2277 feat sysmon rewrite in golang #2660
No reviewers
Labels
No labels
1week
2weeks
Failed compliance check
IP cameras
NATS
Possible security concern
Review effort 1/5
Review effort 2/5
Review effort 3/5
Review effort 4/5
Review effort 5/5
UI
aardvark
accessibility
amd64
api
arm64
auth
back-end
bgp
blog
bug
build
checkers
ci-cd
cleanup
cnpg
codex
core
dependencies
device-management
documentation
duplicate
dusk
ebpf
enhancement
eta 1d
eta 1hr
eta 3d
eta 3hr
feature
fieldsurvey
github_actions
go
good first issue
help wanted
invalid
javascript
k8s
log-collector
mapper
mtr
needs-triage
netflow
network-sweep
observability
oracle
otel
plug-in
proton
python
question
reddit
redhat
research
rperf
rperf-checker
rust
sdk
security
serviceradar-agent
serviceradar-agent-gateway
serviceradar-web
serviceradar-web-ng
siem
snmp
sysmon
topology
ubiquiti
wasm
wontfix
zen-engine
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
carverauto/serviceradar!2660
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "refs/pull/2660/head"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Imported from GitHub pull request.
Original GitHub pull request: #2279
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2279
Original created: 2026-01-14T02:33:50Z
Original updated: 2026-01-14T06:47:55Z
Original head: carverauto/serviceradar:2277-feat-sysmon-rewrite-in-golang
Original base: staging
Original merged: 2026-01-14T06:47:53Z by @mfreeman451
User description
IMPORTANT: Please sign the Developer Certificate of Origin
Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:
Describe your changes
Issue ticket number and link
Code checklist before requesting a review
PR Type
Enhancement
Description
Complete sysmon monitoring system rewrite from Rust to Go with full backend and frontend integration
Sysmon profiles management with CRUD operations, SRQL-based device targeting, and priority-based resolution
Agent configuration system for sysmon with multi-stage resolution (device > SRQL > tag > default) and config compilation
Device linking and enrollment via agent gateway sync with device identity reconciliation and capability-based discovery
Web UI enhancements including sysmon profile settings, device bulk assignment, and agent status display
Go sysmon package implementing metric collection for CPU, memory, disk, network, and processes with configurable sampling
Service lifecycle management in Go agent with config refresh loop, local/cache/default precedence, and concurrent operation support
Protobuf definitions extended with
SysmonConfigmessage type andconfig_sourcefield for configuration trackingDatabase migrations for sysmon profiles, assignments, and agent config source tracking
SRQL shared library with Rustler NIF bindings for query parsing and translation
Comprehensive test coverage including E2E profile assignment tests, sysmon compiler tests, service lifecycle tests, and performance benchmarks
Agent capabilities extended with "sysmon" status reporting via streaming for large payloads
Diagram Walkthrough
File Walkthrough
39 files
index.ex
Sysmon profiles management LiveView with query builderweb-ng/lib/serviceradar_web_ng_web/live/settings/sysmon_profiles_live/index.ex
operations
filters
and deletion
monitoring.pb.ex
Protobuf definitions update with sysmon config supportelixir/serviceradar_core/lib/serviceradar/proto/monitoring.pb.ex
definitions
full_namefield to all Protobuf module declarations for claritySysmonConfigmessage type with fields for monitoringconfiguration
AgentConfigResponseandGatewayStatusRequestwithconfig_sourcefieldindex.ex
Device list bulk sysmon profile assignment featureweb-ng/lib/serviceradar_web_ng_web/live/device_live/index.ex
indicators
devices
device
show.ex
Device detail view sysmon configuration managementweb-ng/lib/serviceradar_web_ng_web/live/device_live/show.ex
device assignments
assignments
indicators
sysmon_profile.ex
SysmonProfile Ash resource with targeting and policieselixir/serviceradar_core/lib/serviceradar/sysmon_profiles/sysmon_profile.ex
multitenancy support
and alert thresholds
resolution
admin users
sysmon_compiler.ex
Sysmon configuration compiler with profile resolutionelixir/serviceradar_core/lib/serviceradar/agent_config/compilers/sysmon_compiler.ex
Compilerbehaviour for sysmonconfiguration
tag, default)
and collection settings
srql_target_resolver.ex
SRQL-based device targeting for sysmon profileselixir/serviceradar_core/lib/serviceradar/sysmon_profiles/srql_target_resolver.ex
queries against devices
sysmon_profile_assignment.ex
Sysmon profile assignment resource for flexible targetingelixir/serviceradar_core/lib/serviceradar/sysmon_profiles/sysmon_profile_assignment.ex
ordering
sysmon_profile_seeder.ex
Default sysmon profile seeder for tenantselixir/serviceradar_core/lib/serviceradar/sysmon_profiles/sysmon_profile_seeder.ex
InitializeTenantInfrastructurevalidate_srql_query.ex
SRQL query validation for sysmon profile targetingelixir/serviceradar_core/lib/serviceradar/sysmon_profiles/changes/validate_srql_query.ex
target_queryattribute on sysmon profileswith
in:devicessysmon_profiles.ex
Sysmon profiles domain and resource registryelixir/serviceradar_core/lib/serviceradar/sysmon_profiles.ex
SysmonProfileandSysmonProfileAssignmentresourcesagent_gateway_sync.ex
Device creation and linking for agent enrollmentelixir/serviceradar_core/lib/serviceradar/edge/agent_gateway_sync.ex
ensure_device_for_agent/3function to create/update device recordsfor agents
identity
capabilities)
capabilities
agent_config_generator.ex
Sysmon config integration into agent configuration generationelixir/serviceradar_core/lib/serviceradar/edge/agent_config_generator.ex
ConfigServer.get_config/4Monitoring.SysmonConfigstruct for agentdelivery
versioning
agent_gateway_server.ex
Agent gateway device creation and config source trackingelixir/serviceradar_agent_gateway/lib/serviceradar_agent_gateway/agent_gateway_server.ex
ensure_device_for_agent/5during agent registration to createdevice records
config_sourcefrom agent hello requests and heartbeatsagent.ex
Agent resource extended with device linking and config sourceelixir/serviceradar_core/lib/serviceradar/infrastructure/agent.ex
device_uidandconfig_sourceattributes to Agent resourcegateway_syncaction to acceptdevice_uidandconfig_sourceheartbeataction to acceptconfig_sourceconfig_sourcetracks origin: remote, local, cached, or defaultcompiler.ex
Compiler registry updated with sysmon compilerelixir/serviceradar_core/lib/serviceradar/agent_config/compiler.ex
:sysmontoconfig_typeunion typeSysmonCompilerin the compiler registryinitialize_tenant_infrastructure.ex
Tenant initialization extended with sysmon profile seedingelixir/serviceradar_core/lib/serviceradar/identity/changes/initialize_tenant_infrastructure.ex
SysmonProfileSeeder.seed_for_tenant/1during tenantinitialization
native.ex
SRQL native Rust NIF bindingselixir/serviceradar_srql/lib/serviceradar_srql/native.ex
translate/5andparse_ast/1functionssrql_nifcratenative.ex
SRQL native module refactored to use shared libraryweb-ng/lib/serviceradar_web_ng/srql/native.ex
ServiceRadarSRQL.Nativefor backwards compatibilityrouter.ex
Web router extended with sysmon profile routesweb-ng/lib/serviceradar_web_ng_web/router.ex
settings_components.ex
Settings navigation extended with sysmon optionweb-ng/lib/serviceradar_web_ng_web/components/settings_components.ex
index.ex
Agent live view extended with sysmon status displayweb-ng/lib/serviceradar_web_ng_web/live/agent_live/index.ex
sysmon_status_badge/1component showing sysmon capabilitymonitoring.pb.go
Protobuf definitions extended with sysmon configurationproto/monitoring.pb.go
SysmonConfigmessage type with monitoring configuration fieldsconfig_sourcefield toGatewayStatusRequest,GatewayStatusChunk,and
AgentHelloRequestsysmon_configfield toAgentConfigResponseprocess.go
Go sysmon package for process metric collectionpkg/sysmon/process.go
CollectProcesses/1to gather CPU, memory, and status forall processes
sysmon_service.go
Core sysmon service implementation with config managementpkg/agent/sysmon_service.go
SysmonServicewrapper for system metricscollection
local/cache/default precedence
configuration changes
GetStatus()with JSON payload containingmetrics
collector.go
System metrics collector with periodic samplingpkg/sysmon/collector.go
DefaultCollectorimplementation of theCollectorinterfacemetrics.go
Metric data structures and sample definitionspkg/sysmon/metrics.go
MetricSample,CPUMetric,DiskMetric,etc.)
config.go
Configuration management and validationpkg/sysmon/config.go
ParsedConfigwith validated, usable valuescpu.go
CPU metrics collection with frequency supportpkg/sysmon/cpu.go
cpufreqpackage for frequency informationhost.go
Host identification and network interface detectionpkg/sysmon/host.go
disk.go
Disk usage metrics collectionpkg/sysmon/disk.go
network.go
Network interface metrics collectionpkg/sysmon/network.go
drops)
memory.go
Memory and swap metrics collectionpkg/sysmon/memory.go
push_loop.go
Integration of sysmon metrics into push loop and config applicationpkg/agent/push_loop.go
pushSysmonStatus()usingStreamStatusfor large payloadsapplySysmonConfig()to apply gateway-provided sysmonconfiguration
protoToSysmonConfig()for proto-to-internal configconversion
server.go
Server integration of sysmon service lifecyclepkg/agent/server.go
SysmonServiceduring server startupinitSysmonService()to create and start the serviceGetSysmonStatus()method for retrieving current metricsdefaultPartitionconstant for partition configurationtypes.go
Server type definition update for sysmon servicepkg/agent/types.go
sysmonServicefield toServerstructsyn_scanner_stub.go
SYN scanner statistics structure for non-Linux platformspkg/scan/syn_scanner_stub.go
ScannerStatsstruct for performance and diagnostic counterslimiting statistics
GetStats()stub returning empty stats on non-Linuxplatforms
agents.rs
Agent query support for config source filteringrust/srql/src/query/agents.rs
config_sourcefield to agent query filteringconfig_sourcefieldconfig_sourceequality and IN filtersmodels.rs
Agent model update with config source fieldrust/srql/src/models.rs
config_sourceoptional field toAgentRowstructconfig_sourcein JSON serialization output8 files
sysmon_profile_assignment_test.exs
End-to-end tests for sysmon profile assignment resolutionelixir/serviceradar_core/test/serviceradar/sysmon_profiles/sysmon_profile_assignment_test.exs
workflow
priority resolution
integration
agent_gateway_sync_test.exs
Agent gateway sync integration testselixir/serviceradar_core/test/serviceradar/edge/agent_gateway_sync_test.exs
discovery source assignment
config_source tracking
sysmon_compiler_test.exs
Unit and integration tests for sysmon compilerelixir/serviceradar_core/test/serviceradar/sysmon_profiles/sysmon_compiler_test.exs
sysmon_profile_seeder_test.exs
Unit and integration tests for sysmon profile seederelixir/serviceradar_core/test/serviceradar/sysmon_profiles/sysmon_profile_seeder_test.exs
agent_config_generator_test.exs
Agent config generator tests extended with sysmon configelixir/serviceradar_core/test/serviceradar/edge/agent_config_generator_test.exs
:databaseto:integrationsysmon_service_test.go
Extensive test coverage for sysmon service functionalitypkg/agent/sysmon_service_test.go
configuration
cache > default)
behavior
sysmon_config_bench_test.go
Performance benchmarks for sysmon configuration operationspkg/agent/sysmon_config_bench_test.go
collector_test.go
Unit tests for metrics collection and configurationpkg/sysmon/collector_test.go
processes)
compatibility
7 files
config.exs
Configuration update for sysmon profiles domainelixir/serviceradar_core/config/config.exs
ServiceRadar.SysmonProfilesdomain to the list of configureddomains
20260113212456_add_sysmon_profiles.exs
Database migration for sysmon profiles and assignmentselixir/serviceradar_core/priv/repo/migrations/20260113212456_add_sysmon_profiles.exs
sysmon_profilestable with profile configuration fieldssysmon_profile_assignmentstable for device/tag assignments20260114000000_add_sysmon_profile_srql_targeting.exs
Database migration for SRQL targeting on sysmon profileselixir/serviceradar_core/priv/repo/migrations/20260114000000_add_sysmon_profile_srql_targeting.exs
target_queryandprioritycolumns tosysmon_profiles20260114001354_add_agent_config_source.exs
Tenant migration for agent config source trackingelixir/serviceradar_core/priv/repo/tenant_migrations/20260114001354_add_agent_config_source.exs
config_sourcecolumn toocsf_agentstable in tenant schemasconfig_sourcefor query efficiencytest.exs
Test configuration updated with sysmon profiles domainelixir/serviceradar_core/config/test.exs
ServiceRadar.SysmonProfilesto the list of domains for testingmix.exs
SRQL shared library Mix project configurationelixir/serviceradar_srql/mix.exs
schema.rs
Database schema update for agent config source trackingrust/srql/src/schema.rs
config_sourcenullable text column toocsf_agentstable schema2 files
mix.exs
Mix dependencies updated with SRQL libraryelixir/serviceradar_core/mix.exs
serviceradar_srqlshared librarymix.exs
Mix dependencies updated with SRQL libraryweb-ng/mix.exs
serviceradar_srqlshared library17 files
client.ex
Compiler directive for gRPC stub warning suppressionelixir/serviceradar_core/lib/serviceradar/sync/client.ex
agent_process.ex
Compiler directive for gRPC stub warning suppressionelixir/serviceradar_core/lib/serviceradar/edge/agent_process.ex
identity_map.pb.go
Protobuf version comment updatesproto/identitymap/v1/identity_map.pb.go
rperf.pb.go
Protobuf code regeneration with version updatesproto/rperf/rperf.pb.go
flow.pb.go
Protobuf code regeneration with version updatesproto/flow/flow.pb.go
discovery.pb.go
Protobuf code regeneration with version updatesproto/discovery/discovery.pb.go
nats_account.pb.go
Protobuf code regeneration with version updatesproto/nats_account.pb.go
data_service.pb.go
Protobuf code regeneration with version updatesproto/data_service.pb.go
core_service.pb.go
Protobuf code regeneration with version updatesproto/core_service.pb.go
kv.pb.go
Protobuf code regeneration with version updatesproto/kv.pb.go
rperf_grpc.pb.go
gRPC protobuf code regeneration with version updatesproto/rperf/rperf_grpc.pb.go
discovery_grpc.pb.go
gRPC protobuf code regeneration with version updatesproto/discovery/discovery_grpc.pb.go
nats_account_grpc.pb.go
gRPC protobuf code regeneration with version updatesproto/nats_account_grpc.pb.go
core_service_grpc.pb.go
gRPC protobuf code regeneration with version updatesproto/core_service_grpc.pb.go
data_service_grpc.pb.go
gRPC protobuf code regeneration with version updatesproto/data_service_grpc.pb.go
monitoring_grpc.pb.go
gRPC protobuf code regeneration with version updatesproto/monitoring_grpc.pb.go
kv_grpc.pb.go
gRPC protobuf code regeneration with version updatesproto/kv_grpc.pb.go
2 files
serviceradar_srql.ex
SRQL shared library module documentationelixir/serviceradar_srql/lib/serviceradar_srql.ex
serviceradar_core
behaviour.ex
SRQL behaviour module documentation improvementweb-ng/lib/serviceradar_web_ng/srql/behaviour.ex
falseto descriptive documentation1 files
.formatter.exs
Code formatter configuration for SRQL libraryelixir/serviceradar_srql/.formatter.exs
22 files
Imported GitHub PR comment.
Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2279#issuecomment-3747417071
Original created: 2026-01-14T02:35:12Z
PR Compliance Guide 🔍
(Compliance updated until commit
github.com/carverauto/serviceradar@7bf551f03e)Below is a summary of compliance checks for this PR:
Resource exhaustion risk
Description: User-controlled SRQL input is parsed and can trigger database counting on each form
validation/event (e.g.,
count_target_devices/2called fromhandle_event("validate_profile", ...)), which could be abused to cause resource exhaustionvia repeated expensive parses/count queries.
index.ex [111-963]
Referred Code
Identity spoofing risk
Description: Device identity and inventory fields (notably IP/hostname from
attrsinensure_device_for_agent/3) appear to trust agent-supplied values, which could enablespoofing/poisoning of inventory associations if agent enrollment is not strongly
authenticated and source IP is not verified server-side.
agent_gateway_sync.ex [115-316]
Referred Code
🎫 #2277
sysmon in Go.
/pkg/sysmonlibrary incorporating the existing sysmon macOS behavior.serviceradar-sysmonpackage to easereintegration into ServiceRadar.
github.com/shirou/gopsutil)where appropriate.
Codebase context is not defined
Follow the guide to enable codebase context checks.
Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting
Status: Passed
Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.
Status: Passed
Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation
Status:
Errors silently swallowed: Multiple
rescue _ -> nil/ generic error branches drop parsing/DB/count/compile errorswithout logging or actionable context, making failures hard to diagnose.
Referred Code
Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.
Status:
Missing audit logging: Sysmon profile create/update/delete/enable/default operations appear to only use UI
flashes without an explicit audit trail including acting user, action, and outcome.
Referred Code
Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.
Status:
Unvetted error payloads: Logging uses
inspect(reason)for device/identity failures which may include sensitiveinternal details depending on upstream error content and log sink exposure.
Referred Code
Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities
Status:
Weak input validation: Agent-supplied
hostname/os/arch/capabilitiesand derivedsource_ipare forwarded into coredevice creation without visible validation/sanitization in this diff, relying on
downstream checks not shown.
Referred Code
Compliance status legend
🟢 - Fully Compliant🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
Previous compliance checks
Compliance check up to commit f5c81a9
No security concerns identified
No security vulnerabilities detected by AI analysis. Human verification advised for critical code.🎫 No ticket provided
Codebase context is not defined
Follow the guide to enable codebase context checks.
Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting
Status: Passed
Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.
Status: Passed
Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation
Status: 🏷️
Silent error swallowing: Multiple new code paths swallow exceptions and/or parsing failures by returning
nilor ageneric fallback without logging or returning actionable context, making production
debugging and correctness verification difficult.
Referred Code
Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.
Status: 🏷️
No audit logging: New sysmon profile CRUD actions appear to be executed without emitting audit-log entries
that include acting user context and outcome, but this may be handled elsewhere in the
stack (e.g., Ash notifiers/telemetry).
Referred Code
Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.
Status: 🏷️
Logs may leak data: New logging statements include
inspect(reason)on failures and include identifiers such asagent_id/device_uid, which could leak sensitive/internal details depending on whatreasoncontains and the organization’s data classification.
Referred Code
Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities
Status: 🏷️
External attrs unvalidated: New device creation/update logic consumes agent-provided attributes (e.g.,
hostname,source_ip,capabilities) without explicit validation/sanitization in this diff, relying ondownstream layers whose guarantees are not visible here.
Referred Code
Compliance check up to commit ab4b174
Resource exhaustion
Description: User-controlled SRQL input triggers repeated parsing and database counting (e.g.,
handle_event("validate_profile", ...)callingcount_target_devices/2which callsAsh.count/2) on every form change, which could be abused to generate excessive DB load/DoSif not rate-limited/debounced. index.ex [111-1246]
Referred Code
🎫 #2277
pkg/sysmonusing Go libraries (e.g.,gopsutil) to collectsystem metrics.
implementation; incorporate existing Go sysmon-osx).
serviceradar-sysmonpackage to easeintegration back into ServiceRadar.
package.
Codebase context is not defined
Follow the guide to enable codebase context checks.
Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting
Status: Passed
Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.
Status: Passed
Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.
Status: 🏷️
Missing audit logs: Admin CRUD actions for sysmon profiles (create/update/delete/toggle/set default) are
performed without emitting audit log entries including actor identity and outcome.
Referred Code
Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation
Status: 🏷️
Swallowed parse errors: SRQL parsing/JSON decoding/counting errors are swallowed via broad
rescueand{:error, _}-> nilbranches without logging/context, making production diagnosis difficult.Referred Code
Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.
Status: 🏷️
Unvetted error logging: Logging
inspect(reason)may expose sensitive internal/DB details depending on errorcontents, and the diff does not show whether logs are structured/redacted.
Referred Code
Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities
Status: 🏷️
Weak input validation: Device attributes derived from agent requests (e.g.,
hostname,os,arch,source_ip, andcapabilities) are forwarded into core/device creation flows without clearvalidation/sanitization in the visible diff.
Referred Code
Compliance check up to commit 7ab36f9
SRQL injection risk
Description: The code builds
combined_query = "#{target_query} uid:#{device_uid}"withoutescaping/quoting
device_uid, so a crafted device UID containing SRQL syntax/whitespacecould alter query semantics and potentially bypass/expand targeting behavior. srql_target_resolver.ex [104-138]
Referred Code
🎫 #2277
SysmonConfigin protobufs and related config plumbing).sysinfo-based sysmon with a unified implementation in Go so thereis a single sysmon codebase across platforms.
pkg/sysmon(incorporating prior sysmon-osx functionality)and implement system metric collection (CPU/memory/disk/network/processes), leveraging Go
libraries (e.g.,
github.com/shirou/gopsutil).serviceradar-sysmonpackage to easeintegration back into ServiceRadar.
serviceradar-agentas part of consolidation ofGo-based components into one installation package.
Codebase context is not defined
Follow the guide to enable codebase context checks.
Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting
Status: Passed
Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.
Status:
Missing audit logging: Critical sysmon profile actions (create/update/delete/toggle/set default) are performed
without recording an audit log containing actor/user context and outcome.
Referred Code
Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation
Status:
Unsafe destructive ops: Bulk assignment deletes existing assignments using
Ash.destroy!insideEnum.each, whichcan raise and crash the LiveView and is not wrapped in a transaction/rollback for partial
failures.
Referred Code
Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.
Status:
Leaky user error: A user-facing flash message interpolates the underlying failure
reason, which may exposeinternal details (e.g., database/validation errors) to the end-user.
Referred Code
Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.
Status:
Detailed reason logged: Warning logs include
inspect(reason)which could unintentionally log sensitive internaldata depending on what upstream errors contain, requiring verification of logged error
contents.
Referred Code
Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities
Status:
Authorization not visible: The LiveView bulk sysmon profile assignment path accepts a client-provided
profile_idandperforms destructive/creation operations without visible authorization checks in the diff,
requiring verification that access control is enforced elsewhere.
Referred Code
Imported GitHub PR comment.
Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2279#issuecomment-3747419811
Original created: 2026-01-14T02:36:41Z
PR Code Suggestions ✨
Explore these optional code suggestions:
✅
Consolidate sysmon profile targeting mechanismsSuggestion Impact:
The compiler was simplified to resolve profiles only via SRQL targeting (then default), removed all device/tag assignment resolution logic and references, updated documentation/comments accordingly, and deleted the SysmonProfileAssignment resource file (effectively consolidating targeting into SRQL).code diff:
The current implementation uses two methods for sysmon profile targeting: SRQL
queries and separate assignment resources. This should be consolidated into a
single, SRQL-based system to reduce complexity.
Examples:
elixir/serviceradar_core/lib/serviceradar/agent_config/compilers/sysmon_compiler.ex [109-121]
elixir/serviceradar_core/lib/serviceradar/sysmon_profiles/sysmon_profile_assignment.ex [1-233]
Solution Walkthrough:
Before:
After:
Suggestion importance[1-10]: 9
__
Why: The suggestion correctly identifies a significant design issue where two parallel sysmon profile targeting mechanisms (SRQL and direct assignments) are introduced, leading to increased complexity in the backend resolution logic and a confusing user experience.
Prevent race condition in stop
Modify the
Stopfunction to hold the mutex lock for the entire critical sectionto prevent a race condition that could cause a panic.
pkg/agent/sysmon_service.go [195-233]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 9
__
Why: The suggestion correctly identifies a race condition in the
Stopfunction that could lead to a panic from a double-close on a channel. This is a critical concurrency bug fix.Fix incorrect device count preview
Update the
apply_srql_filter/2function to correctly handle all filter operators(
contains,not_contains,equals,not_equals) when calculating the target devicecount preview, ensuring the count is accurate.
web-ng/lib/serviceradar_web_ng_web/live/settings/sysmon_profiles_live/index.ex [940-964]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 8
__
Why: The suggestion correctly identifies a bug where the filter operator is ignored, leading to an inaccurate device count preview, and provides a correct fix.
✅
Prevent incorrect deletion of assignmentsSuggestion Impact:
The PR did not implement the suggested query filter or the change from Ash.destroy!/2 to Ash.destroy/2. Instead, it removed the entire bulk sysmon profile assignment workflow, including create_sysmon_assignments/3 and all related UI/event handlers, eliminating the deletion logic altogether (and therefore also eliminating the risk of incorrect deletions in that code path).code diff:
Refine the
create_sysmon_assignments/3function to only delete device-specificassignments by adding
assignment_type == :deviceto the query. Also, replaceAsh.destroy!/2withAsh.destroy/2for safer error handling.web-ng/lib/serviceradar_web_ng_web/live/device_live/index.ex [1511-1551]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 8
__
Why: The suggestion correctly identifies a bug that could cause incorrect data deletion and improves robustness by replacing a crashing function call with a safer alternative.
✅
Use correct interval fieldSuggestion Impact:
The commit did not replace `profile.interval_seconds` with `profile.sample_interval`. Instead, it removed the entire bulk sysmon profile assignment modal and its event handlers, including the template line that referenced `profile.interval_seconds`, thereby eliminating the runtime error by removing the feature/code path.code diff:
In the bulk sysmon modal, replace the incorrect field
profile.interval_secondswith the correct field
profile.sample_intervalto display the profile's intervaland prevent a runtime error.
web-ng/lib/serviceradar_web_ng_web/live/device_live/index.ex [771-777]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 8
__
Why: The suggestion correctly identifies the use of a non-existent field (
interval_seconds) which would cause a runtime error, and provides the correct field name (sample_interval).Enforce a single default profile
Implement a custom Ash change to enforce a single default sysmon profile per
tenant by unsetting the current default before setting a new one.
elixir/serviceradar_core/lib/serviceradar/sysmon_profiles/sysmon_profile.ex [130-139]
Suggestion importance[1-10]: 8
__
Why: The suggestion correctly identifies a data integrity issue where multiple default profiles could exist for a tenant and provides a robust solution using a custom
Ash.Resource.Change, which aligns with the developer's intent noted in the code comments.Ensure agent-device linking on registration
Update the guard clause in
link_agent_to_device/4to handle cases where theagent's
device_uidisnil, ensuring the agent-device link is created on firstregistration.
elixir/serviceradar_core/lib/serviceradar/edge/agent_gateway_sync.ex [322-346]
Suggestion importance[1-10]: 8
__
Why: This suggestion identifies a subtle but critical bug where an agent would not be linked to a device on its initial registration because the guard clause doesn't account for a
nildevice_uid. The fix is correct and essential for the feature's functionality.✅
Prevent race condition during assignmentSuggestion Impact:
The commit did not implement the proposed upsert/update-or-create logic. Instead, it removed the direct device assignment functionality entirely (deleted the handle_event that performed assignments and removed load_device_assignment/assign_sysmon_profile_to_device/remove_device_sysmon_assignment plus the SysmonProfileAssignment alias). This eliminates the original delete+create race window by removing that code path rather than refactoring it.code diff:
Refactor
assign_sysmon_profile_to_device/3to perform an atomic upsertoperation. Instead of deleting and creating, update the existing assignment if
it exists, or create a new one if it does not, to prevent a potential race
condition.
web-ng/lib/serviceradar_web_ng_web/live/device_live/show.ex [2127-2152]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 7
__
Why: The suggestion correctly identifies a potential race condition and proposes a more robust upsert-style logic, which improves the atomicity and reliability of the operation.
Avoid silently ignoring invalid filters
Remove the
rescueblock inapply_filter/2to prevent silently ignoring invalidSRQL filters and to allow proper error propagation and logging.
elixir/serviceradar_core/lib/serviceradar/sysmon_profiles/srql_target_resolver.ex [177-191]
Suggestion importance[1-10]: 7
__
Why: The suggestion correctly points out that silently swallowing errors is poor practice and can lead to incorrect behavior. Removing the
rescueblock improves error handling by leveraging the existing error logging in the calling function, making debugging easier.Allow disabling sysmon via remote config
Update
applySysmonConfigto reconfigure thesysmonservice even whenprotoConfig.Enabledisfalse, allowing the service to be disabled remotely.pkg/agent/push_loop.go [1028-1071]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 7
__
Why: The suggestion correctly points out that the service cannot be disabled via remote configuration, which is a logical flaw in the implementation. Fixing this improves the remote management capability of the feature.
✅
Allow modal close clicksSuggestion Impact:
The PR did not implement the suggested wrapper removals. Instead, it removed the entire bulk sysmon modal UI and its related LiveView event handlers, which eliminates the problematic usage by deleting the feature/component altogether.code diff:
Remove the
wrappers from the modal's close button andbackdrop to ensure their
phx-click="close_bulk_sysmon_modal"events are handledby LiveView.
web-ng/lib/serviceradar_web_ng_web/live/device_live/index.ex [735-800]
[To ensure code accuracy, apply this suggestion manually]Suggestion importance[1-10]: 7
__
Why: The suggestion correctly identifies that wrapping buttons with
phx-clickinside a<form method="dialog">will break the LiveView event handling, and the proposed fix is correct.Prioritize custom config directory first
**Modify
loadCon...