fix: audit wave 1 — dashboard reliability, controller correctness, remediation safety, concurrency (#87)

* fix(dashboard): use server-lifecycle context for background goroutines

Preset propose spawns a demoAdvancePreset goroutine that outlives the
HTTP request. The previous code used context.Background(), which meant
the goroutine would continue mutating shared state (preset store,
remediation store) after server shutdown — introducing a shutdown race.

Switch to a server-lifecycle context published by Start() via a
mutex-guarded field. Handlers that spawn background work derive from it
via backgroundContext() so goroutines observe server shutdown.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(dashboard): close audit gaps in compliance + SSE + preset flow

Consolidated dashboard-layer fixes surfaced during the audit pass:

- GitOps badge no longer lies. ConfigStatus was seeded with a demo
  default (GitOpsConfigured: true, GitOpsRepo: "zelyo-ai/platform-gitops")
  and SetConfigStatus was never wired, so the Compliance page claimed
  GitOps was connected even when no GitOpsRepository existed. Derive
  the connected/repo fields live from GitOpsRepositoryList at request
  time and drop the demo default.

- SSE send-on-closed-channel race. handleSSE's defer closed the
  subscriber channel outside the map-mutation lock while Broadcast sent
  on it under RLock — a classic send-on-closed panic window. Delete
  from the map under Lock and let GC reap the channel.

- SSE stream poisoning on unmarshalable event.Data. An ignored
  json.Marshal error emitted "data: null", breaking every subscriber's
  stream. Skip the event and log at V(1) instead.

- Start() no longer returns before Shutdown finishes. The goroutine-only
  Shutdown pattern let ListenAndServe return http.ErrServerClosed
  immediately while active handlers were still draining; join the two
  via a buffered error channel so the manager sees runnable exit only
  after Shutdown completes.

- backgroundContext() fallback now returns a cancelled ctx instead of
  context.Background() so handlers invoked before Start (test paths)
  can't silently re-introduce the goroutine leak.

- Preset state race fixed. handlePresetPropose wrote state=Proposing,
  spawned demoAdvancePreset, then wrote state=PendingMerge — racing
  with the goroutine's later merged→enabled writes. Complete both
  synchronous transitions before spawning the goroutine, and thread
  the GitOps repo slug through so the goroutine's Emit call doesn't
  re-read shared state.

- Preset ID validation. Four preset endpoints now reject IDs that
  don't match the catalog shape (lowercase, digits, dashes, ≤64 chars)
  before they reach FindPreset or the remediation store.

- /explain body cap. handleExplain now wraps r.Body in
  http.MaxBytesReader(16 KiB) so a hostile client can't make the
  handler allocate unbounded memory while decoding the request.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(controller): ScanReport GenerateName, target validation, LLM redaction

- ClusterScan controller now creates ScanReports via GenerateName rather
  than a composed "<scan>-<unix-timestamp>" Name. The previous form
  violated CLAUDE.md (which mandates GenerateName for ScanReports) and
  could exceed the 63-char DNS-1123 label limit on long scan names.
  Added scanReportBasename to bound the prefix at 56 chars so the API
  server's 5-char suffix always fits.

- truncateRunes replaces unsafe f.Title[:min(...)] byte slicing in the
  Finding ID composition. Multi-byte UTF-8 titles (any CJK/emoji) were
  being chopped mid-codepoint, producing invalid-UTF-8 ID strings.

- SecurityPolicy controller adds the RBAC markers that match its runtime
  behavior: it lists NotificationChannelList and reads the referenced
  Slack webhook Secret. Without these markers the operator silently
  fails notification delivery with RBAC-forbidden errors at runtime.

- RemediationPolicy controller no longer swallows non-NotFound errors
  when validating TargetPolicies. Missing targets now mark the policy
  Ready=False with Reason=ReconcileFailed, set Phase=Error, and requeue
  with backoff instead of ticking forward into active remediation.

- ZelyoConfig controller redacts the LLM probe error before putting it
  into the Event message and Condition. *llm.APIError.Error() includes
  the raw provider response body which, on 401/403, often echoes
  submitted header prefixes or request fragments — visible to anyone
  with namespace-scoped get-events RBAC. Full detail still goes to the
  operator log via log.Error.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(remediation,github): validate LLM fix plans and escape PR file paths

- safeRepoPath in the GitHub engine now validates and URL-escapes every
  repository-relative path before embedding it in a GitHub contents API
  URL. GetFile/createOrUpdateFile/deleteFile previously concatenated the
  path directly, so an LLM-emitted "../secret.yaml" or "%2e%2e/passwd"
  could overwrite or delete files outside the intended tree. We reject
  absolute paths, backslashes, and any ../.. segment, and url.PathEscape
  each remaining segment so spaces/percent-encodings don't corrupt the
  URL. branch and ref query args are now url.QueryEscape'd too.

- extractFixes no longer trusts the LLM response. The previous
  fallback wrapped any unstructured LLM prose as a single "patch" fix
  and committed it — exactly the kind of arbitrary-content-in-a-PR
  outcome the auto-remediation design is supposed to prevent. The new
  extractFixes rejects any response that doesn't conform to the JSON
  schema, validates each fix's operation against an allowlist
  (create/update/delete — no silent "update" default for unknown ops),
  validates the file path against the same safety rules the GitHub
  engine enforces, and bounds patch/description sizes.

- Added test coverage for the three regressions this closes:
  unstructured responses must be rejected (0 fixes), path traversal
  in LLM-emitted paths must be filtered out, and unknown operations
  must be dropped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(concurrency): deep-copy shared state + move callback outside lock

- correlator.Engine.Ingest no longer holds the engine mutex across
  onIncident callback invocation. A callback that calls back into the
  engine (ResolveIncident, GetOpenIncidents) would deadlock waiting
  for the Ingest-held lock. Snapshot the incident to notify, release
  the lock, then fire the callback with a copy.

- correlator.Engine.Ingest and GetOpenIncidents now return *Incident
  copies. The previous code returned a pointer into e.incidents that a
  concurrent Ingest would then mutate via `append(incident.Events, ...)`
  — producing a data race any caller ranging over Events could hit.
  New copyIncident clones the Incident struct and its Events slice
  header (shielding callers from future appends while keeping the
  *Event pointers shared, which are treated as immutable post-ingest).

- anomaly.Detector.GetBaseline now deep-copies Baseline.Values. The
  shallow struct copy aliased the slice backing array with the engine's
  own, so a caller ranging over Values raced with Observe() appending.

- threat.Aggregator.LookupImage stores and returns ImageThreat copies
  instead of aliasing one pointer across the cache and every caller.
  cloneImageThreat handles the CVEs slice too.

None of these were hypothetical — each would trip `-race` under
realistic load. No behavior change for single-threaded callers.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(lint): rename url locals and fix cancelled/canceled misspell

Renaming github/engine.go local url -> reqURL removes the
importShadow gocritic warnings that surfaced once net/url was
imported for safeRepoPath. No behavior change; mechanical rename of
six locals and one parameter.

Comment spellings in dashboard/server.go adjusted to "canceled" to
match stdlib (context.Canceled) and the misspell linter.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: address codex review — close post-unlock race, fail on empty plans

Two P1 findings from codex review of PR #87:

1. correlator.Engine.Ingest still had a post-unlock race in the
   callback dispatch path. notifySnapshot previously captured the raw
   internal *Incident pointer under the lock, but the copyIncident
   call happened AFTER e.mu.Unlock() — so a concurrent Ingest could
   append to incident.Events between the unlock and the copy,
   producing the exact data race the fix was meant to eliminate.
   Snapshot the incident via copyIncident WHILE holding the lock,
   then pass the immutable snapshot to the callback after unlock.
   Added TestEngine_ConcurrentIngestIsRaceFree which drives 16×50
   concurrent Ingests against the same (ns, resource) plus a parallel
   GetOpenIncidents reader — the old code tripped -race immediately;
   the new code is clean.

2. remediation.Engine.GeneratePlan no longer returns a successful
   plan with zero fixes. When every LLM-proposed fix fails validation
   (path traversal, unknown operation, size cap, or the response is
   unstructured prose), extractFixes correctly returns zero fixes —
   but GeneratePlan was still returning (plan, nil). In dry-run mode
   ApplyPlan then returns nil error too, and processIncidents resolves
   the incident anyway: malformed/unsafe LLM output was silently
   closing incidents with no remediation applied. GeneratePlan now
   returns an error in the zero-fix case so the caller keeps the
   incident open for retry/manual triage. Added
   TestGeneratePlan_ZeroValidatedFixes_ReturnsError covering three
   representative rejection paths.

Verified: go build, go vet, golangci-lint, full `go test`, and
`go test -race ./internal/correlator/... ./internal/remediation/...`
are all clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix: address coderabbit review comments on PR #87

Six major-severity items flagged by coderabbit, each independently
verifiable:

1. securitypolicy_controller RBAC marker reduced `secrets` to verbs=get.
   The controller only fetches named secrets via r.Get — list/watch were
   overscoped. (Note: aggregate role.yaml still shows get;list;watch
   because four other controllers legitimately need the wider verbs;
   tightening those is out of scope for this review and tracked
   separately.)

2. resolveConfigStatus now explicitly clears GitOpsConfigured/GitOpsRepo
   when the live GitOpsRepositoryList is empty. The previous branch
   returned the store snapshot unchanged, so if SetConfigStatus ever
   seeded stale values the badge could still read "connected" after
   the live query proved there are no repos. Live state is the source
   of truth.

3. dashboard Server.Start now surfaces ListenAndServe startup errors
   even when ctx.Done() wins the select. A real bind/cert-load failure
   could race ctx cancellation and be silently discarded by the old
   `<-serveErr` discard; we now check the drained error and return it
   if it's not http.ErrServerClosed.

4. GitHub engine safeRepoPath validation errors are now wrapped with
   operation context (GetFile / upsert / delete), per CLAUDE.md's rule
   against bare `return err`.

5. remediation.Engine.GeneratePlan no longer embeds raw LLM analysis
   in the returned error. The error is emitted as a Kubernetes Event
   by the RemediationPolicy controller — LLM output can echo secrets,
   request fragments, or arbitrary text and must not land on
   cluster-visible sinks. Full analysis stays in the operator log.
   The now-unused truncateString helper is removed.

6. extractFixes now rejects create/update fixes with empty/whitespace
   patches. An `operation:"update"` + `patch:""` previously passed
   validation and would generate a PR that blanks the target manifest
   — empty payloads are only valid for `delete` (where the op carries
   the intent). Added TestExtractFixes_EmptyPatchForCreateUpdateDropped
   covering the mixed case (blank create/update dropped, legit
   delete + non-blank update kept).

Verified: build clean, full test suite + -race on dashboard/remediation/
correlator green, golangci-lint 0 issues.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(dashboard): clarify SSE marshal-failure log message

Per coderabbit review: the log read "unmarshalable Data" but the op is
json.Marshal. Renamed to "json.Marshal failed" and added the error to
the structured fields so V(1) logs carry enough context to debug the
poisoning event without reaching for the code.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(dashboard): SSE loop observes shutdown + surface Shutdown errors

Two major items from coderabbit review:

1. SSE handler's inner select now watches s.backgroundContext().Done()
   in addition to r.Context().Done(). http.Server.Shutdown waits for
   active handlers to return on their own up to the 10s timeout — an
   SSE loop that only observed the per-request ctx would stall every
   graceful shutdown until that timeout expired. Wiring the
   server-lifecycle ctx into the select makes active dashboard tabs
   drop out promptly when the manager ctx cancels.

2. Start()'s ctx.Done() branch no longer masks Shutdown failures. The
   previous code logged Shutdown errors and still returned nil once
   ListenAndServe reported the expected ErrServerClosed — so a real
   stop failure (DeadlineExceeded, close error) disappeared. Capture
   shutdownErr, drain serveErr, and return wrapped errors per CLAUDE.md
   (no bare return err) on both branches: dashboard listen, dashboard
   listen during shutdown, dashboard shutdown.

Verified: build clean, dashboard tests green under -race, lint 0.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: mayurkr

internal/anomaly/detector.go

@@ -145,7 +145,10 @@ func (d *Detector) Observe(key string, value float64) *Anomaly {
 	}
 }
 
-// GetBaseline returns the current baseline for a key, or nil if not found.
+// GetBaseline returns a copy of the current baseline for key, or nil if
+// not found. The Values slice is deep-copied: the previous shallow struct
+// copy aliased the backing array, so a caller iterating Values raced with
+// the next Observe() `append` mutating the same memory.
 func (d *Detector) GetBaseline(key string) *Baseline {
 	d.mu.RLock()
 	defer d.mu.RUnlock()
@@ -154,6 +157,9 @@ func (d *Detector) GetBaseline(key string) *Baseline {
 		return nil
 	}
 	result := *b
+	if len(b.Values) > 0 {
+		result.Values = append([]float64(nil), b.Values...)
+	}
 	return &result
 }
 

internal/controller/clusterscan_controller.go

@@ -258,7 +258,7 @@ func (r *ClusterScanReconciler) executeScan(ctx context.Context, scan *zelyov1al
 		for i := range results {
 			f := &results[i]
 			finding := zelyov1alpha1.Finding{
-				ID:          fmt.Sprintf("%s-%s-%s-%s", f.RuleType, f.ResourceNamespace, f.ResourceName, f.Title[:min(len(f.Title), 20)]),
+				ID:          fmt.Sprintf("%s-%s-%s-%s", f.RuleType, f.ResourceNamespace, f.ResourceName, truncateRunes(f.Title, 20)),
 				Severity:    f.Severity,
 				Category:    f.RuleType,
 				Title:       f.Title,
@@ -354,11 +354,15 @@ func (r *ClusterScanReconciler) evaluateCompliance(ctx context.Context, scan *ze
 func (r *ClusterScanReconciler) createScanReport(ctx context.Context, scan *zelyov1alpha1.ClusterScan, findings []zelyov1alpha1.Finding, summary *zelyov1alpha1.ScanSummary, complianceResults []zelyov1alpha1.ComplianceResult) (string, error) {
 	log := logf.FromContext(ctx)
 
-	reportName := fmt.Sprintf("%s-%d", scan.Name, time.Now().Unix())
+	// Use GenerateName (not Name) so the API server appends a 5-char random
+	// suffix: this guarantees the result never exceeds the DNS-1123 label
+	// limit of 63 chars regardless of scan.Name length, and stays unique
+	// even when two scans complete in the same second (the unix-timestamp
+	// approach previously collided under parallel execution).
 	report := &zelyov1alpha1.ScanReport{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      reportName,
-			Namespace: scan.Namespace,
+			GenerateName: scanReportBasename(scan.Name),
+			Namespace:    scan.Namespace,
 			Labels: map[string]string{
 				"zelyo.ai/scan": scan.Name,
 			},
@@ -388,7 +392,21 @@ func (r *ClusterScanReconciler) createScanReport(ctx context.Context, scan *zely
 		log.Error(err, "Failed to update ScanReport status")
 	}
 
-	return reportName, nil
+	return report.Name, nil
+}
+
+// scanReportBasename returns a GenerateName prefix that leaves at least
+// 6 chars for the API server's random suffix while respecting the 63-char
+// DNS-1123 label limit. ScanReports use the scan name as a prefix so
+// human operators can still correlate reports to their scan in `kubectl
+// get scanreports`.
+func scanReportBasename(scanName string) string {
+	const maxPrefix = 56 // 63 - 5 suffix - 1 dash - 1 safety = plenty.
+	base := scanName
+	if len(base) > maxPrefix {
+		base = base[:maxPrefix]
+	}
+	return base + "-"
 }
 
 // resolveTargetPods lists running pods matching the scan's scope.
@@ -499,3 +517,17 @@ func (r *ClusterScanReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Named("clusterscan").
 		Complete(r)
 }
+
+// truncateRunes returns s truncated to at most maxRunes runes. Slicing a
+// string by byte index (s[:n]) chops mid-codepoint on multi-byte UTF-8
+// input, producing invalid sequences in downstream Finding IDs.
+func truncateRunes(s string, maxRunes int) string {
+	if maxRunes <= 0 {
+		return ""
+	}
+	r := []rune(s)
+	if len(r) <= maxRunes {
+		return s
+	}
+	return string(r[:maxRunes])
+}

internal/controller/remediationpolicy_controller.go

@@ -19,6 +19,7 @@ package controller
 import (
 	"context"
 	"fmt"
+	"strings"
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
@@ -112,18 +113,37 @@ func (r *RemediationPolicyReconciler) Reconcile(ctx context.Context, req ctrl.Re
 		fmt.Sprintf("GitOpsRepository %q is available (phase: %s)", repo.Name, repo.Status.Phase), policy.Generation)
 
 	// ── Step 2: Validate targeted SecurityPolicies ──
+	// Non-NotFound errors previously fell through silently; track missing
+	// and errored targets explicitly so we can mark a degraded condition
+	// and requeue with backoff.
+	var missingTargets []string
 	if len(policy.Spec.TargetPolicies) > 0 {
 		for _, policyName := range policy.Spec.TargetPolicies {
 			sp := &zelyov1alpha1.SecurityPolicy{}
 			spKey := types.NamespacedName{Name: policyName, Namespace: policy.Namespace}
 			if err := r.Get(ctx, spKey, sp); err != nil {
 				if errors.IsNotFound(err) {
+					missingTargets = append(missingTargets, policyName)
 					r.Recorder.Event(policy, corev1.EventTypeWarning, zelyov1alpha1.EventReasonReconcileError,
 						fmt.Sprintf("Target SecurityPolicy %q not found", policyName))
+					continue
 				}
+				return ctrl.Result{}, fmt.Errorf("fetching target SecurityPolicy %q: %w", policyName, err)
 			}
 		}
 	}
+	if len(missingTargets) > 0 {
+		conditions.MarkFalse(&policy.Status.Conditions, zelyov1alpha1.ConditionReady,
+			zelyov1alpha1.ReasonReconcileFailed,
+			fmt.Sprintf("target SecurityPolicies not found: %s", strings.Join(missingTargets, ", ")),
+			policy.Generation)
+		policy.Status.Phase = zelyov1alpha1.PhaseError
+		policy.Status.ObservedGeneration = policy.Generation
+		if err := r.Status().Update(ctx, policy); err != nil {
+			return ctrl.Result{}, fmt.Errorf("updating status: %w", err)
+		}
+		return ctrl.Result{RequeueAfter: 2 * time.Minute}, nil
+	}
 
 	// ── Step 3: Query correlator for open incidents ──
 	var prsCreated int32

internal/controller/securitypolicy_controller.go

@@ -70,8 +70,10 @@ type SecurityPolicyReconciler struct {
 // +kubebuilder:rbac:groups=zelyo.ai,resources=securitypolicies,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=zelyo.ai,resources=securitypolicies/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=zelyo.ai,resources=securitypolicies/finalizers,verbs=update
+// +kubebuilder:rbac:groups=zelyo.ai,resources=notificationchannels,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=pods,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=namespaces,verbs=get;list;watch
+// +kubebuilder:rbac:groups="",resources=secrets,verbs=get
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
 
 // Reconcile implements the main reconciliation loop for SecurityPolicy.

internal/controller/zelyoconfig_controller.go

@@ -18,6 +18,7 @@ package controller
 
 import (
 	"context"
+	stderrors "errors"
 	"fmt"
 	"os"
 	"time"
@@ -254,13 +255,20 @@ func (r *ZelyoConfigReconciler) reconcileRemediationEngine(ctx context.Context,
 				if ns == "" {
 					ns = "zelyo-system"
 				}
+				// Events and Conditions are visible to anyone with namespace
+				// read access; upstream *APIError.Error() includes the raw
+				// provider response body which can echo request fragments or
+				// header prefixes on 401/403. Use a redacted status-code-only
+				// summary for any externally-visible surface. Full detail
+				// stays in the operator log above.
+				probeSummary := redactLLMProbeError(probeErr)
 				r.Recorder.Event(config, corev1.EventTypeWarning, "LLMKeyVerificationFailed",
-					fmt.Sprintf("LLM API key verification failed: %v. Verify your key with: kubectl get secret %s -n %s -o jsonpath='{.data.api-key}' | base64 -d",
-						probeErr, config.Spec.LLM.APIKeySecret, ns))
+					fmt.Sprintf("LLM API key verification failed: %s. Verify your key with: kubectl get secret %s -n %s -o jsonpath='{.data.api-key}' | base64 -d",
+						probeSummary, config.Spec.LLM.APIKeySecret, ns))
 				config.Status.LLMKeyStatus = "Invalid"
 				conditions.MarkFalse(&config.Status.Conditions, zelyov1alpha1.ConditionLLMKeyVerified,
 					zelyov1alpha1.ReasonLLMKeyInvalid,
-					fmt.Sprintf("API key probe failed: %v", probeErr), config.Generation)
+					fmt.Sprintf("API key probe failed: %s", probeSummary), config.Generation)
 			} else {
 				now := metav1.Now()
 				config.Status.LLMKeyStatus = "Verified"
@@ -297,3 +305,25 @@ func (r *ZelyoConfigReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Named("zelyoconfig").
 		Complete(r)
 }
+
+// redactLLMProbeError returns a short status-code-only summary for the
+// LLM probe error, suitable for Kubernetes Events and Condition messages.
+// The full error (including upstream provider response body) stays in the
+// operator log; Events are visible to any namespace reader and must not
+// carry raw upstream bodies that may echo prompts or header prefixes.
+func redactLLMProbeError(err error) string {
+	if err == nil {
+		return ""
+	}
+	var apiErr *llm.APIError
+	if stderrors.As(err, &apiErr) {
+		if apiErr.StatusCode == 429 {
+			return "rate limited by provider"
+		}
+		if apiErr.StatusCode >= 400 && apiErr.StatusCode < 500 {
+			return fmt.Sprintf("provider returned HTTP %d (auth/config error)", apiErr.StatusCode)
+		}
+		return fmt.Sprintf("provider returned HTTP %d", apiErr.StatusCode)
+	}
+	return "provider unreachable"
+}

internal/correlator/engine.go

@@ -83,18 +83,26 @@ func NewEngine(cfg *Config) *Engine {
 }
 
 // Ingest adds an event and attempts to correlate it.
+//
+// The onIncident callback is invoked OUTSIDE the engine lock so callbacks
+// that call back into the engine (ResolveIncident, GetOpenIncidents) do
+// not deadlock. Both the callback payload and the returned *Incident are
+// independent copies snapshotted WHILE the lock is held — a concurrent
+// Ingest must not be able to append to incident.Events between our
+// snapshot and the callback/return.
 func (e *Engine) Ingest(event *Event) *Incident {
-	e.mu.Lock()
-	defer e.mu.Unlock()
+	var notifySnapshot *Incident
+	var result *Incident
 
+	e.mu.Lock()
 	if event.Timestamp.IsZero() {
 		event.Timestamp = time.Now()
 	}
 
 	e.events = append(e.events, event)
 	e.pruneOldEvents()
 
-	for id, incident := range e.incidents {
+	for _, incident := range e.incidents {
 		if incident.Resolved {
 			continue
 		}
@@ -104,50 +112,74 @@ func (e *Engine) Ingest(event *Event) *Incident {
 			if severityOrder(event.Severity) > severityOrder(incident.Severity) {
 				incident.Severity = event.Severity
 			}
-			if e.onIncident != nil {
-				e.onIncident(incident)
-			}
-			return e.incidents[id]
+			notifySnapshot = copyIncident(incident)
+			result = copyIncident(incident)
+			break
 		}
 	}
 
-	related := e.findRelated(event)
-	if len(related) >= 2 {
-		e.incidentSeq++
-		incident := &Incident{
-			ID:        fmt.Sprintf("INC-%06d", e.incidentSeq),
-			Severity:  highestSeverity(related),
-			Title:     fmt.Sprintf("Correlated incident on %s/%s", event.Namespace, event.Resource),
-			Events:    related,
-			Namespace: event.Namespace,
-			Resource:  event.Resource,
-			CreatedAt: time.Now(),
-			UpdatedAt: time.Now(),
-		}
-		e.incidents[incident.ID] = incident
-		if e.onIncident != nil {
-			e.onIncident(incident)
+	if result == nil {
+		related := e.findRelated(event)
+		if len(related) >= 2 {
+			e.incidentSeq++
+			incident := &Incident{
+				ID:        fmt.Sprintf("INC-%06d", e.incidentSeq),
+				Severity:  highestSeverity(related),
+				Title:     fmt.Sprintf("Correlated incident on %s/%s", event.Namespace, event.Resource),
+				Events:    related,
+				Namespace: event.Namespace,
+				Resource:  event.Resource,
+				CreatedAt: time.Now(),
+				UpdatedAt: time.Now(),
+			}
+			e.incidents[incident.ID] = incident
+			notifySnapshot = copyIncident(incident)
+			result = copyIncident(incident)
 		}
-		return incident
 	}
+	cb := e.onIncident
+	e.mu.Unlock()
 
-	return nil
+	if notifySnapshot != nil && cb != nil {
+		cb(notifySnapshot)
+	}
+	return result
 }
 
-// GetOpenIncidents returns all unresolved incidents.
+// GetOpenIncidents returns copies of all unresolved incidents. Returning
+// copies keeps the internal *Incident records from being aliased into
+// caller code, where a concurrent Ingest appending to incident.Events
+// would race with a range-loop reader.
 func (e *Engine) GetOpenIncidents() []*Incident {
 	e.mu.Lock()
 	defer e.mu.Unlock()
 
 	result := make([]*Incident, 0)
 	for _, inc := range e.incidents {
 		if !inc.Resolved {
-			result = append(result, inc)
+			result = append(result, copyIncident(inc))
 		}
 	}
 	return result
 }
 
+// copyIncident returns a shallow-deep copy of the incident: a new
+// *Incident with a new Events slice header containing the same *Event
+// pointers. Events themselves are treated as immutable once ingested;
+// cloning the slice header is sufficient to shield callers from future
+// `append`s mutating the engine's backing array.
+func copyIncident(inc *Incident) *Incident {
+	if inc == nil {
+		return nil
+	}
+	cp := *inc
+	if len(inc.Events) > 0 {
+		cp.Events = make([]*Event, len(inc.Events))
+		copy(cp.Events, inc.Events)
+	}
+	return &cp
+}
+
 // ResolveIncident marks an incident as resolved.
 func (e *Engine) ResolveIncident(id string) {
 	e.mu.Lock()