
🧹 Slim cloud-provider SDKs out of the MQL embedding path #8456

Draft: chris-rock wants to merge 1 commit into main from chris/slim-inventory-aws-deps


@chris-rock

Member

Summary

Embedding the MQL evaluator dragged ~50+ AWS/cloud-SDK packages into a consumer's build graph even when no vault, asset, or cloud feature is used. The vault half of this was fixed in v13.21.1; this PR removes the two remaining edges, both via the same registry pattern.

After this change, a consumer importing only llx + mqlc + exec + resources + inventory builds with zero cloud-provider SDK packages.

The two edges

1. inventory → upstream → tokenauth → AWS (the reported edge)

upstream/sts.go imported upstream/tokenauth for external token exchange, and tokenauth pulls the AWS SigV4 signer. Since inventory embeds upstream's protobuf types, and llx.Runtime requires AssetUpdated(*inventory.Asset), every embedder inherited the AWS SDK. Now the TokenProvider interface and a resolver hook live in upstream; tokenauth self-registers from init().

2. exec → upstream/health → cli/config → AWS (a second, independent edge)

cli/config directly imported the AWS SDK for its aws-ssm-ps:// config loader, and the eval path reaches cli/config through health's panic reporting. Moved the AWS SSM backend into cli/config/awsssm, dispatched via a new remote-config-loader registry; it self-registers from init().

The mql binary blank-imports both implementations in main (alongside the existing vault/register), so the CLI is unchanged. Other binaries opt in as needed; if external token exchange or aws-ssm-ps:// is used without the import, a clear error explains how to enable it.

Before / after (cloud-SDK package count via go list -deps)

| package | before | after |
| --- | --- | --- |
| providers-sdk/v1/inventory | 54 | 0 |
| exec | 57 | 0 |
| cli/config | 57 | 0 |
| llx, mqlc, resources | 0 | 0 |
| apps/mql (the binary) | 71 | 71 |

Notes for reviewers

  • Pattern mirrors the existing vault registry (providers-sdk/v1/vault/registry.go) and vault/register.
  • Behavior change: binaries that perform external token exchange or load aws-ssm-ps:// config must blank-import the relevant package. The mql binary does; cnquery/cnspec mains should add the same imports. The runtime error message names the package to import.
  • No public type removed: tokenauth.TokenProvider is retained as an alias of upstream.TokenProvider.

Test plan

  • go build ./... — clean.
  • go test ./cli/config/awsssm/ ./providers-sdk/v1/upstream/... — pass (SSM path parsing, token resolver, health).
  • go mod tidy — no change.
  • go list -deps counts above verified.
  • Pre-existing, environment-specific cli/config.Test_autodetectConfig/test_systemConfig_returned fails identically on main (depends on absence of a local ~/.config/mondoo/mondoo.yml); untouched by this PR.

🤖 Generated with Claude Code
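
The self-registering loader registry described in the PR text above, as an added single-file example that is not code from this PR or the project. Only the aws-ssm-ps scheme and the cli/config/awsssm path come from the page; `Loader`, `Register`, `Load`, `hints`, `registerStubSSM`, the error wording and the sample URI are assumptions, and the stub stands in for the backend package's init().

```go
package main

import (
	"fmt"
	"strings"
)

// Loader fetches raw config for a URI (hypothetical signature).
type Loader func(uri string) ([]byte, error)

// loaders is written only from init(), which Go runs single-threaded before main.
var loaders = map[string]Loader{}

// hints names the package a binary must blank-import for a known scheme.
var hints = map[string]string{"aws-ssm-ps": "cli/config/awsssm"}

// Register is what a backend package calls from its init().
func Register(scheme string, l Loader) { loaders[scheme] = l }

// Load dispatches on the URI scheme and fails closed with an actionable error.
func Load(uri string) ([]byte, error) {
	scheme, _, ok := strings.Cut(uri, "://")
	if !ok {
		return nil, fmt.Errorf("not a remote config URI: %q", uri)
	}
	l, found := loaders[scheme]
	if !found {
		if pkg, known := hints[scheme]; known {
			return nil, fmt.Errorf("%s:// loader not compiled in; blank-import %q in main", scheme, pkg)
		}
		return nil, fmt.Errorf("unsupported config scheme %q", scheme)
	}
	return l(uri)
}

// registerStubSSM stands in for init() in the backend package; the real one
// would be the only place that imports the AWS SDK.
func registerStubSSM() {
	Register("aws-ssm-ps", func(uri string) ([]byte, error) {
		return []byte("constructed config for " + uri), nil
	})
}

func main() {
	_, err := Load("aws-ssm-ps://constructed/path")
	fmt.Println("without backend:", err)
	registerStubSSM()
	b, err := Load("aws-ssm-ps://constructed/path")
	fmt.Println("with backend:", string(b), err)
}
```

Because the registry package holds only the interface and a map, the SDK stays out of the build graph of any binary that does not link the backend package.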

@github-actions

github-actions Bot commented Jun 16, 2026

Contributor

Test Results

9 978 tests   9 972 ✅  3m 9s ⏱️
  544 suites      6 💤
   40 files        0 ❌

Results for commit 8613ff1.

♻️ This comment has been updated with latest results.

@chris-rock chris-rock force-pushed the chris/slim-inventory-aws-deps branch from d00c806 to ac0ddc2 Compare June 17, 2026 10:14
Embedding the MQL evaluator pulled ~50+ AWS/cloud-SDK packages into a
consumer's build graph even when no vault, asset, or cloud feature is
used. Remove the two remaining edges with the registry pattern already
used for vault backends, so a consumer importing only
llx + mqlc + exec + resources + inventory builds with zero
cloud-provider SDKs.

- upstream/sts.go no longer imports upstream/tokenauth (which pulls the
  AWS SigV4 signer). The TokenProvider interface and a resolver hook live
  in upstream; tokenauth self-registers from init(). This clears the
  inventory → upstream → tokenauth → AWS edge (inventory: 54 → 0).
- cli/config no longer imports the AWS SDK directly for its
  "aws-ssm-ps://" loader. The loader moves to cli/config/awsssm behind a
  remote-config-loader registry and self-registers from init(). This
  clears the exec → upstream/health → cli/config → AWS edge (exec: 57 → 0).

The mql binary blank-imports both implementations in main, so the CLI is
unchanged; other binaries opt in as needed.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@chris-rock chris-rock force-pushed the chris/slim-inventory-aws-deps branch from ac0ddc2 to 8613ff1 Compare June 17, 2026 10:31