Release v1.15.0

Dockerfile

@@ -1,6 +1,6 @@
 FROM ghcr.io/opentofu/opentofu:minimal AS tofu
 
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 
 # Copy the tofu binary from the minimal image
 COPY --from=tofu /usr/local/bin/tofu /usr/local/bin/tofu

auth/auth.go

@@ -123,6 +123,36 @@ func (flowConfig ClientCredentialsConfig) TokenSource(ctx context.Context, oAuth
 	return conf.TokenSource(ctx)
 }
 
+// Auth0Config contains credentials for creating impersonation HTTP clients
+// using Auth0's client credentials flow with account impersonation.
+type Auth0Config struct {
+	Domain       string
+	ClientID     string
+	ClientSecret string
+	Audience     string
+}
+
+// ImpersonationHTTPClient creates an HTTP client that can impersonate the specified account.
+// If the config is nil or ClientID is empty, returns a basic tracing HTTP client.
+func (c *Auth0Config) ImpersonationHTTPClient(ctx context.Context, accountName string) *http.Client {
+	if c == nil || c.ClientID == "" {
+		return tracing.HTTPClient()
+	}
+	creds := ClientCredentialsConfig{
+		ClientID:     c.ClientID,
+		ClientSecret: c.ClientSecret,
+	}
+	ts := creds.TokenSource(
+		ctx,
+		fmt.Sprintf("https://%s/oauth/token", c.Domain),
+		c.Audience,
+		WithImpersonateAccount(accountName),
+	)
+	// inject otel into oauth2
+	ctx = context.WithValue(ctx, oauth2.HTTPClient, tracing.HTTPClient())
+	return oauth2.NewClient(ctx, ts)
+}
+
 // natsTokenClient A client that is capable of getting NATS JWTs and signing the
 // required nonce to prove ownership of the NKeys. Satisfies the `TokenClient`
 // interface
@@ -161,7 +191,6 @@ func (n *natsTokenClient) generateJWT(ctx context.Context) error {
 	// If we don't yet have keys generate them
 	if n.keys == nil {
 		err := n.generateKeys()
-
 		if err != nil {
 			return err
 		}
@@ -257,7 +286,6 @@ func (n *natsTokenClient) GetJWT() (string, error) {
 func (n *natsTokenClient) Sign(in []byte) ([]byte, error) {
 	if n.keys == nil {
 		err := n.generateKeys()
-
 		if err != nil {
 			return []byte{}, err
 		}
@@ -303,7 +331,6 @@ func (ats *APIKeyTokenSource) Token() (*oauth2.Token, error) {
 	res, err := ats.apiKeyClient.ExchangeKeyForToken(context.Background(), connect.NewRequest(&sdp.ExchangeKeyForTokenRequest{
 		ApiKey: ats.ApiKey,
 	}))
-
 	if err != nil {
 		return nil, fmt.Errorf("error exchanging API key: %w", err)
 	}
@@ -314,15 +341,13 @@ func (ats *APIKeyTokenSource) Token() (*oauth2.Token, error) {
 
 	// Parse the expiry out of the token
 	token, err := josejwt.ParseSigned(res.Msg.GetAccessToken(), []jose.SignatureAlgorithm{jose.RS256})
-
 	if err != nil {
 		return nil, fmt.Errorf("error parsing JWT: %w", err)
 	}
 
 	claims := josejwt.Claims{}
 
 	err = token.UnsafeClaimsWithoutVerification(&claims)
-
 	if err != nil {
 		return nil, fmt.Errorf("error parsing JWT claims: %w", err)
 	}

auth/middleware.go

@@ -41,8 +41,8 @@ type UserTokenContextKey struct{}
 // This will be the auth0 `user_id` from the tokens `sub` claim.
 type CurrentSubjectContextKey struct{}
 
-// AuthConfig Configuration for the auth middleware
-type AuthConfig struct {
+// MiddlewareConfig Configuration for the auth middleware
+type MiddlewareConfig struct {
 	Auth0Domain   string
 	Auth0Audience string
 	// The names of the cookies that will be used to authenticate, these will be
@@ -169,7 +169,7 @@ func ExtractAccount(ctx context.Context) (string, error) {
 // therefore the following environment variables must be set: AUTH0_DOMAIN,
 // AUTH0_AUDIENCE. If cookie auth is intended to be used, then AUTH_COOKIE_NAME
 // must also be set.
-func NewAuthMiddleware(config AuthConfig, next http.Handler) http.Handler {
+func NewAuthMiddleware(config MiddlewareConfig, next http.Handler) http.Handler {
 	processOverrides := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		options := []OverrideAuthOptionFunc{}
 
@@ -281,7 +281,7 @@ func withCustomClaims(modify func(*CustomClaims)) OverrideAuthOptionFunc {
 //
 // This middleware also extract custom claims form the token and stores them in
 // CustomClaimsContextKey
-func ensureValidTokenHandler(config AuthConfig, next http.Handler) http.Handler {
+func ensureValidTokenHandler(config MiddlewareConfig, next http.Handler) http.Handler {
 	if config.Auth0Domain == "" && config.IssuerURL == "" && config.Auth0Audience == "" {
 		log.Fatalf("Auth0 configuration is missing")
 	}

auth/middleware_test.go

@@ -127,12 +127,12 @@ func TestNewAuthMiddleware(t *testing.T) {
 
 	jwksURL := server.Start(ctx)
 
-	defaultConfig := AuthConfig{
+	defaultConfig := MiddlewareConfig{
 		IssuerURL:     jwksURL,
 		Auth0Audience: "https://api.overmind.tech",
 	}
 
-	bypassHealthConfig := AuthConfig{
+	bypassHealthConfig := MiddlewareConfig{
 		IssuerURL:          jwksURL,
 		Auth0Audience:      "https://api.overmind.tech",
 		BypassAuthForPaths: regexp.MustCompile("/health"),
@@ -145,7 +145,7 @@ func TestNewAuthMiddleware(t *testing.T) {
 		Name         string
 		TokenOptions *TestTokenOptions
 		ExpectedCode int
-		AuthConfig   AuthConfig
+		AuthConfig   MiddlewareConfig
 		Path         string
 	}{
 		{
@@ -263,7 +263,7 @@ func TestNewAuthMiddleware(t *testing.T) {
 					Scope:       "test:pass",
 				},
 			},
-			AuthConfig: AuthConfig{
+			AuthConfig: MiddlewareConfig{
 				IssuerURL:          jwksURL,
 				Auth0Audience:      "https://api.overmind.tech",
 				BypassAuthForPaths: regexp.MustCompile("/health"),
@@ -322,7 +322,7 @@ func TestNewAuthMiddleware(t *testing.T) {
 				},
 			},
 			ExpectedCode: http.StatusOK,
-			AuthConfig: AuthConfig{
+			AuthConfig: MiddlewareConfig{
 				IssuerURL:     jwksURL,
 				Auth0Audience: "https://api.overmind.tech",
 				BypassAuth:    true,
@@ -340,7 +340,7 @@ func TestNewAuthMiddleware(t *testing.T) {
 				},
 			},
 			ExpectedCode: http.StatusOK,
-			AuthConfig: AuthConfig{
+			AuthConfig: MiddlewareConfig{
 				IssuerURL:     jwksURL,
 				Auth0Audience: "https://api.overmind.tech",
 				BypassAuth:    true,
@@ -358,7 +358,7 @@ func TestNewAuthMiddleware(t *testing.T) {
 				},
 			},
 			ExpectedCode: http.StatusOK,
-			AuthConfig: AuthConfig{
+			AuthConfig: MiddlewareConfig{
 				IssuerURL:       jwksURL,
 				Auth0Audience:   "https://api.overmind.tech",
 				AccountOverride: &correctAccount,
@@ -376,7 +376,7 @@ func TestNewAuthMiddleware(t *testing.T) {
 				},
 			},
 			ExpectedCode: http.StatusOK,
-			AuthConfig: AuthConfig{
+			AuthConfig: MiddlewareConfig{
 				IssuerURL:     jwksURL,
 				Auth0Audience: "https://api.overmind.tech",
 				ScopeOverride: &correctScope,
@@ -536,7 +536,7 @@ func TestOverrideAuth(t *testing.T) {
 }
 
 func BenchmarkAuthMiddleware(b *testing.B) {
-	config := AuthConfig{
+	config := MiddlewareConfig{
 		Auth0Domain:   "auth.overmind-demo.com",
 		Auth0Audience: "https://api.overmind.tech",
 	}
@@ -705,7 +705,7 @@ func TestConnectErrorHandling(t *testing.T) {
 	jwksURL := server.Start(ctx)
 
 	// Create the middleware
-	handler := NewAuthMiddleware(AuthConfig{
+	handler := NewAuthMiddleware(MiddlewareConfig{
 		Auth0Domain:   "",
 		Auth0Audience: "test",
 		IssuerURL:     jwksURL,

aws-source/cmd/root.go

@@ -3,12 +3,10 @@ package cmd
 import (
 	"context"
 	"fmt"
-	"net/http"
 	"os"
 	"os/signal"
 	"strings"
 	"syscall"
-	"time"
 
 	"github.com/getsentry/sentry-go"
 	"github.com/overmindtech/cli/aws-source/proc"
@@ -89,33 +87,7 @@ var rootCmd = &cobra.Command{
 			log.WithError(err).Fatal("Could not initialize AWS source")
 		}
 
-		// Start HTTP server for health checks
-		// Liveness: Check only engine initialization (NATS, heartbeats)
-		http.HandleFunc("/healthz/alive", e.LivenessProbeHandlerFunc())
-		// Readiness: Check if adapters are healthy and ready to handle requests
-		http.HandleFunc("/healthz/ready", e.ReadinessProbeHandlerFunc())
-		// Backward compatibility - maps to liveness check (matches old behavior)
-		http.HandleFunc("/healthz", e.LivenessProbeHandlerFunc())
-
-		log.WithFields(log.Fields{
-			"port": healthCheckPort,
-		}).Debug("Starting healthcheck server with endpoints: /healthz/alive, /healthz/ready, /healthz")
-
-		go func() {
-			defer sentry.Recover()
-
-			server := &http.Server{
-				Addr:         fmt.Sprintf(":%v", healthCheckPort),
-				Handler:      nil,
-				ReadTimeout:  5 * time.Second,
-				WriteTimeout: 10 * time.Second,
-			}
-			err := server.ListenAndServe()
-
-			log.WithError(err).WithFields(log.Fields{
-				"port": healthCheckPort,
-			}).Error("Could not start HTTP server for health checks")
-		}()
+		e.ServeHealthProbes(healthCheckPort)
 
 		err = e.Start(ctx)
 		if err != nil {

cmd/changes_submit_plan.go

@@ -90,30 +90,30 @@ func tryLoadText(ctx context.Context, fileName string) string {
 	return strings.TrimSpace(string(bytes))
 }
 
-func createBlastRadiusConfig(maxDepth, maxItems int32, maxTime, changeAnalysisMaxTimeout time.Duration) (*sdp.BlastRadiusConfig, error) {
+func createBlastRadiusConfig(maxDepth, maxItems int32, maxTime, changeAnalysisTargetDuration time.Duration) (*sdp.BlastRadiusConfig, error) {
 	var blastRadiusConfigOverride *sdp.BlastRadiusConfig
-	if maxDepth > 0 || maxItems > 0 || maxTime > 0 || changeAnalysisMaxTimeout > 0 {
+	if maxDepth > 0 || maxItems > 0 || maxTime > 0 || changeAnalysisTargetDuration > 0 {
 		blastRadiusConfigOverride = &sdp.BlastRadiusConfig{
 			MaxItems:  maxItems,
 			LinkDepth: maxDepth,
 		}
 		// this is for backward compatibility, remove in a future release
 		if maxTime > 0 {
-			// we convert the maxTime to changeAnalysisMaxTimeout, this means multiplying the (blast radius calculation timeout) maxTime by 1.5
-			// eg 10 minute max (blast radius calculation) -> 15 minute changeanalysis max timeout
-			blastRadiusConfigOverride.ChangeAnalysisMaxTimeout = durationpb.New(time.Duration(float64(maxTime) * 1.5))
+			// we convert the maxTime to changeAnalysisTargetDuration, this means multiplying the (blast radius calculation timeout) maxTime by 1.5
+			// eg 10 minute max (blast radius calculation) -> 15 minute target duration
+			blastRadiusConfigOverride.ChangeAnalysisTargetDuration = durationpb.New(time.Duration(float64(maxTime) * 1.5))
 		}
-		// Add changeAnalysisMaxTimeout if specified
-		if changeAnalysisMaxTimeout > 0 {
-			blastRadiusConfigOverride.ChangeAnalysisMaxTimeout = durationpb.New(changeAnalysisMaxTimeout)
+		// Add changeAnalysisTargetDuration if specified
+		if changeAnalysisTargetDuration > 0 {
+			blastRadiusConfigOverride.ChangeAnalysisTargetDuration = durationpb.New(changeAnalysisTargetDuration)
 		}
 	}
 
-	// validate the ChangeAnalysisMaxTimeout
-	if blastRadiusConfigOverride != nil && blastRadiusConfigOverride.GetChangeAnalysisMaxTimeout() != nil {
-		changeAnalysisMaxTimeout = blastRadiusConfigOverride.GetChangeAnalysisMaxTimeout().AsDuration()
-		if changeAnalysisMaxTimeout < 1*time.Minute || changeAnalysisMaxTimeout > 30*time.Minute {
-			return nil, flagError{"--change-analysis-max-timeout must be between 1 minute and 30 minutes"}
+	// validate the ChangeAnalysisTargetDuration
+	if blastRadiusConfigOverride != nil && blastRadiusConfigOverride.GetChangeAnalysisTargetDuration() != nil {
+		changeAnalysisTargetDuration = blastRadiusConfigOverride.GetChangeAnalysisTargetDuration().AsDuration()
+		if changeAnalysisTargetDuration < 1*time.Minute || changeAnalysisTargetDuration > 30*time.Minute {
+			return nil, flagError{"--change-analysis-target-duration must be between 1 minute and 30 minutes"}
 		}
 	}
 
@@ -261,9 +261,9 @@ func SubmitPlan(cmd *cobra.Command, args []string) error {
 	maxDepth := viper.GetInt32("blast-radius-link-depth")
 	maxItems := viper.GetInt32("blast-radius-max-items")
 	maxTime := viper.GetDuration("blast-radius-max-time")
-	changeAnalysisMaxTimeout := viper.GetDuration("change-analysis-max-timeout")
+	changeAnalysisTargetDuration := viper.GetDuration("change-analysis-target-duration")
 
-	blastRadiusConfigOverride, err := createBlastRadiusConfig(maxDepth, maxItems, maxTime, changeAnalysisMaxTimeout)
+	blastRadiusConfigOverride, err := createBlastRadiusConfig(maxDepth, maxItems, maxTime, changeAnalysisTargetDuration)
 	if err != nil {
 		return err
 	}
@@ -394,8 +394,8 @@ func init() {
 	submitPlanCmd.PersistentFlags().Int32("blast-radius-max-items", 0, "Used in combination with '--blast-radius-link-depth' to customise how many items are included in the blast radius. Larger numbers will result in a more comprehensive blast radius, but may take longer to calculate. Defaults to the account level settings.")
 
 	submitPlanCmd.PersistentFlags().Duration("blast-radius-max-time", 0, "Maximum time duration for blast radius calculation (e.g., '5m', '15m', '30m'). When the time limit is reached, the analysis continues with risks identified up to that point. Defaults to the account level settings (QUICK: 10m, DETAILED: 15m, FULL: 30m). Valid range: 1m to 30m.")
-	_ = submitPlanCmd.PersistentFlags().MarkDeprecated("blast-radius-max-time", "This flag is no longer used and will be removed in a future release. Use the '--change-analysis-max-timeout' flag instead.")
-	submitPlanCmd.PersistentFlags().Duration("change-analysis-max-timeout", 0, "Maximum time duration for change analysis (e.g., '5m', '15m', '30m'). When the time limit is reached, the analysis continues with risks identified up to that point. Defaults to the account level settings (QUICK: 10m, DETAILED: 15m, FULL: 30m). Valid range: 1m to 30m.")
+	_ = submitPlanCmd.PersistentFlags().MarkDeprecated("blast-radius-max-time", "This flag is no longer used and will be removed in a future release. Use the '--change-analysis-target-duration' flag instead.")
+	submitPlanCmd.PersistentFlags().Duration("change-analysis-target-duration", 0, "Target duration for change analysis planning (e.g., '5m', '15m', '30m'). This is NOT a hard deadline - the blast radius phase uses 67% of this target to stop gracefully. The job can run slightly past this target and is only hard-stopped at 30 minutes. Defaults to the account level settings (QUICK: 10m, DETAILED: 15m, FULL: 30m). Valid range: 1m to 30m.")
 	submitPlanCmd.PersistentFlags().String("auto-tag-rules", "", "The path to the auto-tag rules file. If not provided, it will check the default location which is '.overmind/auto-tag-rules.yaml'. If no rules are found locally, the rules configured through the UI are used.")
 	submitPlanCmd.PersistentFlags().String("signal-config", "", "The path to the signal config file. If not provided, it will check the default location which is '.overmind/signal-config.yaml'. If no config is found locally, the config configured through the UI is used.")
 }