feat: T7 default-on resourceContext + content search + log pipe primitives

internal/issues/issues.go

@@ -74,10 +74,17 @@ func Compose(p Provider, f Filters) []Issue {
 // severity desc, then last-seen desc, then kind/ns/name for stable
 // tiebreaks.
 func ComposeWithStats(p Provider, f Filters) ([]Issue, ComposeStats) {
+	// Negative Limit is the "uncapped" sentinel: callers that need the
+	// full matched set (per-resource issue indexes for /api/ai list +
+	// search summaryContext) pass NoLimit so a 5000-issue cluster
+	// doesn't silently drop counts for resources whose issues fall in
+	// the tail beyond MaxLimit. Zero still maps to DefaultLimit so the
+	// public /api/issues + MCP issues_list keep their tight caps.
+	uncapped := f.Limit < 0
 	if f.Limit == 0 {
 		f.Limit = DefaultLimit
 	}
-	if f.Limit > MaxLimit {
+	if !uncapped && f.Limit > MaxLimit {
 		f.Limit = MaxLimit
 	}
 
@@ -201,7 +208,7 @@ func ComposeWithStats(p Provider, f Filters) ([]Issue, ComposeStats) {
 		return out[i].Name < out[j].Name
 	})
 	stats.TotalMatched = len(out)
-	if len(out) > f.Limit {
+	if !uncapped && len(out) > f.Limit {
 		out = out[:f.Limit]
 	}
 	return out, stats
@@ -211,11 +218,24 @@ func ComposeWithStats(p Provider, f Filters) ([]Issue, ComposeStats) {
 // warning Issue for each object that has a False Ready/Available/etc.
 // condition. Skips kinds owned by curated checkers (Cluster API today)
 // to avoid double-reporting.
+//
+// When f.Kinds is non-empty (e.g. summaryContext building a per-resource
+// issue index for a list_resources call on a single kind), GVRs whose
+// kind isn't in the filter are skipped BEFORE the ListDynamic call —
+// without this gate, a pods-only request still scanned every watched
+// CRD up front and applyFilters discarded the rows afterward. Kind
+// comparison mirrors applyFilters: lowercase for case-insensitive
+// match against the user's filter (which itself is canonicalized to
+// the singular form upstream).
 func detectGenericCRDIssues(p Provider, f Filters) []Issue {
 	gvrs := p.WatchedDynamic()
 	if len(gvrs) == 0 {
 		return nil
 	}
+	wantKind := map[string]bool{}
+	for _, k := range f.Kinds {
+		wantKind[strings.ToLower(k)] = true
+	}
 	var out []Issue
 	for _, gvr := range gvrs {
 		if isCuratedCRDGroup(gvr.Group) {
@@ -225,6 +245,15 @@ func detectGenericCRDIssues(p Provider, f Filters) []Issue {
 		if kind == "" {
 			continue
 		}
+		// applyFilters runs after Compose returns — but on hot paths that
+		// pin a single kind (summaryContext per-row index), routing the
+		// kind filter through here skips the per-GVR ListDynamic call
+		// entirely. Match in lowercase (same as applyFilters) so
+		// "Pod"/"pod" and CRD-typed "MyResource"/"myresource" both
+		// compare equal.
+		if len(wantKind) > 0 && !wantKind[strings.ToLower(kind)] {
+			continue
+		}
 		clusterScoped, _, _ := classifyDynamicScope(p, gvr, kind)
 		if clusterScoped && f.CanReadClusterScoped != nil && !f.CanReadClusterScoped(kind, gvr.Group) {
 			continue
@@ -303,6 +332,21 @@ func condTypeReason(condType, reason string) string {
 // Source-specific normalization
 // ---------------------------------------------------------------------------
 
+// resolveGroup returns the explicit group if set, else falls back to the
+// built-in (Kind→Group) table. Some legacy Problem emission sites in
+// k8s.DetectProblems still leave Group="" for built-in workloads
+// (Deployment, StatefulSet, etc.) — without this fallback, the
+// group-aware consumer (computeIssueSummaryForResource) would silently
+// drop those rows when looking up by canonical group like "apps".
+// Centralised here so the (Kind→Group) map lives in one place across
+// packages (pkg/audit owns the table; this is a pass-through).
+func resolveGroup(group, kind string) string {
+	if group != "" {
+		return group
+	}
+	return bp.GroupForBuiltinKind(kind)
+}
+
 func fromProblem(p k8s.Problem, now time.Time) Issue {
 	sev := SeverityWarning
 	if p.Severity == "critical" {
@@ -313,7 +357,7 @@ func fromProblem(p k8s.Problem, now time.Time) Issue {
 		Severity:  sev,
 		Source:    SourceProblem,
 		Kind:      p.Kind,
-		Group:     p.Group,
+		Group:     resolveGroup(p.Group, p.Kind),
 		Namespace: p.Namespace,
 		Name:      p.Name,
 		Reason:    p.Reason,
@@ -333,6 +377,7 @@ func fromAudit(fin bp.Finding, now time.Time) Issue {
 		Severity:  sev,
 		Source:    SourceAudit,
 		Kind:      fin.Kind,
+		Group:     resolveGroup(fin.Group, fin.Kind),
 		Namespace: fin.Namespace,
 		Name:      fin.Name,
 		Reason:    fin.CheckID,
@@ -413,10 +458,19 @@ func fromWarningEvent(e *corev1.Event) Issue {
 	if first.IsZero() {
 		first = last
 	}
+	// Event.InvolvedObject carries apiVersion (group/version); split out
+	// the group so cross-group consumers don't collide when a Knative
+	// Service and a core Service share name+ns.
+	group, _, _ := strings.Cut(e.InvolvedObject.APIVersion, "/")
+	if e.InvolvedObject.APIVersion != "" && !strings.Contains(e.InvolvedObject.APIVersion, "/") {
+		// "v1" → core group "".
+		group = ""
+	}
 	return Issue{
 		Severity:  SeverityWarning,
 		Source:    SourceEvent,
 		Kind:      e.InvolvedObject.Kind,
+		Group:     resolveGroup(group, e.InvolvedObject.Kind),
 		Namespace: e.Namespace,
 		Name:      e.InvolvedObject.Name,
 		Reason:    e.Reason,

internal/issues/issues_test.go

@@ -622,3 +622,87 @@ func TestFlattenNamespacedProblems_EmptyInputReturnsNil(t *testing.T) {
 		t.Errorf("empty input should produce empty output, got %+v", out)
 	}
 }
+
+// countingProvider wraps fakeProvider and tallies ListDynamic calls per
+// GVR. Used by TestDetectGenericCRDIssues_SkipsListWhenKindFiltered to
+// pin that detectGenericCRDIssues short-circuits the per-GVR
+// ListDynamic call when f.Kinds excludes the GVR's kind — on clusters
+// with hundreds of watched CRDs, scanning every one for a pods-only
+// summaryContext request was the dominant cost.
+type countingProvider struct {
+	fakeProvider
+	listCalls map[schema.GroupVersionResource]int
+}
+
+func (c *countingProvider) ListDynamic(gvr schema.GroupVersionResource, ns string) ([]*unstructured.Unstructured, error) {
+	if c.listCalls == nil {
+		c.listCalls = map[schema.GroupVersionResource]int{}
+	}
+	c.listCalls[gvr]++
+	return c.fakeProvider.ListDynamic(gvr, ns)
+}
+
+// TestDetectGenericCRDIssues_SkipsListWhenKindFiltered pins the
+// "scan all CRDs before kindFilter applies" perf fix in
+// detectGenericCRDIssues. Pre-fix, a Compose call with Kinds=["Pod"]
+// still iterated every watched CRD GVR and ran ListDynamic on each;
+// applyFilters then discarded the non-matching rows at the end.
+//
+// On a cluster with hundreds of watched CRDs this dominated the
+// summaryContext per-row index build for list_resources kind=pods.
+// The fix routes f.Kinds awareness into detectGenericCRDIssues so
+// non-matching GVRs skip the ListDynamic call entirely.
+func TestDetectGenericCRDIssues_SkipsListWhenKindFiltered(t *testing.T) {
+	podGVR := schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"}
+	appGVR := schema.GroupVersionResource{Group: "argoproj.io", Version: "v1alpha1", Resource: "applications"}
+	npGVR := schema.GroupVersionResource{Group: "karpenter.sh", Version: "v1", Resource: "nodepools"}
+
+	p := &countingProvider{
+		fakeProvider: fakeProvider{
+			dynamic: map[schema.GroupVersionResource][]*unstructured.Unstructured{
+				podGVR: {}, // empty — only counts the call.
+				appGVR: {{Object: map[string]any{
+					"metadata": map[string]any{"name": "a", "namespace": "argocd"},
+					"status": map[string]any{
+						"conditions": []any{
+							map[string]any{"type": "Synced", "status": "False", "reason": "Drift"},
+						},
+					},
+				}}},
+				npGVR: {}, // empty — only counts the call.
+			},
+			kinds: map[schema.GroupVersionResource]string{
+				podGVR: "Pod",
+				appGVR: "Application",
+				npGVR:  "NodePool",
+			},
+		},
+	}
+
+	// kindFilter restricts to Application — the other two GVRs must NOT
+	// be listed. detectGenericCRDIssues lowercases the kind comparison
+	// (mirrors applyFilters), so the canonical "Application" matches the
+	// emitted Kind for the argoproj.io GVR.
+	_ = detectGenericCRDIssues(p, Filters{Kinds: []string{"Application"}})
+
+	if got := p.listCalls[podGVR]; got != 0 {
+		t.Errorf("Pod GVR ListDynamic calls = %d, want 0 (kind filter must skip non-matching GVRs)", got)
+	}
+	if got := p.listCalls[npGVR]; got != 0 {
+		t.Errorf("NodePool GVR ListDynamic calls = %d, want 0 (kind filter must skip non-matching GVRs)", got)
+	}
+	if got := p.listCalls[appGVR]; got == 0 {
+		t.Errorf("Application GVR ListDynamic calls = %d, want >= 1 (matching kind must still be scanned)", got)
+	}
+
+	// Sanity: empty Kinds filter scans every GVR (no per-kind shortcut
+	// when caller didn't ask for one). Pins that the fix is filter-aware
+	// rather than always-skip.
+	p.listCalls = nil
+	_ = detectGenericCRDIssues(p, Filters{})
+	for gvr, want := range map[schema.GroupVersionResource]bool{podGVR: true, appGVR: true, npGVR: true} {
+		if got := p.listCalls[gvr] > 0; got != want {
+			t.Errorf("no kind filter: GVR %s called=%v, want %v", gvr.Resource, got, want)
+		}
+	}
+}

internal/issues/types.go

@@ -123,4 +123,11 @@ type Filters struct {
 const (
 	DefaultLimit = 200
 	MaxLimit     = 1000
+	// NoLimit disables the result cap. Pass as Filters.Limit when the
+	// caller needs the full matched set (e.g. building a per-resource
+	// issue index for summaryContext — capping there would silently zero
+	// out counts for resources whose issues fall in the tail beyond
+	// MaxLimit on large clusters). Stats.TotalMatched is reliable
+	// regardless; this just turns off the post-sort slice.
+	NoLimit = -1
 )

internal/k8s/problems.go

@@ -59,6 +59,7 @@ func DetectProblems(cache *ResourceCache, namespace string) []Problem {
 					Kind:            "Deployment",
 					Namespace:       d.Namespace,
 					Name:            d.Name,
+					Group:           "apps",
 					Severity:        "critical",
 					Reason:          fmt.Sprintf("%d/%d available", d.Status.AvailableReplicas, d.Status.Replicas),
 					Age:             FormatAge(ageDur),
@@ -78,6 +79,7 @@ func DetectProblems(cache *ResourceCache, namespace string) []Problem {
 						Kind:            "Deployment",
 						Namespace:       d.Namespace,
 						Name:            d.Name,
+						Group:           "apps",
 						Severity:        "critical",
 						Reason:          "Rollout stuck",
 						Message:         cond.Message,
@@ -107,6 +109,7 @@ func DetectProblems(cache *ResourceCache, namespace string) []Problem {
 					Kind:            "StatefulSet",
 					Namespace:       ss.Namespace,
 					Name:            ss.Name,
+					Group:           "apps",
 					Severity:        "critical",
 					Reason:          fmt.Sprintf("%d/%d ready", ss.Status.ReadyReplicas, ss.Status.Replicas),
 					Age:             FormatAge(ageDur),
@@ -133,6 +136,7 @@ func DetectProblems(cache *ResourceCache, namespace string) []Problem {
 					Kind:            "DaemonSet",
 					Namespace:       ds.Namespace,
 					Name:            ds.Name,
+					Group:           "apps",
 					Severity:        "critical",
 					Reason:          fmt.Sprintf("%d unavailable", ds.Status.NumberUnavailable),
 					Age:             FormatAge(ageDur),
@@ -157,6 +161,7 @@ func DetectProblems(cache *ResourceCache, namespace string) []Problem {
 				Kind:      "HorizontalPodAutoscaler",
 				Namespace: hp.Namespace,
 				Name:      hp.Name,
+				Group:     "autoscaling",
 				Severity:  "medium",
 				Reason:    hp.Problem,
 				Message:   hp.Reason,
@@ -177,6 +182,7 @@ func DetectProblems(cache *ResourceCache, namespace string) []Problem {
 				Kind:      "CronJob",
 				Namespace: cp.Namespace,
 				Name:      cp.Name,
+				Group:     "batch",
 				Severity:  "medium",
 				Reason:    cp.Problem,
 				Message:   cp.Reason,
@@ -251,6 +257,7 @@ func DetectProblems(cache *ResourceCache, namespace string) []Problem {
 						Kind:            "Job",
 						Namespace:       job.Namespace,
 						Name:            job.Name,
+						Group:           "batch",
 						Severity:        "high",
 						Reason:          fmt.Sprintf("Running for %s with no completions", FormatAge(ageDur)),
 						Age:             FormatAge(ageDur),