⚡ Stream-decode Windows firewall rules to reduce memory (#7099)

* ⚡ stream-decode Windows firewall rules and profiles JSON

Replace io.ReadAll + json.Unmarshal with json.NewDecoder streaming
in ParseWindowsFirewallRules and ParseWindowsFirewallProfiles. This
avoids holding the entire raw byte buffer and the parsed struct slice
in memory simultaneously, roughly halving peak memory usage on machines
with thousands of firewall rules.

Also handles the PowerShell single-object edge case where exactly one
rule/profile is emitted as a bare {} instead of [{}].

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* ⚡ address review: validate token, use MultiReader, extract generic helper

- Validate that a non-array token is actually '{' before treating it as
  a single object; return a clear error for unexpected tokens (null, etc.)
- Use io.MultiReader instead of manual byte splicing to avoid intermediate
  allocations in the single-object fallback path
- Extract streamDecodeJSONArray[T] generic helper to deduplicate the
  identical logic between ParseWindowsFirewallRules and
  ParseWindowsFirewallProfiles

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: vjeffrey

providers/os/resources/windows/firewall.go

@@ -4,7 +4,9 @@
 package windows
 
 import (
+	"bytes"
 	"encoding/json"
+	"fmt"
 	"io"
 )
 
@@ -33,24 +35,56 @@ type WindowsFirewallRule struct {
 	PolicyStoreSourceType int64  `json:"PolicyStoreSourceType"`
 }
 
-func ParseWindowsFirewallRules(input io.Reader) ([]WindowsFirewallRule, error) {
-	data, err := io.ReadAll(input)
+// streamDecodeJSONArray stream-decodes a JSON array from input, returning
+// elements one at a time to avoid buffering the entire payload. It also
+// handles the PowerShell quirk where a single-element result is emitted as
+// a bare object instead of a one-element array.
+func streamDecodeJSONArray[T any](input io.Reader) ([]T, error) {
+	dec := json.NewDecoder(input)
+
+	// Read the opening token of the JSON value.
+	tok, err := dec.Token()
+	if err == io.EOF {
+		return []T{}, nil
+	}
 	if err != nil {
 		return nil, err
 	}
 
-	// for empty result set do not get the '{}', therefore lets abort here
-	if len(data) == 0 {
-		return []WindowsFirewallRule{}, nil
+	delim, isDelim := tok.(json.Delim)
+
+	// PowerShell emits a bare object when there is exactly one element.
+	if isDelim && delim == '{' {
+		var item T
+		if err := json.NewDecoder(io.MultiReader(
+			bytes.NewReader([]byte{'{'}),
+			dec.Buffered(),
+			input,
+		)).Decode(&item); err != nil {
+			return nil, err
+		}
+		return []T{item}, nil
 	}
 
-	var winFirewallRules []WindowsFirewallRule
-	err = json.Unmarshal(data, &winFirewallRules)
-	if err != nil {
-		return nil, err
+	if !isDelim || delim != '[' {
+		return nil, fmt.Errorf("unexpected JSON token %v; expected '[' or '{'", tok)
 	}
 
-	return winFirewallRules, nil
+	// Stream-decode array elements one at a time.
+	var items []T
+	for dec.More() {
+		var item T
+		if err := dec.Decode(&item); err != nil {
+			return nil, err
+		}
+		items = append(items, item)
+	}
+
+	return items, nil
+}
+
+func ParseWindowsFirewallRules(input io.Reader) ([]WindowsFirewallRule, error) {
+	return streamDecodeJSONArray[WindowsFirewallRule](input)
 }
 
 type WindowsFirewallSettings struct {
@@ -119,21 +153,5 @@ type WindowsFirewallProfile struct {
 }
 
 func ParseWindowsFirewallProfiles(input io.Reader) ([]WindowsFirewallProfile, error) {
-	data, err := io.ReadAll(input)
-	if err != nil {
-		return nil, err
-	}
-
-	// for empty result set do not get the '{}', therefore lets abort here
-	if len(data) == 0 {
-		return []WindowsFirewallProfile{}, nil
-	}
-
-	var winFirewallProfiles []WindowsFirewallProfile
-	err = json.Unmarshal(data, &winFirewallProfiles)
-	if err != nil {
-		return nil, err
-	}
-
-	return winFirewallProfiles, nil
+	return streamDecodeJSONArray[WindowsFirewallProfile](input)
 }