Add pprof profiling endpoint on main HTTP port under /pprof#107
Merged
Conversation
Exposes Go's net/http/pprof handlers on the main HTTP port (HTTP_PORT) under /pprof for collecting heap dumps, CPU profiles, and goroutine stacks from a running agent. Gated behind a new ENABLE_PPROF env flag (default off) since pprof exposes sensitive runtime data and the main HTTP port has no auth on any route. Logs an info line when the endpoint is enabled. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The PR Trivy scan flags CVE-2026-43494 in linux-libc-dev (pulled in transitively via build-essential). The fix is already published in trixie (linux-libc-dev 6.12.90-2); the cached apt layer was just stale. Bumping APT_CACHE_BUST forces apt-get update && upgrade to re-fetch the patched version. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ashiramin
approved these changes
May 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Exposes Go's standard
net/http/pprofhandlers on the main HTTP port (HTTP_PORT/DefaultHttpPort) under/pprof, so operators can collect heap dumps, CPU profiles, and goroutine stacks from a running agent.Gated behind a new
ENABLE_PPROFenv flag (default off), mirroring the existingEnableApiProxypattern. Routes register only when the flag is set — pprof exposes sensitive runtime data (raw memory, goroutine stacks) and the main HTTP port has no auth on any route today.Changes
agent/config/config.go— newEnablePprof boolfield, parsed fromENABLE_PPROF("true"/"1", defaultfalse); shown inPrint()when enabled.agent/server/http/pprof_handler.go(new) — aRegisterableHandler(same pattern asmetricsHandler) that mounts a/pprofsubrouter wiring the standard pprof entry points (/,/cmdline,/profile,/symbol,/trace) plus named profiles (heap,goroutine,allocs,block,mutex,threadcreate). Logs an info line when enabled.agent/server/main_http_server.go— conditional registration:if config.EnablePprof { ... }.agent/server/http/pprof_handler_test.go(new) — httptest-based coverage of the index page and heap profile..vscode/launch.json— setsENABLE_PPROF=truefor the local debug config.Usage
Start the agent with
ENABLE_PPROF=true, then:curl http://localhost:$HTTP_PORT/pprof/— profile indexgo tool pprof http://localhost:$HTTP_PORT/pprof/heap— memory profilego tool pprof http://localhost:$HTTP_PORT/pprof/profile?seconds=5— CPU profileTesting
go build ./...— compilesgo test ./server/http/... ./config/...— passesSecurity note
Since the main HTTP port has no auth on any route, keep
ENABLE_PPROFoff in environments where the port is publicly reachable.🤖 Generated with Claude Code