🐛 handle asset explorer discovery targets properly#7089

Merged
imilchev merged 2 commits into main from ivan/asset-explorer-discovery-targets on Apr 2, 2026

Conversation

@imilchev
Member

@imilchev imilchev commented Apr 2, 2026

Summary

Fixes discovery target filtering for staged discovery. Previously, --discover pods would still scan intermediate hierarchy levels (namespaces) because all discovered assets with platform IDs were treated as scannable.

Problem

With staged discovery (AssetExplorer), the K8s provider emits namespace assets in Stage 1 so that AssetExplorer can connect to them and trigger Stage 2 (workload discovery). But the scanner treats every asset with a platform ID as scannable — so namespaces were added to the progress bar and scanned even when the user only asked for pods.

Solution

Strip platform IDs from intermediate assets that don't match discovery targets. The existing "no platform IDs → skip" logic in AssetExplorer and the scanner already handles these correctly:

  • Assets without platform IDs are still connected (triggering the next discovery stage)
  • Their children are discovered normally
  • They are never added to the progress bar or sent for scanning
  • They are closed after their children are processed

This requires zero changes to AssetExplorer or the scanner — it's purely a provider-side convention.

Changes

  • providers/k8s/resources/discovery.go — In discoverClusterStage, check if namespaces are a discovery target. If not, set ns.PlatformIds = nil before emitting. The namespace is still emitted with its connection config (triggering Stage 2), but skipped by the scanner.
  • docs/adr/002-staged-discovery.md — New "Traversal-Only Assets" section documenting the pattern with code examples and a generalization table for K8s/GCP/AWS.
  • .claude/skills/staged-discovery/SKILL.md — New step for stripping platform IDs, updated verification and checklist.

Example

# Before: --discover pods scans namespaces too
cnspec scan k8s --discover pods
→ Scans: [cluster, ns-default, ns-prod, pod-a, pod-b, pod-c]

# After: namespaces are traversal-only (no platform IDs)
cnspec scan k8s --discover pods
→ Scans: [pod-a, pod-b, pod-c]
→ Traversed but not scanned: [ns-default, ns-prod]

Test plan

  • cnspec scan k8s --discover pods — only pods appear in the progress bar, namespaces are traversed but not scanned
  • cnspec scan k8s --discover namespaces — namespaces are scanned (platform IDs preserved)
  • cnspec scan k8s --discover auto — everything is scanned (backward compatible)
  • cnspec scan k8s — default discovery unchanged
  • go build ./providers/k8s/... compiles

🤖 Generated with Claude Code


@mondoo-code-review mondoo-code-review bot left a comment


Discovery target filtering for k8s namespaces works correctly; documentation and skill guide updated accordingly.

Additional findings (file/line not in diff):

  • 🟡 providers/k8s/resources/discovery.go:192 — Pre-existing issue (not introduced by this PR): if invConfig.Discover == nil and conn.Asset() == nil, the early return is skipped and the function will panic at line 217 (invConfig.Discover.Targets). discoverNamespaceStage (line 273) handles this correctly by returning unconditionally when Discover is nil. Consider aligning the guard here, e.g.:
if invConfig.Discover == nil || len(invConfig.Discover.Targets) == 0 {
    if conn.Asset() != nil {
        in.Spec.Assets = append(in.Spec.Assets, conn.Asset())
    }
    return in, nil
}
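The traversal-only convention described in the PR summary (strip platform IDs from intermediate assets, let the existing "no platform IDs → skip" rule keep them out of the scan) and the nil-`Discover` guard suggested in the review comment above, as an added example that is not code from this PR or from the cnquery/cnspec repository. The `Asset` and `Discovery` types, the `targetKinds` mapping and the placeholder platform IDs are assumptions made for the example; the real inventory types are richer. The example also shows the `auto` and nil-discovery cases, which the PR's test plan lists but its before/after output does not spell out.

```go
package main

import (
	"fmt"
	"slices"
)

// Simplified stand-ins for the inventory types. Assumption: these are not the
// real cnquery/cnspec inventory API, only enough structure to show the convention.
type Asset struct {
	Name        string
	Kind        string   // "cluster", "namespace" or "pod"
	PlatformIds []string // nil or empty means traversal-only: connected, never scanned
}

type Discovery struct {
	Targets []string // e.g. {"pods"}, {"namespaces"}, {"auto"}
}

// targetKinds maps a --discover target name to the asset kind it selects
// (assumed mapping for this example).
var targetKinds = map[string]string{
	"namespaces": "namespace",
	"pods":       "pod",
}

// wantsScan reports whether an asset of this kind should keep its platform IDs.
// A nil Discovery or an empty target list is never dereferenced: only the root
// asset stays scannable, mirroring the guard suggested in the review comment.
func wantsScan(d *Discovery, a Asset) bool {
	if d == nil || len(d.Targets) == 0 {
		return a.Kind == "cluster"
	}
	if slices.Contains(d.Targets, "auto") {
		return true
	}
	for _, t := range d.Targets {
		if targetKinds[t] == a.Kind {
			return true
		}
	}
	return false
}

// markTraversalOnly is the provider-side step: strip platform IDs from assets
// that are not discovery targets so the downstream "no platform IDs -> skip"
// rule keeps them out of the scan while they are still connected for the next stage.
func markTraversalOnly(d *Discovery, assets []Asset) []Asset {
	out := make([]Asset, len(assets))
	for i, a := range assets {
		if !wantsScan(d, a) {
			a.PlatformIds = nil
		}
		out[i] = a
	}
	return out
}

// partition is the scanner-side rule: every asset is traversed, only assets
// with platform IDs are queued for scanning.
func partition(assets []Asset) (scanned, traversedOnly []string) {
	for _, a := range assets {
		if len(a.PlatformIds) == 0 {
			traversedOnly = append(traversedOnly, a.Name)
		} else {
			scanned = append(scanned, a.Name)
		}
	}
	return scanned, traversedOnly
}

// sampleAssets is a constructed Stage 1 + Stage 2 result; the platform IDs
// are placeholders, not real Mondoo identifiers.
func sampleAssets() []Asset {
	return []Asset{
		{Name: "cluster", Kind: "cluster", PlatformIds: []string{"//example/k8s/cluster"}},
		{Name: "ns-default", Kind: "namespace", PlatformIds: []string{"//example/k8s/ns/default"}},
		{Name: "ns-prod", Kind: "namespace", PlatformIds: []string{"//example/k8s/ns/prod"}},
		{Name: "pod-a", Kind: "pod", PlatformIds: []string{"//example/k8s/pod/a"}},
		{Name: "pod-b", Kind: "pod", PlatformIds: []string{"//example/k8s/pod/b"}},
		{Name: "pod-c", Kind: "pod", PlatformIds: []string{"//example/k8s/pod/c"}},
	}
}

func main() {
	for _, d := range []*Discovery{{Targets: []string{"pods"}}, {Targets: []string{"auto"}}, nil} {
		scanned, traversed := partition(markTraversalOnly(d, sampleAssets()))
		fmt.Printf("discover=%v scanned=%v traversed-only=%v\n", d, scanned, traversed)
	}
}
```

With `pods` as the only target, the namespaces and the cluster keep their connection config but lose their platform IDs, so `partition` reports them as traversed-only and queues just the three pods, which matches the "After" output in the PR description. The design point worth keeping in mind is that the filter is applied where assets are emitted, so neither AssetExplorer nor the scanner needs to know about discovery targets.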


Signed-off-by: Ivan Milchev <ivan@mondoo.com>
@imilchev imilchev force-pushed the ivan/asset-explorer-discovery-targets branch from f4aab07 to a9e2d77 on April 2, 2026 08:19
@imilchev imilchev changed the title 🧹 handle asset explorer discovery targets properly 🐛 handle asset explorer discovery targets properly Apr 2, 2026
Signed-off-by: Ivan Milchev <ivan@mondoo.com>
@imilchev imilchev force-pushed the ivan/asset-explorer-discovery-targets branch from a9e2d77 to 9730353 on April 2, 2026 08:23

@mondoo-code-review mondoo-code-review bot left a comment


Discovery target filtering now correctly prevents intermediate K8s namespace assets from appearing in scan results when not explicitly targeted.

@@ -1,4 +1,4 @@
// Copyright (c) Mondoo, Inc.
// Copyright Mondoo, Inc. 2024, 2026
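Review bot: this hunk touches only the copyright header (`@@ -1,4 +1,4 @@`, one line swapped in the first four) of a file the review below identifies as generated, and the rendered hunk has lost its `+`/`-` markers and file header, so it is not visible which of the two `// Copyright` lines is the new one or which file it belongs to. Confirm that the `// Copyright Mondoo, Inc. 2024, 2026` form comes from the generator's template rather than a hand edit, since otherwise the next generator run reverts it, and keep a header-only change in its own commit so the discovery fix stays reviewable on its own.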

🟡 warning — This is a generated file (Code generated by resources. DO NOT EDIT.) with an unrelated copyright header change. It shouldn't be part of this PR — was it accidentally included? If the generator changed the copyright format, that change should be in a separate commit/PR.

@imilchev imilchev merged commit f8a5fe1 into main Apr 2, 2026
21 checks passed
@imilchev imilchev deleted the ivan/asset-explorer-discovery-targets branch April 2, 2026 08:30
@github-actions github-actions bot locked and limited conversation to collaborators Apr 2, 2026