netdata
diff --git a/‎.agents/sow/current/SOW-0014-20260603-maintainability-hotspots.md‎
Lines changed: 45 additions & 0 deletions b/‎.agents/sow/current/SOW-0014-20260603-maintainability-hotspots.md‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎src/crates/netipc/src/protocol/lookup.rs‎
Lines changed: 96 additions & 117 deletions b/‎src/crates/netipc/src/protocol/lookup.rs‎
Lines changed: 96 additions & 117 deletions
@@ -340,6 +340,15 @@ Refined recommendation:
   - `src/go/pkg/netipc/service/apps_lookup/client_common.go`
   - `src/go/pkg/netipc/service/cgroups_lookup/client_common.go`
 - Left build-tagged Go files responsible only for POSIX/Windows transport config conversion and platform-specific `NewCache()` construction where needed.
+- Committed and pushed the typed-facade cleanup as `ef9fcef` with message `Refactor Go service facade wrappers`.
+- GitHub reported the direct push bypassed the pull-request rule for `main`, as requested by the user.
+- Switched to the lookup codec complexity target.
+- Extracted apps lookup semantic validation into one local helper per language:
+  - `src/go/pkg/netipc/protocol/lookup.go`
+  - `src/libnetdata/netipc/src/protocol/netipc_protocol.c`
+  - `src/crates/netipc/src/protocol/lookup.rs`
+- The codec change intentionally did not change layout offsets, byte-order writes, label table construction, directory entries, or packed-data compaction.
+- The extracted helpers preserve the existing validation order: status domain, cgroup-status domain, comm length, unknown-pid metadata rules, known-pid/cgroup-state rules, then source-string validation in builder paths.
 
 ## Validation
 
@@ -405,6 +414,42 @@ Implementation validation:
     - total: 0 issues, 0 errors.
   - `bash .agents/sow/audit.sh` passed and reported SOW initialization complete and clean.
   - `git diff --check` passed.
+- Lookup codec complexity validation:
+  - `gofmt -w src/go/pkg/netipc/protocol/lookup.go` passed.
+  - `cargo fmt --manifest-path src/crates/netipc/Cargo.toml` passed.
+  - `go test ./pkg/netipc/protocol` passed.
+  - `go test ./...` passed in `src/go`.
+  - `cargo test --manifest-path src/crates/netipc/Cargo.toml` passed: 329 Rust unit tests passed, plus bin/doc test targets.
+  - `cmake --build build` passed.
+  - `/usr/bin/ctest --test-dir build --output-on-failure -R protocol` passed: 4/4 protocol tests.
+  - `bash tests/interop_codec.sh` passed after CTest, serially:
+    - Rust decoded C output: 89 passed, 0 failed.
+    - Go decoded C output: 90 passed, 0 failed.
+    - C decoded Rust output: 101 passed, 0 failed.
+    - Go decoded Rust output: 90 passed, 0 failed.
+    - C decoded Go output: 101 passed, 0 failed.
+    - Rust decoded Go output: 89 passed, 0 failed.
+    - C, Rust, and Go generated byte-identical protocol fixture files.
+  - Lizard focused lookup-code comparison:
+    - Go `decodeAppsLookupItem`: CCN 52 before, 19 after.
+    - Go `AppsLookupBuilder.Add`: CCN 71 before, 39 after.
+    - C `apps_lookup_decode_item_bytes`: CCN 49 before, 16 after.
+    - C `nipc_apps_lookup_builder_add`: CCN 63 before, 31 after.
+    - Rust `decode_apps_item`: CCN 43 before, 13 after.
+    - Rust `AppsLookupBuilder::add`: CCN 56 before, 27 after.
+    - New semantic helpers remain intentionally high-complexity state machines: Go CCN 35, C CCN 35, Rust CCN 32.
+    - Focused lookup-code average CCN moved from 7.4 to 6.8; NLOC warning ratio moved from 0.32 to 0.26.
+  - `codacy-analysis analyze --output-format json` passed:
+    - Checkov: 0 issues.
+    - Opengrep/Semgrep: 0 issues.
+    - Trivy: 0 issues.
+    - cppcheck: 0 issues.
+    - ShellCheck: 0 issues.
+    - Spectral: 0 issues.
+    - total: 0 issues, 0 errors.
+  - `bash .agents/sow/audit.sh` passed and reported SOW initialization complete and clean.
+  - `git diff --check` passed.
+  - Sensitive-data scan across the touched SOW and codec files returned no matches.
 
 Sensitive data gate:
 
 
@@ -124,6 +124,75 @@ fn source_string_invalid(bytes: &[u8], require_non_empty: bool) -> bool {
     (require_non_empty && bytes.is_empty()) || bytes.contains(&0)
 }
 
+fn validate_apps_lookup_semantics(
+    status: u16,
+    cgroup_status: u16,
+    orchestrator: u16,
+    ppid: u32,
+    uid: u32,
+    starttime: u64,
+    comm_len: u64,
+    path_len: u64,
+    name_len: u64,
+    label_count: u64,
+) -> Result<(), NipcError> {
+    if status != PID_LOOKUP_KNOWN && status != PID_LOOKUP_UNKNOWN {
+        return Err(NipcError::BadLayout);
+    }
+    if cgroup_status != APPS_CGROUP_KNOWN
+        && cgroup_status != APPS_CGROUP_UNKNOWN_RETRY_LATER
+        && cgroup_status != APPS_CGROUP_UNKNOWN_PERMANENT
+        && cgroup_status != APPS_CGROUP_HOST_ROOT
+    {
+        return Err(NipcError::BadLayout);
+    }
+    if comm_len > 15 {
+        return Err(NipcError::BadLayout);
+    }
+    if status == PID_LOOKUP_UNKNOWN {
+        if orchestrator != 0
+            || cgroup_status != 0
+            || ppid != 0
+            || uid != NIPC_UID_UNSET
+            || starttime != 0
+            || comm_len != 0
+            || path_len != 0
+            || name_len != 0
+            || label_count != 0
+        {
+            return Err(NipcError::BadLayout);
+        }
+        return Ok(());
+    }
+    if comm_len == 0 {
+        return Err(NipcError::BadLayout);
+    }
+    match cgroup_status {
+        APPS_CGROUP_KNOWN => {
+            if path_len == 0 {
+                return Err(NipcError::BadLayout);
+            }
+        }
+        APPS_CGROUP_UNKNOWN_RETRY_LATER => {
+            if orchestrator != 0 || name_len != 0 || label_count != 0 {
+                return Err(NipcError::BadLayout);
+            }
+        }
+        APPS_CGROUP_UNKNOWN_PERMANENT => {
+            if path_len == 0 || orchestrator != 0 || name_len != 0 || label_count != 0 {
+                return Err(NipcError::BadLayout);
+            }
+        }
+        APPS_CGROUP_HOST_ROOT => {
+            if orchestrator != 0 || path_len != 0 || name_len != 0 || label_count != 0 {
+                return Err(NipcError::BadLayout);
+            }
+        }
+        _ => return Err(NipcError::BadLayout),
+    }
+    Ok(())
+}
+
 fn validate_lookup_dir(
     buf: &[u8],
     dir_start: usize,
@@ -1016,59 +1085,18 @@ fn decode_apps_item(item: &[u8]) -> Result<AppsLookupItemView<'_>, NipcError> {
     if u16_at(item, 0) != 1 || u32_at(item, 20) != 0 || u16_at(item, 58) != 0 {
         return Err(NipcError::BadLayout);
     }
-    if status != PID_LOOKUP_KNOWN && status != PID_LOOKUP_UNKNOWN {
-        return Err(NipcError::BadLayout);
-    }
-    if cgroup_status != APPS_CGROUP_KNOWN
-        && cgroup_status != APPS_CGROUP_UNKNOWN_RETRY_LATER
-        && cgroup_status != APPS_CGROUP_UNKNOWN_PERMANENT
-        && cgroup_status != APPS_CGROUP_HOST_ROOT
-    {
-        return Err(NipcError::BadLayout);
-    }
-    if comm_len > 15 {
-        return Err(NipcError::BadLayout);
-    }
-    if status == PID_LOOKUP_UNKNOWN {
-        if orchestrator != 0
-            || cgroup_status != 0
-            || ppid != 0
-            || uid != NIPC_UID_UNSET
-            || starttime != 0
-            || comm_len != 0
-            || path_len != 0
-            || name_len != 0
-            || label_count != 0
-        {
-            return Err(NipcError::BadLayout);
-        }
-    } else if comm_len == 0 {
-        return Err(NipcError::BadLayout);
-    } else {
-        match cgroup_status {
-            APPS_CGROUP_KNOWN => {
-                if path_len == 0 {
-                    return Err(NipcError::BadLayout);
-                }
-            }
-            APPS_CGROUP_UNKNOWN_RETRY_LATER => {
-                if orchestrator != 0 || name_len != 0 || label_count != 0 {
-                    return Err(NipcError::BadLayout);
-                }
-            }
-            APPS_CGROUP_UNKNOWN_PERMANENT => {
-                if path_len == 0 || orchestrator != 0 || name_len != 0 || label_count != 0 {
-                    return Err(NipcError::BadLayout);
-                }
-            }
-            APPS_CGROUP_HOST_ROOT => {
-                if orchestrator != 0 || path_len != 0 || name_len != 0 || label_count != 0 {
-                    return Err(NipcError::BadLayout);
-                }
-            }
-            _ => return Err(NipcError::BadLayout),
-        }
-    }
+    validate_apps_lookup_semantics(
+        status,
+        cgroup_status,
+        orchestrator,
+        ppid,
+        uid,
+        starttime,
+        comm_len as u64,
+        path_len as u64,
+        name_len as u64,
+        label_count as u64,
+    )?;
 
     let (comm, comm_end) = lookup_string(item, APPS_LOOKUP_ITEM_HDR_SIZE, comm_off, comm_len)?;
     let (cgroup_path, path_end) =
@@ -1168,77 +1196,28 @@ impl<'a> AppsLookupBuilder<'a> {
             self.error = Some(NipcError::Overflow);
             return Err(NipcError::Overflow);
         }
-        if status != PID_LOOKUP_KNOWN && status != PID_LOOKUP_UNKNOWN {
-            self.error = Some(NipcError::BadLayout);
-            return Err(NipcError::BadLayout);
-        }
-        if cgroup_status != APPS_CGROUP_KNOWN
-            && cgroup_status != APPS_CGROUP_UNKNOWN_RETRY_LATER
-            && cgroup_status != APPS_CGROUP_UNKNOWN_PERMANENT
-            && cgroup_status != APPS_CGROUP_HOST_ROOT
-        {
-            self.error = Some(NipcError::BadLayout);
-            return Err(NipcError::BadLayout);
+        if let Err(err) = validate_apps_lookup_semantics(
+            status,
+            cgroup_status,
+            orchestrator,
+            ppid,
+            uid,
+            starttime,
+            comm.len() as u64,
+            cgroup_path.len() as u64,
+            cgroup_name.len() as u64,
+            labels.len() as u64,
+        ) {
+            self.error = Some(err);
+            return Err(err);
         }
-        if comm.len() > 15
-            || source_string_invalid(comm, status == PID_LOOKUP_KNOWN)
+        if source_string_invalid(comm, status == PID_LOOKUP_KNOWN)
             || source_string_invalid(cgroup_path, false)
             || source_string_invalid(cgroup_name, false)
         {
             self.error = Some(NipcError::BadLayout);
             return Err(NipcError::BadLayout);
         }
-        if status == PID_LOOKUP_UNKNOWN {
-            if orchestrator != 0
-                || cgroup_status != 0
-                || ppid != 0
-                || uid != NIPC_UID_UNSET
-                || starttime != 0
-                || !comm.is_empty()
-                || !cgroup_path.is_empty()
-                || !cgroup_name.is_empty()
-                || !labels.is_empty()
-            {
-                self.error = Some(NipcError::BadLayout);
-                return Err(NipcError::BadLayout);
-            }
-        } else {
-            match cgroup_status {
-                APPS_CGROUP_KNOWN => {
-                    if cgroup_path.is_empty() {
-                        self.error = Some(NipcError::BadLayout);
-                        return Err(NipcError::BadLayout);
-                    }
-                }
-                APPS_CGROUP_UNKNOWN_RETRY_LATER => {
-                    if orchestrator != 0 || !cgroup_name.is_empty() || !labels.is_empty() {
-                        self.error = Some(NipcError::BadLayout);
-                        return Err(NipcError::BadLayout);
-                    }
-                }
-                APPS_CGROUP_UNKNOWN_PERMANENT => {
-                    if cgroup_path.is_empty()
-                        || orchestrator != 0
-                        || !cgroup_name.is_empty()
-                        || !labels.is_empty()
-                    {
-                        self.error = Some(NipcError::BadLayout);
-                        return Err(NipcError::BadLayout);
-                    }
-                }
-                APPS_CGROUP_HOST_ROOT => {
-                    if orchestrator != 0
-                        || !cgroup_path.is_empty()
-                        || !cgroup_name.is_empty()
-                        || !labels.is_empty()
-                    {
-                        self.error = Some(NipcError::BadLayout);
-                        return Err(NipcError::BadLayout);
-                    }
-                }
-                _ => unreachable!(),
-            }
-        }
         let label_count = match checked_u16(labels.len()) {
             Ok(v) => v,
             Err(err) => {