carverauto/serviceradar

Fork 0

Updates/systemactor module #2656

Merged

mfreeman451 merged 9 commits from refs/pull/2656/head into staging

2026-01-12 18:21:51 +00:00

mfreeman451 commented

2026-01-12 18:00:23 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #2273
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2273
Original created: 2026-01-12T18:00:23Z
Original updated: 2026-01-12T18:21:53Z
Original head: carverauto/serviceradar:updates/systemactor-module
Original base: staging
Original merged: 2026-01-12T18:21:51Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement, Refactoring, Tests

Description

Introduced SystemActor module for background operations with for_tenant/2 and platform/1 functions to replace unsafe authorize?: false patterns throughout the codebase
Replaced authorize?: false with actor-based authorization across 30+ modules including event processors, workers, seeders, and infrastructure components
Added Credo configuration and custom check to detect and warn about authorize?: false usage, guiding developers to use SystemActor instead
Comprehensive code refactoring across event processors, workers, and core modules with extracted helper functions for improved readability and maintainability
Refactored complex functions into smaller, focused helper functions in modules like stateful_alert_engine, stats_aggregator, sweep_results_ingestor, and many event processors
Improved code formatting with underscore separators in numeric literals and consistent alias ordering
Added comprehensive test suite for the new SystemActor module covering tenant-scoped and platform-wide operations
Simplified conditional logic by replacing cond with if-else, using Enum.empty?() instead of length() checks, and extracting pattern matching into separate function clauses

Diagram Walkthrough

flowchart LR
  A["authorize?: false<br/>patterns"] -->|"Replace with"| B["SystemActor module"]
  B -->|"for_tenant/2"| C["Tenant-scoped<br/>operations"]
  B -->|"platform/1"| D["Platform-wide<br/>operations"]
  E["Complex functions"] -->|"Extract helpers"| F["Focused<br/>helper functions"]
  G["Credo check"] -->|"Detects"| A
  G -->|"Guides to"| B
  H["Code quality"] -->|"Improved by"| F
  H -->|"Improved by"| I["Better formatting<br/>& organization"]

File Walkthrough

Relevant files

Enhancement

48 files

stateful_alert_engine.ex `SystemActor integration and code refactoring for authorization` elixir/serviceradar_core/lib/serviceradar/observability/stateful_alert_engine.ex Replaced `authorize?: false` with `actor: actor` using `SystemActor.for_tenant()` for authorization Refactored nested `Enum.each` loops into dedicated helper functions (`process_log_rules`, `process_event_rules`, `maybe_process_log_rule`, `maybe_process_event_rule`) Extracted complex matching logic into separate functions (`log_matches?`, `event_matches?`, `fetch_attr`) Simplified conditional logic and improved code organization with helper functions for record processing	+211/-140
stats_aggregator.ex `Code refactoring for improved readability and maintainability` elixir/serviceradar_core/lib/serviceradar/core/stats_aggregator.ex Refactored device snapshot building into dedicated functions (`build_snapshot_from_devices`, `update_device_stats`, `device_active?`) Extracted record selection logic into separate functions (`record_key`, `canonical_record?`, `upsert_canonical_record`, `upsert_fallback_record`) Simplified capability counting with helper functions (`maybe_increment_collectors`, `increment_capability`, `has_collector?`) Improved logging logic with extracted functions (`should_log_snapshot?`, `stats_changed?`, `meta_changed?`, `maybe_log_non_canonical`)	+183/-169
sweep_results_ingestor.ex `Code refactoring for better function decomposition` elixir/serviceradar_core/lib/serviceradar/sweep_jobs/sweep_results_ingestor.ex Extracted device record building into `build_unknown_device_records` and `insert_unknown_device_records` functions Refactored host result processing with helper functions (`result_available?`, `host_status`, `device_id_for_ip`, `build_host_record`, `response_time_ms`, `open_ports`, `parse_integer`, `valid_port?`) Simplified device availability updates with extracted functions (`result_ips_for_status`, `device_uids_for_ips`, `update_device_statuses`, `maybe_add_sweep_source`) Improved code organization by breaking down complex logic into smaller, focused functions	+195/-209
alias_events.ex `Code refactoring for improved function decomposition` elixir/serviceradar_core/lib/serviceradar/identity/alias_events.ex Refactored `from_metadata` to use helper functions (`build_alias_record`, `build_alias_maps`, `seed_service_aliases`, `seed_ip_aliases`, `update_alias_maps`) Extracted alias processing logic into `update_service_alias` and `update_ip_alias` functions Simplified metadata building with `maybe_put` and `maybe_put_map` helper functions Refactored device alias event building with `build_device_alias_events` and `alias_values` functions	+179/-216
sweep.ex `SystemActor integration and code refactoring` elixir/serviceradar_core/lib/serviceradar/event_writer/processors/sweep.ex Added `SystemActor` alias and integrated it for authorization instead of `authorize?: false` Extracted message parsing into `build_rows` and `insert_sweep_rows` functions Refactored inventory update processing with `process_execution_results` function Simplified device availability updates with `update_availability`, `update_available_devices`, `update_unavailable_devices` functions Added helper functions for sweep result parsing (`status_from_icmp`, `protocol_from_icmp`)	+120/-91
log_promotion.ex `SystemActor integration and code refactoring` elixir/serviceradar_core/lib/serviceradar/observability/log_promotion.ex Replaced `authorize?: false` with `actor: actor` using `SystemActor.for_tenant()` for authorization Added `@severity_text_map` module attribute for severity mapping Extracted event building logic into helper functions (`event_message`, `event_status_id`, `event_status`, `event_actor`, `event_log_name`, `event_log_provider`, `event_log_level`, `event_log_time`, `event_uids`) Refactored alert creation with `update_alert_counts` and `maybe_emit_alert_metrics` functions Simplified severity mapping using map lookup instead of case statement	+122/-72
provision_collector_worker.ex `SystemActor integration and code refactoring` elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex Replaced `authorize?: false` with `actor: actor` using `SystemActor.for_tenant()` and `SystemActor.platform()` for authorization Extracted TLS certificate generation logic into `decrypt_private_key`, `build_ca_data`, `generate_component_cert` functions Simplified private key decryption with dedicated helper function Updated all Ash operations to use `actor` parameter instead of `authorize?: false`	+67/-49
device_lookup.ex `Code refactoring for improved function decomposition` elixir/serviceradar_core/lib/serviceradar/identity/device_lookup.ex Refactored cache hit fetching into `fetch_cache_hits` and `cache_db_results` functions Extracted identity key normalization into `normalize_key_entry` and `maybe_add_ip_hint` functions Refactored device lookup logic with `cached_record_for_key`, `handle_lookup_miss`, `cache_lookup_result` functions Simplified partition matching with `partition_matches?` helper function Improved device selection with `maybe_record_for_ip` function	+91/-78
onboarding_packages.ex `SystemActor integration and code formatting` elixir/serviceradar_core/lib/serviceradar/edge/onboarding_packages.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with `actor: actor` using `SystemActor.for_tenant()` and `SystemActor.platform()` Updated TenantCA retrieval and Tenant operations to use proper actor-based authorization Reformatted large numbers with underscore separators (e.g., `86400` to `86_400`)	+17/-11
template_seeder.ex `Replace authorize false with SystemActor and refactor seeding` elixir/serviceradar_core/lib/serviceradar/observability/template_seeder.ex Introduced `SystemActor.platform/1` for cross-tenant seeding operations instead of `authorize?: false` Introduced `SystemActor.for_tenant/2` for tenant-scoped seeding instead of manual actor maps Extracted template creation logic into `seed_template_if_missing/5` and `create_template/4` functions Extracted zen template creation into `seed_zen_template_if_missing/4` and `create_zen_template/4` functions Extracted legacy template renaming into `maybe_rename_legacy_template/3`, `rename_template_if_missing/5`, and `do_rename_template/6` functions	+93/-65
sync_ingestor_queue.ex `Replace authorize false with SystemActor in sync queue` elixir/serviceradar_core/lib/serviceradar/inventory/sync_ingestor_queue.ex Introduced `SystemActor.for_tenant/2` to replace manual actor map construction Extracted available slots calculation into `available_slots/2` function Extracted ingestion result handling into `apply_ingestion_result/1` function Refactored sync recording into `with_sync_service/4` and `update_sync_source/7` helper functions Replaced `authorize?: false` with proper actor-based authorization	+63/-81
sweep_compiler.ex `Replace authorize false with SystemActor in sweep compiler` elixir/serviceradar_core/lib/serviceradar/agent_config/compilers/sweep_compiler.ex Introduced `SystemActor.for_tenant/2` to replace manual actor map construction Removed `build_system_actor/1` function in favor of `SystemActor` module Replaced `authorize?: false` with proper actor-based authorization in Ash queries Removed try-rescue wrapper around main compilation logic	+40/-50
tenant.ex `Replace authorize false with SystemActor in tenant module` elixir/serviceradar_core/lib/serviceradar/identity/tenant.ex Introduced `SystemActor.platform/1` for platform-level operations (CA generation, tenant registration) Replaced `authorize?: false` with actor-based authorization throughout Extracted platform actor creation for CA generation, tenant registration, and bootstrap operations Updated function signatures to pass actor parameter through helper functions	+34/-17
system_actor.ex `New SystemActor module for background operations` elixir/serviceradar_core/lib/serviceradar/actors/system_actor.ex New module providing `for_tenant/2` function for tenant-scoped system actors New module providing `platform/1` function for platform-wide system actors Added `system_actor?/1` predicate function to identify system actors Comprehensive documentation explaining usage patterns and security benefits	+169/-0
zen_rule_seeder.ex `Replace authorize false with SystemActor in zen rule seeder` elixir/serviceradar_core/lib/serviceradar/observability/zen_rule_seeder.ex Introduced `SystemActor.platform/1` for cross-tenant seeding operations Introduced `SystemActor.for_tenant/2` for tenant-scoped seeding Extracted rule creation logic into `seed_rule_if_missing/4` and `create_rule/3` functions Extracted legacy rule renaming into `rename_legacy_rule/3`, `rename_rule_if_missing/4`, and `do_rename_rule/6` functions Replaced `authorize?: false` with proper actor-based authorization	+71/-51
agent_gateway_sync.ex `Replace authorize false with SystemActor in gateway sync` elixir/serviceradar_core/lib/serviceradar/edge/agent_gateway_sync.ex Introduced `SystemActor.for_tenant/2` to replace manual actor map construction Removed `system_actor/1` function in favor of `SystemActor` module Replaced `authorize?: false` with proper actor-based authorization in Ash operations Reordered alias imports for consistency	+13/-21
sweep_monitor_worker.ex `Replace authorize false with SystemActor in sweep monitor` elixir/serviceradar_core/lib/serviceradar/sweep_jobs/sweep_monitor_worker.ex Introduced `SystemActor.for_tenant/2` for sweep monitoring operations Extracted schedule checking logic into `check_group_schedule/4` function with pattern matching Refactored `parse_interval_to_seconds/1` into `parse_interval_string/1`, `unit_seconds/1`, and `parse_interval_fallback/1` helpers Improved numeric formatting with underscores for readability (e.g., `86_400`)	+72/-53
operator_bootstrap.ex `Replace authorize false with SystemActor in operator bootstrap` elixir/serviceradar_core/lib/serviceradar/nats/operator_bootstrap.ex Introduced `SystemActor.platform/1` for platform-level NATS operations Replaced `authorize?: false` with proper actor-based authorization Extracted tenant account provisioning into `handle_tenants_needing_accounts/1` and `enqueue_tenant_account/1` functions Simplified `oban_running?/0` by removing try-rescue wrapper	+44/-34
create_account_worker.ex `Replace authorize false with SystemActor in account worker` elixir/serviceradar_core/lib/serviceradar/nats/workers/create_account_worker.ex Introduced `SystemActor.platform/1` to replace manual actor map construction Replaced `authorize?: false` with proper actor-based authorization throughout Simplified `oban_running?/0` by removing try-rescue wrapper Updated actor creation for all tenant-related operations	+32/-18
zen_rule_sync.ex `Replace authorize false with SystemActor in zen rule sync` elixir/serviceradar_core/lib/serviceradar/observability/zen_rule_sync.ex Introduced `SystemActor.for_tenant/2` for zen rule sync operations Added `actor` field to module struct for GenServer state Extracted rule synchronization logging into `sync_rule_with_logging/2` function Extracted actor-aware sync into `sync_rule_with_actor/2` function Replaced `authorize?: false` with proper actor-based authorization	+42/-24
nats_leaf_server.ex `Replace authorize false with SystemActor pattern` elixir/serviceradar_core/lib/serviceradar/edge/nats_leaf_server.ex Added `SystemActor` alias and replaced `authorize?: false` with actor-based authorization Added `ProvisionLeafWorker` alias to simplify module references Refactored `parse_cert_expiry/1` to use rescue clause instead of try-catch block Added system actor bypass policy allowing `:system` role to perform all operations	+23/-17
tenant_resolver.ex `Refactor to use SystemActor and extract helper functions` elixir/serviceradar_core/lib/serviceradar/edge/tenant_resolver.ex Added `SystemActor` and `TenantCAGenerator` aliases for cleaner code Replaced `authorize?: false` with platform actor in tenant lookup and CA operations Extracted certificate extraction logic into separate `cowboy_cert/1` and `bandit_cert/1` helper functions Simplified module references using aliases instead of full paths	+28/-18
identity_reconciler.ex `Refactor device reconciliation with helper functions` elixir/serviceradar_core/lib/serviceradar/inventory/identity_reconciler.ex Refactored device ID resolution logic using `with` statement for better readability Extracted `resolve_fallback_device_id/3` helper function Simplified `lookup_by_strong_identifiers/2` conditional logic Extracted `lookup_identifier/3` helper to reduce nesting in identifier lookup loop Changed `lookup_by_ip/2` condition logic for clarity Replaced `length(seeds) > 0` with `not Enum.empty?(seeds)` for idiomatic Elixir	+40/-36
provision_leaf_worker.ex `Replace authorize false with SystemActor pattern` elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_leaf_worker.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with platform/tenant-specific actors in resource loading Updated `get_tenant_ca/2` to use tenant-scoped actor instead of bypassing authorization Modified `update_leaf_server_status/5` to use actor-based authorization	+19/-6
health_tracker.ex `Replace authorize false with SystemActor pattern` elixir/serviceradar_core/lib/serviceradar/infrastructure/health_tracker.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with tenant-scoped actors in all Ash operations Extracted `build_summary/1` helper function to reduce nesting in `summary/1`	+33/-27
sync_ingestor.ex `Refactor with Enum.empty and helper functions` elixir/serviceradar_core/lib/serviceradar/inventory/sync_ingestor.ex Replaced `length(list) > 0` checks with `Enum.empty?()` for idiomatic Elixir Simplified function clause patterns for `bulk_lookup_identifiers/2` and `bulk_lookup_by_ip/2` Extracted `cached_device_id/2` and `existing_device_id/3` helper functions Refactored device ID resolution logic for better readability	+29/-30
authorize_false_usage.ex `Add Credo check for authorize false usage` elixir/serviceradar_core/lib/serviceradar/credo/check/warning/authorize_false_usage.ex New Credo check to detect and warn about `authorize?: false` usage in production code Provides guidance to use `SystemActor.for_tenant/2` or `SystemActor.platform/1` instead Skips checks in test files and documentation Implements pattern matching for various AST representations of `authorize?: false`	+103/-0
rule_seeder.ex `Replace authorize false with SystemActor pattern` elixir/serviceradar_core/lib/serviceradar/observability/rule_seeder.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with platform/tenant-scoped actors Extracted `seed_rule_if_missing/5` and `create_rule/4` helper functions Simplified rule seeding logic with better separation of concerns	+33/-22
client.ex `Extract configuration helper functions` elixir/serviceradar_core/lib/serviceradar/data_service/client.ex Extracted `config_value/5`, `config_value_int/5`, and `config_value_bool/5` helper functions Simplified configuration resolution logic by reducing repetitive `\|\|` chains Improved code readability and maintainability	+39/-21
tenant_worker.ex `Refactor tenant worker with helper functions` elixir/serviceradar_core/lib/serviceradar/oban/tenant_worker.ex Refactored `execute_with_tenant/3` to extract result handling logic Extracted `handle_perform_result/4`, `maybe_on_success/3`, and `maybe_on_failure/4` helpers Improved error handling with cleaner separation of concerns Moved rescue clause to top level for better exception handling	+42/-36
tenant_registry.ex `Extract helper functions for registry operations` elixir/serviceradar_core/lib/serviceradar/cluster/tenant_registry.ex Extracted `find_parent_supervisor/2`, `resolve_ancestor_pid/1`, and `maybe_child_pid/2` helpers Extracted `tenant_registries/1` helper function for cleaner list comprehension Improved code readability by reducing nesting	+35/-27
event_publisher.ex `Refactor event messages and add SystemActor` elixir/serviceradar_core/lib/serviceradar/infrastructure/event_publisher.ex Added `SystemActor` alias for authorization Refactored `message_for_event/4` into separate clauses for each event type Replaced `authorize?: false` with platform actor in tenant lookup Improved code organization and readability	+28/-22
tenant_queues.ex `Replace authorize false and extract queue helpers` elixir/serviceradar_core/lib/serviceradar/oban/tenant_queues.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with platform actor in tenant provisioning Extracted `fetch_queue_stats/2`, `queue_stats/2`, `queue_counts/2`, `normalize_queue_counts/1`, and `empty_tenant_stats/1` helpers Simplified queue statistics collection logic	+42/-26
assign_tenant_id.ex `Add aliases and extract tenant ID helpers` elixir/serviceradar_core/lib/serviceradar/changes/assign_tenant_id.ex Added aliases for `Ash.Changeset` and `Ash.Resource.Info` for cleaner code Extracted `actor_tenant_id/1` and `changeset_tenant_id/1` helper functions Simplified tenant ID resolution logic	+20/-18
platform_service_certificates.ex `Replace authorize false with SystemActor pattern` elixir/serviceradar_core/lib/serviceradar/edge/platform_service_certificates.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with tenant-scoped actors throughout Updated actor creation from string `"system"` to proper `SystemActor.for_tenant/2`	+8/-5
cluster_status.ex `Refactor cluster status with helper functions` elixir/serviceradar_core/lib/serviceradar/cluster/cluster_status.ex Reordered aliases alphabetically Refactored `coordinator_health/0` to use if-else instead of cond Extracted `find_remote_coordinator/0` and `coordinator_node?/1` helper functions Simplified `get_local_health/0` by removing try-catch wrapper	+29/-27
config_server.ex `Replace authorize false with SystemActor pattern` elixir/serviceradar_core/lib/serviceradar/agent_config/config_server.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with tenant-scoped actor in database loading Extracted `compile_cache_miss/6` helper function for cleaner cache handling	+19/-13
compile_zen_rule.ex `Extract zen rule compilation helpers` elixir/serviceradar_core/lib/serviceradar/observability/changes/compile_zen_rule.ex Extracted `apply_compiled_jdm/2`, `jdm_definition_present?/1`, and `atomic_payload/3` helpers Refactored atomic change logic using `with` statement Improved code organization and readability	+34/-24
generator.ex `Replace authorize false and format numbers` elixir/serviceradar_core/lib/serviceradar/edge/tenant_ca/generator.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with platform actor in tenant loading Reformatted large numbers with underscore separators (e.g., `65537` to `65_537`)	+8/-4
reserved_tenant_slug.ex `Extract slug and platform flag helpers` elixir/serviceradar_core/lib/serviceradar/identity/validations/reserved_tenant_slug.ex Extracted `changeset_slug/1`, `data_slug/1`, `normalize_slug/1` helpers Extracted `platform_flag_from_data/1` helper function Simplified slug and platform flag resolution logic	+29/-35
alert.ex `Add module aliases and system actor policy` elixir/serviceradar_core/lib/serviceradar/monitoring/alert.ex Added aliases for nested modules to simplify references Added system actor bypass policy allowing `:system` role to perform all operations Refactored duration calculation logic to check `is_nil(resolved_at)` instead of negation	+25/-10
collector_package.ex `Replace authorize false and add SystemActor` elixir/serviceradar_core/lib/serviceradar/edge/collector_package.ex Added `SystemActor` and `PubSub` aliases Replaced `authorize?: false` with tenant-scoped actors in credential operations Added system actor bypass policy allowing `:system` role to perform all operations Simplified PubSub broadcast calls using alias	+15/-6
health_check_registrar.ex `Extract service configuration helpers` elixir/serviceradar_core/lib/serviceradar/infrastructure/health_check_registrar.ex Extracted `map_service_config/3` and `basic_service_config/4` helper functions Simplified service configuration logic by reducing repetitive map construction	+27/-27
nats_credential.ex `Add PubSub alias and system actor policy` elixir/serviceradar_core/lib/serviceradar/edge/nats_credential.ex Added `PubSub` alias for cleaner code Added system actor bypass policy allowing `:system` role to perform all operations Reformatted multi-line changeset operations for better readability Simplified PubSub broadcast calls using alias	+17/-4
agent_config_generator.ex `Reorder aliases and simplify error handling` elixir/serviceradar_core/lib/serviceradar/edge/agent_config_generator.ex Reordered aliases alphabetically Removed try-catch wrapper from `load_agent_checks/2` function Simplified error handling with rescue clause at function level	+25/-27
device.ex `Replace authorize false with SystemActor pattern` elixir/serviceradar_core/lib/serviceradar/actors/device.ex Added `SystemActor` alias for authorization Replaced `authorize?: false` with tenant-scoped actors in device operations Changed `length(state.events) > 0` to `Enum.empty?(state.events)` for idiomatic Elixir	+7/-4
pipeline.ex `Refactor batcher determination with rules` elixir/serviceradar_core/lib/serviceradar/event_writer/pipeline.ex Reordered aliases alphabetically Refactored `determine_batcher/1` to use `Enum.find_value/3` with rule list Extracted `batcher_rules/0` helper function for cleaner subject matching	+19/-14
spiffe.ex `Refactor SPIFFE verification with helpers` elixir/serviceradar_core/lib/serviceradar/spiffe.ex Refactored `verify_peer_callback/3` into separate function clauses for each event type Extracted `verify_spiffe_id/2` helper function Improved code organization and readability	+24/-28

Formatting

6 files

agent_registry_test.exs `Test code formatting and idiomatic improvements` elixir/serviceradar_core/test/serviceradar/registry/agent_registry_test.exs Reformatted port numbers using underscore separators (e.g., `50051` to `50_051`) for readability Replaced `length(list) >= 1` checks with `refute Enum.empty?(list)` for better idiomatic Elixir Replaced `length(list) >= 2` with pattern matching `[_first, _second \| _]` for clarity	+25/-25
agent_health_test.exs `Format numeric literals with underscores` elixir/serviceradar_core/test/serviceradar/infrastructure/agent_health_test.exs Updated numeric literals to use underscore separators for readability (e.g., `50_051` instead of `50051`) Applied consistent formatting across all port number assignments in test fixtures	+14/-14
otel_traces_test.exs `Format numeric literals with underscores` elixir/serviceradar_core/test/serviceradar/event_writer/processors/otel_traces_test.exs Updated numeric literals to use underscore separators for readability (e.g., `1_705_315_800_000_000_000`) Applied consistent formatting across all large number assignments in test data	+13/-13
tenant_schemas.ex `Add module aliases for SQL and error handling` elixir/serviceradar_core/lib/serviceradar/cluster/tenant_schemas.ex Added aliases for `Ecto.Adapters.SQL` and `Postgrex.Error` for cleaner code Replaced all `Ecto.Adapters.SQL` calls with `SQL` alias Replaced `Postgrex.Error` with `PostgrexError` alias throughout	+11/-9
agent_test.exs `Format port numbers with underscore separators` elixir/serviceradar_core/test/serviceradar/infrastructure/agent_test.exs Reformatted port numbers using underscore separators (e.g., `50051` to `50_051`) Applied consistent formatting across multiple test cases	+12/-12
cross_tenant_access_test.exs `Reorder aliases and format port numbers` elixir/serviceradar_core/test/serviceradar/security/cross_tenant_access_test.exs Reordered aliases alphabetically Reformatted port numbers using underscore separators (e.g., `50051` to `50_051`)	+6/-6

Refactoring

7 files

events.ex `Refactor event processing with extracted helper functions` elixir/serviceradar_core/lib/serviceradar/event_writer/processors/events.ex Extracted row building and insertion logic into separate private functions `build_rows/1` and `insert_event_rows/2` Refactored `parse_message/1` to use `with` pattern matching instead of nested `if/case` statements Extracted required field validation into `required_event_fields/1` function Added helper functions `jsonb_or_empty_map/1`, `jsonb_or_empty_list/1`, and `parse_string_or/2` to reduce duplication	+96/-64
netflow.ex `Refactor netflow processing with helper functions` elixir/serviceradar_core/lib/serviceradar/event_writer/processors/netflow.ex Added `@direction_map` module attribute to consolidate direction string mappings Extracted row building and insertion logic into `build_rows/1` and `insert_netflow_rows/2` functions Refactored `parse_message/1` to use `with` pattern matching for cleaner error handling Added `flow_value/4` helper function to reduce duplication in field extraction logic Simplified `parse_direction/1` to use map lookup instead of case statement	+51/-40
result_processor.ex `Refactor result processor with extracted helper functions` elixir/serviceradar_core/lib/serviceradar/core/result_processor.ex Replaced `length(list) > 0` checks with `Enum.empty?/1` for consistency Extracted canonical snapshot application into separate functions `apply_canonical_device_id/2`, `apply_snapshot_mac/2`, `apply_snapshot_hostname/2`, and `apply_snapshot_attributes/2` Extracted attribute copying logic into `copy_attribute_if_empty/3` function Refactored `has_strong_identity?/1` to use helper functions `has_attribute?/2` and `has_value?/1`	+71/-71
poll_orchestrator.ex `Refactor gateway finding with pattern matching` elixir/serviceradar_core/lib/serviceradar/monitoring/poll_orchestrator.ex Refactored `find_gateway/1` into separate clauses for each assignment mode (`:any`, `:partition`, `:domain`, `:specific`) Extracted gateway PID resolution into `resolve_gateway_pid/2` and `resolve_gateway_pid_from_registry/2` functions Extracted gateway ID resolution into `resolve_gateway_id/2` function Improved code readability by using pattern matching in function heads	+83/-72
logs.ex `Refactor log processing with extracted helper functions` elixir/serviceradar_core/lib/serviceradar/event_writer/processors/logs.ex Extracted row building and insertion logic into `build_rows/1` and `insert_log_rows/2` functions Refactored `parse_message/1` to use `with` pattern matching for cleaner error handling Extracted log payload parsing into `parse_log_payload/4` function Extracted ingest metadata building into `build_ingest_metadata/1` and `merge_ingest_metadata/2` functions Added `merge_ingest_value/2` helper for conditional map merging	+54/-39
alert_generator.ex `Refactor alert generator with extracted helper functions` elixir/serviceradar_core/lib/serviceradar/monitoring/alert_generator.ex Extracted stats alert skipping logic into `skip_stats_alert?/4` function Extracted stats alert sending into `maybe_send_stats_alert/4` function Extracted alert building into `build_stats_alert/4` and `build_stats_alert_details/3` functions Refactored `severity_from_event/1` to use helper function `severity_for_id/1` with pattern matching	+60/-45
cluster_health.ex `Simplify cluster health check logic` elixir/serviceradar_core/lib/serviceradar/cluster/cluster_health.ex Simplified health check logic by replacing `cond` with `if-else` statement Improved readability by inverting condition to check healthy state first	+6/-8

Configuration

1 files

.credo.exs

Add Credo configuration for code quality

elixir/serviceradar_core/.credo.exs

New Credo configuration file for code quality checks
Includes custom check for authorize?: false usage detection
Configures standard Elixir code style checks and refactoring
suggestions
Sets max line length to 120 characters

+120/-0

Tests

1 files

system_actor_test.exs

Add SystemActor module tests

elixir/serviceradar_core/test/serviceradar/actors/system_actor_test.exs

New comprehensive test suite for SystemActor module
Tests for for_tenant/2 function with various component names
Tests for platform/1 function
Tests for system_actor?/1 predicate with multiple actor types
Tests for actor structure and required fields

+135/-0

Additional files

98 files

serviceradar-core-lint.yml	+59/-0
Makefile	+2/-0
CLAUDE.md	+101/-0
create_version_history.ex	+17/-2
config_cache.ex	+8/-8
config_instance.ex	+5/-0
config_template.ex	+5/-0
config_version.ex	+5/-0
tenant_guard.ex	+4/-6
tenant_registry_loader.ex	+5/-1
agent_process.ex	+4/-3
edge_site.ex	+8/-1
gateway_process.ex	+1/-1
onboarding_package.ex	+5/-0
tenant_ca.ex	+5/-0
health.ex	+1/-1
otel_metrics.ex	+19/-12
otel_traces.ex	+19/-12
telemetry.ex	+19/-12
audit_writer.ex	+2/-3
health_writer.ex	+1/-1
internal_log_publisher.ex	+5/-1
job_writer.ex	+1/-1
onboarding_writer.ex	+10/-2
api_token.ex	+5/-0
assign_default_tenant.ex	+4/-6
identity_cache.ex	+11/-13
send_magic_link_email.ex	+9/-2
tenant_membership.ex	+5/-0
user.ex	+5/-0
users.ex	+4/-6
unique_platform_tenant.ex	+6/-1
agent.ex	+8/-5
checker.ex	+8/-3
gateway.ex	+8/-3
health_check_runner.ex	+16/-20
health_event.ex	+12/-3
nats_operator.ex	+4/-1
nats_platform_token.ex	+7/-2
partition.ex	+9/-7
state_monitor.ex	+3/-11
integration_source.ex	+9/-1
sync_config_generator.ex	+8/-3
device.ex	+9/-3
device_group.ex	+5/-0
ocsf_event.ex	+5/-0
poll_job.ex	+5/-0
polling_schedule.ex	+5/-0
service_check.ex	+5/-0
webhook_notifier.ex	+6/-8
account_client.ex	+21/-18
router.ex	+11/-10
sync_zen_rule.ex	+21/-20
log.ex	+5/-0
log_promotion_rule.ex	+5/-0
log_promotion_rule_template.ex	+5/-0
otel_trace.ex	+5/-4
otel_trace_summary.ex	+1/-4
stateful_alert_cleanup_worker.ex	+8/-5
stateful_alert_rule.ex	+5/-0
stateful_alert_rule_history.ex	+5/-0
stateful_alert_rule_state.ex	+5/-0
stateful_alert_rule_template.ex	+5/-0
sync_log_writer.ex	+4/-1
window_bucket.ex	+15/-14
zen_rule.ex	+5/-0
zen_rule_template.ex	+5/-0
nats_account.pb.ex	+0/-1
agent_registry.ex	+8/-3
sweep_data_cleanup_worker.ex	+10/-1
sweep_group.ex	+5/-0
sweep_group_execution.ex	+5/-0
sweep_host_result.ex	+5/-0
sweep_profile.ex	+5/-0
target_criteria.ex	+15/-19
client.ex	+1/-1
telemetry.ex	+8/-12
cross_tenant_isolation_test.exs	+1/-1
config_test.exs	+1/-1
logs_test.exs	+2/-2
otel_metrics_test.exs	+1/-1
agent_tenant_isolation_test.exs	+8/-8
health_tracker_test.exs	+1/-1
state_machine_test.exs	+1/-1
poll_job_integration_test.exs	+1/-1
account_client_test.exs	+4/-4
log_promotion_test.exs	+6/-4
registry_sync_test.exs	+6/-8
edge_isolation_test.exs	+4/-4
status_handler_integration_test.exs	+1/-1
sweep_compiler_test.exs	+2/-2
telemetry_test.exs	+2/-2
proposal.md	+78/-0
tasks.md	+94/-0
design.md	+217/-0
proposal.md	+100/-0
tasks.md	+63/-0
index.ex	+1/-1

Imported from GitHub pull request. Original GitHub pull request: #2273 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/2273 Original created: 2026-01-12T18:00:23Z Original updated: 2026-01-12T18:21:53Z Original head: carverauto/serviceradar:updates/systemactor-module Original base: staging Original merged: 2026-01-12T18:21:51Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement, Refactoring, Tests ___ ### **Description** - **Introduced `SystemActor` module** for background operations with `for_tenant/2` and `platform/1` functions to replace unsafe `authorize?: false` patterns throughout the codebase - **Replaced `authorize?: false` with actor-based authorization** across 30+ modules including event processors, workers, seeders, and infrastructure components - **Added Credo configuration and custom check** to detect and warn about `authorize?: false` usage, guiding developers to use `SystemActor` instead - **Comprehensive code refactoring** across event processors, workers, and core modules with extracted helper functions for improved readability and maintainability - **Refactored complex functions** into smaller, focused helper functions in modules like `stateful_alert_engine`, `stats_aggregator`, `sweep_results_ingestor`, and many event processors - **Improved code formatting** with underscore separators in numeric literals and consistent alias ordering - **Added comprehensive test suite** for the new `SystemActor` module covering tenant-scoped and platform-wide operations - **Simplified conditional logic** by replacing `cond` with `if-else`, using `Enum.empty?()` instead of `length()` checks, and extracting pattern matching into separate function clauses ___ ### Diagram Walkthrough ```mermaid flowchart LR A["authorize?: false patterns"] -->|"Replace with"| B["SystemActor module"] B -->|"for_tenant/2"| C["Tenant-scoped operations"] B -->|"platform/1"| D["Platform-wide operations"] E["Complex functions"] -->|"Extract helpers"| F["Focused helper functions"] G["Credo check"] -->|"Detects"| A G -->|"Guides to"| B H["Code quality"] -->|"Improved by"| F H -->|"Improved by"| I["Better formatting & organization"] ``` <details><summary><h3>File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Enhancement</td><td><details><summary>48 files</summary><table> <tr> <td> <details> <summary>stateful_alert_engine.ex<dd><code>SystemActor integration and code refactoring for authorization</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/observability/stateful_alert_engine.ex <ul><li>Replaced <code>authorize?: false</code> with <code>actor: actor</code> using <code>SystemActor.for_tenant()</code> for authorization <li> Refactored nested <code>Enum.each</code> loops into dedicated helper functions (<code>process_log_rules</code>, <code>process_event_rules</code>, <code>maybe_process_log_rule</code>, <code>maybe_process_event_rule</code>) <li> Extracted complex matching logic into separate functions (<code>log_matches?</code>, <code>event_matches?</code>, <code>fetch_attr</code>) <li> Simplified conditional logic and improved code organization with helper functions for record processing</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-bae3a52db882de8c947e62f219a95dff8db4e155e37d9a361dbe14ec25fcd3bd">+211/-140</a></td> </tr> <tr> <td> <details> <summary>stats_aggregator.ex<dd><code>Code refactoring for improved readability and maintainability</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/core/stats_aggregator.ex <ul><li>Refactored device snapshot building into dedicated functions (<code>build_snapshot_from_devices</code>, <code>update_device_stats</code>, <code>device_active?</code>) <li> Extracted record selection logic into separate functions (<code>record_key</code>, <code>canonical_record?</code>, <code>upsert_canonical_record</code>, <code>upsert_fallback_record</code>) <li> Simplified capability counting with helper functions (<code>maybe_increment_collectors</code>, <code>increment_capability</code>, <code>has_collector?</code>) <li> Improved logging logic with extracted functions (<code>should_log_snapshot?</code>, <code>stats_changed?</code>, <code>meta_changed?</code>, <code>maybe_log_non_canonical</code>)</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-1f4ac8290be7d27cac0ed660e51a9b3b23a219a6bb43b3735f3c5a9768321031">+183/-169</a></td> </tr> <tr> <td> <details> <summary>sweep_results_ingestor.ex<dd><code>Code refactoring for better function decomposition</code>              </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/sweep_jobs/sweep_results_ingestor.ex <ul><li>Extracted device record building into <code>build_unknown_device_records</code> and <code>insert_unknown_device_records</code> functions <li> Refactored host result processing with helper functions (<code>result_available?</code>, <code>host_status</code>, <code>device_id_for_ip</code>, <code>build_host_record</code>, <code>response_time_ms</code>, <code>open_ports</code>, <code>parse_integer</code>, <code>valid_port?</code>) <li> Simplified device availability updates with extracted functions (<code>result_ips_for_status</code>, <code>device_uids_for_ips</code>, <code>update_device_statuses</code>, <code>maybe_add_sweep_source</code>) <li> Improved code organization by breaking down complex logic into smaller, focused functions</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-06f4b3bf56e5f1d122b25040ea7f321125d6cae20606811dc0b2a0ddc7a66226">+195/-209</a></td> </tr> <tr> <td> <details> <summary>alias_events.ex<dd><code>Code refactoring for improved function decomposition</code>          </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/identity/alias_events.ex <ul><li>Refactored <code>from_metadata</code> to use helper functions (<code>build_alias_record</code>, <code>build_alias_maps</code>, <code>seed_service_aliases</code>, <code>seed_ip_aliases</code>, <code>update_alias_maps</code>) <li> Extracted alias processing logic into <code>update_service_alias</code> and <code>update_ip_alias</code> functions <li> Simplified metadata building with <code>maybe_put</code> and <code>maybe_put_map</code> helper functions <li> Refactored device alias event building with <code>build_device_alias_events</code> and <code>alias_values</code> functions</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-bc3743067ea774f59bc5665770f7110a2d6e90f6e1156a7717a1c287f8979d28">+179/-216</a></td> </tr> <tr> <td> <details> <summary>sweep.ex<dd><code>SystemActor integration and code refactoring</code>                          </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/event_writer/processors/sweep.ex <ul><li>Added <code>SystemActor</code> alias and integrated it for authorization instead of <code>authorize?: false</code> <li> Extracted message parsing into <code>build_rows</code> and <code>insert_sweep_rows</code> functions <li> Refactored inventory update processing with <code>process_execution_results</code> function <li> Simplified device availability updates with <code>update_availability</code>, <code>update_available_devices</code>, <code>update_unavailable_devices</code> functions <li> Added helper functions for sweep result parsing (<code>status_from_icmp</code>, <code>protocol_from_icmp</code>)</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-ac15b7f40862a0f6bab14cfaf84ae8776c232baa90166014e34159a81427811e">+120/-91</a></td> </tr> <tr> <td> <details> <summary>log_promotion.ex<dd><code>SystemActor integration and code refactoring</code>                          </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/observability/log_promotion.ex <ul><li>Replaced <code>authorize?: false</code> with <code>actor: actor</code> using <code>SystemActor.for_tenant()</code> for authorization <li> Added <code>@severity_text_map</code> module attribute for severity mapping <li> Extracted event building logic into helper functions (<code>event_message</code>, <code>event_status_id</code>, <code>event_status</code>, <code>event_actor</code>, <code>event_log_name</code>, <code>event_log_provider</code>, <code>event_log_level</code>, <code>event_log_time</code>, <code>event_uids</code>) <li> Refactored alert creation with <code>update_alert_counts</code> and <code>maybe_emit_alert_metrics</code> functions <li> Simplified severity mapping using map lookup instead of case statement</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-5e3c4560ef4f82f26d916b0f27a243aaf6e141b373a14b4cca4e31ad607ca836">+122/-72</a></td> </tr> <tr> <td> <details> <summary>provision_collector_worker.ex<dd><code>SystemActor integration and code refactoring</code>                          </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex <ul><li>Replaced <code>authorize?: false</code> with <code>actor: actor</code> using <code>SystemActor.for_tenant()</code> and <code>SystemActor.platform()</code> for authorization <li> Extracted TLS certificate generation logic into <code>decrypt_private_key</code>, <code>build_ca_data</code>, <code>generate_component_cert</code> functions <li> Simplified private key decryption with dedicated helper function <li> Updated all Ash operations to use <code>actor</code> parameter instead of <code>authorize?: false</code></ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-7ff3df8f584638f1a5e4a5b4676e90267a4a4558726f42fb88e8e2455b584a81">+67/-49</a>  </td> </tr> <tr> <td> <details> <summary>device_lookup.ex<dd><code>Code refactoring for improved function decomposition</code>          </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/identity/device_lookup.ex <ul><li>Refactored cache hit fetching into <code>fetch_cache_hits</code> and <code>cache_db_results</code> functions <li> Extracted identity key normalization into <code>normalize_key_entry</code> and <code>maybe_add_ip_hint</code> functions <li> Refactored device lookup logic with <code>cached_record_for_key</code>, <code>handle_lookup_miss</code>, <code>cache_lookup_result</code> functions <li> Simplified partition matching with <code>partition_matches?</code> helper function <li> Improved device selection with <code>maybe_record_for_ip</code> function</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c988811f2daa9cbfc0d4c14744db9cca59117cd35d6bcd2dcc74245b15c3c479">+91/-78</a>  </td> </tr> <tr> <td> <details> <summary>onboarding_packages.ex<dd><code>SystemActor integration and code formatting</code>                            </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/onboarding_packages.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with <code>actor: actor</code> using <code>SystemActor.for_tenant()</code> and <code>SystemActor.platform()</code> <li> Updated TenantCA retrieval and Tenant operations to use proper actor-based authorization <li> Reformatted large numbers with underscore separators (e.g., <code>86400</code> to <code>86_400</code>)</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e4fe8e19bc324416302bb4c962f57133b3f62eb82053766844d881c522a473e5">+17/-11</a>  </td> </tr> <tr> <td> <details> <summary>template_seeder.ex<dd><code>Replace authorize false with SystemActor and refactor seeding</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/observability/template_seeder.ex <ul><li>Introduced <code>SystemActor.platform/1</code> for cross-tenant seeding operations instead of <code>authorize?: false</code> <li> Introduced <code>SystemActor.for_tenant/2</code> for tenant-scoped seeding instead of manual actor maps <li> Extracted template creation logic into <code>seed_template_if_missing/5</code> and <code>create_template/4</code> functions <li> Extracted zen template creation into <code>seed_zen_template_if_missing/4</code> and <code>create_zen_template/4</code> functions <li> Extracted legacy template renaming into <code>maybe_rename_legacy_template/3</code>, <code>rename_template_if_missing/5</code>, and <code>do_rename_template/6</code> functions</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-23e36dfd159d88c93b9115b3a2879574bbf840e8177043375926287f7b06be0b">+93/-65</a>  </td> </tr> <tr> <td> <details> <summary>sync_ingestor_queue.ex<dd><code>Replace authorize false with SystemActor in sync queue</code>      </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/inventory/sync_ingestor_queue.ex <ul><li>Introduced <code>SystemActor.for_tenant/2</code> to replace manual actor map construction <li> Extracted available slots calculation into <code>available_slots/2</code> function <li> Extracted ingestion result handling into <code>apply_ingestion_result/1</code> function <li> Refactored sync recording into <code>with_sync_service/4</code> and <code>update_sync_source/7</code> helper functions <li> Replaced <code>authorize?: false</code> with proper actor-based authorization</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-297852dbd2cd497d38d586c8ccec0989d17ddf9c88570f0517798351fa25fe2e">+63/-81</a>  </td> </tr> <tr> <td> <details> <summary>sweep_compiler.ex<dd><code>Replace authorize false with SystemActor in sweep compiler</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/agent_config/compilers/sweep_compiler.ex <ul><li>Introduced <code>SystemActor.for_tenant/2</code> to replace manual actor map construction <li> Removed <code>build_system_actor/1</code> function in favor of <code>SystemActor</code> module <li> Replaced <code>authorize?: false</code> with proper actor-based authorization in Ash queries <li> Removed try-rescue wrapper around main compilation logic</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-fd107fcbfd91022cd5377ad79bcce1796630a25c17386187f4fbf90b35f2c941">+40/-50</a>  </td> </tr> <tr> <td> <details> <summary>tenant.ex<dd><code>Replace authorize false with SystemActor in tenant module</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/identity/tenant.ex <ul><li>Introduced <code>SystemActor.platform/1</code> for platform-level operations (CA generation, tenant registration) <li> Replaced <code>authorize?: false</code> with actor-based authorization throughout <li> Extracted platform actor creation for CA generation, tenant registration, and bootstrap operations <li> Updated function signatures to pass actor parameter through helper functions</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-9d0658a5118ece5eac7a6326788fdf59407a52f87c4b9c9ac69e6900bc04dc2a">+34/-17</a>  </td> </tr> <tr> <td> <details> <summary>system_actor.ex<dd><code>New SystemActor module for background operations</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/actors/system_actor.ex <ul><li>New module providing <code>for_tenant/2</code> function for tenant-scoped system actors <li> New module providing <code>platform/1</code> function for platform-wide system actors <li> Added <code>system_actor?/1</code> predicate function to identify system actors <li> Comprehensive documentation explaining usage patterns and security benefits</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-f3ebf5072e8a72e025076ca013e6726fb23a0169e9e8c9b0089489a4cf17a73d">+169/-0</a>  </td> </tr> <tr> <td> <details> <summary>zen_rule_seeder.ex<dd><code>Replace authorize false with SystemActor in zen rule seeder</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/observability/zen_rule_seeder.ex <ul><li>Introduced <code>SystemActor.platform/1</code> for cross-tenant seeding operations <li> Introduced <code>SystemActor.for_tenant/2</code> for tenant-scoped seeding <li> Extracted rule creation logic into <code>seed_rule_if_missing/4</code> and <code>create_rule/3</code> functions <li> Extracted legacy rule renaming into <code>rename_legacy_rule/3</code>, <code>rename_rule_if_missing/4</code>, and <code>do_rename_rule/6</code> functions <li> Replaced <code>authorize?: false</code> with proper actor-based authorization</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-020128ea25bd10b783725e19d2de73d039c5bfb116a80f13702617bf278e6801">+71/-51</a>  </td> </tr> <tr> <td> <details> <summary>agent_gateway_sync.ex<dd><code>Replace authorize false with SystemActor in gateway sync</code>  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/agent_gateway_sync.ex <ul><li>Introduced <code>SystemActor.for_tenant/2</code> to replace manual actor map construction <li> Removed <code>system_actor/1</code> function in favor of <code>SystemActor</code> module <li> Replaced <code>authorize?: false</code> with proper actor-based authorization in Ash operations <li> Reordered alias imports for consistency</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-9b32fb2972aa43999e1afb261429b23bcba6a8868eab704270158bb12e1825be">+13/-21</a>  </td> </tr> <tr> <td> <details> <summary>sweep_monitor_worker.ex<dd><code>Replace authorize false with SystemActor in sweep monitor</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/sweep_jobs/sweep_monitor_worker.ex <ul><li>Introduced <code>SystemActor.for_tenant/2</code> for sweep monitoring operations <li> Extracted schedule checking logic into <code>check_group_schedule/4</code> function with pattern matching <li> Refactored <code>parse_interval_to_seconds/1</code> into <code>parse_interval_string/1</code>, <code>unit_seconds/1</code>, and <code>parse_interval_fallback/1</code> helpers <li> Improved numeric formatting with underscores for readability (e.g., <code>86_400</code>)</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c25f50cc2e496fc7f8f883a12098f278c56ae1d2d42d4d2af4200d364e2ef9a8">+72/-53</a>  </td> </tr> <tr> <td> <details> <summary>operator_bootstrap.ex<dd><code>Replace authorize false with SystemActor in operator bootstrap</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/nats/operator_bootstrap.ex <ul><li>Introduced <code>SystemActor.platform/1</code> for platform-level NATS operations <li> Replaced <code>authorize?: false</code> with proper actor-based authorization <li> Extracted tenant account provisioning into <code>handle_tenants_needing_accounts/1</code> and <code>enqueue_tenant_account/1</code> functions <li> Simplified <code>oban_running?/0</code> by removing try-rescue wrapper</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-2acadd3d5a8123ab300055446a70406baa1ac7abbe77eeadd1398edb8002d110">+44/-34</a>  </td> </tr> <tr> <td> <details> <summary>create_account_worker.ex<dd><code>Replace authorize false with SystemActor in account worker</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/nats/workers/create_account_worker.ex <ul><li>Introduced <code>SystemActor.platform/1</code> to replace manual actor map construction <li> Replaced <code>authorize?: false</code> with proper actor-based authorization throughout <li> Simplified <code>oban_running?/0</code> by removing try-rescue wrapper <li> Updated actor creation for all tenant-related operations</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-752dc6f45f4c7cbfcb6fd7a4a78aa5b00db2ca592ba0486d26644a40f6826f4e">+32/-18</a>  </td> </tr> <tr> <td> <details> <summary>zen_rule_sync.ex<dd><code>Replace authorize false with SystemActor in zen rule sync</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/observability/zen_rule_sync.ex <ul><li>Introduced <code>SystemActor.for_tenant/2</code> for zen rule sync operations <li> Added <code>actor</code> field to module struct for GenServer state <li> Extracted rule synchronization logging into <code>sync_rule_with_logging/2</code> function <li> Extracted actor-aware sync into <code>sync_rule_with_actor/2</code> function <li> Replaced <code>authorize?: false</code> with proper actor-based authorization</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-d5f190f1d1692ffe3e1dba929363e6ff1ecbd70ddcb1f6f2240473466fe4ec8a">+42/-24</a>  </td> </tr> <tr> <td> <details> <summary>nats_leaf_server.ex<dd><code>Replace authorize false with SystemActor pattern</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/nats_leaf_server.ex <ul><li>Added <code>SystemActor</code> alias and replaced <code>authorize?: false</code> with actor-based authorization <li> Added <code>ProvisionLeafWorker</code> alias to simplify module references <li> Refactored <code>parse_cert_expiry/1</code> to use rescue clause instead of try-catch block <li> Added system actor bypass policy allowing <code>:system</code> role to perform all operations</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-1238b18bd9a2ef7a69301b9ea9263b06955dfffe19ab65ecba6045661039a1a3">+23/-17</a>  </td> </tr> <tr> <td> <details> <summary>tenant_resolver.ex<dd><code>Refactor to use SystemActor and extract helper functions</code>  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/tenant_resolver.ex <ul><li>Added <code>SystemActor</code> and <code>TenantCAGenerator</code> aliases for cleaner code <li> Replaced <code>authorize?: false</code> with platform actor in tenant lookup and CA operations <li> Extracted certificate extraction logic into separate <code>cowboy_cert/1</code> and <code>bandit_cert/1</code> helper functions <li> Simplified module references using aliases instead of full paths</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-13d528b4123c11b4be7479e60f13d8f81a7f1d7886761e6154afc131f80da45e">+28/-18</a>  </td> </tr> <tr> <td> <details> <summary>identity_reconciler.ex<dd><code>Refactor device reconciliation with helper functions</code>          </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/inventory/identity_reconciler.ex <ul><li>Refactored device ID resolution logic using <code>with</code> statement for better readability <li> Extracted <code>resolve_fallback_device_id/3</code> helper function <li> Simplified <code>lookup_by_strong_identifiers/2</code> conditional logic <li> Extracted <code>lookup_identifier/3</code> helper to reduce nesting in identifier lookup loop <li> Changed <code>lookup_by_ip/2</code> condition logic for clarity <li> Replaced <code>length(seeds) > 0</code> with <code>not Enum.empty?(seeds)</code> for idiomatic Elixir</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-44e54b676a35477750df6e011b27591e81673e1542a0cd24594d31994e3f27ff">+40/-36</a>  </td> </tr> <tr> <td> <details> <summary>provision_leaf_worker.ex<dd><code>Replace authorize false with SystemActor pattern</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_leaf_worker.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with platform/tenant-specific actors in resource loading <li> Updated <code>get_tenant_ca/2</code> to use tenant-scoped actor instead of bypassing authorization <li> Modified <code>update_leaf_server_status/5</code> to use actor-based authorization</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-42b9bbc172177f5b86b48c4f46fa9464d07616261e7e1e4f5ce7a3036c4ce2a5">+19/-6</a>    </td> </tr> <tr> <td> <details> <summary>health_tracker.ex<dd><code>Replace authorize false with SystemActor pattern</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/infrastructure/health_tracker.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with tenant-scoped actors in all Ash operations <li> Extracted <code>build_summary/1</code> helper function to reduce nesting in <code>summary/1</code></ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-51e82fcb12ce016dad558a5dcc0e17c2c58454af416f01a7ddb6668d9e5c6670">+33/-27</a>  </td> </tr> <tr> <td> <details> <summary>sync_ingestor.ex<dd><code>Refactor with Enum.empty and helper functions</code>                        </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/inventory/sync_ingestor.ex <ul><li>Replaced <code>length(list) > 0</code> checks with <code>Enum.empty?()</code> for idiomatic Elixir <li> Simplified function clause patterns for <code>bulk_lookup_identifiers/2</code> and <code>bulk_lookup_by_ip/2</code> <li> Extracted <code>cached_device_id/2</code> and <code>existing_device_id/3</code> helper functions <li> Refactored device ID resolution logic for better readability</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-fdf70a310cef758f735fae943c2a33bc7f851a1c3d1ba66499e911fd2bc5611a">+29/-30</a>  </td> </tr> <tr> <td> <details> <summary>authorize_false_usage.ex<dd><code>Add Credo check for authorize false usage</code>                                </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/credo/check/warning/authorize_false_usage.ex <ul><li>New Credo check to detect and warn about <code>authorize?: false</code> usage in production code <li> Provides guidance to use <code>SystemActor.for_tenant/2</code> or <code>SystemActor.platform/1</code> instead <li> Skips checks in test files and documentation <li> Implements pattern matching for various AST representations of <code>authorize?: false</code></ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-461a355aa3aa0a078274fb8d735d14bd1d120468a2c810713f043e655307d0ba">+103/-0</a>  </td> </tr> <tr> <td> <details> <summary>rule_seeder.ex<dd><code>Replace authorize false with SystemActor pattern</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/observability/rule_seeder.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with platform/tenant-scoped actors <li> Extracted <code>seed_rule_if_missing/5</code> and <code>create_rule/4</code> helper functions <li> Simplified rule seeding logic with better separation of concerns</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-0518d428a7d0e3836a352c170a073dbc94bda8e024047f96a0e66ec4b892c166">+33/-22</a>  </td> </tr> <tr> <td> <details> <summary>client.ex<dd><code>Extract configuration helper functions</code>                                      </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/data_service/client.ex <ul><li>Extracted <code>config_value/5</code>, <code>config_value_int/5</code>, and <code>config_value_bool/5</code> helper functions <li> Simplified configuration resolution logic by reducing repetitive <code>||</code> chains <li> Improved code readability and maintainability</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-503e195ad79e05e12d7ad03a675f6e35ffdfc201b8571b0d30a220fe036e03a1">+39/-21</a>  </td> </tr> <tr> <td> <details> <summary>tenant_worker.ex<dd><code>Refactor tenant worker with helper functions</code>                          </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/oban/tenant_worker.ex <ul><li>Refactored <code>execute_with_tenant/3</code> to extract result handling logic <li> Extracted <code>handle_perform_result/4</code>, <code>maybe_on_success/3</code>, and <code>maybe_on_failure/4</code> helpers <li> Improved error handling with cleaner separation of concerns <li> Moved rescue clause to top level for better exception handling</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-a2d14e300b5f729f194d9d817ffd08ac4bca2cf9b5f34710b1af0610c210f6bc">+42/-36</a>  </td> </tr> <tr> <td> <details> <summary>tenant_registry.ex<dd><code>Extract helper functions for registry operations</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/cluster/tenant_registry.ex <ul><li>Extracted <code>find_parent_supervisor/2</code>, <code>resolve_ancestor_pid/1</code>, and <code>maybe_child_pid/2</code> helpers <li> Extracted <code>tenant_registries/1</code> helper function for cleaner list comprehension <li> Improved code readability by reducing nesting</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-91248b3b128a2e3d9bea6ffdb5e0f295e4a1745e82f87687c640ad01416fb85d">+35/-27</a>  </td> </tr> <tr> <td> <details> <summary>event_publisher.ex<dd><code>Refactor event messages and add SystemActor</code>                            </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/infrastructure/event_publisher.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Refactored <code>message_for_event/4</code> into separate clauses for each event type <li> Replaced <code>authorize?: false</code> with platform actor in tenant lookup <li> Improved code organization and readability</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-63959335356644b886003c769be4239d2ca6d3c39d7c358e04eece859973e86b">+28/-22</a>  </td> </tr> <tr> <td> <details> <summary>tenant_queues.ex<dd><code>Replace authorize false and extract queue helpers</code>                </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/oban/tenant_queues.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with platform actor in tenant provisioning <li> Extracted <code>fetch_queue_stats/2</code>, <code>queue_stats/2</code>, <code>queue_counts/2</code>, <code>normalize_queue_counts/1</code>, and <code>empty_tenant_stats/1</code> helpers <li> Simplified queue statistics collection logic</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-44a3d7b5eae3e35edf813f060b444c311f39a363b35f41b77258f45fdc3ae32b">+42/-26</a>  </td> </tr> <tr> <td> <details> <summary>assign_tenant_id.ex<dd><code>Add aliases and extract tenant ID helpers</code>                                </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/changes/assign_tenant_id.ex <ul><li>Added aliases for <code>Ash.Changeset</code> and <code>Ash.Resource.Info</code> for cleaner code <li> Extracted <code>actor_tenant_id/1</code> and <code>changeset_tenant_id/1</code> helper functions <li> Simplified tenant ID resolution logic</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-ff319a6da51ba57109edf29b9673bccef01cadc7d42e22984ad82b9e121b25de">+20/-18</a>  </td> </tr> <tr> <td> <details> <summary>platform_service_certificates.ex<dd><code>Replace authorize false with SystemActor pattern</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/platform_service_certificates.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with tenant-scoped actors throughout <li> Updated actor creation from string <code>"system"</code> to proper <code>SystemActor.for_tenant/2</code></ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-70e6d8e5f480b13dad3f26a7058abe9759c57748ec7880b278d7cb3fc6e91b43">+8/-5</a>      </td> </tr> <tr> <td> <details> <summary>cluster_status.ex<dd><code>Refactor cluster status with helper functions</code>                        </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/cluster/cluster_status.ex <ul><li>Reordered aliases alphabetically <li> Refactored <code>coordinator_health/0</code> to use if-else instead of cond <li> Extracted <code>find_remote_coordinator/0</code> and <code>coordinator_node?/1</code> helper functions <li> Simplified <code>get_local_health/0</code> by removing try-catch wrapper</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-4d39914bf1e3d207119f8d94afc598809746aa5843fb55e52cac9222d0fd335b">+29/-27</a>  </td> </tr> <tr> <td> <details> <summary>config_server.ex<dd><code>Replace authorize false with SystemActor pattern</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/agent_config/config_server.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with tenant-scoped actor in database loading <li> Extracted <code>compile_cache_miss/6</code> helper function for cleaner cache handling</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-a4d8447584bfcd1088465714c00bea67c90100320b125857ac5bd6a9783de468">+19/-13</a>  </td> </tr> <tr> <td> <details> <summary>compile_zen_rule.ex<dd><code>Extract zen rule compilation helpers</code>                                          </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/observability/changes/compile_zen_rule.ex <ul><li>Extracted <code>apply_compiled_jdm/2</code>, <code>jdm_definition_present?/1</code>, and <code>atomic_payload/3</code> helpers <li> Refactored atomic change logic using <code>with</code> statement <li> Improved code organization and readability</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-8b4899d4648bdce097acf4e2b9fa07d4a616c587148032438c2390e61ff0f018">+34/-24</a>  </td> </tr> <tr> <td> <details> <summary>generator.ex<dd><code>Replace authorize false and format numbers</code>                              </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/tenant_ca/generator.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with platform actor in tenant loading <li> Reformatted large numbers with underscore separators (e.g., <code>65537</code> to <code>65_537</code>)</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-b48e4a9e1189da61e2a60e16f56fce81298d76b7cdab745107140fed3f6e48b4">+8/-4</a>      </td> </tr> <tr> <td> <details> <summary>reserved_tenant_slug.ex<dd><code>Extract slug and platform flag helpers</code>                                      </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/identity/validations/reserved_tenant_slug.ex <ul><li>Extracted <code>changeset_slug/1</code>, <code>data_slug/1</code>, <code>normalize_slug/1</code> helpers <li> Extracted <code>platform_flag_from_data/1</code> helper function <li> Simplified slug and platform flag resolution logic</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-3495f8e60db2c1472c538ed33b6d2be79730d7938ad034d273281040ee1558cb">+29/-35</a>  </td> </tr> <tr> <td> <details> <summary>alert.ex<dd><code>Add module aliases and system actor policy</code>                              </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/monitoring/alert.ex <ul><li>Added aliases for nested modules to simplify references <li> Added system actor bypass policy allowing <code>:system</code> role to perform all operations <li> Refactored duration calculation logic to check <code>is_nil(resolved_at)</code> instead of negation</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-a1371457b01155b89847470cc99d9f96141da0b2381b600a6aa50da1a99b9db6">+25/-10</a>  </td> </tr> <tr> <td> <details> <summary>collector_package.ex<dd><code>Replace authorize false and add SystemActor</code>                            </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/collector_package.ex <ul><li>Added <code>SystemActor</code> and <code>PubSub</code> aliases <li> Replaced <code>authorize?: false</code> with tenant-scoped actors in credential operations <li> Added system actor bypass policy allowing <code>:system</code> role to perform all operations <li> Simplified PubSub broadcast calls using alias</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c80c5b92e14cbc1b9d44f22a90cef81f628a5e02caf4aa9c40cce6b5c1ce54cc">+15/-6</a>    </td> </tr> <tr> <td> <details> <summary>health_check_registrar.ex<dd><code>Extract service configuration helpers</code>                                        </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/infrastructure/health_check_registrar.ex <ul><li>Extracted <code>map_service_config/3</code> and <code>basic_service_config/4</code> helper functions <li> Simplified service configuration logic by reducing repetitive map construction</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-402d0bd9780ffc6f0d97d354262abe290c8a3a088506028090b7be4c4d231148">+27/-27</a>  </td> </tr> <tr> <td> <details> <summary>nats_credential.ex<dd><code>Add PubSub alias and system actor policy</code>                                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/nats_credential.ex <ul><li>Added <code>PubSub</code> alias for cleaner code <li> Added system actor bypass policy allowing <code>:system</code> role to perform all operations <li> Reformatted multi-line changeset operations for better readability <li> Simplified PubSub broadcast calls using alias</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-43ab32ff01411168b07440bda6db64607f5823654b49471e63d59c3efc643649">+17/-4</a>    </td> </tr> <tr> <td> <details> <summary>agent_config_generator.ex<dd><code>Reorder aliases and simplify error handling</code>                            </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/edge/agent_config_generator.ex <ul><li>Reordered aliases alphabetically <li> Removed try-catch wrapper from <code>load_agent_checks/2</code> function <li> Simplified error handling with rescue clause at function level</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-f368b9b41fa062759f00ff6fcae314cc5a42bb1caca82a9069103a803df1f9d7">+25/-27</a>  </td> </tr> <tr> <td> <details> <summary>device.ex<dd><code>Replace authorize false with SystemActor pattern</code>                  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/actors/device.ex <ul><li>Added <code>SystemActor</code> alias for authorization <li> Replaced <code>authorize?: false</code> with tenant-scoped actors in device operations <li> Changed <code>length(state.events) > 0</code> to <code>Enum.empty?(state.events)</code> for idiomatic Elixir</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-eba1d95a852e4a736813c7b486da651704f20718e24f931c966ff3f37c421eea">+7/-4</a>      </td> </tr> <tr> <td> <details> <summary>pipeline.ex<dd><code>Refactor batcher determination with rules</code>                                </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/event_writer/pipeline.ex <ul><li>Reordered aliases alphabetically <li> Refactored <code>determine_batcher/1</code> to use <code>Enum.find_value/3</code> with rule list <li> Extracted <code>batcher_rules/0</code> helper function for cleaner subject matching</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-876e8049c9abc69fbc9af55c1b159011b8a52e0fe55db77281a14480fcd47548">+19/-14</a>  </td> </tr> <tr> <td> <details> <summary>spiffe.ex<dd><code>Refactor SPIFFE verification with helpers</code>                                </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/spiffe.ex <ul><li>Refactored <code>verify_peer_callback/3</code> into separate function clauses for each event type <li> Extracted <code>verify_spiffe_id/2</code> helper function <li> Improved code organization and readability</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-0cb8d921c19f671b66f91c0978e351e71d927c5f4694924984c9f1ed34d7ee78">+24/-28</a>  </td> </tr> </table></details></td></tr><tr><td>Formatting</td><td><details><summary>6 files</summary><table> <tr> <td> <details> <summary>agent_registry_test.exs<dd><code>Test code formatting and idiomatic improvements</code>                    </dd></summary> <hr> elixir/serviceradar_core/test/serviceradar/registry/agent_registry_test.exs <ul><li>Reformatted port numbers using underscore separators (e.g., <code>50051</code> to <code>50_051</code>) for readability <li> Replaced <code>length(list) >= 1</code> checks with <code>refute Enum.empty?(list)</code> for better idiomatic Elixir <li> Replaced <code>length(list) >= 2</code> with pattern matching <code>[_first, _second | _]</code> for clarity</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e46695d8be4c0156bea5a577432628ea11a106208eaae749e30ca71d6ec42b47">+25/-25</a>  </td> </tr> <tr> <td> <details> <summary>agent_health_test.exs<dd><code>Format numeric literals with underscores</code>                                  </dd></summary> <hr> elixir/serviceradar_core/test/serviceradar/infrastructure/agent_health_test.exs <ul><li>Updated numeric literals to use underscore separators for readability (e.g., <code>50_051</code> instead of <code>50051</code>) <li> Applied consistent formatting across all port number assignments in test fixtures</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-7a3693ac8ee430373b23d02fade2d848001d9b6ddba5412b5a407729c0b4fff3">+14/-14</a>  </td> </tr> <tr> <td> <details> <summary>otel_traces_test.exs<dd><code>Format numeric literals with underscores</code>                                  </dd></summary> <hr> elixir/serviceradar_core/test/serviceradar/event_writer/processors/otel_traces_test.exs <ul><li>Updated numeric literals to use underscore separators for readability (e.g., <code>1_705_315_800_000_000_000</code>) <li> Applied consistent formatting across all large number assignments in test data</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-9a0deddceb471b98e8d0b2cc37ca61173e326a9d4341b2780fb19d840b923b7d">+13/-13</a>  </td> </tr> <tr> <td> <details> <summary>tenant_schemas.ex<dd><code>Add module aliases for SQL and error handling</code>                        </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/cluster/tenant_schemas.ex <ul><li>Added aliases for <code>Ecto.Adapters.SQL</code> and <code>Postgrex.Error</code> for cleaner code <li> Replaced all <code>Ecto.Adapters.SQL</code> calls with <code>SQL</code> alias <li> Replaced <code>Postgrex.Error</code> with <code>PostgrexError</code> alias throughout</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-1bedaaf2d80ba8ab6f6fc08d8b34e058cdcd0180706065b9fa51c408854a71b2">+11/-9</a>    </td> </tr> <tr> <td> <details> <summary>agent_test.exs<dd><code>Format port numbers with underscore separators</code>                      </dd></summary> <hr> elixir/serviceradar_core/test/serviceradar/infrastructure/agent_test.exs <ul><li>Reformatted port numbers using underscore separators (e.g., <code>50051</code> to <code>50_051</code>) <li> Applied consistent formatting across multiple test cases</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e035161e108d3ea7c662f359f06bb781b751069c717465d8184ab51d86c5d409">+12/-12</a>  </td> </tr> <tr> <td> <details> <summary>cross_tenant_access_test.exs<dd><code>Reorder aliases and format port numbers</code>                                    </dd></summary> <hr> elixir/serviceradar_core/test/serviceradar/security/cross_tenant_access_test.exs <ul><li>Reordered aliases alphabetically <li> Reformatted port numbers using underscore separators (e.g., <code>50051</code> to <code>50_051</code>)</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-95ab5b08b226f5bb43b4ea3eba94b33c092b2bd1e3bfd21ad5592d1fa21a8e64">+6/-6</a>      </td> </tr> </table></details></td></tr><tr><td>Refactoring</td><td><details><summary>7 files</summary><table> <tr> <td> <details> <summary>events.ex<dd><code>Refactor event processing with extracted helper functions</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/event_writer/processors/events.ex <ul><li>Extracted row building and insertion logic into separate private functions <code>build_rows/1</code> and <code>insert_event_rows/2</code> <li> Refactored <code>parse_message/1</code> to use <code>with</code> pattern matching instead of nested <code>if/case</code> statements <li> Extracted required field validation into <code>required_event_fields/1</code> function <li> Added helper functions <code>jsonb_or_empty_map/1</code>, <code>jsonb_or_empty_list/1</code>, and <code>parse_string_or/2</code> to reduce duplication</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e07b18480fd4cd1259b3401adb542f9931a421fff7fdbecd6771165367013c78">+96/-64</a>  </td> </tr> <tr> <td> <details> <summary>netflow.ex<dd><code>Refactor netflow processing with helper functions</code>                </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/event_writer/processors/netflow.ex <ul><li>Added <code>@direction_map</code> module attribute to consolidate direction string mappings <li> Extracted row building and insertion logic into <code>build_rows/1</code> and <code>insert_netflow_rows/2</code> functions <li> Refactored <code>parse_message/1</code> to use <code>with</code> pattern matching for cleaner error handling <li> Added <code>flow_value/4</code> helper function to reduce duplication in field extraction logic <li> Simplified <code>parse_direction/1</code> to use map lookup instead of case statement</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-ac524b2cd0cde0bcb807814299c4d3ec5c7497c4db9b2f5bd3b00c7539736206">+51/-40</a>  </td> </tr> <tr> <td> <details> <summary>result_processor.ex<dd><code>Refactor result processor with extracted helper functions</code></dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/core/result_processor.ex <ul><li>Replaced <code>length(list) > 0</code> checks with <code>Enum.empty?/1</code> for consistency <li> Extracted canonical snapshot application into separate functions <code>apply_canonical_device_id/2</code>, <code>apply_snapshot_mac/2</code>, <code>apply_snapshot_hostname/2</code>, and <code>apply_snapshot_attributes/2</code> <li> Extracted attribute copying logic into <code>copy_attribute_if_empty/3</code> function <li> Refactored <code>has_strong_identity?/1</code> to use helper functions <code>has_attribute?/2</code> and <code>has_value?/1</code></ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-f7e2338fbec758691af214fbe19d6353004519685e7a49a6db4dc7ee13b6df53">+71/-71</a>  </td> </tr> <tr> <td> <details> <summary>poll_orchestrator.ex<dd><code>Refactor gateway finding with pattern matching</code>                      </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/monitoring/poll_orchestrator.ex <ul><li>Refactored <code>find_gateway/1</code> into separate clauses for each assignment mode (<code>:any</code>, <code>:partition</code>, <code>:domain</code>, <code>:specific</code>) <li> Extracted gateway PID resolution into <code>resolve_gateway_pid/2</code> and <code>resolve_gateway_pid_from_registry/2</code> functions <li> Extracted gateway ID resolution into <code>resolve_gateway_id/2</code> function <li> Improved code readability by using pattern matching in function heads</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-68a63639fc9d92d29501700c6604921098c9bbbf21e54f9148c1109c17c9c6d4">+83/-72</a>  </td> </tr> <tr> <td> <details> <summary>logs.ex<dd><code>Refactor log processing with extracted helper functions</code>    </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/event_writer/processors/logs.ex <ul><li>Extracted row building and insertion logic into <code>build_rows/1</code> and <code>insert_log_rows/2</code> functions <li> Refactored <code>parse_message/1</code> to use <code>with</code> pattern matching for cleaner error handling <li> Extracted log payload parsing into <code>parse_log_payload/4</code> function <li> Extracted ingest metadata building into <code>build_ingest_metadata/1</code> and <code>merge_ingest_metadata/2</code> functions <li> Added <code>merge_ingest_value/2</code> helper for conditional map merging</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-60c56675b539f19f1cce7702a571d883df17ce5c20a32bdc95afcd329b0b0efd">+54/-39</a>  </td> </tr> <tr> <td> <details> <summary>alert_generator.ex<dd><code>Refactor alert generator with extracted helper functions</code>  </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/monitoring/alert_generator.ex <ul><li>Extracted stats alert skipping logic into <code>skip_stats_alert?/4</code> function <li> Extracted stats alert sending into <code>maybe_send_stats_alert/4</code> function <li> Extracted alert building into <code>build_stats_alert/4</code> and <code>build_stats_alert_details/3</code> functions <li> Refactored <code>severity_from_event/1</code> to use helper function <code>severity_for_id/1</code> with pattern matching</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-62074160ac91002a439bab337a032329681bc55c84a59ab9934bc76d05a5de04">+60/-45</a>  </td> </tr> <tr> <td> <details> <summary>cluster_health.ex<dd><code>Simplify cluster health check logic</code>                                            </dd></summary> <hr> elixir/serviceradar_core/lib/serviceradar/cluster/cluster_health.ex <ul><li>Simplified health check logic by replacing <code>cond</code> with <code>if-else</code> statement <li> Improved readability by inverting condition to check healthy state first</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-65e2a238e7a24c82a3772842be52ddfeb155d66c6f1341e6e652ec3161c5d8bb">+6/-8</a>      </td> </tr> </table></details></td></tr><tr><td>Configuration</td><td><details><summary>1 files</summary><table> <tr> <td> <details> <summary>.credo.exs<dd><code>Add Credo configuration for code quality</code>                                  </dd></summary> <hr> elixir/serviceradar_core/.credo.exs <ul><li>New Credo configuration file for code quality checks <li> Includes custom check for <code>authorize?: false</code> usage detection <li> Configures standard Elixir code style checks and refactoring suggestions <li> Sets max line length to 120 characters</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-ed8b22997f4146a023c74392283e977a891cc852b0e8213eaeb1331bca0a6dae">+120/-0</a>  </td> </tr> </table></details></td></tr><tr><td>Tests</td><td><details><summary>1 files</summary><table> <tr> <td> <details> <summary>system_actor_test.exs<dd><code>Add SystemActor module tests</code>                                                          </dd></summary> <hr> elixir/serviceradar_core/test/serviceradar/actors/system_actor_test.exs <ul><li>New comprehensive test suite for <code>SystemActor</code> module <li> Tests for <code>for_tenant/2</code> function with various component names <li> Tests for <code>platform/1</code> function <li> Tests for <code>system_actor?/1</code> predicate with multiple actor types <li> Tests for actor structure and required fields</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-a9d9c2b5b7acc2e94966f4ec4f44efdedfcde3218c1d81c7432684abf2bc054c">+135/-0</a>  </td> </tr> </table></details></td></tr><tr><td>Additional files</td><td><details><summary>98 files</summary><table> <tr> <td>serviceradar-core-lint.yml</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e5c0285bdbd2331395152999bb32e56f3ceda3dde07288ca50ac43d1abfa14b5">+59/-0</a>    </td> </tr> <tr> <td>Makefile</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52">+2/-0</a>      </td> </tr> <tr> <td>CLAUDE.md</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e74c4b4d45e00f50d935fe88bc4bf340a126a9e253c77b34d4da165aeca4c846">+101/-0</a>  </td> </tr> <tr> <td>create_version_history.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-edf276f4ea9f73468d843cc8db84191727a3e37c3e964146c29419e91f120d50">+17/-2</a>    </td> </tr> <tr> <td>config_cache.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-95f0c8640267167409c8af66d33550c2440b1ac5ec810f5e4d6fcd8df6ef8e2f">+8/-8</a>      </td> </tr> <tr> <td>config_instance.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-37fd443381f2242517ed060fccbc634e3f2500b06a8702393ad8e7e034caece2">+5/-0</a>      </td> </tr> <tr> <td>config_template.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-1151a4c39db6cce97d7534f76218bd4ae14de0b1fff9cade8294c88ef67044a2">+5/-0</a>      </td> </tr> <tr> <td>config_version.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-df079b1f5d9a8c20be9c34dcfc21f00b03bc12bc729b71471931de1e2aceff83">+5/-0</a>      </td> </tr> <tr> <td>tenant_guard.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-2bfe90d04e02f851260ae70b6a6d3994a6c0d5b424504abb8908b105b4a74ecd">+4/-6</a>      </td> </tr> <tr> <td>tenant_registry_loader.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-f1f2089a22634757253aac7ac45805d1a430155e68f1efc60b2b59ef166d070c">+5/-1</a>      </td> </tr> <tr> <td>agent_process.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-b1a0ba4695f84f3faee480a7488345eedbf5668d6fda1f635b6ec70aa990a688">+4/-3</a>      </td> </tr> <tr> <td>edge_site.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c6a7f6bef220835fafec4056ccd604111948939e3862bebfac6331e34af533f6">+8/-1</a>      </td> </tr> <tr> <td>gateway_process.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-b0b102ecc88366a0e9eea09de860b80929729880cd47f1aa96d6cfcb0ccc9f8f">+1/-1</a>      </td> </tr> <tr> <td>onboarding_package.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e6ba48ec0db807092011fd63f422a085c059eecb8f7512e14e56b1a764920b82">+5/-0</a>      </td> </tr> <tr> <td>tenant_ca.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-45488c104eb11a38ea61cbe73beff2e25f42827abb55fce323d93cfc90db86b3">+5/-0</a>      </td> </tr> <tr> <td>health.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-d6ea366663e57dff2287712135b0a4a6dbf110f944a84dceec470f928059fc4d">+1/-1</a>      </td> </tr> <tr> <td>otel_metrics.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c304cc592b24492a8cd4da545677a6a36e6174b654ba34fd024cca0940b29c31">+19/-12</a>  </td> </tr> <tr> <td>otel_traces.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-4c389f5379801248127f3b04c42a9b945381ac7976bacd6294b233d66ea6c6a9">+19/-12</a>  </td> </tr> <tr> <td>telemetry.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-05a6273e101447a8d99fb3621640370bc66fe3b491fbce305738113e81f5cf59">+19/-12</a>  </td> </tr> <tr> <td>audit_writer.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-8af488e06b41a758f9c69de2f17fff3c95d51137e277e3c8badb94b0c7370615">+2/-3</a>      </td> </tr> <tr> <td>health_writer.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-16a7cd9230fa6615bfa2df9827fd17f1a4e4672ffb7387d025170e74e20f2757">+1/-1</a>      </td> </tr> <tr> <td>internal_log_publisher.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-5f7207a72526a27e9d3da31f1b3b40b16fe880570378f2df571b70abcdd782a0">+5/-1</a>      </td> </tr> <tr> <td>job_writer.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-ee6fc954baedc85a309e48681575c44bf0210585b0db498df2c6b439b457109e">+1/-1</a>      </td> </tr> <tr> <td>onboarding_writer.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-afd0d16afe71e46bf1d2be36b464f3f0bb140df2d1b59f417e89b08d7d2fee45">+10/-2</a>    </td> </tr> <tr> <td>api_token.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-17a3c2836d27337341d157d48174c5b7c646b6b393e15f1adfcce18f85791765">+5/-0</a>      </td> </tr> <tr> <td>assign_default_tenant.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-436a33742fe2d80cc9e050fd2e936681dbd6cb2c8bcb34ad1a442d9e7b2eb8a4">+4/-6</a>      </td> </tr> <tr> <td>identity_cache.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-04c198fc69687b32a393483fdba8bef2689d49c31e7e37b3879e845dc18498f2">+11/-13</a>  </td> </tr> <tr> <td>send_magic_link_email.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-6fee42baf4eb3b1ffd6ad280a913ddf1298485b91c8b5d8ed7cb54b6e261dc4e">+9/-2</a>      </td> </tr> <tr> <td>tenant_membership.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-ca364fc0ff0f6acd8031829499723d0a07400541b19d9623144b3123c6bf1445">+5/-0</a>      </td> </tr> <tr> <td>user.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c9420769195b92ae85f0cf0f4eed8872c342663a45bf0a1f5ae3864a68d632e7">+5/-0</a>      </td> </tr> <tr> <td>users.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c58eb3ecf3c38dc46cc3e3167b3592e84b6abf4d91a1247870604f72ef39b45b">+4/-6</a>      </td> </tr> <tr> <td>unique_platform_tenant.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e7b1ab070d7c34f710bfc6459ec33a6c1570fe73eb204c6bf68cdba7b8cb7883">+6/-1</a>      </td> </tr> <tr> <td>agent.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c56f92b6ce744cab3f2dc00dde92e2017cffdd12ad4618f7fa720252f2a6843a">+8/-5</a>      </td> </tr> <tr> <td>checker.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-20f578df816dd87f4fac2f4a739aa8a4cc2e18beac6d524b30a9da624225ddc2">+8/-3</a>      </td> </tr> <tr> <td>gateway.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-1655f7cc80c8949b3d2c9e50d20110cb85883413fb6181825bfbcf0bda578c6b">+8/-3</a>      </td> </tr> <tr> <td>health_check_runner.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-62d9c7231cd37a4f69c9e415878353acba3261d7fd24d93815a9fb5374a41db8">+16/-20</a>  </td> </tr> <tr> <td>health_event.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-2734b4d4bc8ae43570115d17c1b66fe6e4864a18f3cb26f5116e4cb2f93a7aa8">+12/-3</a>    </td> </tr> <tr> <td>nats_operator.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-f89214d61d9399a9344478b85a655ada729ff7128361030cebf1f6f031178624">+4/-1</a>      </td> </tr> <tr> <td>nats_platform_token.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-06c6db334f81778084d004b13b512b501e2c43a9ffca4d0ab1071c4b672b3cf4">+7/-2</a>      </td> </tr> <tr> <td>partition.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c484f007330e14b5eb56ee4b45f88228fde38a716b19d64be4c318009b91870a">+9/-7</a>      </td> </tr> <tr> <td>state_monitor.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-f7126063b55676150db789fed6fd10c9ca4df307b4f62eb6253ae71b78f47c3d">+3/-11</a>    </td> </tr> <tr> <td>integration_source.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-2cd4228801a527fa4b0b74c0e16210095001e39a8bdc359ac564e62a52c38bd9">+9/-1</a>      </td> </tr> <tr> <td>sync_config_generator.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-ca7290d1b732ecaae7c87d810e1307402f108dd254ede919a986925c41f199ee">+8/-3</a>      </td> </tr> <tr> <td>device.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-f5671d34fab1f3bdb0bcc4db602074e03c803bb379bb530c54da9925cae883f2">+9/-3</a>      </td> </tr> <tr> <td>device_group.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-84b7249b64c84fe1c97167c93c767152ec207f5d8a6f2dd54133e9f8e40010d3">+5/-0</a>      </td> </tr> <tr> <td>ocsf_event.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-7006b1cb90cb40d11d32ef6d12ec57ab3a84b57a5c2c825b3990ffa991d55e92">+5/-0</a>      </td> </tr> <tr> <td>poll_job.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e136cc8589304337f0da1f828071baed58c38dc25e82a40a611cd1e5c03fd88d">+5/-0</a>      </td> </tr> <tr> <td>polling_schedule.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-2d29c8ad66e47435f150d4cf17167ecc6f048a6df9526c21cdc06ed248829cb7">+5/-0</a>      </td> </tr> <tr> <td>service_check.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-1eaae043f0f4aa369ffb214a39127c0ab9e94231345a0e15c66226f50ae6a206">+5/-0</a>      </td> </tr> <tr> <td>webhook_notifier.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-d1fa038f86e67bf2a18fabc9f20a64b81594b1679709bb3398750793a521964b">+6/-8</a>      </td> </tr> <tr> <td>account_client.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-2e18ac777ac600b12982ba9e9d5327e23ebd84c139a2add7976f8bf61283e554">+21/-18</a>  </td> </tr> <tr> <td>router.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-976ce62079de3ecb83b609f4f5146105430f3dd87472f244130ef4815efd282b">+11/-10</a>  </td> </tr> <tr> <td>sync_zen_rule.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-8df265115a5ecb977c162785fdb0b65accc0393956edd7bf1e97b18a5a45452d">+21/-20</a>  </td> </tr> <tr> <td>log.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-0ce3a791fe2326e9b707407f72e5ad699093e4743879ce279804a478178ae119">+5/-0</a>      </td> </tr> <tr> <td>log_promotion_rule.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-83f9c69192f3f00691adfd18645ab89257b30c651fd71f852d1146522b9ff18d">+5/-0</a>      </td> </tr> <tr> <td>log_promotion_rule_template.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-d1a2f573520c45a47d2ab06d7d590bcedd799effe7a6691b65135988d404f30e">+5/-0</a>      </td> </tr> <tr> <td>otel_trace.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-2e229d71890be6dbc60174af6df1b1942f51247a691c8156dce4d8683ebbd160">+5/-4</a>      </td> </tr> <tr> <td>otel_trace_summary.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e71297a7b0c703d0258abbe2d06d796005bd91bda67154e46d82ed8b554e4fe1">+1/-4</a>      </td> </tr> <tr> <td>stateful_alert_cleanup_worker.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-223ffe1df2c7295d4b04bf355ce2e5dfb99b3bfbf0ceaa55aebd9b46ae8db591">+8/-5</a>      </td> </tr> <tr> <td>stateful_alert_rule.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-0f89f415054a875a7dd5b104966f4a2b60354b23353ce4c2ea8a9e83dfc6128f">+5/-0</a>      </td> </tr> <tr> <td>stateful_alert_rule_history.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-bdf937d7808f711496f21f7968afca16ec09b6ee9114ebaa893068cf6f7452f0">+5/-0</a>      </td> </tr> <tr> <td>stateful_alert_rule_state.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-92322404f925f8f672cd02ddb3298423f87ec257b1b83ae96fe196a39af894d5">+5/-0</a>      </td> </tr> <tr> <td>stateful_alert_rule_template.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c29ff715b32e958379366530de132a522181b9bf34249ae89e32e3383216f0ab">+5/-0</a>      </td> </tr> <tr> <td>sync_log_writer.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-4f519dce59882a57e8b5170e989c87196f96aefbb50fe121fdf298e16d30fbf6">+4/-1</a>      </td> </tr> <tr> <td>window_bucket.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-0256ff5d8198403f4c8a50317f37199c08afc6045f0116dd5002ecc958e82b9f">+15/-14</a>  </td> </tr> <tr> <td>zen_rule.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-7b80d236d986643dd043ab34b7b3d324ea1b58b486bc4261bbd7f2373ab38bd1">+5/-0</a>      </td> </tr> <tr> <td>zen_rule_template.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-72bc5c66a9419797f77dcb9f8082c9298be07cdfaabe5f949bab677ca79a0500">+5/-0</a>      </td> </tr> <tr> <td>nats_account.pb.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-3d19a9481184a2e9854383f6d53ec64d19b7e7670bd148d9fe44accb831da318">+0/-1</a>      </td> </tr> <tr> <td>agent_registry.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-9f192818338c69d60170c4119289f7aa31117f6b63224a4ea22a098a69dca2e1">+8/-3</a>      </td> </tr> <tr> <td>sweep_data_cleanup_worker.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-b8660522af1e1ad3ba8da56f754567fdae03d09fa9e18749a3a49435893073fe">+10/-1</a>    </td> </tr> <tr> <td>sweep_group.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-b7bfa2b8463be683eee7cf96abc97b135d225049d6507009f98a2e0ee658c728">+5/-0</a>      </td> </tr> <tr> <td>sweep_group_execution.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-35d4958b8252ecd025abfb7526da27788c2a1f08a5e22883bc1ca517c1432eb0">+5/-0</a>      </td> </tr> <tr> <td>sweep_host_result.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-6c0c4eb2ef2eeef5d76fd9fc1859240b7e3d4b1b2cdd6e72f86208c32c0086db">+5/-0</a>      </td> </tr> <tr> <td>sweep_profile.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-4977d4fef97c317cd8f6f15b0762d96d856b4d42e5ae7bf1341e8f7ef26651e4">+5/-0</a>      </td> </tr> <tr> <td>target_criteria.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-a71ead6955e751bd5d27c6d81b1723147aebfbe4c80deedc20afbaed02afc062">+15/-19</a>  </td> </tr> <tr> <td>client.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e83ca7f2697968eb50d0c8bb1063567d7fa71bb432a0ef48ca99e6fa96a75e7f">+1/-1</a>      </td> </tr> <tr> <td>telemetry.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-367e9f084e8dacc9a55c732c99d54c7fc87241bd642171b6f34b48c039309630">+8/-12</a>    </td> </tr> <tr> <td>cross_tenant_isolation_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-4a856a5c0a91682e078cba31502e576ade94ea63dc32d9145dc076cebc8e9eb1">+1/-1</a>      </td> </tr> <tr> <td>config_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-0e6ed3b49f9fc318654d2f8652d4bc584b8c2adca89b899b9d0178afdee404ca">+1/-1</a>      </td> </tr> <tr> <td>logs_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-e7bb39c18ef7f930fa926e4363387dada01f232c46e2d048ded396cca6f57fee">+2/-2</a>      </td> </tr> <tr> <td>otel_metrics_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-5be3a4380eb5a24a45a8800d47b61b3f64faeff173e6c4f067989fe9c6ff6f4d">+1/-1</a>      </td> </tr> <tr> <td>agent_tenant_isolation_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-aa1ce917b09aba711f531ae26a989fe3391ca2d6d573da81ef8d181cbdde9271">+8/-8</a>      </td> </tr> <tr> <td>health_tracker_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-9cc64b98b1c98a8c4a53e908efed61d76c3b1cb30d48d49cacd3b9359337cd85">+1/-1</a>      </td> </tr> <tr> <td>state_machine_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-9ed154f0caacaa1e967d1aae667daa4562c30f877114a5f35d8aaad26bd136ad">+1/-1</a>      </td> </tr> <tr> <td>poll_job_integration_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-d9b76f872d25d5d1be462fe2b540a0c81359cfec22bb54887dd2a1c573cc50f4">+1/-1</a>      </td> </tr> <tr> <td>account_client_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-df0db4d18387eaa5ae7a9983ebde6184d728d836a9f6f01c75c39a805a8e662c">+4/-4</a>      </td> </tr> <tr> <td>log_promotion_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-378255b98ae8842e86c7a1e9249c928de8a1a5b60cd85887d23970ad56e784b8">+6/-4</a>      </td> </tr> <tr> <td>registry_sync_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-c05c8f4a1fb97191aff6aec2cae9f7d2d32bfb1a21944a49b3e86e6d03da6db4">+6/-8</a>      </td> </tr> <tr> <td>edge_isolation_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-bf0220c5a2c4f831b9dad24beee0091dad4c468d0fb2bd29fe6ce97aa5dc8eb8">+4/-4</a>      </td> </tr> <tr> <td>status_handler_integration_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-d4c4dfd3ffb03322e52c019220e860212e15314d0bd6ed87eb80086b0237a9ac">+1/-1</a>      </td> </tr> <tr> <td>sweep_compiler_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-57f7deaf4baa32135b553fb62cb1679f9f40030a4459b4482df9452b6b964550">+2/-2</a>      </td> </tr> <tr> <td>telemetry_test.exs</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-75d7a2dd357bee15c8c6c978b31ee75816b323dfff08ebfbb2b2d3e541cdd29a">+2/-2</a>      </td> </tr> <tr> <td>proposal.md</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-5a6d9406a8357a5178d6f12507bd86dcbfc797cd2ecb2153843af5b475133419">+78/-0</a>    </td> </tr> <tr> <td>tasks.md</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-988c983aa7137ccc47b4295a8add07f3e70bf6b8bfbd8e94aa44adb4cc681486">+94/-0</a>    </td> </tr> <tr> <td>design.md</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-07cfad9cf1895a27b1a2162bebb020b7f8318229ac942d362c0a0086c6547713">+217/-0</a>  </td> </tr> <tr> <td>proposal.md</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-60ed01295f099db59f906b02dea82a74f5c65480bff77c7352d2b3fae70e1567">+100/-0</a>  </td> </tr> <tr> <td>tasks.md</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-cbb5196cfdbabcdf1d1c88bd690e2ac294ae9aeac54d1193bee4cc93364712ae">+63/-0</a>    </td> </tr> <tr> <td>index.ex</td> <td><a href="https://github.com/carverauto/serviceradar/pull/2273/files#diff-b2127e71582033bc6dfd2d7397f56bf43c1f7c613defffc504b3d8ee1e7406c4">+1/-1</a>      </td> </tr> </table></details></td></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2026-01-12 18:01:47 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2273#issuecomment-3739799002
Original created: 2026-01-12T18:01:47Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Dynamic schema injection Description: Dynamic Ecto query sources are built via string concatenation (`{tenant_schema <>` `".ocsf_devices", Device}`) without validating/sanitizing `tenant_schema`, so if `TenantSchemas.schema_for_tenant/1` can be influenced or returns unexpected values this could enable cross-tenant writes or SQL injection via crafted schema/table identifiers. sweep.ex [203-226] Referred Code unless Enum.empty?(available_uids) do from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^available_uids ) \|> Repo.update_all(set: [is_available: true, last_seen_time: timestamp, modified_time: timestamp]) end end defp update_unavailable_devices(results, device_map, tenant_schema, timestamp) do unavailable_uids = results \|> Enum.reject(fn r -> r["icmp_available"] \|\| r["icmpAvailable"] end) \|> Enum.map(fn r -> r["host_ip"] \|\| r["hostIp"] \|\| r["ip"] end) \|> Enum.reject(&is_nil/1) \|> Enum.map(&Map.get(device_map, &1)) \|> Enum.reject(&is_nil/1) \|> Enum.map(& &1.canonical_device_id) unless Enum.empty?(unavailable_uids) do from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^unavailable_uids ... (clipped 3 lines)
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit logging: The new actor-based background operations (reads/updates/creates via `Ash.*` calls) do not show explicit audit-trail logging of critical actions (actor, action, outcome), which may be required but cannot be verified from this diff alone. Referred Code `defp load_rules(state) do actor = SystemActor.for_tenant(state.tenant_id, :alert_engine) rules = StatefulAlertRule \|> Ash.Query.for_read(:active, %{}, tenant: state.schema) \|> Ash.read(actor: actor) \|> unwrap_page() updated = %{state \| rules: rules, rules_loaded_at: System.monotonic_time(:millisecond)} ... (clipped 318 lines)` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Update results unchecked: New `Repo.update_all/2` calls for availability updates do not check or log the update result, making failures (or unexpectedly low update counts) harder to detect and diagnose in production. Referred Code defp update_available_devices(results, device_map, tenant_schema, timestamp) do available_uids = results \|> Enum.filter(fn r -> r["icmp_available"] \|\| r["icmpAvailable"] end) \|> Enum.map(fn r -> r["host_ip"] \|\| r["hostIp"] \|\| r["ip"] end) \|> Enum.reject(&is_nil/1) \|> Enum.map(&Map.get(device_map, &1)) \|> Enum.reject(&is_nil/1) \|> Enum.map(& &1.canonical_device_id) unless Enum.empty?(available_uids) do from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^available_uids ) \|> Repo.update_all(set: [is_available: true, last_seen_time: timestamp, modified_time: timestamp]) end end defp update_unavailable_devices(results, device_map, tenant_schema, timestamp) do unavailable_uids = results ... (clipped 14 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Sensitive error logging: New warning logs interpolate `inspect(reason)` (and similar inspected error terms) which may include sensitive internal details depending on upstream error contents and should be reviewed/sanitized. Referred Code `{:error, reason} -> Logger.warning("Failed to resolve alert #{alert_id}: #{inspect(reason)}") :error` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Dynamic schema usage: The new code builds dynamic table references using `tenant_schema <>` `".ocsf_devices"` without an in-function validation/allowlist check, which is safe only if `tenant_schema` is guaranteed trusted by upstream code. Referred Code from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^available_uids ) \|> Repo.update_all(set: [is_available: true, last_seen_time: timestamp, modified_time: timestamp]) end end defp update_unavailable_devices(results, device_map, tenant_schema, timestamp) do unavailable_uids = results \|> Enum.reject(fn r -> r["icmp_available"] \|\| r["icmpAvailable"] end) \|> Enum.map(fn r -> r["host_ip"] \|\| r["hostIp"] \|\| r["ip"] end) \|> Enum.reject(&is_nil/1) \|> Enum.map(&Map.get(device_map, &1)) \|> Enum.reject(&is_nil/1) \|> Enum.map(& &1.canonical_device_id) unless Enum.empty?(unavailable_uids) do from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^unavailable_uids ) ... (clipped 2 lines) Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2273#issuecomment-3739799002 Original created: 2026-01-12T18:01:47Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=1>⚪</td> <td><details><summary>Dynamic schema injection </summary> Description: Dynamic Ecto query sources are built via string concatenation (<code>{tenant_schema <> </code> <code>".ocsf_devices", Device}</code>) without validating/sanitizing <code>tenant_schema</code>, so if <code>TenantSchemas.schema_for_tenant/1</code> can be influenced or returns unexpected values this could enable cross-tenant writes or SQL injection via crafted schema/table identifiers. <a href='https://github.com/carverauto/serviceradar/pull/2273/files#diff-ac15b7f40862a0f6bab14cfaf84ae8776c232baa90166014e34159a81427811eR203-R226'>sweep.ex [203-226]</a> <details open><summary>Referred Code</summary> ```elixir unless Enum.empty?(available_uids) do from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^available_uids ) |> Repo.update_all(set: [is_available: true, last_seen_time: timestamp, modified_time: timestamp]) end end defp update_unavailable_devices(results, device_map, tenant_schema, timestamp) do unavailable_uids = results |> Enum.reject(fn r -> r["icmp_available"] || r["icmpAvailable"] end) |> Enum.map(fn r -> r["host_ip"] || r["hostIp"] || r["ip"] end) |> Enum.reject(&is_nil/1) |> Enum.map(&Map.get(device_map, &1)) |> Enum.reject(&is_nil/1) |> Enum.map(& &1.canonical_device_id) unless Enum.empty?(unavailable_uids) do from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^unavailable_uids ... (clipped 3 lines) ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=2>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=4>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2273/files#diff-bae3a52db882de8c947e62f219a95dff8db4e155e37d9a361dbe14ec25fcd3bdR139-R477'>Missing audit logging</a>: The new actor-based background operations (reads/updates/creates via <code>Ash.*</code> calls) do not show explicit audit-trail logging of critical actions (actor, action, outcome), which may be required but cannot be verified from this diff alone. <details open><summary>Referred Code</summary> ```elixir defp load_rules(state) do actor = SystemActor.for_tenant(state.tenant_id, :alert_engine) rules = StatefulAlertRule |> Ash.Query.for_read(:active, %{}, tenant: state.schema) |> Ash.read(actor: actor) |> unwrap_page() updated = %{state | rules: rules, rules_loaded_at: System.monotonic_time(:millisecond)} ... (clipped 318 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2273/files#diff-ac15b7f40862a0f6bab14cfaf84ae8776c232baa90166014e34159a81427811eR193-R227'>Update results unchecked</a>: New <code>Repo.update_all/2</code> calls for availability updates do not check or log the update result, making failures (or unexpectedly low update counts) harder to detect and diagnose in production. <details open><summary>Referred Code</summary> ```elixir defp update_available_devices(results, device_map, tenant_schema, timestamp) do available_uids = results |> Enum.filter(fn r -> r["icmp_available"] || r["icmpAvailable"] end) |> Enum.map(fn r -> r["host_ip"] || r["hostIp"] || r["ip"] end) |> Enum.reject(&is_nil/1) |> Enum.map(&Map.get(device_map, &1)) |> Enum.reject(&is_nil/1) |> Enum.map(& &1.canonical_device_id) unless Enum.empty?(available_uids) do from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^available_uids ) |> Repo.update_all(set: [is_available: true, last_seen_time: timestamp, modified_time: timestamp]) end end defp update_unavailable_devices(results, device_map, tenant_schema, timestamp) do unavailable_uids = results ... (clipped 14 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2273/files#diff-bae3a52db882de8c947e62f219a95dff8db4e155e37d9a361dbe14ec25fcd3bdR474-R476'>Sensitive error logging</a>: New warning logs interpolate <code>inspect(reason)</code> (and similar inspected error terms) which may include sensitive internal details depending on upstream error contents and should be reviewed/sanitized. <details open><summary>Referred Code</summary> ```elixir {:error, reason} -> Logger.warning("Failed to resolve alert #{alert_id}: #{inspect(reason)}") :error ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** <a href='https://github.com/carverauto/serviceradar/pull/2273/files#diff-ac15b7f40862a0f6bab14cfaf84ae8776c232baa90166014e34159a81427811eR204-R226'>Dynamic schema usage</a>: The new code builds dynamic table references using <code>tenant_schema <> </code> <code>".ocsf_devices"</code> without an in-function validation/allowlist check, which is safe only if <code>tenant_schema</code> is guaranteed trusted by upstream code. <details open><summary>Referred Code</summary> ```elixir from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^available_uids ) |> Repo.update_all(set: [is_available: true, last_seen_time: timestamp, modified_time: timestamp]) end end defp update_unavailable_devices(results, device_map, tenant_schema, timestamp) do unavailable_uids = results |> Enum.reject(fn r -> r["icmp_available"] || r["icmpAvailable"] end) |> Enum.map(fn r -> r["host_ip"] || r["hostIp"] || r["ip"] end) |> Enum.reject(&is_nil/1) |> Enum.map(&Map.get(device_map, &1)) |> Enum.reject(&is_nil/1) |> Enum.map(& &1.canonical_device_id) unless Enum.empty?(unavailable_uids) do from(d in {tenant_schema <> ".ocsf_devices", Device}, where: d.uid in ^unavailable_uids ) ... (clipped 2 lines) ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2026-01-12 18:05:54 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2273#issuecomment-3739813553
Original created: 2026-01-12T18:05:54Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
Security	Strengthen system actor identification check Strengthen the `system_actor?/1` check by adding pattern matching for the `id` prefix and the presence of `tenant_id` to prevent potential authorization bypasses. elixir/serviceradar_core/lib/serviceradar/actors/system_actor.ex [157-159] `-def system_actor?(%{role: :system}), do: true +def system_actor?(%{role: :system, id: "system:" <> _, tenant_id: _}), do: true def system_actor?(%{role: :super_admin, id: "platform:" <> _}), do: true def system_actor?(_), do: false` Apply / Chat Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a security vulnerability in the newly added `system_actor?/1` function, where a check is too broad and could be bypassed, and proposes a stricter pattern match to fix it.	High
Possible issue	Prevent GenServer crash on update Use `Ash.update(raise?: false)` in `resolve_alert_record/6` to prevent the `StatefulAlertEngine` GenServer from crashing on update failures. elixir/serviceradar_core/lib/serviceradar/observability/stateful_alert_engine.ex [458-482] defp resolve_alert_record(alert_id, schema, tenant_id, rule, snapshot, now) do actor = SystemActor.for_tenant(tenant_id, :alert_engine) case Alert.get_by_id(alert_id, tenant: schema, actor: actor) do {:ok, alert} -> alert \|> Ash.Changeset.for_update(:resolve, %{resolved_by: "system"}, tenant: schema, actor: actor ) - \|> Ash.update() + \|> Ash.update(raise?: false) \|> case do {:ok, _} -> record_history(rule, snapshot, :recovered, now, alert_id, %{}) :ok {:error, reason} -> Logger.warning("Failed to resolve alert #{alert_id}: #{inspect(reason)}") :error end {:error, _} -> :ok end end `[To ensure code accuracy, apply this suggestion manually]` Suggestion importance[1-10]: 7 __ Why: The suggestion correctly identifies that `Ash.update()` can crash the `StatefulAlertEngine` GenServer and proposes using `Ash.update(raise?: false)` for graceful error handling, which is a valid and important improvement for process stability.	Medium
	Return nil on invalid events Explicitly return `nil` in the `{:error, reason}` case of `parse_event/4` to ensure invalid events are correctly filtered out before database insertion. elixir/serviceradar_core/lib/serviceradar/event_writer/processors/events.ex [126-129] `{:error, reason} -> Logger.debug("Invalid OCSF event payload: #{inspect(reason)}", subject: metadata[:subject] ) + nil` Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly points out that the function should explicitly return `nil` on error to ensure invalid events are filtered out, which is a valid and important fix for data integrity.	Medium
	Handle zero-second interval parsing correctly Modify `parse_interval_fallback/1` to explicitly handle an interval of "0" as invalid, preventing it from incorrectly defaulting to 3600 seconds. elixir/serviceradar_core/lib/serviceradar/sweep_jobs/sweep_monitor_worker.ex [284-296] `defp parse_interval_fallback(interval) do case Integer.parse(interval) do + {0, ""} -> + Logger.warning("Interval cannot be zero, defaulting to 1 hour", interval: interval) + 3_600 + {value, ""} when value > 0 -> value _ -> Logger.warning("Unable to parse interval string, defaulting to 1 hour", interval: interval ) 3_600 end end` `[To ensure code accuracy, apply this suggestion manually]` Suggestion importance[1-10]: 6 __ Why: The suggestion correctly identifies an edge case where an interval of "0" is handled incorrectly and proposes a fix to explicitly handle it, improving the function's robustness.	Low
General	Simplify check by removing helper Refactor the `empty?/1` function by removing the redundant `blank?/1` helper and using built-in functions like `is_nil/1`, `String.trim/1`, and `Enum.empty?/1` directly. elixir/serviceradar_core/lib/serviceradar/identity/alias_events.ex [204-215] defp empty?(record) do - blank?(record.last_seen_at) and - blank?(record.collector_ip) and - blank?(record.current_service_id) and - blank?(record.current_ip) and - map_size(record.services) == 0 and - map_size(record.ips) == 0 + (is_nil(record.last_seen_at) or String.trim(record.last_seen_at) == "") and + (is_nil(record.collector_ip) or String.trim(record.collector_ip) == "") and + (is_nil(record.current_service_id) or String.trim(record.current_service_id) == "") and + (is_nil(record.current_ip) or String.trim(record.current_ip) == "") and + Enum.empty?(record.services) and + Enum.empty?(record.ips) end -defp blank?(nil), do: true -defp blank?(s), do: String.trim(to_string(s)) == "" - `[To ensure code accuracy, apply this suggestion manually]` Suggestion importance[1-10]: 4 __ Why: The suggestion correctly identifies that the `blank?/1` helper function can be inlined for better readability and to reduce a minor abstraction. The proposed change is a valid refactoring that improves code style.	Low
Update

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2273#issuecomment-3739813553 Original created: 2026-01-12T18:05:54Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=1>Security</td> <td> <details><summary>Strengthen system actor identification check</summary> ___ **Strengthen the <code>system_actor?/1</code> check by adding pattern matching for the <code>id</code> prefix and the presence of <code>tenant_id</code> to prevent potential authorization bypasses.** [elixir/serviceradar_core/lib/serviceradar/actors/system_actor.ex [157-159]](https://github.com/carverauto/serviceradar/pull/2273/files#diff-f3ebf5072e8a72e025076ca013e6726fb23a0169e9e8c9b0089489a4cf17a73dR157-R159) ```diff -def system_actor?(%{role: :system}), do: true +def system_actor?(%{role: :system, id: "system:" <> _, tenant_id: _}), do: true def system_actor?(%{role: :super_admin, id: "platform:" <> _}), do: true def system_actor?(_), do: false ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 9</summary> __ Why: The suggestion correctly identifies a security vulnerability in the newly added `system_actor?/1` function, where a check is too broad and could be bypassed, and proposes a stricter pattern match to fix it. </details></details></td><td align=center>High </td></tr><tr><td rowspan=3>Possible issue</td> <td> <details><summary>Prevent GenServer crash on update</summary> ___ **Use <code>Ash.update(raise?: false)</code> in <code>resolve_alert_record/6</code> to prevent the <code>StatefulAlertEngine</code> GenServer from crashing on update failures.** [elixir/serviceradar_core/lib/serviceradar/observability/stateful_alert_engine.ex [458-482]](https://github.com/carverauto/serviceradar/pull/2273/files#diff-bae3a52db882de8c947e62f219a95dff8db4e155e37d9a361dbe14ec25fcd3bdR458-R482) ```diff defp resolve_alert_record(alert_id, schema, tenant_id, rule, snapshot, now) do actor = SystemActor.for_tenant(tenant_id, :alert_engine) case Alert.get_by_id(alert_id, tenant: schema, actor: actor) do {:ok, alert} -> alert |> Ash.Changeset.for_update(:resolve, %{resolved_by: "system"}, tenant: schema, actor: actor ) - |> Ash.update() + |> Ash.update(raise?: false) |> case do {:ok, _} -> record_history(rule, snapshot, :recovered, now, alert_id, %{}) :ok {:error, reason} -> Logger.warning("Failed to resolve alert #{alert_id}: #{inspect(reason)}") :error end {:error, _} -> :ok end end ``` `[To ensure code accuracy, apply this suggestion manually]` <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly identifies that `Ash.update()` can crash the `StatefulAlertEngine` GenServer and proposes using `Ash.update(raise?: false)` for graceful error handling, which is a valid and important improvement for process stability. </details></details></td><td align=center>Medium </td></tr><tr><td> <details><summary>Return nil on invalid events</summary> ___ **Explicitly return <code>nil</code> in the <code>{:error, reason}</code> case of <code>parse_event/4</code> to ensure invalid events are correctly filtered out before database insertion.** [elixir/serviceradar_core/lib/serviceradar/event_writer/processors/events.ex [126-129]](https://github.com/carverauto/serviceradar/pull/2273/files#diff-e07b18480fd4cd1259b3401adb542f9931a421fff7fdbecd6771165367013c78R126-R129) ```diff {:error, reason} -> Logger.debug("Invalid OCSF event payload: #{inspect(reason)}", subject: metadata[:subject] ) + nil ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly points out that the function should explicitly return `nil` on error to ensure invalid events are filtered out, which is a valid and important fix for data integrity. </details></details></td><td align=center>Medium </td></tr><tr><td> <details><summary>Handle zero-second interval parsing correctly</summary> ___ **Modify <code>parse_interval_fallback/1</code> to explicitly handle an interval of "0" as invalid, preventing it from incorrectly defaulting to 3600 seconds.** [elixir/serviceradar_core/lib/serviceradar/sweep_jobs/sweep_monitor_worker.ex [284-296]](https://github.com/carverauto/serviceradar/pull/2273/files#diff-c25f50cc2e496fc7f8f883a12098f278c56ae1d2d42d4d2af4200d364e2ef9a8R284-R296) ```diff defp parse_interval_fallback(interval) do case Integer.parse(interval) do + {0, ""} -> + Logger.warning("Interval cannot be zero, defaulting to 1 hour", interval: interval) + 3_600 + {value, ""} when value > 0 -> value _ -> Logger.warning("Unable to parse interval string, defaulting to 1 hour", interval: interval ) 3_600 end end ``` `[To ensure code accuracy, apply this suggestion manually]` <details><summary>Suggestion importance[1-10]: 6</summary> __ Why: The suggestion correctly identifies an edge case where an interval of "0" is handled incorrectly and proposes a fix to explicitly handle it, improving the function's robustness. </details></details></td><td align=center>Low </td></tr><tr><td rowspan=1>General</td> <td> <details><summary>Simplify check by removing helper</summary> ___ **Refactor the <code>empty?/1</code> function by removing the redundant <code>blank?/1</code> helper and using built-in functions like <code>is_nil/1</code>, <code>String.trim/1</code>, and <code>Enum.empty?/1</code> directly.** [elixir/serviceradar_core/lib/serviceradar/identity/alias_events.ex [204-215]](https://github.com/carverauto/serviceradar/pull/2273/files#diff-bc3743067ea774f59bc5665770f7110a2d6e90f6e1156a7717a1c287f8979d28R204-R215) ```diff defp empty?(record) do - blank?(record.last_seen_at) and - blank?(record.collector_ip) and - blank?(record.current_service_id) and - blank?(record.current_ip) and - map_size(record.services) == 0 and - map_size(record.ips) == 0 + (is_nil(record.last_seen_at) or String.trim(record.last_seen_at) == "") and + (is_nil(record.collector_ip) or String.trim(record.collector_ip) == "") and + (is_nil(record.current_service_id) or String.trim(record.current_service_id) == "") and + (is_nil(record.current_ip) or String.trim(record.current_ip) == "") and + Enum.empty?(record.services) and + Enum.empty?(record.ips) end -defp blank?(nil), do: true -defp blank?(s), do: String.trim(to_string(s)) == "" - ``` `[To ensure code accuracy, apply this suggestion manually]` <details><summary>Suggestion importance[1-10]: 4</summary> __ Why: The suggestion correctly identifies that the `blank?/1` helper function can be inlined for better readability and to reduce a minor abstraction. The proposed change is a valid refactoring that improves code style. </details></details></td><td align=center>Low </td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td><td></td></tr></tbody></table>

qodo-code-review[bot] commented

2026-01-12 18:21:04 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2273#issuecomment-3739875836
Original created: 2026-01-12T18:21:04Z

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: build

Failed stage: Configure SRQL fixture database for tests [❌]

Failed test name: ""

Failure summary:

The action failed because the workflow requires the secret SRQL_TEST_DATABASE_CA_CERT to be set, but
it is empty/missing (SRQL_TEST_DATABASE_CA_CERT: shows no value in the environment).
The job
explicitly aborts with the message SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify
SRQL fixture TLS. and exits with code 1 (log lines 636-637).

Relevant error logs:

1:  Runner name: 'arc-runner-set-hk6mk-runner-ztxw6'
2:  Runner group name: 'Default'
...

139:  ^[[36;1mif command -v apt-get >/dev/null 2>&1; then^[[0m
140:  ^[[36;1m  sudo apt-get update^[[0m
141:  ^[[36;1m  sudo apt-get install -y build-essential pkg-config libssl-dev protobuf-compiler cmake flex bison^[[0m
142:  ^[[36;1melif command -v dnf >/dev/null 2>&1; then^[[0m
143:  ^[[36;1m  sudo dnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
144:  ^[[36;1melif command -v yum >/dev/null 2>&1; then^[[0m
145:  ^[[36;1m  sudo yum install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
146:  ^[[36;1melif command -v microdnf >/dev/null 2>&1; then^[[0m
147:  ^[[36;1m  sudo microdnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m
148:  ^[[36;1melse^[[0m
149:  ^[[36;1m  echo "Unsupported package manager; please install gcc, g++ (or clang), make, OpenSSL headers, pkg-config, and protoc manually." >&2^[[0m
150:  ^[[36;1m  exit 1^[[0m
151:  ^[[36;1mfi^[[0m
152:  ^[[36;1m^[[0m
153:  ^[[36;1mensure_pkg_config^[[0m
154:  ^[[36;1mprotoc --version || (echo "protoc installation failed" && exit 1)^[[0m
155:  shell: /usr/bin/bash -e {0}
...

316:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
317:  env:
318:  BUILDBUDDY_ORG_API_KEY: ***
319:  SRQL_TEST_DATABASE_URL: ***
320:  SRQL_TEST_ADMIN_URL: ***
321:  SRQL_TEST_DATABASE_CA_CERT: 
322:  DOCKERHUB_USERNAME: ***
323:  DOCKERHUB_TOKEN: ***
324:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
325:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
326:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
327:  ##[endgroup]
328:  ##[group]Run : install rustup if needed
329:  ^[[36;1m: install rustup if needed^[[0m
330:  ^[[36;1mif ! command -v rustup &>/dev/null; then^[[0m
331:  ^[[36;1m  curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused --location --silent --show-error --fail https://sh.rustup.rs | sh -s -- --default-toolchain none -y^[[0m
332:  ^[[36;1m  echo "$CARGO_HOME/bin" >> $GITHUB_PATH^[[0m
...

472:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
473:  env:
474:  BUILDBUDDY_ORG_API_KEY: ***
475:  SRQL_TEST_DATABASE_URL: ***
476:  SRQL_TEST_ADMIN_URL: ***
477:  SRQL_TEST_DATABASE_CA_CERT: 
478:  DOCKERHUB_USERNAME: ***
479:  DOCKERHUB_TOKEN: ***
480:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
481:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
482:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
483:  CARGO_HOME: /home/runner/.cargo
484:  CARGO_INCREMENTAL: 0
485:  CARGO_TERM_COLOR: always
486:  ##[endgroup]
487:  ##[group]Run : work around spurious network errors in curl 8.0
488:  ^[[36;1m: work around spurious network errors in curl 8.0^[[0m
489:  ^[[36;1m# https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/timeout.20investigation^[[0m
...

540:  SRQL_TEST_DATABASE_CA_CERT: 
541:  DOCKERHUB_USERNAME: ***
542:  DOCKERHUB_TOKEN: ***
543:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
544:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
545:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
546:  CARGO_HOME: /home/runner/.cargo
547:  CARGO_INCREMENTAL: 0
548:  CARGO_TERM_COLOR: always
549:  ##[endgroup]
550:  Attempting to download 1.x...
551:  Acquiring v1.27.0 from https://github.com/bazelbuild/bazelisk/releases/download/v1.27.0/bazelisk-linux-amd64
552:  Adding to the cache ...
553:  Successfully cached bazelisk to /home/runner/_work/_tool/bazelisk/1.27.0/x64
554:  Added bazelisk to the path
555:  ##[warning]Failed to restore: Cache service responded with 400
556:  Restored bazelisk cache dir @ /home/runner/.cache/bazelisk
...

622:  env:
623:  BUILDBUDDY_ORG_API_KEY: ***
624:  SRQL_TEST_DATABASE_URL: ***
625:  SRQL_TEST_ADMIN_URL: ***
626:  SRQL_TEST_DATABASE_CA_CERT: 
627:  DOCKERHUB_USERNAME: ***
628:  DOCKERHUB_TOKEN: ***
629:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
630:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
631:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
632:  CARGO_HOME: /home/runner/.cargo
633:  CARGO_INCREMENTAL: 0
634:  CARGO_TERM_COLOR: always
635:  ##[endgroup]
636:  SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS.
637:  ##[error]Process completed with exit code 1.
638:  Post job cleanup.

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/2273#issuecomment-3739875836 Original created: 2026-01-12T18:21:04Z --- ## CI Feedback 🧐 A test triggered by this PR failed. Here is an AI-generated analysis of the failure: <table><tr><td> **Action:** build</td></tr> <tr><td> **Failed stage:** [Configure SRQL fixture database for tests](https://github.com/carverauto/serviceradar/actions/runs/20930293651/job/60139167684) [❌] </td></tr> <tr><td> **Failed test name:** "" </td></tr> <tr><td> **Failure summary:** The action failed because the workflow requires the secret <code>SRQL_TEST_DATABASE_CA_CERT</code> to be set, but it is empty/missing (<code>SRQL_TEST_DATABASE_CA_CERT:</code> shows no value in the environment). The job explicitly aborts with the message <code>SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify </code> <code>SRQL fixture TLS.</code> and exits with code 1 (log lines 636-637). </td></tr> <tr><td> <details><summary>Relevant error logs:</summary> ```yaml 1: Runner name: 'arc-runner-set-hk6mk-runner-ztxw6' 2: Runner group name: 'Default' ... 139: ^[[36;1mif command -v apt-get >/dev/null 2>&1; then^[[0m 140: ^[[36;1m sudo apt-get update^[[0m 141: ^[[36;1m sudo apt-get install -y build-essential pkg-config libssl-dev protobuf-compiler cmake flex bison^[[0m 142: ^[[36;1melif command -v dnf >/dev/null 2>&1; then^[[0m 143: ^[[36;1m sudo dnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 144: ^[[36;1melif command -v yum >/dev/null 2>&1; then^[[0m 145: ^[[36;1m sudo yum install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 146: ^[[36;1melif command -v microdnf >/dev/null 2>&1; then^[[0m 147: ^[[36;1m sudo microdnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison^[[0m 148: ^[[36;1melse^[[0m 149: ^[[36;1m echo "Unsupported package manager; please install gcc, g++ (or clang), make, OpenSSL headers, pkg-config, and protoc manually." >&2^[[0m 150: ^[[36;1m exit 1^[[0m 151: ^[[36;1mfi^[[0m 152: ^[[36;1m^[[0m 153: ^[[36;1mensure_pkg_config^[[0m 154: ^[[36;1mprotoc --version || (echo "protoc installation failed" && exit 1)^[[0m 155: shell: /usr/bin/bash -e {0} ... 316: shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} 317: env: 318: BUILDBUDDY_ORG_API_KEY: *** 319: SRQL_TEST_DATABASE_URL: *** 320: SRQL_TEST_ADMIN_URL: *** 321: SRQL_TEST_DATABASE_CA_CERT: 322: DOCKERHUB_USERNAME: *** 323: DOCKERHUB_TOKEN: *** 324: TEST_CNPG_DATABASE: serviceradar_web_ng_test 325: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 326: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 327: ##[endgroup] 328: ##[group]Run : install rustup if needed 329: ^[[36;1m: install rustup if needed^[[0m 330: ^[[36;1mif ! command -v rustup &>/dev/null; then^[[0m 331: ^[[36;1m curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused --location --silent --show-error --fail https://sh.rustup.rs | sh -s -- --default-toolchain none -y^[[0m 332: ^[[36;1m echo "$CARGO_HOME/bin" >> $GITHUB_PATH^[[0m ... 472: shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0} 473: env: 474: BUILDBUDDY_ORG_API_KEY: *** 475: SRQL_TEST_DATABASE_URL: *** 476: SRQL_TEST_ADMIN_URL: *** 477: SRQL_TEST_DATABASE_CA_CERT: 478: DOCKERHUB_USERNAME: *** 479: DOCKERHUB_TOKEN: *** 480: TEST_CNPG_DATABASE: serviceradar_web_ng_test 481: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 482: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 483: CARGO_HOME: /home/runner/.cargo 484: CARGO_INCREMENTAL: 0 485: CARGO_TERM_COLOR: always 486: ##[endgroup] 487: ##[group]Run : work around spurious network errors in curl 8.0 488: ^[[36;1m: work around spurious network errors in curl 8.0^[[0m 489: ^[[36;1m# https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/timeout.20investigation^[[0m ... 540: SRQL_TEST_DATABASE_CA_CERT: 541: DOCKERHUB_USERNAME: *** 542: DOCKERHUB_TOKEN: *** 543: TEST_CNPG_DATABASE: serviceradar_web_ng_test 544: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 545: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 546: CARGO_HOME: /home/runner/.cargo 547: CARGO_INCREMENTAL: 0 548: CARGO_TERM_COLOR: always 549: ##[endgroup] 550: Attempting to download 1.x... 551: Acquiring v1.27.0 from https://github.com/bazelbuild/bazelisk/releases/download/v1.27.0/bazelisk-linux-amd64 552: Adding to the cache ... 553: Successfully cached bazelisk to /home/runner/_work/_tool/bazelisk/1.27.0/x64 554: Added bazelisk to the path 555: ##[warning]Failed to restore: Cache service responded with 400 556: Restored bazelisk cache dir @ /home/runner/.cache/bazelisk ... 622: env: 623: BUILDBUDDY_ORG_API_KEY: *** 624: SRQL_TEST_DATABASE_URL: *** 625: SRQL_TEST_ADMIN_URL: *** 626: SRQL_TEST_DATABASE_CA_CERT: 627: DOCKERHUB_USERNAME: *** 628: DOCKERHUB_TOKEN: *** 629: TEST_CNPG_DATABASE: serviceradar_web_ng_test 630: INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp 631: INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir 632: CARGO_HOME: /home/runner/.cargo 633: CARGO_INCREMENTAL: 0 634: CARGO_TERM_COLOR: always 635: ##[endgroup] 636: SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS. 637: ##[error]Process completed with exit code 1. 638: Post job cleanup. ``` </details></td></tr></table>