Fix hotspots findings groupBy

[willwashburn]

User description

Fixes #467

Summary

• Accept findings as a HotspotsGroupBy value in the Rust SDK and napi binding.
• Route hotspots({ groupBy: "findings" }) through the existing findings analyzer, using all detector kinds by default and honoring explicit patterns filters.
• Update @relayburn/sdk typings, enum constants, conformance coverage, and changelogs.

Verification

• cargo test -p relayburn-sdk hotspots_group_by_findings
• cargo check --workspace
• cargo test --workspace
• pnpm --filter @relayburn/sdk test
• Direct native smoke: rebuilt local napi artifact and called hotspots({ ledgerHome: "tests/fixtures/cli-golden/ledger", groupBy: "findings" }) against packages/sdk-node/src/index.darwin-arm64.node

---

CodeAnt-AI Description

Allow hotspots to return findings results for groupBy: "findings"

What Changed

• hotspots({ groupBy: "findings" }) now returns the findings result instead of rejecting the option
• When no patterns are provided, findings uses the built-in default set of finding kinds
• Existing pattern filters still apply when they are provided
• The Node SDK types and exported HotspotsGroupBy values now include findings

Impact

✅ Fewer hotspots option errors
✅ Clearer findings reports
✅ Safer findings grouping in SDK apps

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

[codeant-ai]

CodeAnt AI is reviewing your PR.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR enables the groupBy: 'findings' option for the hotspots API, making the previously unreachable HotspotsFindingsResult type accessible. The change propagates a new Findings variant through the TypeScript types, Rust N-API binding, and core SDK hotspots implementation, with early-return routing to the findings pathway and complete test coverage.

Changes

Findings Grouping Support

Layer / File(s)	Summary
TypeScript API surface packages/sdk-node/src/index.d.ts	HotspotsGroupBy type union and constant are extended to include 'findings' as a valid grouping option.
SDK Node N-API binding crates/relayburn-sdk-node/src/lib.rs	Rust HotspotsGroupBy enum gains Findings variant with kebab-case serialization, and the SDK conversion function maps it to the underlying SDK's HotspotsGroupBy::Findings.
Core SDK hotspots routing and state handling crates/relayburn-sdk/src/query_verbs.rs	HotspotsGroupBy gains Findings variant; LedgerHandle::hotspots branches early when group_by: Findings and routes to run_hotspots_findings using either user-provided patterns or a new default finding-kind list; attribution code path and refusal handling are updated to account for the new variant.
Tests and changelog documentation crates/relayburn-sdk/src/query_verbs.rs, packages/sdk-node/test/conformance.test.js, CHANGELOG.md, packages/sdk-node/CHANGELOG.md	New hotspots tests verify group_by: Findings returns findings with non-empty kind fields and respects patterns filtering; conformance test validates the new enum constant and API behavior; changelogs document the fix.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• AgentWorkforce/burn#387: Wires --findings and pattern modes through to run_hotspots_findings in the CLI; this PR adds the SDK/N-API/TS support for the same pathway via the public groupBy: "findings" option.
• AgentWorkforce/burn#370: Also modifies hotspots construction in crates/relayburn-sdk/src/query_verbs.rs, adding refused/fidelity breakdowns to the same code paths this PR touches.

Poem

🐰 A findings path, once hidden from sight,
Now glows with 'findings' in the light—
Each variant through the stack does flow,
From TypeScript types to SDK below,
The reachable result now brings delight! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 44.44% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Fix hotspots findings groupBy' directly describes the main change: enabling the findings groupBy option for hotspots that was previously broken/unreachable.
Description check	✅ Passed	The description is related to the changeset and clearly explains what is being fixed: accepting 'findings' as a HotspotsGroupBy value and routing it through the findings analyzer.
Linked Issues check	✅ Passed	The PR fully implements the primary objective from issue #467: making HotspotsFindingsResult reachable by accepting 'findings' as a HotspotsGroupBy value across Rust SDK, napi binding, and Node.js typings.
Out of Scope Changes check	✅ Passed	All changes are directly scoped to issue #467: adding findings support to HotspotsGroupBy, updating bindings/types, implementing findings routing logic, and adding conformance tests. No unrelated changes detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-hotspots-findings-group-by

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request adds support for grouping hotspots by "findings" in the @relayburn/sdk and its Node.js bindings. It updates the HotspotsGroupBy enum in both Rust and TypeScript, handles the new option in the query execution logic, defines default finding kinds, and adds corresponding unit and conformance tests. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[codeant-ai]

CodeAnt AI finished reviewing your PR.

[cubic-dev-ai]

No issues found across 6 files

_{Re-trigger cubic}

[codeant-ai]

CodeAnt AI is running Incremental review

[codeant-ai]

CodeAnt AI Incremental review completed.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/relayburn-sdk/src/query_verbs.rs`:
- Around line 3177-3183: HotspotsGroupBy::Findings leaks project/provider scope
because run_hotspots_findings builds side_q without q.project/provider filters
and detect_observed_bloat processes all tool_result_events; fix by updating
run_hotspots_findings to include q.project and the provider allow-list from q
(or from the same filter used for turns) when constructing side_q before calling
query_user_turns and query_tool_result_events, and ensure the tool_result_events
returned are either queried with those filters or post-filtered to only events
whose session_id (or other session identifier) is present in the turns slice;
also update detect_observed_bloat to iterate only over tool_result_events that
are intersected with the provided turns (e.g., filter by session_id in turns) so
findings cannot reference sessions outside the caller’s requested
turns/provider/project scope.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 78cc2e90-f4ce-4650-afdd-4db1b1363382

📥 Commits

Reviewing files that changed from the base of the PR and between 5bc0023 and c47f1c1.

📒 Files selected for processing (6)

• CHANGELOG.md
• crates/relayburn-sdk-node/src/lib.rs
• crates/relayburn-sdk/src/query_verbs.rs
• packages/sdk-node/CHANGELOG.md
• packages/sdk-node/src/index.d.ts
• packages/sdk-node/test/conformance.test.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the new route into the findings pipeline.
rg -n -C4 'run_hotspots_findings|group_by.*Findings|query_user_turns|query_tool_result_events' crates/relayburn-sdk/src/query_verbs.rs

# Inspect whether the tool-output-bloat detector explicitly scopes side data
# back to the passed `turns` / selected session ids.
rg -n -C6 'fn detect_tool_output_bloat|struct DetectToolOutputBloatOptions|tool_result_events|user_turns|turns' crates packages --glob '!**/target/**'

Repository: AgentWorkforce/burn

Length of output: 50377

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the full run_hotspots_findings block around where side_q/session_q are built and queries are executed.
sed -n '3400,3560p' crates/relayburn-sdk/src/query_verbs.rs

# Locate and show detect_tool_output_bloat implementation + relevant option struct usage.
fd detect_tool_output_bloat crates/relayburn-sdk -a 2>/dev/null || true
rg -n "fn detect_tool_output_bloat|struct DetectToolOutputBloatOptions|DetectToolOutputBloatOptions" crates/relayburn-sdk/src crates -S --glob '!**/target/**'

# If detect_tool_output_bloat is in another file, print the function body area.
# Try common file targets first; otherwise we rely on next sed once we know the path from rg output.
# (We keep this command robust by grepping the first match path from rg.)
FILE="$(rg -l "fn detect_tool_output_bloat" crates/relayburn-sdk/src crates --glob '!**/target/**' | head -n 1 || true)"
if [ -n "$FILE" ]; then
  echo "---- detect_tool_output_bloat in: $FILE ----"
  sed -n '1,240p' "$FILE" | head -n 60
  # Print around the function definition (roughly)
  START="$(rg -n "fn detect_tool_output_bloat" "$FILE" -S --glob '!**/target/**' | head -n 1 | cut -d: -f1)"
  if [ -n "$START" ]; then
    S=$((START-60)); E=$((START+220));
    sed -n "${S},${E}p" "$FILE"
  fi
fi

# Also locate LedgerHandle::hotspots scoping logic (project/provider allow-list) and show how it constructs q/session_q.
rg -n "LedgerHandle::hotspots|fn hotspots\\(|HotspotsOptions|project|provider" crates/relayburn-sdk/src/query_verbs.rs crates/relayburn-sdk/src -S --glob '!**/target/**'

Repository: AgentWorkforce/burn

Length of output: 10977

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect how the hotspots entrypoint constructs the Query `q` (provider/project/session scoping).
rg -n "fn hotspots\\(|HotspotsOptions|struct HotspotsOptions|Query \\{" crates/relayburn-sdk/src/query_verbs.rs
HS_LINE="$(rg -n "fn hotspots\\(" crates/relayburn-sdk/src/query_verbs.rs | head -n 1 | cut -d: -f1)"
echo "hotspots fn at line: $HS_LINE"
sed -n "$((HS_LINE-80)),$((HS_LINE+220))p" crates/relayburn-sdk/src/query_verbs.rs

# Narrow to the part where Query q is built (look for `let q = Query {`)
Q_LINE="$(rg -n "let q = Query \\{" crates/relayburn-sdk/src/query_verbs.rs | head -n 1 | cut -d: -f1 || true)"
if [ -n "${Q_LINE:-}" ]; then
  echo "q construction at line: $Q_LINE"
  sed -n "$((Q_LINE-40)),$((Q_LINE+140))p" crates/relayburn-sdk/src/query_verbs.rs
fi

# 2) Inspect detect_tool_output_bloat implementation for session scoping against passed `turns`.
TOB_FILE="crates/relayburn-sdk/src/analyze/tool_output_bloat.rs"
TOB_LINE="$(rg -n "pub fn detect_tool_output_bloat" "$TOB_FILE" | head -n 1 | cut -d: -f1)"
echo "detect_tool_output_bloat at line: $TOB_LINE"
sed -n "$((TOB_LINE-40)),$((TOB_LINE+260))p" "$TOB_FILE"

# Look for explicit filtering to sessions present in `turns`.
rg -n "session_ids|session_id.*turns|keep|turns.*session_id|in_turns|HashSet" "$TOB_FILE" | head -n 80

Repository: AgentWorkforce/burn

Length of output: 30801

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

TOB="crates/relayburn-sdk/src/analyze/tool_output_bloat.rs"

# Extract the observed-bloat path where tool_result_events/user_turns/turns are combined and (hopefully) filtered to turns.session_id set.
rg -n "detect_observed_bloat|struct DetectObservedBloatOptions|user_turns|turns: &|tool_result_events" "$TOB" | head -n 80
OBS_LINE="$(rg -n "fn detect_observed_bloat" "$TOB" | head -n 1 | cut -d: -f1)"
echo "detect_observed_bloat at: $OBS_LINE"
sed -n "$((OBS_LINE-60)),$((OBS_LINE+260))p" "$TOB"

# Find where it builds/uses `sessions` / filters by session_id.
rg -n "sessions: HashSet|HashSet<String>|session_id.*in|contains\\(&.*session_id|turns\\.iter\\(\\)\\.map\\(|e\\.session_id" "$TOB" | head -n 120

# Also inspect the detect_patterns implementation to see if extra user_turns_by_session sessions are ignored.
RG_BASE="crates/relayburn-sdk/src/analyze"
rg -n "fn detect_patterns|user_turns_by_session|content_by_session|tool_result_events" "$RG_BASE" | head -n 80

PATTERN_FILE="$(rg -l "fn detect_patterns" "$RG_BASE" | head -n 1)"
echo "detect_patterns file: $PATTERN_FILE"
PAT_LINE="$(rg -n "fn detect_patterns" "$PATTERN_FILE" | head -n 1 | cut -d: -f1)"
sed -n "$((PAT_LINE-80)),$((PAT_LINE+260))p" "$PATTERN_FILE"

# See how DetectPatternsOptions is applied (particularly how it uses user_turns_by_session).
rg -n "DetectPatternsOptions\\s*\\{|user_turns_by_session:|user_turns_by_session\\.get|user_turns_by_session\\[|get\\(&.*session_id" "$PATTERN_FILE" | head -n 120

Repository: AgentWorkforce/burn

Length of output: 37696

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail
TOB="crates/relayburn-sdk/src/analyze/tool_output_bloat.rs"

# Show build_lookup implementation (likely around line ~273 from prior output)
BL_LINE="$(rg -n "fn build_lookup" "$TOB" | head -n 1 | cut -d: -f1)"
echo "build_lookup at line: $BL_LINE"
sed -n "$((BL_LINE-30)),$((BL_LINE+220))p" "$TOB"

# Also inspect any helper that might filter by session ids from opts.turns.
rg -n "build_lookup|approx_tokens_by_use_id|tool_use_lookup|turns\\b|session_id.*turns" "$TOB" | head -n 120

Repository: AgentWorkforce/burn

Length of output: 11587

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# 1) Inspect Query definition + Default fields to know which scoping gets dropped by `..Default::default()`.
rg -n "struct Query\\s*\\{" crates/relayburn-sdk/src/query_verbs.rs crates/relayburn-sdk/src -S --glob '!**/target/**' | head -n 20

QDEF="$(rg -n "struct Query\\s*\\{" crates/relayburn-sdk/src -S --glob '!**/target/**' | head -n 1 | cut -d: -f1)"
echo "First Query struct match line: $QDEF"
FILE="$(rg -l "struct Query\\s*\\{" crates/relayburn-sdk/src -S --glob '!**/target/**' | head -n 1)"
echo "Query struct file: $FILE"
sed -n '1,220p' "$FILE"

# 2) Inspect build_query to see what q contains (esp. project) and how provider is represented.
rg -n "fn build_query\\(" crates/relayburn-sdk/src/query_verbs.rs crates/relayburn-sdk/src -S --glob '!**/target/**'
BQ_FILE="$(rg -l "fn build_query\\(" crates/relayburn-sdk/src -S --glob '!**/target/**' | head -n 1)"
BQ_LINE="$(rg -n "fn build_query\\(" "$BQ_FILE" -S --glob '!**/target/**' | head -n 1 | cut -d: -f1)"
echo "build_query at $BQ_FILE:$BQ_LINE"
sed -n "$((BQ_LINE-40)),$((BQ_LINE+160))p" "$BQ_FILE"

# 3) Inspect normalize_provider_filter / provider-related logic presence in Query.
rg -n "normalize_provider_filter|provider.*Query|Query.*provider|provider:" crates/relayburn-sdk/src/query_verbs.rs crates/relayburn-sdk/src -S --glob '!**/target/**' | head -n 80

Repository: AgentWorkforce/burn

Length of output: 13762

---

Fix project/provider scoping leak in HotspotsGroupBy::Findings (tool-output-bloat runs on unscoped side data)

In crates/relayburn-sdk/src/query_verbs.rs run_hotspots_findings builds side_q from only session_id/since/enrichment and uses it to query query_user_turns + query_tool_result_events, dropping q.project and any provider allow-list logic (provider filtering is applied only to the turns slice). As a result, groupBy: Findings can pull tool-result evidence outside the caller’s requested project/provider slice.

Additionally, crates/relayburn-sdk/src/analyze/tool_output_bloat.rs’s detect_observed_bloat iterates over all passed tool_result_events without intersecting them to the provided turns sessions, so the findings can reference sessions not present in the turns slice.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/relayburn-sdk/src/query_verbs.rs` around lines 3177 - 3183,
HotspotsGroupBy::Findings leaks project/provider scope because
run_hotspots_findings builds side_q without q.project/provider filters and
detect_observed_bloat processes all tool_result_events; fix by updating
run_hotspots_findings to include q.project and the provider allow-list from q
(or from the same filter used for turns) when constructing side_q before calling
query_user_turns and query_tool_result_events, and ensure the tool_result_events
returned are either queried with those filters or post-filtered to only events
whose session_id (or other session identifier) is present in the turns slice;
also update detect_observed_bloat to iterate only over tool_result_events that
are intersected with the provided turns (e.g., filter by session_id in turns) so
findings cannot reference sessions outside the caller’s requested
turns/provider/project scope.