feat: adding falco deployment automation #3010

Merged
mfreeman451 merged 1 commit from refs/pull/3010/head into staging 2026-03-03 06:21:21 +00:00
mfreeman451 commented 2026-03-03 06:18:42 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #2984
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2984
Original created: 2026-03-03T06:18:42Z
Original updated: 2026-03-03T06:25:26Z
Original head: carverauto/serviceradar:chore/setup-falco-k8s
Original base: staging
Original merged: 2026-03-03T06:21:21Z by @mfreeman451

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?
qodo-code-review[bot] commented 2026-03-03 06:19:04 +00:00 (Migrated from github.com)

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2984#issuecomment-3988916592
Original created: 2026-03-03T06:19:04Z

Review Summary by Qodo

Add Falcosidekick collector type for Falco runtime security event streaming

✨ Enhancement


Walkthroughs

Description
• Add Falcosidekick collector type for Falco runtime security event ingestion
• Extend collector package provisioning with Falcosidekick NATS permissions
• Generate Falcosidekick-specific Helm values and deployment scripts
• Add comprehensive documentation for Falco integration setup
Diagram
flowchart LR
  A["Falco DaemonSet"] -->|HTTP events| B["Falcosidekick Pod"]
  B -->|NATS mTLS| C["NATS JetStream"]
  C -->|events.falco.>| D["ServiceRadar Pipeline"]
  E["CollectorPackage"] -->|provisions| F["NATS JWT Credentials"]
  F -->|bundled| B
  G["Helm Values Generator"] -->|creates| H["falcosidekick.yaml"]
  H -->|configures| B

File Changes

1. elixir/serviceradar_core/lib/serviceradar/edge/collector_package.ex (✨ Enhancement, +4/-2): Add falcosidekick to collector type constraints
2. elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex (✨ Enhancement, +6/-0): Add NATS permissions for falcosidekick collector
3. elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex (✨ Enhancement, +270/-16): Generate Falcosidekick-specific bundle with Helm values
4. elixir/web-ng/lib/serviceradar_web_ng_web/controllers/api/collector_controller.ex (✨ Enhancement, +3/-2): Add falcosidekick to API collector type validation
5. elixir/web-ng/lib/serviceradar_web_ng_web/controllers/api/collector_enroll_controller.ex (✨ Enhancement, +8/-0): Add default configuration for falcosidekick enrollment
6. elixir/web-ng/lib/serviceradar_web_ng_web/live/admin/collector_live/index.ex (✨ Enhancement, +5/-2): Add Falcosidekick to UI collector type dropdown
7. docs/docs/falco-integration.md (📝 Documentation, +235/-0): Comprehensive Falco integration setup and troubleshooting guide
8. docs/docs/falco.md (📝 Documentation, +174/-0): Detailed Falcosidekick deployment with NATS and OTLP configuration
9. docs/sidebars.ts (📝 Documentation, +1/-0): Add Falco integration to documentation navigation
10. go/cmd/wasm-plugins/dusk-checker/go.sum (Dependencies, +2/-0): Add serviceradar-sdk-go dependency
11. openspec/changes/add-falco-nats-integration/design.md (📝 Documentation, +153/-0): Design document for Falco NATS integration architecture
12. openspec/changes/add-falco-nats-integration/proposal.md (📝 Documentation, +98/-0): Proposal for Falco runtime security event ingestion
13. openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md (📝 Documentation, +96/-0): Formal specification with requirements and scenarios
14. openspec/changes/add-falco-nats-integration/tasks.md (📝 Documentation, +78/-0): Implementation tasks and dependency graph
15. openspec/changes/add-falco-nats-integration/upstream-patch/README.md (📝 Documentation, +27/-0): Documentation for upstream Falcosidekick patch files
16. openspec/changes/add-falco-nats-integration/upstream-patch/config.go.patch (📝 Documentation, +10/-0): Patch for Falcosidekick config to support credsfile
17. openspec/changes/add-falco-nats-integration/upstream-patch/config_example.yaml.patch (📝 Documentation, +11/-0): Patch for Falcosidekick example config with new fields
18. openspec/changes/add-falco-nats-integration/upstream-patch/nats-docs.md.patch (📝 Documentation, +17/-0): Patch for Falcosidekick NATS output documentation
19. openspec/changes/add-falco-nats-integration/upstream-patch/nats.go.patch (📝 Documentation, +28/-0): Patch for Falcosidekick NATS client connection logic
20. openspec/changes/add-falco-nats-integration/upstream-patch/types.go.patch (📝 Documentation, +11/-0): Patch for Falcosidekick NATS config struct fields
qodo-code-review[bot] commented 2026-03-03 06:19:05 +00:00 (Migrated from github.com)

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2984#issuecomment-3988916630
Original created: 2026-03-03T06:19:05Z

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (2) 📎 Requirement gaps (0)

Action required
1. Non-ASCII diagram characters 📘 Rule violation ✓ Correctness
Description
docs/docs/falco-integration.md includes non-ASCII box-drawing characters, violating the repository
requirement that Markdown be ASCII-only. This can break tooling or rendering expectations that
assume ASCII.
Code

docs/docs/falco-integration.md[R14-20]

+┌─────────┐     ┌───────────────┐     ┌──────────────────┐     ┌──────────────┐
+│  Falco   │────▶│ Falcosidekick │────▶│ NATS JetStream   │────▶│ ServiceRadar │
+│ DaemonSet│     │  (Helm)       │     │ falco.>           │     │  Pipeline    │
+└─────────┘     └───────────────┘     └──────────────────┘     └──────────────┘
+                  │
+                  └──▶ OTLP Metrics ──▶ ServiceRadar Log Collector
+```
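Review bot: the diagram documents the wrong subject as well as the wrong character set: the NATS JetStream box reads `falco.>` while the provisioned publish permission for this collector is `events.falco.>`, so when the box-drawing is redrawn in ASCII, also change the label to the `events.falco.` namespace, otherwise the doc teaches operators to subscribe to a namespace the collector is never allowed to publish into.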
Evidence
PR Compliance ID 4 requires Markdown to be ASCII-only; the added architecture diagram uses non-ASCII
box drawing and arrow characters in the new doc.

AGENTS.md
docs/docs/falco-integration.md[14-20]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`docs/docs/falco-integration.md` contains non-ASCII characters (box drawing / arrow glyphs). The compliance rule requires Markdown to be ASCII-only.

## Issue Context
The architecture diagram uses Unicode box-drawing characters and arrow symbols; these should be replaced with ASCII characters (e.g., `+`, `-`, `|`, `>`), or rewritten as a simple bullet list.

## Fix Focus Areas
- docs/docs/falco-integration.md[14-20]



2. Falco subject mismatch 🐞 Bug ✓ Correctness
Description
The generated Falcosidekick Helm values default to publishing on falco.<priority>.<rule>, but the
provisioned NATS permissions (and enroll defaults/spec) are scoped to events.falco.*. This will
cause publish authorization failures and/or downstream consumers subscribing to events.falco.* to
miss events.
Code

elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[R340-365]

+    subject_template =
+      get_in(package.config_overrides, ["subject_template"]) || "falco.<priority>.<rule>"
+
+    otlp_endpoint =
+      get_in(package.config_overrides, ["otlp_endpoint"]) || "https://serviceradar-log-collector:4317"
+
+    """
+    # Falcosidekick Helm Values for ServiceRadar
+    # Package ID: #{package.id}
+    # Site: #{package.site || "default"}
+    # Generated: #{DateTime.utc_now() |> DateTime.to_iso8601()}
+    #
+    # Usage:
+    #   helm upgrade -n #{namespace} #{release_name} falcosecurity/falcosidekick \\
+    #     -f falcosidekick.yaml
+    #
+    # Or run the included deploy.sh script which creates the k8s secret
+    # and runs helm upgrade for you.
+
+    config:
+      nats:
+        hostport: "#{nats_url}"
+        mutualtls: true
+        checkcert: true
+        subjecttemplate: "#{subject_template}"
+        minimumpriority: "debug"
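Review bot: `subject_template` and `nats_url` are interpolated into double-quoted YAML scalars with no escaping, and `subject_template` is taken straight from `package.config_overrides`, so an override containing `"` or a newline breaks the generated values file (and a newline in `package.site` turns the `# Site:` comment into a new YAML key). Validate overrides at generation time instead of at publish time: restrict the template to subject-safe characters and require it to start with the `events.falco.` prefix the provisioner grants, because a publish outside the allowed namespace does not fail at the call site; the server reports a permissions violation asynchronously and the event is simply dropped.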
Evidence
Provisioning scopes Falcosidekick credentials to subjects prefixed with events.falco, while the
bundle generator and docs default to a different subject namespace (falco.*). With NATS subject
permissions, a publish to falco.* is not permitted by events.falco.> and is also inconsistent
with the enrollment defaults/spec which call out events.falco.raw.

elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex[214-218]
elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[340-365]
elixir/web-ng/lib/serviceradar_web_ng_web/controllers/api/collector_enroll_controller.ex[292-297]
openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md[13-20]
openspec/changes/add-falco-nats-integration/proposal.md[60-77]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Falcosidekick is provisioned with NATS publish permissions for `events.falco.>`, but the generated Helm values default to publishing on `falco.<priority>.<rule>`. This mismatch will break publishing under subject-scoped permissions and will also confuse verification/consumption.

### Issue Context
The repo's OpenSpec and enrollment defaults both describe `events.falco.raw` as the canonical subject. The bundle generator should default to that (or to an `events.falco.<priority>.<rule>` template) so the out-of-the-box bundle works with provisioned permissions.

### Fix Focus Areas
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[340-365]
- elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex[214-218]
- elixir/web-ng/lib/serviceradar_web_ng_web/controllers/api/collector_enroll_controller.ex[292-297]
- openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md[13-27]
- openspec/changes/add-falco-nats-integration/proposal.md[60-77]
- docs/docs/falco-integration.md[24-25] (verification subjects)



3. Missing NATS creds wiring 🐞 Bug ⛯ Reliability
Description
The Falcosidekick bundle includes creds/nats.creds, but the Helm values and deploy script never
mount or reference it. In JWT .creds auth mode (used elsewhere in this repo and required by the
OpenSpec), Falcosidekick will fail to authenticate to NATS.
Code

elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[R359-391]

+    config:
+      nats:
+        hostport: "#{nats_url}"
+        mutualtls: true
+        checkcert: true
+        subjecttemplate: "#{subject_template}"
+        minimumpriority: "debug"
+      tlsclient:
+        cacertfile: /etc/serviceradar/certs/ca-chain.pem
+      mutualtlsclient:
+        cacertfile: /etc/serviceradar/certs/ca-chain.pem
+        certfile: /etc/serviceradar/certs/client.pem
+        keyfile: /etc/serviceradar/certs/client-key.pem
+      otlp:
+        metrics:
+          endpoint: "#{otlp_endpoint}"
+          protocol: grpc
+          checkcert: true
+          minimumpriority: "debug"
+          extraenvvars:
+            OTEL_EXPORTER_OTLP_METRICS_CERTIFICATE: /etc/serviceradar/certs/ca-chain.pem
+            OTEL_EXPORTER_OTLP_METRICS_CLIENT_CERTIFICATE: /etc/serviceradar/certs/client.pem
+            OTEL_EXPORTER_OTLP_METRICS_CLIENT_KEY: /etc/serviceradar/certs/client-key.pem
+
+    extraVolumes:
+      - name: serviceradar-certs
+        secret:
+          secretName: serviceradar-falcosidekick-certs
+
+    extraVolumeMounts:
+      - name: serviceradar-certs
+        mountPath: /etc/serviceradar/certs
+        readOnly: true
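Review bot: beyond the missing `credsfile` and creds mount, `minimumpriority: "debug"` on both the NATS and the OTLP output forwards every Falco event down to debug/informational rules; on a busy cluster that is a large volume into JetStream, so a default such as `notice` with an override for operators who want everything would be safer. The cert volume is mounted `readOnly: true`, which is right; when the creds volume is added, give it the same treatment and keep the `.creds` in a separate secret from `serviceradar-falcosidekick-certs` so the TLS material and the JWT credential can be rotated independently.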
Evidence
The bundle generator explicitly packages a .creds file, and other collectors’ configs require it
for NATS auth. However, the Falcosidekick Helm values only mount certs and the deploy script only
creates a cert secret; there is no volume/mount for creds and no config.nats.credsfile pointing
Falcosidekick to the .creds file.

elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[64-78]
elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[359-391]
elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[439-446]
elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[172-184]
openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md[5-20]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The generated Falcosidekick package includes `creds/nats.creds` but the Helm values + deploy.sh never mount it or configure Falcosidekick to use it. In JWT `.creds` auth deployments, Falcosidekick won’t be able to authenticate to NATS.

### Issue Context
Other collectors in this repo configure `nats_creds_file` / `creds_file` and the OpenSpec requires `.creds` auth for Falcosidekick.

### Fix Focus Areas
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[64-78]
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[359-391]
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[439-446]
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[172-184]
- openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md[5-20]




Remediation recommended
4. go.sum updated without go.mod 📘 Rule violation ⛯ Reliability
Description
A new Go dependency (github.com/carverauto/serviceradar-sdk-go v0.1.1) is added to go.sum but
this PR does not show corresponding go.mod (and Bazel module) updates. This can make dependency
resolution non-reproducible across toolchains.
Code

go/cmd/wasm-plugins/dusk-checker/go.sum[R1-2]

+github.com/carverauto/serviceradar-sdk-go v0.1.1 h1:e+QY6DkPHAF3GyxfO9fLlLdpAeFEPqsKi2hAZAvSJIk=
+github.com/carverauto/serviceradar-sdk-go v0.1.1/go.mod h1:tMMF+WXki1H+nh+soQlNcgb2yZmiUSeZuTmuj/wwdq0=
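Review bot: this go.sum change sits in `go/cmd/wasm-plugins/dusk-checker`, which nothing else in a Falco/Falcosidekick PR touches, so it looks like a stray artifact of a local `go get` rather than a dependency this change needs. Either drop it or split it into its own change with the matching `go.mod` (and Bazel) update; running `go mod tidy` in that directory will show whether the entry is actually required.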
Evidence
PR Compliance ID 2 requires updating go.mod and (when applicable) Bazel module files when
introducing Go dependencies. The diff shows a new module hash added to go.sum, indicating a
dependency change that should be reflected in module/Bazel manifests.

AGENTS.md
go/cmd/wasm-plugins/dusk-checker/go.sum[1-2]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
A new Go dependency appears in `go.sum`, but the PR does not show accompanying `go.mod` (and Bazel MODULE) updates required for reproducible dependency management.

## Issue Context
`go.sum` entries typically correspond to dependencies declared/resolved via `go.mod`. If Bazel module/dependency tracking is used for this area, the corresponding MODULE files may also require updates.

## Fix Focus Areas
- go/cmd/wasm-plugins/dusk-checker/go.sum[1-2]



5. No _INBOX permission 🐞 Bug ⛯ Reliability
Description
Falcosidekick credentials are provisioned with subscribe_allow: [], but the OpenSpec requires
_INBOX.> subscriptions. If Falcosidekick uses request/reply patterns (common for acks or
request-based APIs), it may fail at runtime due to missing inbox permissions.
Code

elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex[R214-218]

+      :falcosidekick ->
+        %{
+          publish_allow: ["events.falco.>"],
+          subscribe_allow: []
+        }
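Review bot: `subscribe_allow: []` is the correct least-privilege default for a publish-only collector, but two things need checking before it is kept. First, the concrete reason the spec asks for `_INBOX.>` is JetStream: if the Falcosidekick NATS output publishes with a JetStream publish (waiting for a PubAck), the ack arrives request/reply style on the client's inbox and every publish will time out without subscribe permission on that prefix; if it uses a core publish into a stream-captured subject, no ack is returned and the empty list is fine. Second, confirm how an empty list is encoded in the user JWT: nats-server treats a user claim with neither allow nor deny entries as unrestricted, so an empty list may need to become an explicit deny on `>` (if the provisioner supports a deny list) to mean what this code reads as "no subscriptions".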
Evidence
The implementation explicitly forbids all subscriptions for the falcosidekick collector type. The
spec/proposal in-repo calls out _INBOX.> subscription permission as a requirement for this
collector type, so the provisioning logic does not meet the documented contract.

elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex[214-218]
openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md[50-54]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Falcosidekick provisioning currently disallows all subscriptions. The in-repo OpenSpec requires `_INBOX.>` subscription permission for this collector type.

### Issue Context
Even if Falcosidekick currently only publishes, allowing `_INBOX.>` is typically needed for request/reply patterns and aligns provisioning with the documented spec.

### Fix Focus Areas
- elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex[214-218]
- openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md[50-54]



Grey Divider
ⓘ The new review experience is currently in Beta. Learn more
Grey Divider

Qodo Logo

qodo-code-review[bot] commented 2026-03-03 06:25:26 +00:00 (Migrated from github.com)

Imported GitHub PR review comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2984#discussion_r2876351714
Original created: 2026-03-03T06:25:26Z
Original path: docs/docs/falco-integration.md
Original line: 20

Action required

1. Non-ASCII diagram characters 📘 Rule violation ✓ Correctness

docs/docs/falco-integration.md includes non-ASCII box-drawing characters, violating the repository
requirement that Markdown be ASCII-only. This can break tooling or rendering expectations that
assume ASCII.
Agent Prompt
## Issue description
`docs/docs/falco-integration.md` contains non-ASCII characters (box drawing / arrow glyphs). The compliance rule requires Markdown to be ASCII-only.

## Issue Context
The architecture diagram uses Unicode box-drawing characters and arrow symbols; these should be replaced with ASCII characters (e.g., `+`, `-`, `|`, `>`), or rewritten as a simple bullet list.

## Fix Focus Areas
- docs/docs/falco-integration.md[14-20]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

qodo-code-review[bot] commented 2026-03-03 06:25:26 +00:00 (Migrated from github.com)

Imported GitHub PR review comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2984#discussion_r2876351715
Original created: 2026-03-03T06:25:26Z
Original path: elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex
Original line: 365

Action required

2. Falco subject mismatch 🐞 Bug ✓ Correctness

The generated Falcosidekick Helm values default to publishing on falco.<priority>.<rule>, but the
provisioned NATS permissions (and enroll defaults/spec) are scoped to events.falco.*. This will
cause publish authorization failures and/or downstream consumers subscribing to events.falco.* to
miss events.
Agent Prompt
### Issue description
Falcosidekick is provisioned with NATS publish permissions for `events.falco.>`, but the generated Helm values default to publishing on `falco.<priority>.<rule>`. This mismatch will break publishing under subject-scoped permissions and will also confuse verification/consumption.

### Issue Context
The repo’s OpenSpec and enrollment defaults both describe `events.falco.raw` as the canonical subject. The bundle generator should default to that (or to an `events.falco.<priority>.<rule>` template) so the out-of-the-box bundle works with provisioned permissions.

### Fix Focus Areas
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[340-365]
- elixir/serviceradar_core/lib/serviceradar/edge/workers/provision_collector_worker.ex[214-218]
- elixir/web-ng/lib/serviceradar_web_ng_web/controllers/api/collector_enroll_controller.ex[292-297]
- openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md[13-27]
- openspec/changes/add-falco-nats-integration/proposal.md[60-77]
- docs/docs/falco-integration.md[24-25] (verification subjects)

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

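To make the subject/permission mismatch described in the comment above concrete, here is an added example (it is not ServiceRadar or Falcosidekick code): a small NATS subject matcher implementing the documented `*` and `>` token semantics, applied to the subjects that the default `falco.<priority>.<rule>` template would produce, checked against the `events.falco.>` publish allow list the review says provisioning grants. The placeholder expansion (priority lowercased, rule name lowercased with spaces replaced by underscores), the `NatsPermissions` shape and the sample alerts are assumptions constructed for the example.

```python
"""Added example (not ServiceRadar or Falcosidekick code): check whether the
subjects a Falcosidekick NATS output would publish on are permitted by the
NATS publish permissions the review describes for the falcosidekick identity."""

from dataclasses import dataclass, field


def nats_subject_matches(pattern: str, subject: str) -> bool:
    """Match a subject against a NATS permission pattern.

    NATS semantics: tokens are '.'-separated, '*' matches exactly one token,
    and '>' (valid only as the final token) matches one or more remaining
    tokens. So 'events.falco.>' covers 'events.falco.raw' but neither
    'events.falco' itself nor 'falco.critical.some_rule'.
    """
    ptoks = pattern.split(".")
    stoks = subject.split(".")
    for i, ptok in enumerate(ptoks):
        if ptok == ">":
            # '>' must be the last pattern token and needs >= 1 subject token left
            return i == len(ptoks) - 1 and len(stoks) > i
        if i >= len(stoks):
            return False
        if ptok != "*" and ptok != stoks[i]:
            return False
    return len(stoks) == len(ptoks)


@dataclass
class NatsPermissions:
    """Publish/subscribe allow lists, in the shape the review quotes (assumed)."""
    publish_allow: list = field(default_factory=list)
    subscribe_allow: list = field(default_factory=list)

    def can_publish(self, subject: str) -> bool:
        return any(nats_subject_matches(p, subject) for p in self.publish_allow)

    def can_subscribe(self, subject: str) -> bool:
        return any(nats_subject_matches(p, subject) for p in self.subscribe_allow)


def expand_subject_template(template: str, priority: str, rule: str) -> str:
    """Expand the <priority> and <rule> placeholders of a subject template.

    Assumption: the priority is lowercased and the rule name is lowercased with
    spaces replaced by underscores. This approximates Falcosidekick's
    substitution for illustration; it does not call Falcosidekick's code.
    """
    return (template
            .replace("<priority>", priority.lower())
            .replace("<rule>", rule.lower().replace(" ", "_")))


# Constructed sample alerts (priority, rule name); not real events from any cluster.
SAMPLE_ALERTS = [
    ("Critical", "Terminal shell in container"),
    ("Warning", "Write below etc"),
    ("Notice", "Contact K8S API Server From Container"),
]

# Permissions as the review describes the provisioned falcosidekick identity.
FALCOSIDEKICK_PERMS = NatsPermissions(publish_allow=["events.falco.>"],
                                      subscribe_allow=[])


def denied_subjects(template: str, perms: NatsPermissions, alerts=SAMPLE_ALERTS) -> list:
    """Return (sorted) the expanded subjects the publish permissions would reject."""
    subjects = {expand_subject_template(template, p, r) for p, r in alerts}
    return sorted(s for s in subjects if not perms.can_publish(s))


if __name__ == "__main__":
    for tmpl in ("falco.<priority>.<rule>",
                 "events.falco.<priority>.<rule>",
                 "events.falco.raw"):
        denied = denied_subjects(tmpl, FALCOSIDEKICK_PERMS)
        status = "OK" if not denied else "DENIED " + ", ".join(denied)
        print(f"{tmpl}: {status}")
```

Run as a script, the default template is reported as denied for every sample alert, while both `events.falco.raw` and an `events.falco.<priority>.<rule>` template pass, which is the point the review makes: a permission-scoped identity silently loses every event when the output's subject namespace does not sit under the allow list. The same matcher can be pointed at `subscribe_allow` to confirm that an empty list also denies `_INBOX.>`.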
qodo-code-review[bot] commented 2026-03-03 06:25:26 +00:00 (Migrated from github.com)

Imported GitHub PR review comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2984#discussion_r2876351716
Original created: 2026-03-03T06:25:26Z
Original path: elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex
Original line: 391

Action required

3. Missing NATS creds wiring 🐞 Bug ⛯ Reliability

The Falcosidekick bundle includes creds/nats.creds, but the Helm values and deploy script never
mount or reference it. In JWT .creds auth mode (used elsewhere in this repo and required by the
OpenSpec), Falcosidekick will fail to authenticate to NATS.
Agent Prompt
### Issue description
The generated Falcosidekick package includes `creds/nats.creds` but the Helm values + deploy.sh never mount it or configure Falcosidekick to use it. In JWT `.creds` auth deployments, Falcosidekick won’t be able to authenticate to NATS.

### Issue Context
Other collectors in this repo configure `nats_creds_file` / `creds_file` and the OpenSpec requires `.creds` auth for Falcosidekick.

### Fix Focus Areas
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[64-78]
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[359-391]
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[439-446]
- elixir/web-ng/lib/serviceradar_web_ng/edge/collector_bundle_generator.ex[172-184]
- openspec/changes/add-falco-nats-integration/specs/falco-nats-ingestion/spec.md[5-20]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools
