🐛 Expose recovered provider panics via Runtime.CriticalErrors() (#7021)

* 🐛 Expose recovered provider panics via Runtime.CriticalErrors()

Provider panics recovered by PR #6939 are handled gracefully (execution
continues), but the errors are downgraded to field-level data errors and
never propagate as real Go errors. This means consumers like cnspec
cannot report them to Sentry.

Add a CriticalErrors() method on Runtime that collects serious errors
(recovered panics) in a thread-safe slice. Consumers can drain this
after execution to report them to error trackers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* lint

* 🐛 Cap criticalErrors slice to prevent unbounded growth

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: vjeffrey

providers/runtime.go

@@ -45,6 +45,10 @@ type Runtime struct {
 	close           sync.Once
 	shutdownTimeout time.Duration
 
+	// criticalErrors collects serious errors (e.g. recovered provider panics)
+	// that should be reported to an error tracker even though execution continues.
+	criticalErrors []error
+
 	// used to lock unsafe tasks
 	mu sync.Mutex
 }
@@ -108,6 +112,26 @@ func (r *Runtime) Close() {
 	})
 }
 
+// CriticalErrors returns serious errors (e.g. recovered provider panics) that
+// occurred during execution. These errors were handled gracefully (execution
+// continued), but they should still be reported to an error tracker like Sentry.
+func (r *Runtime) CriticalErrors() []error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	out := make([]error, len(r.criticalErrors))
+	copy(out, r.criticalErrors)
+	return out
+}
+
+func (r *Runtime) addCriticalError(err error) {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	const maxCriticalErrors = 100
+	if len(r.criticalErrors) < maxCriticalErrors {
+		r.criticalErrors = append(r.criticalErrors, err)
+	}
+}
+
 func (r *Runtime) Recording() llx.Recording {
 	return r.recording
 }
@@ -500,7 +524,9 @@ func (r *Runtime) handlePluginError(err error, provider *ConnectedProvider) (boo
 		// this prefix is present; other Internal errors fall through.
 		if strings.HasPrefix(st.Message(), "panic in provider ") {
 			log.Error().Str("provider", provider.Instance.Name).Msg(st.Message())
-			return true, errors.New("the '" + provider.Instance.Name + "' provider panicked: " + st.Message())
+			panicErr := errors.New("the '" + provider.Instance.Name + "' provider panicked: " + st.Message())
+			r.addCriticalError(panicErr)
+			return true, panicErr
 		}
 
 	case codes.Unavailable:

providers/runtime_test.go

@@ -11,6 +11,8 @@ import (
 	"go.mondoo.com/mql/v13/providers-sdk/v1/recording"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/resources"
 	"go.uber.org/mock/gomock"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
 )
 
 func TestRuntimeClose(t *testing.T) {
@@ -380,3 +382,68 @@ func TestRuntime_LookupFieldProvider_ProviderOverridesOthers_ResourceInfo(t *tes
 	assert.Equal(t, fieldName, field.Name)
 	assert.Equal(t, "test", field.Provider)
 }
+
+func TestRuntime_CriticalErrors_Empty(t *testing.T) {
+	r := &Runtime{}
+	assert.Empty(t, r.CriticalErrors())
+}
+
+func TestRuntime_HandlePluginError_PanicRecordsCriticalError(t *testing.T) {
+	r := &Runtime{}
+	provider := &ConnectedProvider{
+		Instance: &RunningProvider{Name: "aws"},
+	}
+
+	panicErr := status.Error(codes.Internal, "panic in provider aws: runtime error: nil pointer")
+	handled, err := r.handlePluginError(panicErr, provider)
+
+	assert.True(t, handled)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "provider panicked")
+
+	critErrs := r.CriticalErrors()
+	require.Len(t, critErrs, 1)
+	assert.Contains(t, critErrs[0].Error(), "provider panicked")
+}
+
+func TestRuntime_HandlePluginError_CrashDoesNotRecordCriticalError(t *testing.T) {
+	r := &Runtime{}
+	provider := &ConnectedProvider{
+		Instance: &RunningProvider{Name: "aws"},
+	}
+
+	crashErr := status.Error(codes.Unavailable, "connection lost")
+	handled, err := r.handlePluginError(crashErr, provider)
+
+	assert.False(t, handled)
+	require.Error(t, err)
+	assert.Empty(t, r.CriticalErrors())
+}
+
+func TestRuntime_HandlePluginError_NonPanicInternalDoesNotRecordCriticalError(t *testing.T) {
+	r := &Runtime{}
+	provider := &ConnectedProvider{
+		Instance: &RunningProvider{Name: "aws"},
+	}
+
+	internalErr := status.Error(codes.Internal, "some other internal error")
+	handled, err := r.handlePluginError(internalErr, provider)
+
+	assert.False(t, handled)
+	require.Error(t, err)
+	assert.Empty(t, r.CriticalErrors())
+}
+
+func TestRuntime_CriticalErrors_MultiplePanics(t *testing.T) {
+	r := &Runtime{}
+	provider := &ConnectedProvider{
+		Instance: &RunningProvider{Name: "aws"},
+	}
+
+	for i := 0; i < 3; i++ {
+		panicErr := status.Error(codes.Internal, "panic in provider aws: error")
+		r.handlePluginError(panicErr, provider) // nolint:errcheck
+	}
+
+	assert.Len(t, r.CriticalErrors(), 3)
+}