Feat/mobilization—closed loop finding lifecycle

.github/workflows/ci.yml

@@ -10,26 +10,27 @@ env:
   GO_VERSION: "1.25.8"
 
 jobs:
-  # TEMPORARILY DISABLED: golangci-lint does not support Go 1.25 yet
-  # TODO: Re-enable when golangci-lint releases a version built with Go 1.25
-  # lint:
-  #   name: Lint
-  #   runs-on: ubuntu-latest
-  #   steps:
-  #     - name: Checkout code
-  #       uses: actions/checkout@v6
-  #
-  #     - name: Setup Go
-  #       uses: actions/setup-go@v6
-  #       with:
-  #         go-version: "1.25"
-  #         cache: true
-  #
-  #     - name: Run golangci-lint
-  #       uses: golangci/golangci-lint-action@v6
-  #       with:
-  #         version: latest
-  #         args: --timeout=5m
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v6
+
+      - name: Setup Go
+        uses: actions/setup-go@v6
+        with:
+          go-version: ${{ env.GO_VERSION }}
+          cache: true
+
+      - name: Run go vet
+        run: go vet ./...
+
+      - name: Install staticcheck
+        run: go install honnef.co/go/tools/cmd/staticcheck@latest
+
+      - name: Run staticcheck
+        run: staticcheck ./...
 
   test:
     name: Test
@@ -92,7 +93,7 @@ jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
-    needs: [test]  # Removed lint dependency (temporarily disabled)
+    needs: [lint, test]
     steps:
       - name: Checkout code
         uses: actions/checkout@v6

cmd/server/handlers.go

@@ -84,8 +84,9 @@ func NewHandlers(deps *HandlerDeps) routes.Handlers {
 		AssetRelationship: handler.NewAssetRelationshipHandler(svc.AssetRelationship, v, log),
 
 		// Vulnerabilities & Exposures
-		Vulnerability:    vulnHandler,
-		FindingActivity:  handler.NewFindingActivityHandler(svc.FindingActivity, svc.Vulnerability, log),
+		Vulnerability:      vulnHandler,
+		FindingActivity:    handler.NewFindingActivityHandler(svc.FindingActivity, svc.Vulnerability, log),
+		FindingActions:   handler.NewFindingActionsHandler(svc.FindingActions, log),
 		Exposure:         handler.NewExposureHandler(svc.Exposure, svc.User, v, log),
 		ThreatIntel:      handler.NewThreatIntelHandler(svc.ThreatIntel, v, log),
 		CredentialImport: handler.NewCredentialImportHandler(svc.CredentialImport, v, log),

cmd/server/services.go

@@ -62,9 +62,10 @@ type Services struct {
 	FindingSourceCache *app.FindingSourceCacheService
 
 	// Vulnerabilities & Exposures
-	Vulnerability    *app.VulnerabilityService
-	FindingActivity  *app.FindingActivityService
-	Exposure         *app.ExposureService
+	Vulnerability      *app.VulnerabilityService
+	FindingActivity    *app.FindingActivityService
+	FindingActions   *app.FindingActionsService
+	Exposure           *app.ExposureService
 	ThreatIntel      *app.ThreatIntelService
 	CredentialImport *app.CredentialImportService
 
@@ -232,6 +233,12 @@ func NewServices(deps *ServiceDeps) (*Services, error) {
 
 	// Note: AITriage is wired to VulnerabilityService later after AITriage initialization
 
+	// Initialize finding lifecycle service (closed-loop: fix_applied → verify → resolved)
+	s.FindingActions = app.NewFindingActionsService(
+		repos.Finding, repos.AccessControl, repos.Group, repos.Asset,
+		s.FindingActivity, deps.DB, log,
+	)
+
 	s.Exposure = app.NewExposureService(repos.Exposure, repos.ExposureStateHistory, log)
 	s.ThreatIntel = app.NewThreatIntelService(repos.ThreatIntel, log)
 	s.CredentialImport = app.NewCredentialImportService(repos.Exposure, repos.ExposureStateHistory, log)

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/hibiken/asynq v0.26.0
 	github.com/klauspost/compress v1.18.4
 	github.com/lib/pq v1.11.2
-	github.com/openctemio/sdk-go v0.2.0
+	github.com/openctemio/sdk-go v0.2.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/redis/go-redis/v9 v9.18.0
 	golang.org/x/crypto v0.49.0

go.sum

@@ -154,8 +154,8 @@ github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOF
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
-github.com/openctemio/sdk-go v0.2.0 h1:bW89q14TdxrNTrKZWBGtaReXHvkRLDA+sMUBZDgsJX8=
-github.com/openctemio/sdk-go v0.2.0/go.mod h1:WSQ4d1rBp75udy2JNO8JRNbzke/Nq39v6kn9EURgF3U=
+github.com/openctemio/sdk-go v0.2.1 h1:DcmX8JuZK3nNWpUajs6F+wv5x/sKn9WvqT7o49VFIB8=
+github.com/openctemio/sdk-go v0.2.1/go.mod h1:WSQ4d1rBp75udy2JNO8JRNbzke/Nq39v6kn9EURgF3U=
 github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
 github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

internal/app/asset_service.go

@@ -1679,7 +1679,7 @@ func (s *AssetService) RecalculateAllRiskScores(ctx context.Context, tenantID sh
 	// Acquire distributed lock to prevent concurrent recalculations
 	if s.redisClient != nil {
 		lockKey := recalcLockKeyPrefix + tid
-		acquired, err := s.redisClient.Client().SetNX(ctx, lockKey, "1", recalcLockTTL).Result()
+		acquired, err := s.redisClient.SetNX(ctx, lockKey, "1", recalcLockTTL)
 		switch {
 		case err != nil:
 			s.logger.Warn("failed to acquire recalc lock, proceeding anyway", "tenant_id", tid, "error", err)