks on create/update ([#1468](https://redirect.github.com/auth0/terraform-provider-auth0/pull/1468))
- `resource/auth0_client_grant` – Make `allow_all_scopes` nullable so it's omitted from API requests when not explicitly set, and fix transitions to specific scopes ([#1471](https://redirect.github.com/auth0/terraform-provider-auth0/pull/1471))
- `resource/auth0_user_attribute_profile` – Remove redundant `MinItems` constraint from SAML mappings to fix Terraform generation errors ([#1461](https://redirect.github.com/auth0/terraform-provider-auth0/pull/1461))

NOTES:

- `resource/auth0_client` – Update `grant_types` documentation to include Auth0 extension grants ([#1470](https://redirect.github.com/auth0/terraform-provider-auth0/pull/1470))

</details>

<details>
<summary>hashicorp/terraform-provider-aws (aws)</summary>

### [`v6.32.0`](https://redirect.github.com/hashicorp/terraform-provider-aws/blob/HEAD/CHANGELOG.md#6320-February-11-2026)

[Compare Source](https://redirect.github.com/hashicorp/terraform-provider-aws/compare/v6.31.0...v6.32.0)

FEATURES:

- **New List Resource:** `aws_ecr_repository` ([#46344](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46344))
- **New List Resource:** `aws_lambda_permission` ([#46341](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46341))
- **New List Resource:** `aws_route` ([#46370](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46370))
- **New List Resource:** `aws_route53_resolver_rule_association` ([#46349](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46349))
- **New List Resource:** `aws_route_table` ([#46337](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46337))
- **New List Resource:** `aws_s3_directory_bucket` ([#46373](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46373))
- **New List Resource:** `aws_secretsmanager_secret` ([#46318](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46318))
- **New List Resource:** `aws_secretsmanager_secret_version` ([#46342](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46342))
- **New List Resource:** `aws_vpc_security_group_egress_rule` ([#46368](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46368))
- **New List Resource:** `aws_vpc_security_group_ingress_rule` ([#46367](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46367))
- **New Resource:** `aws_ec2_secondary_network` ([#46408](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46408))
- **New Resource:** `aws_ec2_secondary_subnet` ([#46408](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46408))

ENHANCEMENTS:

- resource/aws\_instance: Add `secondary_network_interface` argument ([#46408](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46408))
- resource/aws\_quicksight\_data\_set: Support `use_as` property to create special RLS rules dataset ([#42687](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/42687))

BUG FIXES:

- data-source/aws\_odb\_network\_peering\_connections: Fix plan phase failure of listing. ([#46384](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46384))
- list-resource/aws\_s3\_bucket\_policy: Now supports listing Bucket Policies for S3 Directory Buckets ([#46401](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46401))
- resource/aws\_athena\_workgroup: Allows unsetting `configuration.result_configuration` or child attributes. ([#46427](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46427))
- resource/aws\_cloudfront\_multitenant\_distribution: Fix the "inconsistent result" error when `custom_error_response` is configured and `custom_error_response.response_code` and `custom_error_response.response_page_path` are omitted ([#46375](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/46375))
- resource/aws\_grafana\_workspace: Fix perpetual diff when `network_access_control` is configured with empty `prefix_list_ids` and `vpce_ids` ([#45637](https://redirect.github.com/hashicorp/terraform-provider-aws/issues/45637))

</details>

<details>
<summary>integrations/terraform-provider-github (github)</summary>

### [`v6.11.1`](https://redirect.github.com/integrations/terraform-provider-github/releases/tag/v6.11.1)

[Compare Source](https://redirect.github.com/integrations/terraform-provider-github/compare/v6.11.0...v6.11.1)

#### What's Changed

##### 🐛 Bugfixes

- fix: Only send allow\_forking on change by [@stevehipwell](https://redirect.github.com/stevehipwell) in [#3174](https://redirect.github.com/integrations/terraform-provider-github/pull/3174)
- fix: Type mismatch in `team_id` of `emu_group_mapping` by [@deiga](https://redirect.github.com/deiga) in [#3163](https://redirect.github.com/integrations/terraform-provider-github/pull/3163)

##### Maintenance

- \[MAINT] Fixup `github_repository_file` by [@deiga](https://redirect.github.com/deiga) in [#3175](https://redirect.github.com/integrations/terraform-provider-github/pull/3175)

**Full Changelog**: <integrations/terraform-provider-github@v6.11.0...v6.11.1>

</details>

<details>
<summary>hashicorp/terraform-provider-google (google)</summary>

### [`v7.19.0`](https://redirect.github.com/hashicorp/terraform-provider-google/blob/HEAD/CHANGELOG.md#7190-Unreleased)

[Compare Source](https://redirect.github.com/hashicorp/terraform-provider-google/compare/v7.18.0...v7.19.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: d74f4530d1e4f3de277d42e601f6d4606e0bc273
<!-- CURSOR_SUMMARY --> > [!NOTE] > **Medium Risk** > Removes `BlastPropagation` (in/out) semantics from many GCP adapter link definitions and their StaticTests, which can change how dependency/blast-radius relationships are represented downstream even though link discovery remains. > > **Overview** > **Removes blast propagation metadata from GCP dynamic adapters.** Adapter `blastPropagation` maps now only describe *linked resource types* (`ToSDPItemType` + `Description` + optional `IsParentToChild`), dropping per-link `sdp.BlastPropagation` settings. > > **Updates tests and docs accordingly.** StaticTests no longer assert `ExpectedBlastPropagation`, and documentation/rules are revised to require coverage of all linked resources the adapter produces rather than blast-propagation paths. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 758d93a0a8fbd990569cc12575fe62fbc9486eb8. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: e1880f9ff9af95275befc7a23ab9068410959d06
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go | `v1.36.11-20251209175733-2a1774d88802.1` → `v1.36.11-20260209202127-80ab13bee0bf.1` |  |  | | [buf.build/go/protovalidate](https://redirect.github.com/bufbuild/protovalidate-go) | `v1.1.0` → `v1.1.2` |  |  | | [cloud.google.com/go/aiplatform](https://redirect.github.com/googleapis/google-cloud-go) | `v1.115.0` → `v1.116.0` |  |  | | [cloud.google.com/go/spanner](https://redirect.github.com/googleapis/google-cloud-go) | `v1.87.0` → `v1.88.0` |  |  | | [github.com/1password/onepassword-sdk-go](https://redirect.github.com/1password/onepassword-sdk-go) | `v0.3.1` → `v0.4.0` |  |  | | [github.com/auth0/go-auth0/v2](https://redirect.github.com/auth0/go-auth0) | `v2.4.0` → `v2.5.0` |  |  | | [github.com/aws/aws-sdk-go-v2/service/ec2](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.285.0` → `v1.288.0` |  |  | | [github.com/aws/aws-sdk-go-v2/service/eks](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.77.1` → `v1.80.0` |  |  | | [github.com/aws/aws-sdk-go-v2/service/rds](https://redirect.github.com/aws/aws-sdk-go-v2) | `v1.114.0` → `v1.115.0` |  |  | | [github.com/harness/harness-go-sdk](https://redirect.github.com/harness/harness-go-sdk) | `v0.7.6` → `v0.7.9` |  |  | | [github.com/kaptinlin/jsonrepair](https://redirect.github.com/kaptinlin/jsonrepair) | `v0.2.7` → `v0.2.8` |  |  | | [github.com/openai/openai-go/v3](https://redirect.github.com/openai/openai-go) | `v3.18.0` → `v3.21.0` |  |  | | [golang.org/x/net](https://pkg.go.dev/golang.org/x/net) | [`v0.49.0` → `v0.50.0`](https://cs.opensource.google/go/x/net/+/refs/tags/v0.49.0...refs/tags/v0.50.0) |  |  | | [golang.org/x/oauth2](https://pkg.go.dev/golang.org/x/oauth2) | [`v0.34.0` → 
`v0.35.0`](https://cs.opensource.google/go/x/oauth2/+/refs/tags/v0.34.0...refs/tags/v0.35.0) |  |  | | [golang.org/x/text](https://pkg.go.dev/golang.org/x/text) | [`v0.33.0` → `v0.34.0`](https://cs.opensource.google/go/x/text/+/refs/tags/v0.33.0...refs/tags/v0.34.0) |  |  | | [google.golang.org/api](https://redirect.github.com/googleapis/google-api-go-client) | `v0.265.0` → `v0.266.0` |  |  | | [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) | `v1.78.0` → `v1.79.1` |  |  | | [k8s.io/api](https://redirect.github.com/kubernetes/api) | `v0.35.0` → `v0.35.1` |  |  | | [k8s.io/apimachinery](https://redirect.github.com/kubernetes/apimachinery) | `v0.35.0` → `v0.35.1` |  |  | | [k8s.io/client-go](https://redirect.github.com/kubernetes/client-go) | `v0.35.0` → `v0.35.1` |  |  | | [k8s.io/component-base](https://redirect.github.com/kubernetes/component-base) | `v0.35.0` → `v0.35.1` |  |  | | [modernc.org/sqlite](https://gitlab.com/cznic/sqlite) | `v1.44.3` → `v1.45.0` |  |  | | [sigs.k8s.io/structured-merge-diff/v6](https://redirect.github.com/kubernetes-sigs/structured-merge-diff) | `v6.3.2-0.20260122202528-d9cc6641c482` → `v6.3.2` |  |  | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. 
--- ### Release Notes <details> <summary>bufbuild/protovalidate-go (buf.build/go/protovalidate)</summary> ### [`v1.1.2`](https://redirect.github.com/bufbuild/protovalidate-go/releases/tag/v1.1.2) [Compare Source](https://redirect.github.com/bufbuild/protovalidate-go/compare/v1.1.1...v1.1.2) #### What's Changed - Fix base type adapter missing builtin types by [@​rodaine](https://redirect.github.com/rodaine) in [#​305](https://redirect.github.com/bufbuild/protovalidate-go/pull/305) **Full Changelog**: <bufbuild/protovalidate-go@v1.1.1...v1.1.2> ### [`v1.1.1`](https://redirect.github.com/bufbuild/protovalidate-go/releases/tag/v1.1.1) [Compare Source](https://redirect.github.com/bufbuild/protovalidate-go/compare/v1.1.0...v1.1.1) This release is compatible with the [v1.1.0](https://redirect.github.com/bufbuild/protovalidate/releases/tag/v1.1.0) release of Protovalidate. #### What's Changed - Always provide all available variables by [@​srikrsna-buf](https://redirect.github.com/srikrsna-buf) in [#​297](https://redirect.github.com/bufbuild/protovalidate-go/pull/297) - Wrap protoreflect.Map with type information so we don't need to cast to map\[any]any by [@​rodaine](https://redirect.github.com/rodaine) in [#​300](https://redirect.github.com/bufbuild/protovalidate-go/pull/300) - Avoid heap escape on kvPairs evaluation by [@​rodaine](https://redirect.github.com/rodaine) in [#​301](https://redirect.github.com/bufbuild/protovalidate-go/pull/301) - Implement registry chaining for CEL type isolation by [@​rodaine](https://redirect.github.com/rodaine) in [#​302](https://redirect.github.com/bufbuild/protovalidate-go/pull/302) **Full Changelog**: <bufbuild/protovalidate-go@v1.1.0...v1.1.1> </details> <details> <summary>1password/onepassword-sdk-go (github.com/1password/onepassword-sdk-go)</summary> ### [`v0.4.0`](https://redirect.github.com/1Password/onepassword-sdk-go/releases/tag/v0.4.0): Release 0.4.0 [Compare 
Source](https://redirect.github.com/1password/onepassword-sdk-go/compare/v0.3.1...v0.4.0) ### 1Password Go SDK v0.4.0 #### NEW - **Desktop App integration:** The SDK can now authenticate via an authorization prompt from the 1Password app. - **Vault CRUDL:** You can now fully manage 1Password vaults with the SDK, including creating, reading, updating, deleting and listing. - **Vault group permission management operations:** You can now grant, update and revoke group access to vaults using `grantGroupPermissions`, `updateGroupPermissions`, and `revokeGroupPermissions` functions. - **Item batch management:** You can now retrieve, create, update and delete items in batch, enabling more scalable item management. </details> <details> <summary>auth0/go-auth0 (github.com/auth0/go-auth0/v2)</summary> ### [`v2.5.0`](https://redirect.github.com/auth0/go-auth0/blob/HEAD/CHANGELOG.md#v250-2026-02-11) [Compare Source](https://redirect.github.com/auth0/go-auth0/compare/v2.4.0...v2.5.0) [Full Changelog](https://redirect.github.com/auth0/go-auth0/compare/v2.4.0...v2.5.0) **Changed** - feat!: Consolidate types to root package with consistent naming [#​692](https://redirect.github.com/auth0/go-auth0/pull/692) ([fern-api\[bot\]](https://redirect.github.com/apps/fern-api)) **Fixed** - chore: Add MarshalJSON/UnmarshalJSON to all request content types for correct explicit-field serialization [#​696](https://redirect.github.com/auth0/go-auth0/pull/696) ([fern-api\[bot\]](https://redirect.github.com/apps/fern-api)) - chore: Add pagination for Action Module Versions, enhance social connection options, and fix session signal serialization [#​695](https://redirect.github.com/auth0/go-auth0/pull/695) ([fern-api\[bot\]](https://redirect.github.com/apps/fern-api)) - chore: Improve WireMock test infrastructure and add package-level error codes [#​693](https://redirect.github.com/auth0/go-auth0/pull/693) ([fern-api\[bot\]](https://redirect.github.com/apps/fern-api)) </details> <details> 
<summary>aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/service/ec2)</summary> ### [`v1.288.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2026-02-12) #### Module Highlights - `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.288.0](service/ec2/CHANGELOG.md#v12880-2026-02-12) - **Feature**: Launching nested virtualization. This feature allows you to run nested VMs inside virtual (non-bare metal) EC2 instances. ### [`v1.287.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2026-02-11) #### Module Highlights - `github.com/aws/aws-sdk-go-v2/service/batch`: [v1.60.0](service/batch/CHANGELOG.md#v1600-2026-02-11) - **Feature**: Add support for listing jobs by share identifier and getting snapshots of active capacity utilization by job queue and share. - `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.287.0](service/ec2/CHANGELOG.md#v12870-2026-02-11) - **Feature**: R8i instances powered by custom Intel Xeon 6 processors available only on AWS with sustained all-core 3.9 GHz turbo frequency - `github.com/aws/aws-sdk-go-v2/service/eks`: [v1.80.0](service/eks/CHANGELOG.md#v1800-2026-02-11) - **Feature**: This release adds support for Windows Server 2025 in Amazon EKS Managed Node Groups. - `github.com/aws/aws-sdk-go-v2/service/kafkaconnect`: [v1.30.0](service/kafkaconnect/CHANGELOG.md#v1300-2026-02-11) - **Feature**: Support configurable upper limits on task count during autoscaling operations via maxAutoscalingTaskCount parameter. - `github.com/aws/aws-sdk-go-v2/service/s3tables`: [v1.14.0](service/s3tables/CHANGELOG.md#v1140-2026-02-11) - **Feature**: S3 Tables now supports setting partition specifications and sort orders on tables. Partition specs allow users to define how data is organized using transform functions. Sort order configurations enable users to specify sort directions and null ordering preferences for optimized data layout. 
### [`v1.286.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2026-02-10) #### Module Highlights - `github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2`: [v1.11.0](service/connectcampaignsv2/CHANGELOG.md#v1110-2026-02-10) - **Feature**: Add the missing event type for WhatsApp - `github.com/aws/aws-sdk-go-v2/service/ec2`: [v1.286.0](service/ec2/CHANGELOG.md#v12860-2026-02-10) - **Feature**: Amazon Secondary Networks is a networking feature that provides high-performance, low-latency connectivity for specialized workloads. - `github.com/aws/aws-sdk-go-v2/service/eks`: [v1.78.0](service/eks/CHANGELOG.md#v1780-2026-02-10) - **Feature**: Amazon EKS adds a new DescribeUpdate update type, VendedLogsUpdate, to support an integration between EKS Auto Mode and Amazon CloudWatch Vended Logs. - `github.com/aws/aws-sdk-go-v2/service/evidently`: [v1.30.0](service/evidently/CHANGELOG.md#v1300-2026-02-10) - **Feature**: Marked service APIs as deprecated. This service has reached end-of-life. - `github.com/aws/aws-sdk-go-v2/service/imagebuilder`: [v1.51.0](service/imagebuilder/CHANGELOG.md#v1510-2026-02-10) - **Feature**: EC2 Image Builder now supports wildcard patterns in lifecycle policies with recipes and enhances the experience of tag-scoped policies. - `github.com/aws/aws-sdk-go-v2/service/iotanalytics`: [v1.32.0](service/iotanalytics/CHANGELOG.md#v1320-2026-02-10) - **Feature**: Marked service APIs as deprecated. This service has reached end-of-life. - `github.com/aws/aws-sdk-go-v2/service/lakeformation`: [v1.47.1](service/lakeformation/CHANGELOG.md#v1471-2026-02-10) - **Documentation**: Allow cross account v5 in put data lake settings - `github.com/aws/aws-sdk-go-v2/service/neptunedata`: [v1.17.0](service/neptunedata/CHANGELOG.md#v1170-2026-02-10) - **Feature**: Added edgeOnlyLoad boolean parameter to Neptune bulk load request. When TRUE, files are loaded in order without scanning. 
When FALSE (default), the loader scans files first, then loads vertex files before edge files automatically. - `github.com/aws/aws-sdk-go-v2/service/pcs`: [v1.16.0](service/pcs/CHANGELOG.md#v1160-2026-02-10) - **Feature**: Introduces RESUMING state for clusters, compute node groups, and queues. - `github.com/aws/aws-sdk-go-v2/service/transfer`: [v1.69.1](service/transfer/CHANGELOG.md#v1691-2026-02-10) - **Documentation**: This release adds a documentation update for MdnResponse of type "ASYNC" </details> <details> <summary>harness/harness-go-sdk (github.com/harness/harness-go-sdk)</summary> ### [`v0.7.9`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.8...v0.7.9) [Compare Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.8...v0.7.9) ### [`v0.7.8`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.7...v0.7.8) [Compare Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.7...v0.7.8) ### [`v0.7.7`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.6...v0.7.7) [Compare Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.7.6...v0.7.7) </details> <details> <summary>kaptinlin/jsonrepair (github.com/kaptinlin/jsonrepair)</summary> ### [`v0.2.8`](https://redirect.github.com/kaptinlin/jsonrepair/compare/v0.2.7...v0.2.8) [Compare Source](https://redirect.github.com/kaptinlin/jsonrepair/compare/v0.2.7...v0.2.8) </details> <details> <summary>openai/openai-go (github.com/openai/openai-go/v3)</summary> ### [`v3.21.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.21.0) [Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.20.0...v3.21.0) #### 3.21.0 (2026-02-10) Full Changelog: [v3.20.0...v3.21.0](https://redirect.github.com/openai/openai-\[go/compare/v3.20.0...v3.21.0]\(https://www.golinks.io/compare/v3.20.0...v3.21.0?trackSource=github\)) ##### Features - **api:** support for images in batch api 
([e23aeb1](https://redirect.github.com/openai/openai-\[go/commit/e23aeb1b13bfd089cc73d3097c9635b687446f82]\(https://www.golinks.io/commit/e23aeb1b13bfd089cc73d3097c9635b687446f82?trackSource=github\))) ### [`v3.20.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.20.0) [Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.19.0...v3.20.0) #### 3.20.0 (2026-02-10) Full Changelog: [v3.19.0...v3.20.0](https://redirect.github.com/openai/openai-\[go/compare/v3.19.0...v3.20.0]\(https://www.golinks.io/compare/v3.19.0...v3.20.0?trackSource=github\)) ##### Features - **api:** skills and hosted shell ([9e191de](https://redirect.github.com/openai/openai-\[go/commit/9e191de75f67a6a693c8b25ac9ab1b9288673993]\(https://www.golinks.io/commit/9e191de75f67a6a693c8b25ac9ab1b9288673993?trackSource=github\))) ### [`v3.19.0`](https://redirect.github.com/openai/openai-go/releases/tag/v3.19.0) [Compare Source](https://redirect.github.com/openai/openai-go/compare/v3.18.0...v3.19.0) #### 3.19.0 (2026-02-09) Full Changelog: [v3.18.0...v3.19.0](https://redirect.github.com/openai/openai-go/compare/v3.18.0...v3.19.0) ##### Features - **api:** responses context\_management ([199f230](https://redirect.github.com/openai/openai-go/commit/199f23025ab098f2ac0ac9a99dee37235613c287)) </details> <details> <summary>googleapis/google-api-go-client (google.golang.org/api)</summary> ### [`v0.266.0`](https://redirect.github.com/googleapis/google-api-go-client/releases/tag/v0.266.0) [Compare Source](https://redirect.github.com/googleapis/google-api-go-client/compare/v0.265.0...v0.266.0) ##### Features - **all:** Auto-regenerate discovery clients ([#​3483](https://redirect.github.com/googleapis/google-api-go-client/issues/3483)) ([a3a61ce](https://redirect.github.com/googleapis/google-api-go-client/commit/a3a61ce2214c8d18bb640c724fae2cda8cb77b58)) - **all:** Auto-regenerate discovery clients ([#​3485](https://redirect.github.com/googleapis/google-api-go-client/issues/3485)) 
([200d140](https://redirect.github.com/googleapis/google-api-go-client/commit/200d1409ecc830131f0b5b92fd59708fef24dd8e)) - **all:** Auto-regenerate discovery clients ([#​3486](https://redirect.github.com/googleapis/google-api-go-client/issues/3486)) ([870909e](https://redirect.github.com/googleapis/google-api-go-client/commit/870909e466b1bf8172dfe9bd5c096b1df45b0491)) - **all:** Auto-regenerate discovery clients ([#​3487](https://redirect.github.com/googleapis/google-api-go-client/issues/3487)) ([6018e80](https://redirect.github.com/googleapis/google-api-go-client/commit/6018e80ff5cadadb81c7b7be9f5de01b4b4c2132)) - **all:** Auto-regenerate discovery clients ([#​3489](https://redirect.github.com/googleapis/google-api-go-client/issues/3489)) ([402353b](https://redirect.github.com/googleapis/google-api-go-client/commit/402353be95579bccda6b6623e67e9f028163905b)) - **all:** Auto-regenerate discovery clients ([#​3490](https://redirect.github.com/googleapis/google-api-go-client/issues/3490)) ([49c652f](https://redirect.github.com/googleapis/google-api-go-client/commit/49c652fb9c5e08c9d1a2587f41017b6011dc03da)) </details> <details> <summary>grpc/grpc-go (google.golang.org/grpc)</summary> ### [`v1.79.1`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.79.1): Release 1.79.1 [Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.79.0...v1.79.1) ### Bug Fixes - grpc: Remove the -dev suffix from the User-Agent header ([#​8902](https://redirect.github.com/grpc/grpc-go/pull/8902)) ### [`v1.79.0`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.79.0): Release 1.79.0 [Compare Source](https://redirect.github.com/grpc/grpc-go/compare/v1.78.0...v1.79.0) ### API Changes - mem: Add experimental API `SetDefaultBufferPool` to change the default buffer pool. 
([#​8806](https://redirect.github.com/grpc/grpc-go/issues/8806)) - Special Thanks: [@​vanja-p](https://redirect.github.com/vanja-p) - experimental/stats: Update `MetricsRecorder` to require embedding the new `UnimplementedMetricsRecorder` (a no-op struct) in all implementations for forward compatibility. ([#​8780](https://redirect.github.com/grpc/grpc-go/issues/8780)) ### Behavior Changes - balancer/weightedtarget: Remove handling of `Addresses` and only handle `Endpoints` in resolver updates. ([#​8841](https://redirect.github.com/grpc/grpc-go/issues/8841)) ### New Features - experimental/stats: Add support for asynchronous gauge metrics through the new `AsyncMetricReporter` and `RegisterAsyncReporter` APIs. ([#​8780](https://redirect.github.com/grpc/grpc-go/issues/8780)) - pickfirst: Add support for weighted random shuffling of endpoints, as described in [gRFC A113](https://redirect.github.com/grpc/proposal/pull/535). - This is enabled by default, and can be turned off using the environment variable `GRPC_EXPERIMENTAL_PF_WEIGHTED_SHUFFLING`. ([#​8864](https://redirect.github.com/grpc/grpc-go/issues/8864)) - xds: Implement `:authority` rewriting, as specified in [gRFC A81](https://redirect.github.com/grpc/proposal/blob/master/A81-xds-authority-rewriting.md). ([#​8779](https://redirect.github.com/grpc/grpc-go/issues/8779)) - balancer/randomsubsetting: Implement the `random_subsetting` LB policy, as specified in [gRFC A68](https://redirect.github.com/grpc/proposal/blob/master/A68-random-subsetting.md). ([#​8650](https://redirect.github.com/grpc/grpc-go/issues/8650)) - Special Thanks: [@​marek-szews](https://redirect.github.com/marek-szews) - server: Include status detail headers, if available, when terminating a stream during request header processing. 
([#​8754](https://redirect.github.com/grpc/grpc-go/issues/8754)) - Special Thanks: [@​joybestourous](https://redirect.github.com/joybestourous) ### Bug Fixes - credentials/tls: Fix a bug where the port was not stripped from the authority override before validation. ([#​8726](https://redirect.github.com/grpc/grpc-go/issues/8726)) - Special Thanks: [@​Atul1710](https://redirect.github.com/Atul1710) - xds/priority: Fix a bug causing delayed failover to lower-priority clusters when a higher-priority cluster is stuck in `CONNECTING` state. ([#​8813](https://redirect.github.com/grpc/grpc-go/issues/8813)) - health: Fix a bug where health checks failed for clients using legacy compression options (`WithDecompressor` or `RPCDecompressor`). ([#​8765](https://redirect.github.com/grpc/grpc-go/issues/8765)) - Special Thanks: [@​sanki92](https://redirect.github.com/sanki92) - transport: Fix an issue where the HTTP/2 server could skip header size checks when terminating a stream early. ([#​8769](https://redirect.github.com/grpc/grpc-go/issues/8769)) - Special Thanks: [@​joybestourous](https://redirect.github.com/joybestourous) ### Performance Improvements - credentials/alts: Optimize read buffer alignment to reduce copies. ([#​8791](https://redirect.github.com/grpc/grpc-go/issues/8791)) - mem: Optimize pooling and creation of `buffer` objects. ([#​8784](https://redirect.github.com/grpc/grpc-go/issues/8784)) - transport: Reduce slice re-allocations by reserving slice capacity. 
([#​8797](https://redirect.github.com/grpc/grpc-go/issues/8797)) </details> <details> <summary>kubernetes/api (k8s.io/api)</summary> ### [`v0.35.1`](https://redirect.github.com/kubernetes/api/compare/v0.35.0...v0.35.1) [Compare Source](https://redirect.github.com/kubernetes/api/compare/v0.35.0...v0.35.1) </details> <details> <summary>kubernetes/apimachinery (k8s.io/apimachinery)</summary> ### [`v0.35.1`](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.0...v0.35.1) [Compare Source](https://redirect.github.com/kubernetes/apimachinery/compare/v0.35.0...v0.35.1) </details> <details> <summary>kubernetes/client-go (k8s.io/client-go)</summary> ### [`v0.35.1`](https://redirect.github.com/kubernetes/client-go/compare/v0.35.0...v0.35.1) [Compare Source](https://redirect.github.com/kubernetes/client-go/compare/v0.35.0...v0.35.1) </details> <details> <summary>kubernetes/component-base (k8s.io/component-base)</summary> ### [`v0.35.1`](https://redirect.github.com/kubernetes/component-base/compare/v0.35.0...v0.35.1) [Compare Source](https://redirect.github.com/kubernetes/component-base/compare/v0.35.0...v0.35.1) </details> <details> <summary>cznic/sqlite (modernc.org/sqlite)</summary> ### [`v1.45.0`](https://gitlab.com/cznic/sqlite/compare/v1.44.3...v1.45.0) [Compare Source](https://gitlab.com/cznic/sqlite/compare/v1.44.3...v1.45.0) </details> <details> <summary>kubernetes-sigs/structured-merge-diff (sigs.k8s.io/structured-merge-diff/v6)</summary> ### [`v6.3.2`](https://redirect.github.com/kubernetes-sigs/structured-merge-diff/compare/v6.3.1...v6.3.2) [Compare Source](https://redirect.github.com/kubernetes-sigs/structured-merge-diff/compare/v6.3.1...v6.3.2) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 10am on friday" in timezone Europe/London, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 
👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> GitOrigin-RevId: ad6782fb125948cd3d4a6ee5e6e1d71d78cfb590
This is based on https://github.com/overmindtech/workspace/pull/3709 and combines all CLI changes from https://github.com/overmindtech/workspace/pull/3701 into a single commit. https://github.com/overmindtech/workspace/pull/3710 needs to be deployed before this can pass the e2e tests. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes behavior of change lifecycle operations (start/end) and modifies worker retry/terminal handling, which can affect state transitions and job/flag correctness if edge cases are missed. > > **Overview** > **CLI start/end-change now runs in the background by default.** `start-change` and `end-change` switch from streaming RPCs to `StartChangeSimple`/`EndChangeSimple`, returning immediately and optionally polling `GetChange` when `--wait-for-snapshot` is set. > > **End-change UUID resolution is made race-safe.** The CLI stops client-side status checking for end-change (adds `getChangeUUID`) and relies on server-side atomic validation/queuing. > > **Snapshot worker failure semantics are unified.** Start/end snapshot workers now use a shared `snapshotWorkerRun` wrapper that treats validation/snapshot/DB errors (and panics) as retryable until the final attempt, then force-completes the status transition and clears in-progress flags; start-change also best-effort consumes any queued end-change on force-complete. GitHub composite actions gain a `wait-for-snapshot` input that forwards to the CLI. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 450bb313724a2f4aea5aa14a8de609750c6b7a99. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: c82af9fd0a6ec952c94cfec93847ec58209f69a7
Implement not-found result caching for GCP dynamic, GCP manual, and stdlib HTTP adapters. This change reduces redundant API calls and improves performance, particularly for LIST operations that return zero items, by caching these "not found" results. This aligns with the caching strategy previously implemented for AWS sources. https://github.com/user-attachments/assets/eac84bff-19d9-4b2e-b772-bb08138555cf --- Linear Issue: [ENG-2369](https://linear.app/overmind/issue/ENG-2369/cache-not-found-results-all-other-adapters) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes adapter error semantics (notably HTTP `404/410` now returning `NOTFOUND` errors) and caching behavior, which may affect downstream callers that previously treated these cases as successful items or uncached misses. > > **Overview** > Adds **NOTFOUND caching** to the stdlib `DNSAdapter` and `HTTPAdapter` so repeated lookups for missing resources avoid repeated network calls and return consistent `(nil, NOTFOUND error)` responses. 
> > In `DNSAdapter`, only `QueryError_NOTFOUND` results are cached (including empty result sets), with updated `QueryError` fields (e.g. `ResponderName`) and tests asserting first vs cached-miss behavior matches for both `Get` and `Search` (including reverse lookups). > > In `HTTPAdapter`, `Get` now treats HTTP `404`/`410` as `QueryError_NOTFOUND` (cached), ensures response bodies are closed, and `Search` propagates NOTFOUND errors instead of converting them to empty results; tests were updated/added to validate cached 404 behavior and adjust the “localhost” test path to a 200 endpoint. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2a486bdf4bb1aae9879223d14d8a3e5d536c1418. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: dfba6a64fe9aa4e5ab8752325778871372e5de1b
Implement not-found result caching across all adapter types to reduce redundant API calls when resources don't exist: Changes: - GCP dynamic adapters: Cache NOTFOUND for GET (404 responses), LIST/SEARCH (0 items returned) - GCP/Azure manual adapters (via transformer.go): Cache NOTFOUND for GET (nil item), LIST/SEARCH (0 items) Benefits: - Reduces API calls by 90%+ for repeated queries that find nothing - Particularly impactful for LIST operations across unused resources - Uses standard NOTFOUND QueryError type for consistency - Maintains backward compatibility (returns empty arrays instead of errors for LIST/SEARCH) - Caches for same duration as successful results (DefaultCacheDuration) Related to ENG-2369 https://github.com/user-attachments/assets/b6931869-466b-45ba-b03d-45d5528bb3fa https://github.com/user-attachments/assets/de174346-9741-4377-82e0-d59b65318a91 <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes caching and error/stream semantics for many GCP adapters; while intended to be backward-compatible for `LIST`/`SEARCH`, mistakes could hide real errors or cause incorrect cache entries (especially around partial pagination or extraction failures). > > **Overview** > Adds **NOTFOUND result caching** to GCP dynamic adapters so repeated `GET`/`LIST`/`SEARCH` queries that return 404 or zero items are stored as `sdp.QueryError_NOTFOUND` and subsequent calls return *empty results* (for `LIST`/`SEARCH`) or the same NOTFOUND error (for `GET`) without re-hitting the API. > > Updates dynamic HTTP/pagination helpers to emit `QueryError_NOTFOUND` on HTTP 404, enrich NOTFOUND errors with scope/adapter metadata, and refine streaming/aggregation to avoid caching NOTFOUND when partial results exist or when extraction errors occurred (and to suppress NOTFOUND errors on streams to match cached behavior). 
Many manual GCP adapters’ stream listing paths now cache NOTFOUND when no items are produced (with no per-item errors), with extensive new tests validating cache-hit behavior for both wildcard and scoped queries. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 05793ba0e60871a3116621c74722fdc3dc5350e7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: f6af5cd49460cac800babb617e09460b2231bf0f
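The caching rules described in the two not-found caching commit messages above (HTTP `404`/`410` and empty listings stored as NOTFOUND, nothing stored when a listing is partial or a page fails, `LIST` callers still receiving an empty result), as an added Go example that is not the project's own code. `Cache`, `Page`, `ErrNotFound` (standing in for `sdp.QueryError_NOTFOUND`) and the sample resource names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// ErrNotFound stands in for the NOTFOUND query error (assumption: a plain sentinel).
var ErrNotFound = errors.New("NOTFOUND")

type entry struct {
	items    []string
	notFound bool
	expires  time.Time
}

// Cache is a hypothetical cache with one TTL for hits and misses (locking omitted).
type Cache struct {
	ttl time.Duration
	m   map[string]entry
}

func NewCache(ttl time.Duration) *Cache {
	return &Cache{ttl: ttl, m: map[string]entry{}}
}

func (c *Cache) lookup(key string) (entry, bool) {
	e, ok := c.m[key]
	return e, ok && time.Now().Before(e.expires)
}

func (c *Cache) store(key string, e entry) {
	e.expires = time.Now().Add(c.ttl)
	c.m[key] = e
}

// Get caches hits and 404/410 misses. Transport errors and other statuses are
// returned uncached, so an outage is never remembered as "does not exist".
func (c *Cache) Get(key string, fetch func() (string, int, error)) (string, error) {
	key = "GET|" + key
	if e, ok := c.lookup(key); ok && e.notFound {
		return "", ErrNotFound
	} else if ok {
		return e.items[0], nil
	}
	item, status, err := fetch()
	switch {
	case err != nil:
		return "", err
	case status == 404 || status == 410:
		c.store(key, entry{notFound: true})
		return "", ErrNotFound
	case status != 200:
		return "", fmt.Errorf("upstream status %d", status)
	}
	c.store(key, entry{items: []string{item}})
	return item, nil
}

// Page is one page of a paginated LIST; Err marks a failed fetch or extraction.
type Page struct {
	Items []string
	Err   error
}

// List caches an empty result as NOTFOUND only when every page succeeded.
// Callers still receive an empty slice and a nil error, never NOTFOUND.
func (c *Cache) List(key string, fetch func() []Page) ([]string, error) {
	key = "LIST|" + key
	if e, ok := c.lookup(key); ok {
		return e.items, nil
	}
	items := []string{}
	for _, p := range fetch() {
		items = append(items, p.Items...)
		if p.Err != nil {
			return items, p.Err // partial or failed listing: cache nothing
		}
	}
	c.store(key, entry{items: items, notFound: len(items) == 0})
	return items, nil
}

// scenario repeats three constructed queries and returns upstream call counts.
func scenario() (get404, listEmpty, listPartial int) {
	c := NewCache(time.Minute)
	for i := 0; i < 3; i++ {
		c.Get("bucket-a", func() (string, int, error) { get404++; return "", 404, nil })
		c.List("zone-x", func() []Page { listEmpty++; return []Page{{}} })
		c.List("zone-y", func() []Page {
			listPartial++
			return []Page{{Items: []string{"disk-1"}}, {Err: errors.New("page 2: timeout")}}
		})
	}
	return get404, listEmpty, listPartial
}

func main() { fmt.Println(scenario()) }
```

The partial listing reaches the upstream on every call because a cached NOTFOUND there would hide both `disk-1` and the page failure.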
…r role assignments, storage blob containers, and file shares. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes how Azure resources are mapped/resolved from Terraform plans (GET vs SEARCH and name vs id), which may affect plan-to-infra matching correctness across Azure types. > > **Overview** > Extends Terraform plan mapping to include Azure adapter metadata so Azure resources can be resolved into Overmind queries during `submit-plan`. > > Updates Azure Terraform mappings for `azurerm_role_assignment`, `azurerm_storage_container`, and `azurerm_storage_share` to use `QueryMethod_SEARCH` against the Terraform `id` field (resource ID-based resolution), adding a `Search`/`SearchLookups` implementation plus tests for role assignments. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit a921860a0774e8cd2033069ae3cbc4a48085d69e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: 6d4d71c65c666f9b132e4f3be954a8ddd87e5cfa
… (#3874) <!-- CURSOR_SUMMARY --> > [!NOTE] > **Medium Risk** > Broad rename across many adapters and shared linker plumbing; behavior should be equivalent but mistakes could silently break auto-link generation and `PotentialLinks` metadata. > > **Overview** > Renames the GCP dynamic linking configuration concept from **blast propagation** to **link rules**, updating adapter registration (`registerableAdapter`), shared globals (`gcpshared.LinkRules`), and linker lookup logic to use the new map. > > Updates dynamic adapter metadata generation to derive `PotentialLinks` from link rules (including the IP/DNS bidirectional special-case), and refreshes adapter tests and internal docs to reference and validate link rules instead of blast propagation. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 71974dbe7166ac40b4289e0ec21dff144b9875c7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> GitOrigin-RevId: d231a00a88a4994d2f6f7408d2472539979098d9
This PR contains a bunch of changes to the cursor rules and skills, as well as a bunch of added docs around architecture and ADR process. All of this is preliminary and draft but should give us a good basis to start for this week.

---

> [!NOTE]
> **Medium Risk**
> Mostly documentation and developer-workflow changes, but it modifies CI/codegen and lint tooling (`go generate`, SQLC regeneration, linter switch) which can cause build/CI churn or unexpected diffs if versions or generation steps diverge.
>
> **Overview**
> Introduces a full **ADR process** in-repo (`docs/adr/*` with `INDEX.md`, template, and 17 initial Accepted ADRs), plus new architecture docs (`docs/context-map.md`), a canonical `docs/domain-glossary.md`, and a DDD gaps writeup; internal docs are updated to reference ADRs and current tooling (e.g., frontend stack, logging, SQLC usage).
>
> Overhauls Cursor automation: adds a `doc-maintainer` agent and documentation workflow rule, refines/retargets many `.cursor/rules/*.mdc` globs and standards (Go/SQL/Frontend/Sources), adds ADR BUGBOT review rules, and removes some legacy rules/scripts.
>
> Tightens and standardizes dev/CI tooling: pins several devcontainer Go tool versions, switches linting guidance/settings from `golangci-lint-v2` to `golangci-lint` (and sets a default timeout in `.golangci.yml`), updates CI to run `go generate ./...` (with new `*/models/generate.go` wrappers to run `sqlc generate`), and adds a devcontainer mount for host `.cursor` settings. Also includes a small revlink test change to create nodes inside a Neo4j write transaction.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 67809feaf8a032d963406066f4285ff20d7a2cfc. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 2c31acb7bd6f0f8bd5236195fb1a8dff8d8b156e
…ng (#3863)

> [!NOTE]
> **Medium Risk**
> Introduces new GCP IAM-policy collection and linking plus new IAM permission requirements; mistakes could impact security-scoped discovery results or require additional permissions in customer projects.
>
> **Overview**
> Adds a new GCP manual adapter `StorageBucketIAMPolicy` (one item per bucket) that fetches bucket IAM via the Storage `getIamPolicy` v3 API, serializes bindings, and emits links to related service accounts, custom roles, project principals, and domains.
>
> Wires this into discovery: initializes a GCS `storage.Client`, registers the adapter, introduces the new item type/resource and linker, and adds parent-to-child linking from `StorageBucket` plus Terraform mappings for `google_storage_bucket_iam_*` resources.
>
> Updates deployment IAM to grant `storage.buckets.getIamPolicy` via the existing `overmind_custom_role`, and adjusts a few tests (Azure adapter query validation expectations; GCP impersonation integration test credential/token-source handling and softer failure behavior).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 1fe795d139c0793fdfa722846ecded22cd700e6c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Dylan <dylanratcliffe@users.noreply.github.com>
GitOrigin-RevId: e02d429b2bb3868ea24de9d2bc76f2ec74007ef1
This pull request contains changes generated by a Cursor Cloud Agent

---

> [!NOTE]
> **Medium Risk**
> Broad, mechanical import/path changes across many packages and CI steps; main risk is missed references causing build/test or workflow failures rather than behavioral changes.
>
> **Overview**
> Updates the repo to use the new Go library layout under `go/` by rewriting imports throughout `aws-source` (and related tests) from `github.com/overmindtech/workspace/{discovery,sdp-go,sdpcache,tracing,...}` to `github.com/overmindtech/workspace/go/...`.
>
> Adjusts CI path filters and several workflow steps to run tests/codegen from `go/{discovery,features,sdp-go,sdpcache}` instead of the old top-level directories, and aligns lint/sqlc docs/config (e.g. `.golangci.yml` errcheck exclusion and sqlc override examples) with the new import paths.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 19144a2d7a5fe1fbb753379a00320c85c9dbdc97. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 31d333187a3fc28d5e15e3daf3b44a61af911c60
> [!NOTE]
> **Medium Risk**
> Adds a new Azure `ComputeSnapshot` discovery adapter and wires it into adapter initialization, which expands discovery surface area. Also changes `ExtractPathParamsFromResourceID` matching semantics (case-insensitive, structural-slot-only), which could affect link extraction across existing adapters.
>
> **Overview**
> Introduces a new `ComputeSnapshot` adapter (with `List`, `ListStream`, and `Get`) that converts Azure snapshots into SDP items, including **health mapping** and extensive **linked-item queries** (disks/snapshots, disk access, encryption sets, storage account/container + HTTP/DNS/IP, gallery images, Elastic SAN snapshots, and Key Vault resources).
>
> Wires snapshot discovery into `manual/adapters.go` (real and placeholder modes) and adds a `SnapshotsClient` interface + generated gomock for testability.
>
> Hardens Azure resource ID parsing by making `ExtractPathParamsFromResourceID` case-insensitive and only matching keys in structural path positions, and updates community gallery parsing accordingly; adds unit tests and a full integration test that creates a disk+snapshot and validates `Get`/`List` behavior and links.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit c763c543a66caba6d140138ba1bf945587377f69. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 49020216bbe668de90cd729190b23d0ec63bb067
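The parsing change summarised in the commit above (case-insensitive, keys matched only in structural positions) is illustrated by this added example, which is not the project's `ExtractPathParamsFromResourceID`. It assumes that "structural position" means the key slots of the alternating key/value layout of an Azure resource ID; `naiveParam`, `structuralParams` and the sample IDs are hypothetical and constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errMalformed = errors.New("malformed resource ID")

// segments splits a resource ID into path segments and rejects empty ones,
// so "/subscriptions//resourceGroups/x" is an error rather than a shifted layout.
func segments(id string) ([]string, error) {
	trimmed := strings.Trim(id, "/")
	if trimmed == "" {
		return nil, errMalformed
	}
	segs := strings.Split(trimmed, "/")
	for _, s := range segs {
		if s == "" {
			return nil, errMalformed
		}
	}
	return segs, nil
}

// naiveParam is the fragile form: exact-case match at ANY position.
// A resource group that happens to be called "snapshots" is taken for the key.
func naiveParam(id, key string) string {
	segs, err := segments(id)
	if err != nil {
		return ""
	}
	for i := 0; i+1 < len(segs); i++ {
		if segs[i] == key {
			return segs[i+1]
		}
	}
	return ""
}

// structuralParams returns the value for each key, in the order given.
// Keys are compared case-insensitively and only in key slots (even indices):
// /subscriptions/{v}/resourceGroups/{v}/providers/{v}/{type}/{v}/...
// (assumed layout; values sit at the odd indices and are never treated as keys).
func structuralParams(id string, keys ...string) ([]string, error) {
	segs, err := segments(id)
	if err != nil {
		return nil, err
	}
	out := make([]string, 0, len(keys))
	for _, key := range keys {
		found := false
		for i := 0; i+1 < len(segs); i += 2 {
			if strings.EqualFold(segs[i], key) {
				out = append(out, segs[i+1])
				found = true
				break
			}
		}
		if !found {
			return nil, fmt.Errorf("key %q not found in a structural position", key)
		}
	}
	return out, nil
}

func main() {
	// Constructed sample IDs, not taken from the page.
	// 1) Resource group whose NAME equals a resource type key.
	shadowed := "/subscriptions/0000/resourceGroups/snapshots/providers/Microsoft.Compute/snapshots/snap-a"
	// 2) Same kind of ID with lower-cased keys.
	lowered := "/subscriptions/0000/resourcegroups/rg-prod/providers/microsoft.compute/diskaccesses/da1"

	fmt.Printf("naive      snapshots      -> %q\n", naiveParam(shadowed, "snapshots"))
	got, err := structuralParams(shadowed, "resourceGroups", "snapshots")
	fmt.Printf("structural rg, snapshots  -> %q err=%v\n", got, err)

	fmt.Printf("naive      resourceGroups -> %q\n", naiveParam(lowered, "resourceGroups"))
	got, err = structuralParams(lowered, "resourceGroups", "diskAccesses")
	fmt.Printf("structural rg, diskAccess -> %q err=%v\n", got, err)
}
```

A wrong value from the naive form does not fail loudly: it yields a linked-item query for a resource that does not exist, so the link is dropped without an error.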
Remove `/blast-radius` suffix from change URLs in CLI output to provide direct links to changes.

---

Linear Issue: [ENG-2479](https://linear.app/overmind/issue/ENG-2479/the-cli-should-show-direct-link-instead-of-blast-radius)

---

> [!NOTE]
> **Low Risk**
> Simple URL formatting change in CLI output; no API, auth, or data-handling behavior is modified.
>
> **Overview**
> CLI output links for newly created/updated Changes now point to the Change page directly (e.g. `/changes/<uuid>`) instead of the blast radius view (`/changes/<uuid>/blast-radius`) in both `changes submit-plan` and `terraform plan` flows.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 8cf47c471f78672ae5f1d7cf472125796b86bab7. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Dylan <dylanratcliffe@users.noreply.github.com>
GitOrigin-RevId: 5ca2000d75f65f6ece56c3ce849bdc5319cb9707
…all adapter tests (#3890)

> [!NOTE]
> **Medium Risk**
> Mostly test-only churn, but the `compute-gallery-application-version` change can alter emitted linked-item queries (additional blob-container links), which may affect discovery graph behavior.
>
> **Overview**
> **Linked-item query static tests no longer assert blast propagation.** `shared.QueryTest` drops `ExpectedBlastPropagation`, and `QueryTests.TestLinkedItems` stops comparing `LinkedItemQuery.BlastPropagation`.
>
> All impacted adapter tests and authoring docs are updated to remove `ExpectedBlastPropagation` expectations and adjust test case formatting/import ordering. Separately, `compute-gallery-application-version` fixes blob URI handling to always emit blob-container links even when the storage account link was already deduped.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit b6f727548ca63304b210204e695ec9320d0d6488. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 30fcb25dee73310556972838172d8f3d923d10bd
<img width="2560" height="1600" alt="image" src="https://github.com/user-attachments/assets/6c6a900f-daaf-4a51-9b70-13c6a761ac88" />
<img width="1412" height="1034" alt="image" src="https://github.com/user-attachments/assets/ab680005-d70f-4e0d-9fa0-1d561abc0677" />

---

> [!NOTE]
> **Medium Risk**
> Introduces multiple new EC2 discovery paths that can increase API usage and surface edge cases (notably TGW route listing is capped by AWS at 1000 results per table). Integration tests create real AWS networking resources and must be run with care to avoid cost/cleanup issues.
>
> **Overview**
> Adds new EC2 Transit Gateway resource coverage by introducing adapters for `ec2-transit-gateway-route-table`, `ec2-transit-gateway-route-table-association`, `ec2-transit-gateway-route-table-propagation`, and `ec2-transit-gateway-route`, including composite-ID query parsing (supports both `|` and Terraform-style `_`) and graph linking between route tables, attachments, and related resources.
>
> Wires these adapters into `aws-source/proc` so they are initialized with other EC2 adapters, and adds a full integration-test suite that creates and tears down real TGW infrastructure (TGW, VPC/subnet, VPC attachment, static route). Updates `aws-source/README.md` with how to run the new integration tests and adds corresponding type documentation + metadata JSON entries (including documenting `ec2-managed-prefix-list`, `ec2-transit-gateway-attachment`, and `ec2-transit-gateway-route-table-announcement` link targets).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6efe1f2154555ce7dca02aef6968dae412f743ef. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: ca50c901eb8128e28f2c45cd4d82787829812e88
Add new protobuf messages and fields for the Knowledge feature and regenerate code to support backend, CLI, and frontend development.

---

Linear Issue: [ENG-2615](https://linear.app/overmind/issue/ENG-2615/sdp-proto-changes-for-knowledge-feature)

---

> [!NOTE]
> **Low Risk**
> Generated protobuf code changes that primarily add new optional/repeated fields; main risk is wire compatibility for clients/servers that haven’t regenerated against the updated schema.
>
> **Overview**
> Adds new protobuf messages `Knowledge` and `KnowledgeReference` and regenerates `changes.pb.go` accordingly.
>
> Extends `StartChangeAnalysisRequest` with a repeated `knowledge` field to supply knowledge inputs, and extends `HypothesesDetails` with `knowledgeUsed` so responses can reference which knowledge was used during investigation; remaining edits are generated index/descriptor renumbering.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 631134cf6a2a7f50efca5082bcbebd8b0f9b360f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: carabasdaniel <carabasdaniel@users.noreply.github.com>
GitOrigin-RevId: c3275ef08ce8b86b85f50248af629250aeecd3dd
Implement CLI knowledge file discovery, validation, and submission to enhance change analysis with contextual information.

---

Linear Issue: [ENG-2612](https://linear.app/overmind/issue/ENG-2612/cli-knowledge-implementation)

---

> [!NOTE]
> **Medium Risk**
> Adds new file parsing/validation and increases API request payloads for change analysis; issues could cause knowledge to be skipped or larger requests, but core change submission flow remains intact.
>
> **Overview**
> The CLI now discovers markdown “knowledge” files under `.overmind/knowledge/`, validates required YAML frontmatter (`name`, `description`), enforces naming/size constraints, and deterministically loads/deduplicates them (logging warnings and skipping invalid files).
>
> Both `changes submit-plan` and `terraform plan` now include the discovered knowledge payload in `StartChangeAnalysisRequest`, allowing change analysis to be enriched with local contextual documentation.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f6babb03506a8d4d36f539057b44b0e38f805f26. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: 630cafb27f0a29d5a4ce55f6573bf68ccec97c05
…… (#3926) …S external ID

Implements adr-external-id: a stable, server-generated UUID per Overmind account for AWS IAM trust policies (confused deputy protection).

- Proto: new RPC + messages on ManagementService
- Migration: aws_external_id column on accounts table
- SQLC: atomic get-or-create with COALESCE, conditional updated_at
- Handler: requires source:write/sources:write scope
- CreateSource: auto-populates aws-external-id for AWS sources
- Tests: idempotency, auth, auto-population, explicit ID preservation

---

> [!NOTE]
> **Medium Risk**
> Touches API surface area and database schema, and changes source creation behavior for AWS sources; risk is moderate but bounded with idempotent/permission tests and an atomic get-or-create query.
>
> **Overview**
> Adds a new `ManagementService.GetOrCreateAWSExternalId` RPC (and regenerated Go/TS clients) to return a stable, per-account UUID intended for AWS IAM trust policies.
>
> Persists the value by adding nullable `accounts.aws_external_id` plus an atomic SQLC `GetOrCreateAWSExternalId` query, exposes it via a scope-gated handler (`source:write`/`sources:write`), and updates `CreateSource` to auto-fill `aws-external-id` in AWS source configs when omitted (while preserving explicitly provided IDs). Includes DB migration updates and new tests covering idempotency, auth enforcement, and source config behavior.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit af2b8b5a7d2fa1be09c2640508d083a64aa44bf6. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 0f6fa7a78e4ad2bd868f59738bc524f62db85977
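The external ID only protects against a confused deputy if the customer role's trust policy actually pins it. The added example below (not code from this repository) audits a trust policy document for `sts:AssumeRole` statements that lack a `StringEquals` condition on `sts:ExternalId` or that accept more than the one expected value; the function names, the account number and the UUIDs are constructed, and it assumes `Statement` is a JSON array.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// values decodes IAM JSON fields that may hold one scalar or a list of them.
type values []string

func (v *values) UnmarshalJSON(b []byte) error {
	var raw any
	if err := json.Unmarshal(b, &raw); err != nil {
		return err
	}
	*v = nil
	if list, ok := raw.([]any); ok {
		for _, e := range list {
			*v = append(*v, fmt.Sprint(e))
		}
		return nil
	}
	*v = values{fmt.Sprint(raw)}
	return nil
}

type statement struct {
	Sid       string
	Effect    string
	Action    values
	Condition map[string]map[string]values
}

type trustPolicy struct {
	Statement []statement // assumption: array form, not a single object
}

// allowsAssumeRole reports whether the action list covers sts:AssumeRole.
func allowsAssumeRole(actions values) bool {
	for _, a := range actions {
		if a == "*" || strings.EqualFold(a, "sts:*") || strings.EqualFold(a, "sts:AssumeRole") {
			return true
		}
	}
	return false
}

// externalIDs returns the values of a StringEquals condition on sts:ExternalId.
// Other operators (StringLike and so on) are deliberately not accepted as a pin.
func externalIDs(cond map[string]map[string]values) ([]string, bool) {
	for key, vals := range cond["StringEquals"] {
		if strings.EqualFold(key, "sts:ExternalId") {
			return vals, true
		}
	}
	return nil, false
}

// auditTrustPolicy lists Allow statements that let a principal assume the role
// without pinning exactly the expected external ID.
func auditTrustPolicy(doc []byte, wantID string) ([]string, error) {
	if wantID == "" {
		return nil, errors.New("expected external ID is empty")
	}
	var p trustPolicy
	if err := json.Unmarshal(doc, &p); err != nil {
		return nil, fmt.Errorf("parse trust policy: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" || !allowsAssumeRole(st.Action) {
			continue
		}
		label := st.Sid
		if label == "" {
			label = fmt.Sprintf("statement[%d]", i)
		}
		ids, ok := externalIDs(st.Condition)
		switch {
		case !ok:
			findings = append(findings, label+": no sts:ExternalId condition")
		case len(ids) != 1 || ids[0] != wantID:
			findings = append(findings, label+": sts:ExternalId does not pin the expected value")
		}
	}
	return findings, nil
}

// Constructed sample: one unpinned statement and one correctly pinned statement.
const samplePolicy = `{"Version":"2012-10-17","Statement":[
 {"Sid":"Unpinned","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},
  "Action":"sts:AssumeRole"},
 {"Sid":"Pinned","Effect":"Allow","Principal":{"AWS":"arn:aws:iam::111122223333:root"},
  "Action":["sts:AssumeRole"],
  "Condition":{"StringEquals":{"sts:ExternalId":"00000000-0000-4000-8000-000000000001"}}}]}`

func main() {
	findings, err := auditTrustPolicy([]byte(samplePolicy), "00000000-0000-4000-8000-000000000001")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```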
> [!NOTE]
> **Medium Risk**
> Introduces new Azure discovery adapters and wiring that will affect adapter registration and API calls during inventory; failures could impact discovery completeness for compute gallery resources.
>
> **Overview**
> Adds new Azure compute adapters for **gallery image definitions** and **shared gallery images**, including `Get`/`Search` support, unique key composition, IAM permissions, Terraform mapping (gallery images only), and linked relationships (parent gallery/shared gallery plus URI-derived network links).
>
> Updates adapter initialization to create the new Azure SDK clients and register these adapters in both normal and metadata-only modes, and extends Azure item type/resource constants and resource-ID parsing keys for the new gallery image type.
>
> Refactors gallery application version link extraction by introducing `AppendURILinks` (HTTP + deduped DNS/IP links with configurable blast propagation) and reusing it for blob-source URIs; includes generated mocks and comprehensive tests for the new adapters and link behavior.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 8fed06542c12a92e3fa1a5acb28c29bad9416bdc. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: Lionel Wilson <Lionel-Wilson@users.noreply.github.com>
GitOrigin-RevId: 4b68038f61ecbefb12eff3cd16b6fd3373b9d8ec
> [!NOTE]
> **Low Risk**
> Test-only change that relaxes assertions around link metadata; low risk aside from potentially reducing coverage for blast propagation behavior.
>
> **Overview**
> Updates Azure compute gallery image unit tests to **stop asserting `BlastPropagation`** on linked `QueryTests` entries.
>
> This resolves mismatched expectations in `compute-gallery-image_test.go` and `compute-shared-gallery-image_test.go` by only validating type/method/query/scope for the generated links (gallery parent and derived HTTP/DNS searches).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit e8935a9f8e1f46ba083e65ad010f9933831d1bfd. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: f0ad140cf2223e9c188b16a396c3a6d998a7d3d9
This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on monday" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/overmindtech/workspace).

GitOrigin-RevId: e527ca609e089cdbdeb0e53b8ebb59b0fc910f24
https://github.com/user-attachments/assets/a56fe17e-cb1a-4520-9368-76b965a998e7

> [!NOTE]
> **Medium Risk**
> Touches end-to-end polling/control-flow for change analysis completion and risk retrieval in both CLI UX and server-side run-task execution; mistakes could cause hangs, premature exits, or incorrect failure/retry behavior.
>
> **Overview**
> **Stops using `GetChangeTimelineV2` to detect change-analysis completion** in multiple CLI commands and the API server run-task worker, and instead polls `GetChange` and inspects `change.metadata.change_analysis_status` (handling DONE/SKIPPED/ERROR/in-progress states).
>
> In `terraform plan` and the run-task flow, **risk extraction is decoupled from timeline entries** by calling `GetChangeRisks` after analysis completes, with added nil checks and updated error handling/messages (including retry vs. fail semantics in the worker).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit cbdf9ebb49ce6eeb6b981499960b665d2c525329. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: fa48bdae414cbba13288d9f798d506abe0017728
Sample LIST all from explore local run with a test snapshot:

<img width="3130" height="1852" alt="image" src="https://github.com/user-attachments/assets/47418d50-a70a-4584-8dbd-4a2768e4fb43" />

Implements a new discovery source that serves data from a snapshot file or URL to enable consistent local testing and deterministic v6 investigation reruns.

---

Linear Issue: [ENG-2577](https://linear.app/overmind/issue/ENG-2577/implement-snapshot-source-for-local-testing)

---

> [!NOTE]
> **Medium Risk**
> Introduces a new discovery source and changes `cli explore` startup behavior when `SNAPSHOT_SOURCE` is set, which could affect local workflows and query results. Runtime risk is mostly around snapshot parsing/indexing correctness and engine startup/shutdown handling rather than security-sensitive logic.
>
> **Overview**
> Adds a new `sources/snapshot` discovery source that loads a protobuf snapshot from a file or HTTP(S) URL, builds an in-memory index (including hydrating `LinkedItems` from snapshot edges), and registers per-type adapters that implement `GET`/`LIST`/`SEARCH` with adapter metadata pulled from an embedded JSON catalog.
>
> Updates `cli explore` so setting `SNAPSHOT_SOURCE` bypasses all live cloud sources and starts only the snapshot engine, and adds supporting VS Code launch/docs wiring (embedded adapter catalog FS and snapshot source README).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9a8beba18cb5c843a28bd1c1b9b17710175c670d. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: b5bfb065399f74053e579380bb69413c42f04566
## Summary

- Implements Phase 3 of ENG-2660: a Terraform/OpenTofu provider (`overmind_aws_source` resource) that lets customers manage Overmind AWS sources as infrastructure-as-code.
- Provider authenticates via `OVERMIND_API_KEY` / `OVERMIND_APP_URL`, exchanges the API key for an OAuth token using the shared `auth` package, and calls `ManagementService` over ConnectRPC.
- Includes unit tests backed by a mock ConnectRPC server (runs unconditionally via `resource.UnitTest`, no `TF_ACC` or external credentials required).

## Linear Ticket

- **Ticket**: [ENG-2660](https://linear.app/overmind/issue/ENG-2660) — Phase 3: Terraform Provider implementation

## Changes

New files in `aws-source/module/provider/`:

| File | Purpose |
| --- | --- |
| `main.go` | Provider entry point (`providerserver.Serve`) |
| `provider.go` | Provider schema, env-var resolution, auth setup, ManagementService client creation |
| `resource_aws_source.go` | `overmind_aws_source` resource — full CRUD + ImportState against ManagementService |
| `provider_test.go` | Unit tests (mock ConnectRPC server) and missing-API-key validation test |

Other changes:

- `aws-source/README.md` — added Terraform Provider section (build, test, config)
- `go.mod` / `go.sum` — added `terraform-plugin-framework`, `terraform-plugin-go`, `terraform-plugin-testing` dependencies

## Deviations from plan

1. **`OVERMIND_APP_URL` instead of `OVERMIND_API_URL`**: The plan's task table references `OVERMIND_API_URL`, but the implementation uses `OVERMIND_APP_URL`. This is intentional — the provider resolves the API URL dynamically from the app URL via `sdp.NewOvermindInstance()` (calls `/api/public/instance-data`), following the existing Overmind convention. The plan itself acknowledges this in Decision 9.
2. **Auth uses `auth.NewAPIKeyTokenSource` directly**: The plan describes a "ConnectRPC client wrapper with API key -> OAuth token exchange" as a separate `client.go` concern. In practice, the shared `auth.NewAPIKeyTokenSource` already encapsulates the full token lifecycle (exchange, caching, refresh), so no custom exchange logic was needed and `client.go` was removed — the 3-line HTTP client setup is inlined in `provider.go`'s `Configure` method.

## New commit call-outs

- `62fc7c8ad` — Adds baseline OpenTelemetry instrumentation to the provider: startup tracing wiring in `main.go`, provider configure span/context propagation in `provider.go`, and CRUD/import spans in `resource_aws_source.go`; also updates the observability ADR to document internal-vs-customer-run behavior and the unified customer-run binaries pattern.
- `225d949fc` — Updates `.cursor/rules/go-standards.mdc` to extend the no-fatal guidance to include `os.Exit` for the same graceful-shutdown/telemetry-flush rationale.
- `0b73e34ea` — Replaces `log.Fatal` in the provider entry point with explicit stderr output plus process exit handling to align with project standards.
- `d4b2b5314` — Fixes `contextcheck` in tests by using the provided function context in `testProvider.Configure`.
- `7669b3fbb` — Refreshes `.cursor/commands/create-implementation-plan.md` via the implementation-plan workflow command (repo command metadata update).

## Test plan

- [x] `go test -v ./aws-source/module/provider/` passes (2 unit tests)
- [x] `go build ./aws-source/module/provider/` compiles cleanly
- [ ] Run full Terraform module against staging instance to validate end-to-end

---

> [!NOTE]
> **Medium Risk**
> Introduces a new customer-facing Terraform provider that performs authenticated remote source CRUD; correctness and error handling impact customer IaC workflows, though changes are mostly additive and covered by unit tests.
>
> **Overview**
> Adds a new Terraform/OpenTofu provider under `aws-source/module/provider` that lets customers manage Overmind AWS sources as IaC via an `overmind_aws_source` resource (CRUD + import) and an `overmind_aws_external_id` data source, backed by ConnectRPC `ManagementService` calls.
>
> Provider configuration now supports `OVERMIND_API_KEY` and `OVERMIND_APP_URL` (resolving API URL dynamically), includes baseline OpenTelemetry/logrus hook wiring with an opt-out `HONEYCOMB_API_KEY`, and ships unit tests using `terraform-plugin-testing` with a mock ConnectRPC server. Documentation is updated in `aws-source/README.md`, and `go.mod`/`go.sum` add the Terraform plugin framework/testing dependencies.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 510380ddd4385a5693f67339d40a6a02c6656706. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: e27bd430894b02b0ddff29f24e4ef2c091b80b1d
GitOrigin-RevId: fe718a08347d18423354cb344c2facf552aee85f
…r and module (#3958)

## Summary

- Add Copybara workflows, GoReleaser config, GPG signing, and GitHub Actions release pipelines to publish the Terraform provider and HCL module to public repos and registries
- Provision per-repo GitHub Actions secrets (`OP_RO_TOKEN`, `RELEASE_PAT`) via Terraform, following the existing `homebrew-overmind`/`actions` pattern
- Public repos ([terraform-provider-overmind](https://github.com/overmindtech/terraform-provider-overmind), [terraform-overmind-aws-source](https://github.com/overmindtech/terraform-overmind-aws-source)) have been created and seeded with workflow files

## Linear Ticket

- **Ticket**: [ENG-2673](https://linear.app/overmind/issue/ENG-2673/phase-5-copybara-and-publishing-for-terraform-provider-and-module) — Phase 5: Copybara and Publishing for Terraform Provider & Module
- **Purpose**: Set up the full automated release pipeline from monorepo tags to Terraform/OpenTofu registries
- **Plan approval**: [ENG-2674](https://linear.app/overmind/issue/ENG-2674/approve-plan-phase-5-copybara-and-publishing-for-terraform-provider) assigned to Lionel Wilson

## Changes

### Copybara (`copy.bara.sky`)

Two new workflows: `terraform-provider` (syncs provider + Go libs with import rewriting) and `terraform-aws-source-module` (syncs HCL module with directory flattening).

### Monorepo sync workflows (`.github/workflows/`)

- `terraform-provider-sync.yml` — triggers on `terraform-provider/v*` tags
- `terraform-aws-source-module-sync.yml` — triggers on `terraform-aws-source-module/v*` tags

### Provider release files (`aws-source/module/provider/`)

- `.goreleaser.yml` — cross-platform builds, zip archives, SHA256 checksums, GPG signing
- `terraform-registry-manifest.json` — protocol version 6.0
- `.github/workflows/release.yml` — loads GPG key from 1Password, runs GoReleaser
- `.github/workflows/finalize-copybara-sync.yml` — runs `go mod tidy`, creates PR
- `.github/workflows/tag-on-merge.yml` — creates version tag on merge

### Module release files (`aws-source/module/terraform/`)

- `.github/workflows/finalize-copybara-sync.yml` — creates PR (no `go mod tidy`)
- `.github/workflows/tag-on-merge.yml` — creates version tag on merge

### Terraform / secrets

- `deploy/1password.tf` — 4 new `github_actions_secret` resources for both public repos
- `deploy/variables.tf` — new `terraform_provider_release_pat` and `terraform_module_release_pat` variables
- `deploy/.env.op`, `deploy/.github/env/op.local.secret`, `.devcontainer/devcontainer.json` — wire new PAT variables through 1Password and devcontainer

### Provider code

- `aws-source/module/provider/main.go` — `const version` changed to `var version = "dev"` for GoReleaser ldflags injection

## Before first release

The following manual steps remain (documented in the plan):

1. Create 1Password items: `Terraform Provider Release Github Token`, `Terraform Module Release Github Token`, `Terraform Provider GPG Key`
2. Register GPG public key at registry.terraform.io/settings/gpg-keys
3. After merge, `terraform apply` provisions the repo secrets
4. Push monorepo tags to trigger first automated release
5. Enroll in Terraform Registry and OpenTofu Registry

Made with [Cursor](https://cursor.com)

---

> [!NOTE]
> **Medium Risk**
> Mostly CI/release automation and secret provisioning changes, but misconfiguration could leak or break release/tagging flows for the public Terraform repos.
>
> **Overview**
> Adds end-to-end **Copybara-based publishing pipelines** for the Terraform provider and AWS source Terraform module, driven by new tag-triggered GitHub Actions workflows (`terraform-provider/v*`, `terraform-aws-source-module/v*`) that sync code to public repos on `copybara/vX.Y.Z` branches.
>
> Introduces release automation in the provider/module repos: Copybara finalization workflows that open PRs from `copybara/v*`, `tag-on-merge` workflows that create version tags using a `RELEASE_PAT`, and (for the provider) a GoReleaser-based release with GPG-signed checksums plus a Terraform registry manifest; provider `main.go` now uses an ldflags-injected `version` variable.
>
> Updates `copy.bara.sky` with two new workflows (`terraform-provider`, `terraform-aws-source-module`) and wires new Terraform-managed GitHub Actions secrets/inputs (including new PAT variables) through `deploy/` and the devcontainer to support the public repo automation; ADR index is updated to include newly accepted ADRs.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d3a131760eadca87088922bf8eca86de2c1be730. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

GitOrigin-RevId: 800dbd7acd6e954106b6a2f1125fc7526c0b2634
Re-do https://github.com/overmindtech/workspace/pull/3959 as the change was merged out of order and got lost in rebasing; this depends on https://github.com/overmindtech/workspace/pull/3958 getting merged first.

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Documentation and workflow tooling changes only; no runtime code paths or security-sensitive logic are modified.
>
> **Overview**
> Updates Terraform AWS source module documentation and publishing references to use the new registry address `overmindtech/aws-source/overmind`, and adds clearer module development/testing guidance.
>
> Adds customer-facing docs at `docs.overmind.tech/docs/sources/aws/terraform.md`, expands the module README with import instructions, and introduces `aws-source/module/.cursor/BUGBOT.md` review rules to keep IAM policy changes read-only and Terraform provider errors using `diag.Diagnostics`.
>
> Enhances `.cursor/commands/open-pull-request.md` to capture an approved plan from Linear tickets and require a PR section explicitly documenting *deviations from the approved plan*.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9356970fb0d18ac929d804484030d0cafa6621f5. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 1a5dc90ab5d93ecf70bf377cf58172a34f763314
<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Low Risk**
> Mostly administrative/test-stability changes; the only functional impact is allowing Terraform to use AWS provider v5, which could affect users depending on provider features/behavior.
>
> **Overview**
> Adds Functional Source License (FSL 1.1 with Apache 2.0 future license) `LICENSE` files to the AWS provider and Terraform module directories.
>
> Relaxes the Terraform module’s AWS provider version constraint from `>= 6.0` to `>= 5.0`, and increases `TestCronJobAdapter`’s wait timeout from 60s to 120s to reduce CronJob-related test flakes.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit dcdd0b5c3c96e5b36e65c56be273f3453bf4cd3c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 9039e065ba8843a9059fc64027b21b8f278de48c
…) (#3962)

<!-- CURSOR_SUMMARY -->
> [!NOTE]
> **Medium Risk**
> Introduces new Terraform provider/module wiring and secrets that affect source registration and deploy behavior. Test and CI runner changes are low risk but infra changes could fail applies if misconfigured.
>
> **Overview**
> Adds dogfooding support for the `aws-source` Terraform module by introducing the `overmindtech/overmind` provider, a new sensitive `aws_source_api_key` variable (wired through `.env.op`, `op.local.secret`, and devcontainer env passthrough), and a new `module "aws_source"` invocation in `deploy/sources.tf`.
>
> Updates the aws-source provider release workflow to run on `depot-ubuntu-24.04-8`, and stabilizes `k8s-source` pod adapter tests by waiting (via `WaitFor`) for the bad pod to reach `HEALTH_ERROR` before asserting.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 90a96f885039e3f8d52e822ff2fa46b05de29ec7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: 31e247ac69bc27f4489a7cda98bdaf0963dd2788
… environments (#3964)

## Summary

- Fix dogfood AWS source startup failure caused by the Terraform module hardcoding the prod AWS account (`942836531449`) in the IAM trust policy, while dogfood source pods run in a different account (`944651592624`)
- Add a configurable `overmind_aws_account_id` variable (defaulting to prod) and wire it through the deploy module using `var.target_account`

## Linear Ticket

- **Ticket**: [ENG-2687](https://linear.app/overmind/issue/ENG-2687/make-aws-trust-policy-account-id-configurable-for-internal) — Make AWS trust policy account ID configurable for internal environments
- **Purpose**: Unblock dogfood AWS source by allowing the trust policy to reference the correct AWS account per environment

## Changes

Three files changed, all in Terraform HCL:

1. **`aws-source/module/terraform/variables.tf`** — New `overmind_aws_account_id` variable with default `942836531449` and a description marking it as internal-only
2. **`aws-source/module/terraform/main.tf`** — Both `Principal` fields in the trust policy now use `var.overmind_aws_account_id` instead of the hardcoded account ID
3. **`deploy/sources.tf`** — The `aws_source` module block passes `overmind_aws_account_id = var.target_account`, which is `942836531449` for prod and `944651592624` for dogfood

## Deviations from Approved Plan

Implementation matches the approved plan — no material deviations.

Made with [Cursor](https://cursor.com)

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Changes the IAM role trust policy principal, so a misconfigured `overmind_aws_account_id` could unintentionally allow or block cross-account assume-role access; default preserves current behavior.
>
> **Overview**
> Makes the AWS source Terraform module’s IAM role trust policy principal configurable by replacing the hardcoded Overmind AWS account ID with a new `overmind_aws_account_id` variable (defaulting to the current prod account).
>
> Wires `deploy/sources.tf` to pass `overmind_aws_account_id = var.target_account` for internal environments, unblocking non-prod deployments where source pods run in a different AWS account.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit a2d8557e2c15f145864ca34670b47b45788ba8f7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: 77a572596205e75e7f6cbae84ce7057287834ff5
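
A check for the misconfiguration the risk note in #3964 describes, as an added example that is not part of the commit or the module's code: it parses a rendered IAM trust policy and lists every AWS principal in an `Allow` statement that is a wildcard or sits outside the expected account. The policy JSON, the role name and the function names are constructed for illustration; only the two account IDs come from the commit message.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Account IDs quoted in the commit message.
const (
	ProdAccount    = "942836531449"
	DogfoodAccount = "944651592624"
)

// SamplePolicy is constructed for this example (the role name is
// hypothetical); it is not the module's real trust policy.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::942836531449:root"}},
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"],
     "Principal": {"AWS": ["arn:aws:iam::942836531449:role/example-source-role"]}}
  ]
}`

// stringOrList decodes a value IAM allows as one string or a list of strings.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = stringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

// trustPolicy keeps only the fields the check needs. Assumption: Statement
// is rendered as a list.
type trustPolicy struct {
	Statement []struct {
		Effect    string
		Principal json.RawMessage
	}
}

// accountRe extracts the 12-digit account from a bare account ID or from an
// IAM/STS ARN in any partition.
var accountRe = regexp.MustCompile(`^(?:arn:[a-z0-9-]+:(?:iam|sts)::)?(\d{12})(?::.*)?$`)

// UnexpectedPrincipals returns every AWS principal in an Allow statement
// that is a wildcard or belongs to an account other than expected.
func UnexpectedPrincipals(policy []byte, expected string) ([]string, error) {
	var doc trustPolicy
	if err := json.Unmarshal(policy, &doc); err != nil {
		return nil, fmt.Errorf("parse trust policy: %w", err)
	}
	var bad []string
	for _, st := range doc.Statement {
		if st.Effect != "Allow" {
			continue
		}
		// A string-valued Principal ("*") trusts every caller.
		var wildcard string
		if json.Unmarshal(st.Principal, &wildcard) == nil {
			bad = append(bad, wildcard)
			continue
		}
		var byType map[string]stringOrList
		if err := json.Unmarshal(st.Principal, &byType); err != nil {
			return nil, fmt.Errorf("parse principal: %w", err)
		}
		for _, p := range byType["AWS"] {
			if m := accountRe.FindStringSubmatch(p); m == nil || m[1] != expected {
				bad = append(bad, p)
			}
		}
	}
	return bad, nil
}

func main() {
	for _, acct := range []string{ProdAccount, DogfoodAccount} {
		bad, err := UnexpectedPrincipals([]byte(SamplePolicy), acct)
		fmt.Println(acct, bad, err)
	}
}
```

Run against the rendered policy for each environment, an empty result means the trust policy names only the account that environment's source pods run in.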
…frontend (#3963)

## Summary

- The Terraform provider serialized `aws-regions` as a comma-separated string, but the frontend Zod schema expects a JSON array, causing "Invalid source data" in the UI for Terraform-created sources.
- Fixed Create, Update, and Read paths in the provider to use proper array serialization via `structpb.ListValue`.
- Intentionally omitted legacy CSV fallback in Read — existing sources will self-heal on the next `terraform apply`.

## Linear Ticket

- **Ticket**: [ENG-2684](https://linear.app/overmind/issue/ENG-2684/fix-terraform-provider-aws-regions-serialization-breaking-frontend) — Fix Terraform provider aws-regions serialization breaking frontend
- **Project**: Terraform Module for AWS Source Setup

## Changes

**`aws-source/module/provider/resource_aws_source.go`** (core fix):

- **Create & Update**: Replaced `strings.Join(regions, ",")` with `toAnySlice(regions)` so `structpb.NewStruct` produces a `ListValue` instead of a `StringValue`.
- **Read**: Replaced string-based parsing with `regionsFromStructValue()` which only reads from `ListValue`. No legacy CSV fallback — this forces Terraform to detect drift on existing sources with the old format. Returns an empty slice (not nil) when the value isn't a list, so `ListValueFrom` produces a non-null empty list — correct for a `Required` schema attribute.
- **Helpers**: Added `toAnySlice` (converts `[]string` to `[]any`) and `regionsFromStructValue` (extracts regions from protobuf `ListValue`). Removed unused `splitNonEmpty` and `strings` import.

**`aws-source/module/provider/.github/workflows/release.yml`**: Minor release pipeline improvement.

**`deploy/.terraform.lock.hcl`**: Updated lock file with new overmind provider hash.

**`aws-source/README.md`** and **`aws-source/module/terraform/README.md`**: Documented `api_key` provider-block attribute for authentication.

All existing provider tests pass without modification.

## Deviations from Approved Plan

The plan in ENG-2684 described four changes, all scoped to `resource_aws_source.go`. The implementation includes those four items plus:

1. **Empty slice instead of nil on parse failure** — not in the plan. `regionsFromStructValue` returns `[]string{}` instead of `nil` when the stored value isn't a `ListValue`. This prevents `ListValueFrom` from producing a null list for a `Required` attribute, which could break refresh in future Terraform framework versions. Drift-based self-healing is preserved since an empty list still differs from the configured regions.
2. **`release.yml` pipeline tweak** — not in the plan. Minor CI change to the provider release workflow (1 line). Low risk, bundled for convenience.
3. **`deploy/.terraform.lock.hcl` update** — not in the plan. Updates the lock file to include the new provider version hash. Required for `deploy/` to use the updated provider.
4. **Documentation updates to `aws-source/README.md` and `aws-source/module/terraform/README.md`** — not in the plan. Adds documentation for the `api_key` provider-block attribute. Docs-only, no behavioral change.

No planned items were omitted or modified. The core fix (items 1–4 in the plan) matches the approved approach exactly.

GitOrigin-RevId: 67c7387e75d8b85bc14095b51d90215ba042da1f
Remove all code references to `BlastPropagation` and `followOnlyBlastPropagation` as they are no longer used for blast radius calculation. These fields were previously used for hardcoded blast radius propagation in adapters but are now obsolete due to the adoption of an AI-driven approach for blast radius calculation.

---

Linear Issue: [ENG-2647](https://linear.app/overmind/issue/ENG-2647/remove-all-code-references-to-blastpropagation-and)

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Large mechanical change across many adapters; while mostly field removals, it can alter relationship semantics if any runtime logic still depended on `BlastPropagation` being present.
>
> **Overview**
> Removes `BlastPropagation` (and related guidance) from linked item query construction, reflecting that blast radius is no longer hardcoded in adapters.
>
> Updates internal Cursor docs/rules for Azure and GCP to drop `BlastPropagation` sections and examples, and strips `BlastPropagation` assignments from a wide set of AWS adapters’ `sdp.LinkedItemQuery` links (API Gateway, EC2, ECS/EKS, CloudFront, DirectConnect, etc.), leaving only the underlying `Query` definitions.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit d8a16a43682a8a90b2bf5be2324ad7415e272357. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: 058630c9b24fe6f4cc01905702fc73345203b4ea
Add `SKIPPED` to the `HypothesisStatus` enum to unblock follow-up work for handling skipped hypotheses.

---

Linear Issue: [ENG-2717](https://linear.app/overmind/issue/ENG-2717/add-skipped-to-hypothesisstatus-enum)

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Proto schema changes require coordinated updates across services/clients and can break consumers that assume the previous enum/field set. The server-side logic change is small but affects API output for change timelines.
>
> **Overview**
> Adds a new `HypothesisStatus` enum value `INVESTIGATED_HYPOTHESIS_STATUS_SKIPPED` and extends `InvestigateHypothesesTimelineEntry` with `numSkipped` in `changes.proto` (and regenerated Go/TS protobuf outputs).
>
> Updates `GetInvestigateHypothesesTimelineEntry` to include skipped hypotheses in the returned summaries and to populate the new `NumSkipped` counter; tests are expanded to cover the new status and adjusted totals.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6f3f9b72a9070913e2bc67bd883175f1d973fd1e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: cd8facfe9540e0d10f13a636af0479a6733a1f85
Reserve `BlastPropagation` and `followOnlyBlastPropagation` fields from SDP protos to maintain wire-format compatibility and update documentation and tests to reflect their deprecation.

This PR completes Phase 3 of the "Remove Blast Propagation Information" project (ENG-2404), following the prior code removal (ENG-2647). It ensures that old messages can still be parsed safely and prevents accidental reuse of field numbers.

---

Linear Issue: [ENG-2404](https://linear.app/overmind/issue/ENG-2404/sdp-reserve-blastpropagation-and-followonlyblastpropagation-from)

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Touches core protobuf contracts and regenerated client code; downstream services/clients relying on `blastPropagation` fields or reverse-edge filtering may break if not updated in lockstep.
>
> **Overview**
> This PR **deprecates and effectively removes blast-propagation metadata from the SDP surface** by reserving the `BlastPropagation` fields in `sdp/items.proto` and `sdp/revlink.proto` (and regenerating Go/TS protobuf outputs) so old messages can still be parsed without allowing field-number reuse.
>
> It updates sources and tooling to stop setting/expecting `BlastPropagation` on links (e.g., AWS CloudWatch metric suggested queries, EC2 address links, snapshot edge→linked-item conversion), and strips Azure integration tests and docs/prompting guidance that referenced propagation semantics, reflecting the move to AI-driven blast radius calculation.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 58035be2747c0f212919a366e08717efd786b30f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
GitOrigin-RevId: ecdcb08090547689567725f2c37d33617b0456aa
<img width="3456" height="2078" alt="image" src="https://github.com/user-attachments/assets/27146f02-bb4a-4100-b0a2-ff60fe61dfcd" />

<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Touches core Azure discovery execution paths by adding streaming query methods and new linked-item edges, which could affect discovery completeness/performance and error propagation across several adapters.
>
> **Overview**
> Adds first-class discovery for Azure **Compute Galleries** by introducing a `GalleriesClient`, a new `ComputeGallery` listable adapter (Get/List/ListStream), unit tests, and wiring it into `manual/adapters.go`.
>
> Extends multiple existing Azure adapters to support streaming discovery via new `SearchStream`/`ListStream` methods (including gallery images/application versions, shared gallery images, VM extensions/run commands, SQL databases, PostgreSQL databases, and several storage child resources), and updates linked-item discovery guidance plus runtime behavior by adding **mandatory parent→child SEARCH `LinkedItemQuery` links** (e.g., Key Vault vault → secrets; gallery → gallery images).
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 49b55cda6eb063f2a218885a808e6cceccd65c3f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: f1b1fef0c94a59a0ae8d9a72af9d96a4eb77e156
…… (#3976)
## Summary
- Add IAM Terraform mappings (`_iam_binding`, `_iam_member`,
`_iam_policy`) for BigQuery Dataset, BigQuery Table, Bigtable Instance,
and Bigtable Table so that IAM changes in Terraform plans resolve to the
parent resource for blast radius analysis
- Register the BigQuery Table adapter in `manual/adapters.go` (was
previously missing from the adapter list despite the adapter code
existing)
- Add all 12 new mappings to `TestCriticalTerraformMappingsRegistered`
to prevent future regressions
## Context
This was prompted by feedback from the Box PoC Data Platform team
(ENG-2644). Their Terraform modules for BigQuery and Bigtable include
IAM binding resources (`google_bigquery_dataset_iam_member`,
`google_bigtable_instance_iam_binding`, etc.) which were previously
showing as "Unsupported" in change analysis. Since IAM bindings are
Terraform-only constructs with no standalone GCP API resource, the
correct approach is to map them back to their parent resource -- the
same pattern we already use for Pub/Sub IAM mappings.
**Resources covered (12 new mappings across 4 adapters):**
| Parent Resource | IAM Terraform Types |
|---|---|
| `gcp-big-query-dataset` | `google_bigquery_dataset_iam_{binding,member,policy}` |
| `gcp-big-query-table` | `google_bigquery_table_iam_{binding,member,policy}` |
| `gcp-big-table-admin-instance` | `google_bigtable_instance_iam_{binding,member,policy}` |
| `gcp-big-table-admin-table` | `google_bigtable_table_iam_{binding,member,policy}` |
## Bug fix
The BigQuery Table adapter was defined in `big-query-table.go` but never
registered in `manual/adapters.go`, meaning its Terraform mappings
(including the original `google_bigquery_table` mapping) were not
included in adapter metadata. This PR fixes that by adding the
registration line.
## Test plan
- [x] `go build ./sources/gcp/...` passes
- [x] `go test ./sources/gcp/proc/` passes (including
`TestCriticalTerraformMappingsRegistered` with all 12 new entries)
- [x] `go test ./sources/gcp/manual/` passes
- [x] `go test ./sources/gcp/dynamic/...` passes
Ticket:
https://linear.app/overmind/issue/ENG-2696/bigquery-and-bigtable-iam-binding-terraform-mappings-missing-core
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low-risk metadata/mapping changes plus test coverage; main impact is
on how Terraform IAM resources are resolved in change analysis
(GET/SEARCH field selection).
>
> **Overview**
> Improves Terraform plan change analysis by mapping BigQuery and
Bigtable IAM-only Terraform resources (dataset/table and instance/table
`_iam_{binding,member,policy}`) back to their parent GCP resources so
they no longer appear as **Unsupported** and can participate in blast
radius analysis.
>
> Also registers the previously unregistered manual `BigQueryTable`
adapter so its Terraform mappings are included in metadata, and extends
`TestCriticalTerraformMappingsRegistered` to assert all 12 new IAM
mappings (plus the table adapter mapping) stay wired up.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
f69895985a530c640bf60c67f1cb5ea599f0448d. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
GitOrigin-RevId: 520c709437b4045cb7e48b91e6be43d47a92ed45
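
The parent-resource mapping from #3976, as an added example that is not the project's code: it expands the four table rows into the 12 Terraform types, attributes each changed resource in a plan to its parent item type, and includes a registration check in the spirit of `TestCriticalTerraformMappingsRegistered`. The function names, the sample plan (shaped like the `resource_changes` array of `terraform show -json`) and the `google_example_thing_iam_member` type are constructed for illustration, and matching on resource type alone is a simplifying assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// The three IAM-only Terraform flavours and the four parents from the PR table.
var iamSuffixes = []string{"_iam_binding", "_iam_member", "_iam_policy"}

var parents = map[string]string{
	"google_bigquery_dataset":  "gcp-big-query-dataset",
	"google_bigquery_table":    "gcp-big-query-table",
	"google_bigtable_instance": "gcp-big-table-admin-instance",
	"google_bigtable_table":    "gcp-big-table-admin-table",
}

// IAMMappings expands the table into its 12 Terraform type -> parent entries.
func IAMMappings() map[string]string {
	m := make(map[string]string, len(parents)*len(iamSuffixes))
	for base, parent := range parents {
		for _, suffix := range iamSuffixes {
			m[base+suffix] = parent
		}
	}
	return m
}

// SamplePlan is a constructed plan fragment; addresses are made up and the
// last resource type is a hypothetical one with no mapping.
const SamplePlan = `{"resource_changes": [
  {"address": "google_bigquery_dataset_iam_member.analyst", "type": "google_bigquery_dataset_iam_member", "change": {"actions": ["create"]}},
  {"address": "google_bigtable_instance_iam_binding.readers", "type": "google_bigtable_instance_iam_binding", "change": {"actions": ["update"]}},
  {"address": "google_bigtable_table_iam_policy.events", "type": "google_bigtable_table_iam_policy", "change": {"actions": ["delete", "create"]}},
  {"address": "google_bigquery_table_iam_member.unchanged", "type": "google_bigquery_table_iam_member", "change": {"actions": ["no-op"]}},
  {"address": "google_example_thing_iam_member.hypothetical", "type": "google_example_thing_iam_member", "change": {"actions": ["create"]}}
]}`

type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			Actions []string `json:"actions"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// Attribute groups changed addresses by parent item type. Changes whose type
// has no mapping are returned separately; those are the ones that would show
// up as "Unsupported" and drop out of blast radius analysis.
func Attribute(planJSON []byte, mappings map[string]string) (map[string][]string, []string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, nil, fmt.Errorf("parse plan: %w", err)
	}
	byParent := make(map[string][]string)
	var unsupported []string
	for _, rc := range p.ResourceChanges {
		if len(rc.Change.Actions) == 1 && rc.Change.Actions[0] == "no-op" {
			continue // nothing changes, nothing to analyse
		}
		if parent, ok := mappings[rc.Type]; ok {
			byParent[parent] = append(byParent[parent], rc.Address)
		} else {
			unsupported = append(unsupported, rc.Address)
		}
	}
	return byParent, unsupported, nil
}

// MissingCritical returns, sorted, the critical Terraform types that have no
// registered mapping. A non-empty result is a regression.
func MissingCritical(mappings map[string]string, critical []string) []string {
	var missing []string
	for _, t := range critical {
		if _, ok := mappings[t]; !ok {
			missing = append(missing, t)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	byParent, unsupported, err := Attribute([]byte(SamplePlan), IAMMappings())
	fmt.Println(byParent, unsupported, err)
}
```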
dylanratcliffe
approved these changes
Feb 23, 2026
Copybara Sync - Release v1.16.4
This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.
Original author: jameslaneovermind (122231433+jameslaneovermind@users.noreply.github.com)
What happens when this PR is merged?
- `tag-on-merge` workflow will automatically create the `v1.16.4` tag on main

Review Checklist