fix(reverse-import): wire closure-capable discoverer into the job (#195) #196

Merged: sam-at-luther merged 2 commits into main from fix/195-wire-closure-discoverer on Jun 9, 2026

sam-at-luther (Member) commented Jun 9, 2026

Closes #195

Problem

The Mars reverse-import job built reverseimport.Options{…} with neither Discoverer nor ClosureDiscoverer set. Both stayed nil, so the presets reverse-import engine emitted the selection_closure_unavailable diagnostic and silently skipped:

  • dependency-closure expansion (the "auto-included N dependencies" behavior the fast-discovery initiative relies on), and
  • dep-chase (the engine requires opts.Discoverer != nil).

Found during reliable's #2040 fast-discovery e2e on staging: the diagnostic appeared in the plan artifact for reverse run ri-ea0b6f37-vvwqf. The presets CLI wires this correctly; the omission was squarely in Mars.

Fix

  • Hand the engine a closure-capable cloud discoverer built from the shared presets constructor reversedisco.New (added in feat(reverse-import): export shared closure-capable discoverer constructor insideout-terraform-presets#738). The concrete adapter implements both reverseimport.Discoverer (DiscoverByID) and reverseimport.ClosureDiscoverer (DiscoverClosure); the engine resolves the closure surface from Options.Discoverer when it is closure-capable, so one field wires both.
  • Construction is lazy (lazyDiscoverer): the real cloud client is built on first use by the engine's closure/dep-chase phases, which run after the engine's cheap selection validation. Building it eagerly would let a credential/API gap (e.g. GCP ADC missing) mask the structured validation result the engine produces for an invalid selection.
  • Cloud/region/GCP-project are derived from the request resources when the flags are omitted, mirroring how reverseimport.Run derives the cloud, so the discoverer targets the correct provider regardless of dispatch flags.
  • DiscoverRegions carries every distinct region across the selected resources (or the single --region override) so closure discovery scans all selected regions for a multi-region request, not just the first.
  • newDiscoverer is a package var defaulting to reversedisco.New; tests swap in a fake to assert the wiring, region scope, and validation-first ordering without real cloud clients.
  • Bump insideout-terraform-presets to the commit that exports reversedisco.New.

Rather than duplicate the discoverer wiring in Mars, the constructor was extracted into an exported presets package so the CLI and Mars share one wiring. See luthersystems/insideout-terraform-presets#738.

Tests

  • TestMainWiresClosureDiscovererForRegisteredParents — selects a registered parent type (aws_kms_key) and asserts Main passes the engine a non-nil Options.Discoverer implementing reverseimport.ClosureDiscoverer. Verified failing before the fix.
  • TestMainValidatesSelectionBeforeBuildingCloudClient — a failing discoverer factory must not mask the engine's selection validation; asserts the cloud client is never constructed before validation rejects an InsideOutImported selection. Verified failing under eager construction.
  • TestMainScansAllSelectedRegionsForClosure / TestMainRegionOverrideWinsForClosureScope — multi-region closure scope and --region override.
  • TestMainDecodesRequestAndPassesOptions also asserts the discoverer and region scope are wired, using the real production newDiscoverer.

Full mars suite green (15 tests in the touched package, 17 packages overall), go vet clean, gofmt-clean; the insideout-reverse-import binary cross-compiles.

Depends on luthersystems/insideout-terraform-presets#738 — the go.mod bump currently points at that PR's branch commit. Re-pin to the merge commit once #738 lands.
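
The validation-first ordering that lazy construction protects, as an added Go sketch (not the PR's or the presets project's code). The `Discoverer` signature, the `lazy` wrapper, `runEngine`, `Demo` and the empty-ID validation rule are simplified assumptions standing in for the engine and `lazyDiscoverer` described above.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Discoverer stands in for reverseimport.Discoverer; the signature is assumed.
type Discoverer interface{ DiscoverByID(id string) (string, error) }

// lazy builds the real client on first use and caches the client or the error.
type lazy struct {
	once    sync.Once
	factory func() (Discoverer, error)
	inner   Discoverer
	err     error
}

func (l *lazy) DiscoverByID(id string) (string, error) {
	if l.once.Do(func() { l.inner, l.err = l.factory() }); l.err != nil {
		return "", fmt.Errorf("build discoverer: %w", l.err)
	}
	return l.inner.DiscoverByID(id)
}

var errInvalidSelection = errors.New("invalid selection")

// runEngine (hypothetical) validates the whole selection before any discovery.
func runEngine(selection []string, d Discoverer) error {
	for _, id := range selection {
		if id == "" { // constructed rule: an empty ID is an invalid selection
			return errInvalidSelection
		}
	}
	for _, id := range selection {
		if _, err := d.DiscoverByID(id); err != nil {
			return err
		}
	}
	return nil
}

// Demo wires a factory that always fails (no credentials) and counts its runs.
func Demo(selection []string) (calls int, err error) {
	d := &lazy{factory: func() (Discoverer, error) { calls++; return nil, errors.New("credentials missing") }}
	err = runEngine(selection, d)
	return
}

func main() { fmt.Println(Demo([]string{"aws_kms_key.a", ""})) }
```

With an invalid selection the factory never runs and the structured validation error is what surfaces; with a valid selection the credential error appears only once discovery actually starts.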

socket-security Bot commented Jun 9, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | golang/github.com/luthersystems/insideout-terraform-presets@v0.11.1-0.20260605233704-4ab729343696 ⏵ v0.11.1-0.20260609165415-4669c80c4789 | 75 +1 | 100 | 100 | 100 | 100 |

The reverse-import job built reverseimport.Options with neither Discoverer
nor ClosureDiscoverer set, so the presets engine emitted the
selection_closure_unavailable diagnostic and silently skipped both
dependency-closure expansion (the 'auto-included N dependencies' behavior the
fast-discovery initiative relies on) and dep-chase.

Hand the engine a closure-capable cloud discoverer built from the shared
presets constructor (reversedisco.New, added in
insideout-terraform-presets#738). The concrete adapter implements both
reverseimport.Discoverer (DiscoverByID) and reverseimport.ClosureDiscoverer
(DiscoverClosure), and the engine resolves the closure surface from
Options.Discoverer when it is closure-capable, so one field wires both.

Details:
- Construction is lazy (lazyDiscoverer): the real cloud client is built on
  first use by the engine's closure/dep-chase phases, which run after the
  engine's cheap selection validation. Eagerly dialing the cloud would let a
  credential/API gap (e.g. GCP ADC missing) mask the structured validation
  result the engine produces for an invalid selection.
- Cloud/region/GCP-project are derived from the request resources when the
  flags are omitted, mirroring how reverseimport.Run derives the cloud, so the
  discoverer targets the correct provider regardless of dispatch flags.
- DiscoverRegions carries every distinct region across the selected resources
  (or the single --region override) so closure discovery scans all selected
  regions for a multi-region request rather than only the first.
- newDiscoverer is a package var defaulting to reversedisco.New; tests swap in
  a fake to assert the Options wiring, region scope, and validation-first
  ordering without standing up real cloud clients.

Bumps insideout-terraform-presets to the commit that exports reversedisco.New.
sam-at-luther force-pushed the fix/195-wire-closure-discoverer branch from 2bc93c1 to 00fb610 on June 9, 2026 14:34
presets#738 merged as 4669c80c; move the go.mod require off the PR-branch
commit (ef92b38) onto the merge commit so the dependency stays reachable
after the presets branch is deleted.
sam-at-luther merged commit b3d86c2 into main on Jun 9, 2026
4 checks passed
Development

Successfully merging this pull request may close these issues.

Reverse-import job never wires a closure discoverer (selection_closure_unavailable; dep-chase skipped)