chore: Configure Renovate#3
Merged
Merged
Conversation
Contributor
Author
Renovate is disabledRenovate is disabled because there is no Renovate configuration file. To enable Renovate, you can either (a) change this PR's title to get a new onboarding PR, and merge the new onboarding PR, or (b) create a Renovate config file, and commit that file to your base branch. |
aksOps
added a commit
that referenced
this pull request
Apr 25, 2026
…isolation Reviewer (cf5145d8) requested three changes on commit c839460. Addresses each with verified failure-on-regression checks. #1 — Cross-tenant boot hydration of vector index Previously main.go hydrated the index via repo.GetLogsV2(appCtx, ...) which is tenant-scoped to whatever tenant ctx carries — appCtx has none, so only the default tenant's rows reloaded after restart and find_similar_logs was cold for every other tenant until fresh ERROR logs landed. The new tenant-aware vectorIdx.Add(..., l.TenantID, ...) didn't fix it because the non-default rows were never fetched. - internal/storage/log_repo.go: new ListRecentHighSeverityLogsAllTenants — explicitly cross-tenant administrative read used only by hydration. Each row carries its own TenantID; fan-out happens in the caller. - main.go: hydration now uses the new method so every tenant's warm index survives a restart. - internal/vectordb/index.go: tenant-aware FIFO eviction. At cap, drop up to maxSize/10 of the inserting tenant's oldest rows so a noisy tenant cannot evict another tenant's warm rows (availability isolation; confidentiality is still enforced by doc.Tenant filtering in Search). Brand-new tenants drop one globally-oldest row to claim a first slot. #2 — root_cause_analysis assertion was vacuous internal/mcp/tenant_isolation_test.go:434 passed an empty ownMarker to assertNoLeak, so the merge gate would still pass if the tool regressed to returning [] for every tenant. Now passes ownService (RankedCause carries Service so it must appear in a non-empty response). Verified by sabotaging the handler to return a nil slice — the assertion fails with 'expected own marker "acme-orders" in response, body=null' as designed, then reverted. #3 — Drain cluster-id test didn't actually compare cluster IDs The previous test reused seedTenant (per-tenant service names) and only scanned response text, so a regression that surfaced the same cluster row across tenants would still pass. Rewritten to: - Use one shared service name across both tenants so Drain produces colliding (service, templateID) keys — the SignalStore partition is the only thing keeping rows separate. - Inspect the actual []graphrag.LogClusterNode returned by CorrelatedSignals (not just response text), checking Template + SampleLog content for own-marker presence and foreign-marker absence. - Log the per-tenant cluster IDs so future refactors that change the ID scheme leave a visible audit trail. - End-to-end probe via the MCP HTTP surface remains, asserting the same isolation reaches clients. RAN-20 supporting tests internal/vectordb/index_test.go, internal/api/similar_handler_test.go, internal/mcp/tools_ran20_test.go cover vectordb tenant scoping at three layers (in-memory, REST handler, MCP tool). They were sitting untracked on the branch from the parallel RAN-20 work; bundling them so the follow-up vectordb behavior added here is covered. Verified: - go vet ./... clean - go test ./... clean (full repo) - go test -race ./internal/{mcp,graphrag,vectordb,api}/... clean Co-Authored-By: Paperclip <noreply@paperclip.ing>
aksOps
added a commit
that referenced
this pull request
Apr 25, 2026
…N-20) (#31) * feat(mcp): tenant ctx through GraphRAG handlers + merge-gate isolation test (RAN-39) Threads the tenant resolved by the MCP transport (X-Tenant-ID header → ctx) into every GraphRAG-backed tool handler and adds the merge-gate integration test that asserts cross-tenant isolation for the full GraphRAG-backed MCP surface. mcp/tools.go - get_system_graph and get_service_health now accept ctx and route through GraphRAG.ServiceMap / AllServiceEdges so they pick up RAN-37's per-tenant in-memory partitioning. Legacy svcGraph remains as a fallback path only when GraphRAG isn't wired (boot windows, future test harnesses). - All other GraphRAG handlers were already ctx-threaded after RAN-37/38; no behavior change for those. vectordb/index.go (+ main.go, api/similar_handler.go) - vectordb.Index.Add and Search now take a tenant string; LogVector and SearchResult carry the tenant tag and Search filters by it. RAN-37 already added tenant args at the call sites in graphrag/clustering.go and mcp/tools.go but the matching vectordb signature change had not landed, leaving the branch unbuildable. This closes that gap with the smallest surgical change; the broader vectordb rework remains RAN-20. - main.go now passes l.TenantID into vectorIdx.Add on hydration and the live ingest hook; api/similar_handler resolves tenant from the request context before searching. graphrag/builder.go - New RegisterAnomaly(tenant, AnomalyNode) — small public API symmetric with PersistInvestigation, used by the new isolation test to seed per-tenant anomalies without depending on the throttled detector loop. mcp/tenant_isolation_test.go - Stands up an in-process MCP server (httptest) wired to GraphRAG over in-memory SQLite, seeds three tenants (acme, beta, default) with overlapping service_name / trace_id / span_id / Drain template / log body / snapshot, and exercises every GraphRAG-backed tool — get_service_map, get_service_health, get_error_chains, trace_graph, impact_analysis, root_cause_analysis, correlated_signals, get_anomaly_timeline, get_investigations, get_investigation (own + cross-tenant id-guess), get_graph_snapshot, find_similar_logs, get_system_graph — three times each (X-Tenant-ID acme, X-Tenant-ID beta, no header → DefaultTenantID). Each response is scanned for the caller's own tenant marker and for any other seeded tenant's marker (service name, log body, op name, anomaly evidence, snapshot id) to prove no cross-tenant leak. Verified: go vet ./... clean; go test ./... clean; go test -race ./internal/{mcp,graphrag}/... clean. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(mcp,vectordb): RAN-39 reviewer follow-ups + RAN-20 vector tenant isolation Reviewer (cf5145d8) requested three changes on commit c839460. Addresses each with verified failure-on-regression checks. #1 — Cross-tenant boot hydration of vector index Previously main.go hydrated the index via repo.GetLogsV2(appCtx, ...) which is tenant-scoped to whatever tenant ctx carries — appCtx has none, so only the default tenant's rows reloaded after restart and find_similar_logs was cold for every other tenant until fresh ERROR logs landed. The new tenant-aware vectorIdx.Add(..., l.TenantID, ...) didn't fix it because the non-default rows were never fetched. - internal/storage/log_repo.go: new ListRecentHighSeverityLogsAllTenants — explicitly cross-tenant administrative read used only by hydration. Each row carries its own TenantID; fan-out happens in the caller. - main.go: hydration now uses the new method so every tenant's warm index survives a restart. - internal/vectordb/index.go: tenant-aware FIFO eviction. At cap, drop up to maxSize/10 of the inserting tenant's oldest rows so a noisy tenant cannot evict another tenant's warm rows (availability isolation; confidentiality is still enforced by doc.Tenant filtering in Search). Brand-new tenants drop one globally-oldest row to claim a first slot. #2 — root_cause_analysis assertion was vacuous internal/mcp/tenant_isolation_test.go:434 passed an empty ownMarker to assertNoLeak, so the merge gate would still pass if the tool regressed to returning [] for every tenant. Now passes ownService (RankedCause carries Service so it must appear in a non-empty response). Verified by sabotaging the handler to return a nil slice — the assertion fails with 'expected own marker "acme-orders" in response, body=null' as designed, then reverted. #3 — Drain cluster-id test didn't actually compare cluster IDs The previous test reused seedTenant (per-tenant service names) and only scanned response text, so a regression that surfaced the same cluster row across tenants would still pass. Rewritten to: - Use one shared service name across both tenants so Drain produces colliding (service, templateID) keys — the SignalStore partition is the only thing keeping rows separate. - Inspect the actual []graphrag.LogClusterNode returned by CorrelatedSignals (not just response text), checking Template + SampleLog content for own-marker presence and foreign-marker absence. - Log the per-tenant cluster IDs so future refactors that change the ID scheme leave a visible audit trail. - End-to-end probe via the MCP HTTP surface remains, asserting the same isolation reaches clients. RAN-20 supporting tests internal/vectordb/index_test.go, internal/api/similar_handler_test.go, internal/mcp/tools_ran20_test.go cover vectordb tenant scoping at three layers (in-memory, REST handler, MCP tool). They were sitting untracked on the branch from the parallel RAN-20 work; bundling them so the follow-up vectordb behavior added here is covered. Verified: - go vet ./... clean - go test ./... clean (full repo) - go test -race ./internal/{mcp,graphrag,vectordb,api}/... clean Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(mcp,graphrag): wire tenant from ctx into vectordb.Search call sites (RAN-20) The vectordb.Index.Search signature went tenant-aware in the prior commit but two call sites still used the legacy 2-arg form, leaving the branch unbuildable: - internal/mcp/tools.go: toolFindSimilarLogs had a TODO(RAN-20) marker and `_ = ctx`. Now resolves tenant via storage.TenantFromContext on mcpCtx(ctx) and passes it to Search. - internal/graphrag/clustering.go: SimilarErrors had the same TODO and `_ = ctx`. Now resolves tenant from the same ctx and passes it through. Both surfaces share the storage tenant-context idiom used everywhere else, so coercion rules (empty → DefaultTenantID) stay consistent. Verified: go build ./... clean, go vet ./... clean, go test -race ./internal/{vectordb,api,mcp,graphrag,storage}/... clean. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Welcome to Renovate! This is an onboarding PR to help you understand and configure settings before regular Pull Requests begin.
🚦 To activate Renovate, merge this Pull Request. To disable Renovate, simply close this Pull Request unmerged.
Detected Package Files
.github/workflows/audit.yml(github-actions).github/workflows/release.yml(github-actions)go.mod(gomod)web/package.json(npm)Configuration Summary
Based on the default config's presets, Renovate will:
fixfor dependencies andchorefor all others if semantic commits are in use.node_modules,bower_components,vendorand various test/tests (except for nuget) directories.🔡 Do you want to change how Renovate upgrades your dependencies? Add your custom config to
renovate.jsonin this branch. Renovate will update the Pull Request description the next time it runs.What to Expect
With your current configuration, Renovate will create 16 Pull Requests:
fix(deps): replace dependency framer-motion with motion
renovate/framer-motion-replacementmain^12.34.1chore(deps): update dependency framer-motion to v12.34.3
renovate/framer-motion-12.x-lockfilemain12.34.3chore(deps): update eslint monorepo to v9.39.3
renovate/eslint-monorepomain9.39.39.39.3chore(deps): update dependency eslint-plugin-react-refresh to ^0.5.0
renovate/eslint-plugin-react-refresh-0.xmain^0.5.0chore(deps): update dependency go to 1.26
renovate/go-1.xmain1.26fix(deps): update dependency lucide-react to ^0.575.0
renovate/lucide-monorepomain^0.575.0fix(deps): update module github.com/go-sql-driver/mysql to v1.9.3
renovate/github.com-go-sql-driver-mysql-1.xmainv1.9.3fix(deps): update module github.com/microsoft/go-mssqldb to v1.9.6
renovate/github.com-microsoft-go-mssqldb-1.xmainv1.9.6fix(deps): update module go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp to v0.65.0
renovate/opentelemetry-go-contrib-monorepomainv0.65.0fix(deps): update opentelemetry-go monorepo to v1.40.0
renovate/opentelemetry-go-monorepomainv1.40.0v1.40.0v1.40.0v1.40.0v1.40.0chore(deps): update actions/checkout action to v6
renovate/actions-checkout-6.xmainv6chore(deps): update actions/setup-go action to v6
renovate/actions-setup-go-6.xmainv6chore(deps): update actions/setup-node action to v6
renovate/actions-setup-node-6.xmainv6chore(deps): update dependency globals to v17
renovate/globals-17.xmain^17.0.0chore(deps): update dependency node to v24
renovate/node-24.xmain24chore(deps): update eslint monorepo to v10 (major)
renovate/major-eslint-monorepomain^10.0.0^10.0.0🚸 PR creation will be limited to maximum 2 per hour, so it doesn't swamp any CI resources or overwhelm the project. See docs for
prHourlyLimitfor details.❓ Got questions? Check out Renovate's Docs, particularly the Getting Started section.
If you need any further assistance then you can also request help here.
This PR was generated by Mend Renovate. View the repository job log.