feat(M1/T1): integrity hashing (ssdeep + mismatch + degraded-coverage alert) and crossbeam removal

[unclesp1d3r]

Summary

Finishes the two in-flight M1 foundation workstreams (ticket T1): executable integrity hashing and crossbeam removal.

Integrity hashing (R2):

• Adds an ssdeep/CTPH fuzzy hash alongside the SHA-256 identity hash, computed on a dedicated non-cryptographic path (daemoneye-lib/src/integrity/fuzzy.rs) — deliberately kept off MultiAlgorithmHasher so the HashResult.hashes cryptographic-only invariant is preserved (ssdeep is attacker-malleable and never used as an identity guarantee).
• Computes ssdeep in procmond's hash pass from a clone of the already-authorized fd (no second open, no new TOCTOU window) on the blocking pool, and flags degraded coverage when ssdeep fails but SHA-256 succeeds.
• Detects on-disk-vs-running mismatch on Linux via the /proc/<pid>/exe " (deleted)" suffix.
• Decouples the hash pass from the R1 enumeration deadline — hashing runs on its own budget after enumeration completes, reusing the shared hash cache.
• Threads three new signals (ssdeep_hash, on_disk_mismatch, ssdeep_degraded) to the agent over a typed protobuf contract (ProcessRecord fields 15/16/17). On the procmond side they ride ProcessEvent.platform_metadata via typed helpers, avoiding a breaking change to the 180+ ProcessEvent construction sites.
• A new agent-side alert bridge (daemoneye-agent/src/integrity_alerts.rs) raises integrity.coverage.degraded (Medium), integrity.disk_mismatch (High), and integrity.binary_change (Medium, below a validated configurable similarity threshold) — procmond can't emit alerts, so the orchestrator does.

Crossbeam removal (R14):

• Removes the export-only, zero-runtime-consumer crossbeam HighPerformanceEventBus and drops the crossbeam dependency entirely (absent from Cargo.lock). The in-process delivery path the agent actually runs is the daemoneye-eventbus broker, now covered by a new end-to-end in-process broker latency benchmark for the R14 AC4 record. No dual-bus end state remains.

Operator requirement (2026-06-10): when ssdeep fails but SHA-256 succeeds, this is surfaced as an alert (the integrity.coverage.degraded signal), not a silent None.

Implementation notes

Derived from docs/plans/2026-06-10-001-feat-integrity-hashing-crossbeam-removal-plan.md (11 implementation units, U1–U11). The ticket itself (spec/full/tickets/T1...) was refined via a documentation review before planning.

Test plan

• cargo fmt --all --check clean
• cargo clippy --workspace --all-targets -- -D warnings clean (zero warnings)
• cargo test --workspace — full suite passing (incl. new unit tests for the fuzzy module, integrity-signal helpers, hash-pass ssdeep stamping, classify_exe_target, the agent alert bridge + BinaryChangeTracker, and a ProcessEvent → proto round-trip for the three new fields)
• cargo deny check — advisories / bans / licenses / sources ok (new fuzzyhash dep is pure-Rust, MIT, exact-pinned, default-features = false)
• Criterion benches compile and run (integrity_operations ssdeep impact; broker_inprocess_latency)
• CI verifies the Linux-only linux_collector mismatch code — it cannot be compiled on the macOS dev host (cross-target C build deps), so the (deleted)-suffix wiring is validated by CI's Linux matrix. The pure classify_exe_target helper is unit-tested.

Residual review findings (from ce-code-review, not blocking)

Applied in this PR: per-target alert dedup (distinct affected executables no longer collapse to one alert), bounded BinaryChangeTracker (evicts baselines for exited executables), proto→native asymmetry doc, format inline, added tests.

Surfaced but intentionally deferred:

• Doubled read I/O per executable — ssdeep re-streams the file after SHA-256 reads it to EOF (shared fd offset, seek(0)). Inherent to computing two independent digests from a single authorized fd without buffering the whole file; bounded by the per-file size cap and concurrency semaphore.
• classify_exe_target ambiguity — a real file literally named ... (deleted) is byte-identical to a kernel-flagged deleted exe (the kernel does not escape its suffix). Inherent to the /proc convention; would require an extra stat/inode cross-check.
• macOS/Windows on_disk_mismatch always false — Linux is primary for this signal; non-Linux probes are future work.
• Agent-side fuzzy::similarity runs synchronously (no catch_unwind); digests originate from trusted procmond over CRC32-validated same-host IPC.

AI usage disclosure

Per AI_POLICY.md: implemented with Claude Code (Claude Opus 4.8 (1M Context)) via the compound-engineering autonomous pipeline (plan → work → review → fix). All code was reviewed by an 8-persona automated review pass; findings were triaged and the actionable ones applied. All changes build clean, pass clippy -D warnings, and pass the full test suite locally. Human maintainer review required before merge.

CI status

All checks green after fixing the one previously-failing job:

• eventbus-latency-slo — the failure was a pre-existing hang in the bench harness, now fixed in this PR: latency_benchmark in daemoneye-eventbus/benches/ipc_performance.rs (added by END-297 / feat(eventbus): close END-297 — finalize message broker closure pass #178) awaited the infinite start_echo_handler() accept-loop directly, so the bench process never exited (criterion runs every bench fn's setup body regardless of the --bench filter). The SLO measurement itself always passed (p99 ≈ 20µs vs 1ms). Fixed by spawning the handler on a background task, matching latency_p99_slo; verified locally that the bench now exits cleanly.

Post-review changes (from /review-pr and ce-code-review)

Applied:

• Per-target alert dedup + bounded BinaryChangeTracker (eviction of exited executables) — both flagged by 2+ reviewers.
• Stale ssdeep reset on event reuse — populate_hashes Phase 1 now clears the ssdeep metadata too (was only clearing the SHA-256 fields), so a reused event failing auth can't lift a stale digest/degraded flag onto the wire. Test extended.
• Observable fd-clone failure in the ssdeep path (was a silent drop).
• Per-target/shared dedup-key tests, tracker-eviction test, ProcessEvent → proto round-trip test, proto→native asymmetry doc, format inline.

Deferred (sound under current usage; tracked for follow-up, not reachable bugs):

• FuzzyConfig could move to parse-on-construction (new()/TryFrom) per the AGENTS.md newtype rule — today only Default constructs it, so the unvalidated state isn't reachable until operator config wiring lands.
• HashOutcome::Hashed { ssdeep: Option, ssdeep_degraded: bool } could collapse to a 3-state enum to make (Some, true) unrepresentable.
• Surfacing fuzzy::similarity / read_link error kinds (vs the benign no-op) for richer forensic telemetry.
• A Linux-only end-to-end on_disk_mismatch integration test (unlinked backing file) beyond the pure-helper unit tests.

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Require conventional commit format per https://www.conventionalcommits.org/en/v1.0.0/. Skipped for dependabot and dosubot.

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?!?:

🟢 Full CI must pass

Wonderful, this rule succeeded.

All CI checks must pass. Activates for non-bot authors, or dependabot when files exist outside .github/workflows/.

• check-success = DCO
• check-success = coverage
• check-success = quality
• check-success = test
• check-success = test-cross-platform (macos-15, macOS)
• check-success = test-cross-platform (ubuntu-22.04, Linux)
• check-success = test-cross-platform (windows-2022, Windows)

🟢 Do not merge outdated PRs

Wonderful, this rule succeeded.

Make sure PRs are within 3 commits of the base branch before merging

• #commits-behind <= 3

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4678e7e6-601e-4026-b349-3352ceed5e7a

📥 Commits

Reviewing files that changed from the base of the PR and between 7ff3d73 and 3fd3bba.

📒 Files selected for processing (1)

• daemoneye-lib/src/proto.rs

---

Summary by CodeRabbit

• New Features

  • Integrity monitoring: fuzzy-hash (ssdeep) binary-change detection with configurable similarity threshold.
  • Detection of on-disk vs running executable mismatches and degraded coverage signaling.
  • New integrity alerts: degraded coverage, on-disk mismatch, and binary-change; alerts deduplicate per-executable.
  • IPC/protocol extended to include fuzzy-hash, degraded, and mismatch signals in process records.

• Documentation

  • Architecture docs updated to reflect expanded executable integrity verification.

Walkthrough

Adds feature-gated ssdeep fuzzy hashing across collection and hash pass, extends ProcessRecord proto with ssdeep/on_disk_mismatch/ssdeep_degraded, detects deleted /proc/.../exe targets, lifts integrity signals into wire records, emits agent-side integrity alerts, and removes the crossbeam high-performance event bus.

Changes

Integrity Signal Detection and Alerting

Layer / File(s)	Summary
Fuzzy hashing library and configuration daemoneye-lib/src/integrity/fuzzy.rs, daemoneye-lib/Cargo.toml, daemoneye-lib/benches/integrity_operations.rs	Feature-gated FuzzyConfig, FuzzyHashError, compute_ssdeep_from_bytes/from_reader, and similarity() APIs; unit tests and benches; optional fuzzyhash dependency wired to fuzzy-hashes.
Protobuf and in-process metadata contracts daemoneye-lib/proto/common.proto, collector-core/src/event.rs, daemoneye-lib/src/proto.rs, daemoneye-lib/src/integrity/mod.rs, procmond/src/lib.rs	ProcessRecord adds ssdeep_hash, on_disk_mismatch, ssdeep_degraded. ProcessEvent adds reserved metadata keys and getters/setters; proto↔native conversions updated and documented; tests added to verify lifting.
On-disk executable mismatch detection procmond/src/linux_collector.rs	Adds classify_exe_target to strip " (deleted)" suffix and set on_disk_mismatch on ProcessEvent; includes unit tests.
Ssdeep computation in hash pass procmond/src/hash_pass.rs	populate_hashes computes best-effort ssdeep alongside SHA-256 using cloned fds and blocking tasks; stamps ProcessEvent via set_ssdeep_signal; introduces ssdeep_failures telemetry and tests.
Hash population budget & event-source changes procmond/src/event_source.rs, procmond/src/monitor_collector.rs	Hash population runs on an independent fixed collection timeout; timeout logging/messages updated; shutdown-aware cancellation preserved.
Agent integrity alert generation daemoneye-agent/src/integrity_alerts.rs, daemoneye-agent/src/main.rs	New module defines synthetic rule IDs and BinaryChangeTracker that maintains per-executable ssdeep baselines, validates similarity thresholds, emits binary-change alerts on threshold drops, evicts stale baselines, and converts boolean integrity flags into Alerts; main loop initializes tracker and merges integrity alerts with rule-based alerts.

Test, Benchmark, and Dependency Updates

Layer / File(s)	Summary
Test fixture updates for schema extension collector-core/tests/..., daemoneye-lib/tests/..., daemoneye-lib/benches/ipc_*.rs	Multiple test and benchmark ProcessRecord/ProtoProcessRecord literals updated to use ..Default::default() so newly added proto fields get default values in fixtures.
Ssdeep performance benchmarks daemoneye-lib/benches/integrity_operations.rs	Adds deterministic make_bytes() helper and two Criterion benches (bench_ssdeep_only, bench_sha256_plus_ssdeep_medium) gated by fuzzy-hashes.
Crossbeam removal and event bus module elimination Cargo.toml, collector-core/Cargo.toml, collector-core/src/lib.rs, collector-core/src/collector.rs, AGENTS.md	Removes crossbeam from workspace and collector-core manifests; deletes collector-core/src/high_performance_event_bus.rs and its public re-exports; updates docs to reflect tokio-based local event distribution and tightens AGENTS commit policy wording.

Sequence Diagram(s)

sequenceDiagram
  participant Collection as Linux Process Collection
  participant HashPass as Hash Pass (populate_hashes)
  participant Conversion as Proto Conversion
  participant Agent as Agent Detection Loop
  participant Alerts as Alert Pipeline

  Collection->>Collection: read /proc/pid/exe\nclassify_exe_target()
  Collection->>Collection: Create ProcessEvent\nset_on_disk_mismatch(bool)

  HashPass->>HashPass: Clone authorized fd
  HashPass->>HashPass: SHA-256 hash
  HashPass->>HashPass: Blocking: ssdeep compute_ssdeep_best_effort()
  HashPass->>Collection: Stamp event\nset_ssdeep_signal(hash, degraded)

  Conversion->>Conversion: Extract ssdeep/mismatch\nfrom platform_metadata
  Conversion->>Conversion: Populate ProtoRecord\nfields 15-17

  Agent->>Agent: detect_integrity_alerts()\n(degraded, mismatch flags)
  Agent->>Agent: BinaryChangeTracker.observe()\n(compare baseline)

  Alerts->>Alerts: build_alert()\n(custom dedup key)
  Alerts->>Alerts: Emit alerts: degraded, mismatch, binary_change

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• EvilBit-Labs/DaemonEye#168: Touches the collector-core event bus and related bus payload types; overlaps with the removed crossbeam-based event-bus work.
• EvilBit-Labs/DaemonEye#170: Prior hashing pipeline changes that this PR extends with ssdeep integration.

Suggested labels

rust, core-feature, process-monitoring, data-models, protobuf, daemoneye-agent, type:feature, ipc, async

Poem

🧩 ssdeep hums where SHA once stood,
Deleted links trimmed, paths understood,
Baselines learn, alerts arise,
Dedup keys keep distinct surprise,
Watch integrity — steady eyes.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Linked Issues check	⚠️ Warning	Significant disconnect: PR delivers M1/T1 integrity hashing and crossbeam removal, but END-297 requires a CrossProcessEventBus broker with IPC topic-routing, load-balancing, and health monitoring—none of which are present in this changeset.	Verify that END-297 is the intended linked issue. If END-297 is correct, the PR scope does not meet its requirements. If M1/T1 is the primary work, link to the correct issue instead.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title follows Conventional Commits with type (feat) and scope (M1/T1), clearly summarizing the main changes: integrity hashing implementation and crossbeam removal.
Description check	✅ Passed	Description comprehensively explains the integrity hashing (ssdeep, mismatch detection, degraded coverage) and crossbeam removal work, with implementation notes, test plan, and known trade-offs clearly documented.
Out of Scope Changes check	✅ Passed	Changes are tightly scoped to M1/T1 objectives: integrity hashing pathway, crossbeam removal, and supporting protobuf/proto conversion updates. No unrelated refactoring or feature creep detected.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feat/m1-integrity-hashing-crossbeam-removal

Warning

Review ran into problems

🔥 Problems

These MCP integrations need to be re-authenticated in the Integrations settings: Linear, Notion

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

procmond/src/hash_pass.rs (1)

429-449: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Treat fd-clone failures as degraded coverage, not "not attempted".

If try_clone() hits EMFILE/ENFILE, this path logs at debug and later stamps ssdeep_degraded = false. That keeps stats.ssdeep_failures at zero and suppresses the degraded-coverage alert even though ssdeep coverage was lost under resource pressure.

🐛 Suggested change

-    let fuzzy_file = match file.try_clone() {
-        Ok(clone) => Some(clone),
-        Err(ref err) => {
-            debug!(path = ?exe.as_path(), error = %err, "ssdeep fd clone failed; skipping fuzzy hash");
-            None
-        }
-    };
+    let (fuzzy_file, clone_failed) = match file.try_clone() {
+        Ok(clone) => (Some(clone), false),
+        Err(ref err) => {
+            warn!(path = ?exe.as_path(), error = %err, "ssdeep fd clone failed");
+            (None, true)
+        }
+    };
...
-                let (ssdeep, ssdeep_degraded) =
-                    compute_ssdeep_best_effort(fuzzy_file, exe.as_path()).await;
+                let (ssdeep, ssdeep_degraded) = if clone_failed {
+                    (None, true)
+                } else {
+                    compute_ssdeep_best_effort(fuzzy_file, exe.as_path()).await
+                };

As per coding guidelines, procmond/** is a privileged collector, and the PR’s degraded-coverage signaling only works if coverage drops are surfaced to operators.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@procmond/src/hash_pass.rs` around lines 429 - 449, The fd-clone failure
(try_clone) is currently treated as "not attempted" (fuzzy_file = None) which
suppresses degraded-coverage signals; instead record that cloning failed and
surface that as degraded coverage. Change the fuzzy_file handling so the clone
error is distinguishable (e.g. keep a bool/enum like fuzzy_clone_failed or make
fuzzy_file a Result<File, io::Error>), log the error at warn/debug as you
already do, and when calling or after compute_ssdeep_best_effort (function
compute_ssdeep_best_effort and call site using fuzzy_file and ssdeep_degraded),
ensure that a prior clone failure forces ssdeep_degraded = true (or pass the
failure flag into compute_ssdeep_best_effort so it returns degraded=true).
Update references to fuzzy_file, compute_ssdeep_best_effort, and ssdeep_degraded
accordingly so resource-exhaustion clone failures count as degraded coverage.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@procmond/src/hash_pass.rs`:
- Around line 258-261: The loop is currently calling
event.set_ssdeep_signal(None, false) for every event which unnecessarily
allocates; instead stop materializing ssdeep metadata on reset by either
removing the set_ssdeep_signal(None, false) call from the events.iter_mut() loop
(leave event.executable_hash = None and event.hash_algorithm = None only) or
change set_ssdeep_signal to early-return/no-alloc when the first argument is
None and the boolean is false; update the code that relies on ssdeep_degraded()
accordingly so missing metadata continues to default to false (reference: the
events.iter_mut() loop and the set_ssdeep_signal method on the event type).

---

Outside diff comments:
In `@procmond/src/hash_pass.rs`:
- Around line 429-449: The fd-clone failure (try_clone) is currently treated as
"not attempted" (fuzzy_file = None) which suppresses degraded-coverage signals;
instead record that cloning failed and surface that as degraded coverage. Change
the fuzzy_file handling so the clone error is distinguishable (e.g. keep a
bool/enum like fuzzy_clone_failed or make fuzzy_file a Result<File, io::Error>),
log the error at warn/debug as you already do, and when calling or after
compute_ssdeep_best_effort (function compute_ssdeep_best_effort and call site
using fuzzy_file and ssdeep_degraded), ensure that a prior clone failure forces
ssdeep_degraded = true (or pass the failure flag into compute_ssdeep_best_effort
so it returns degraded=true). Update references to fuzzy_file,
compute_ssdeep_best_effort, and ssdeep_degraded accordingly so
resource-exhaustion clone failures count as degraded coverage.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: 96836fa5-76da-4ae8-b345-e97b5d81ed45

📥 Commits

Reviewing files that changed from the base of the PR and between 96ffe6a and 7823f45.

⛔ Files ignored due to path filters (1)

• daemoneye-eventbus/benches/ipc_performance.rs is excluded by none and included by none

📒 Files selected for processing (1)

• procmond/src/hash_pass.rs

[Copilot]

Pull request overview

Copilot reviewed 34 out of 35 changed files in this pull request and generated 2 comments.

[coderabbitai]

♻️ Duplicate comments (1)

daemoneye-lib/benches/integrity_operations.rs (1)

158-177: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Benchmark claim still overstates production-path parity.

bench_sha256_plus_ssdeep_medium computes SHA-256 from tmp.path() but computes ssdeep from an in-memory Cursor<&[u8]>. That still omits the file/FD streaming path procmond uses for ssdeep, so the “end-to-end per executable” overhead comparison is biased. Either stream ssdeep from the temp file reader in-loop or rename/describe this as mixed-path benchmarking.

Proposed minimal adjustment

 fn bench_sha256_plus_ssdeep_medium(c: &mut Criterion) {
     let rt = Runtime::new().expect("tokio runtime");
     let size = 256 * 1024;
     let tmp = make_file(size);
-    let bytes = make_bytes(size);
     let hasher = build_hasher(vec![HashAlgorithm::Sha256]);
     c.bench_function("integrity_sha256_plus_ssdeep_256kib", |b| {
         b.iter(|| {
             rt.block_on(async {
                 black_box(hasher.compute(tmp.path()).await.expect("sha256 hash"));
             });
+            let mut file = std::fs::File::open(tmp.path()).expect("open file for ssdeep");
             black_box(
-                fuzzy::compute_ssdeep_from_reader(&mut Cursor::new(&bytes)).expect("ssdeep digest"),
+                fuzzy::compute_ssdeep_from_reader(&mut file).expect("ssdeep digest"),
             );
         });
     });
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@daemoneye-lib/benches/integrity_operations.rs` around lines 158 - 177, The
benchmark bench_sha256_plus_ssdeep_medium currently computes SHA-256 from the
temp file path (hasher.compute(tmp.path())) but computes ssdeep from an
in-memory Cursor (&bytes), which misrepresents the production streaming path;
change the ssdeep call to read from the same temp file reader instead (use
tmp.path() and open a File/BufReader and pass that reader into
fuzzy::compute_ssdeep_from_reader) inside the benchmark loop, reopening the file
(or seeking back to start) each iteration so the streaming path is measured
end-to-end and not the in-memory shortcut.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@daemoneye-lib/benches/integrity_operations.rs`:
- Around line 158-177: The benchmark bench_sha256_plus_ssdeep_medium currently
computes SHA-256 from the temp file path (hasher.compute(tmp.path())) but
computes ssdeep from an in-memory Cursor (&bytes), which misrepresents the
production streaming path; change the ssdeep call to read from the same temp
file reader instead (use tmp.path() and open a File/BufReader and pass that
reader into fuzzy::compute_ssdeep_from_reader) inside the benchmark loop,
reopening the file (or seeking back to start) each iteration so the streaming
path is measured end-to-end and not the in-memory shortcut.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: ASSERTIVE

Plan: Pro

Run ID: d0b169a1-0369-4d29-8600-bc43d34e9fe6

📥 Commits

Reviewing files that changed from the base of the PR and between 7823f45 and 7ff3d73.

⛔ Files ignored due to path filters (1)

• daemoneye-eventbus/benches/broker_inprocess_latency.rs is excluded by none and included by none

📒 Files selected for processing (5)

• AGENTS.md
• collector-core/src/event.rs
• daemoneye-lib/benches/integrity_operations.rs
• docs/src/architecture/system-architecture.md
• procmond/src/hash_pass.rs