feat: kubectl ate logs filter container supervisor

[Mayowa Fajobi (MayorFaj)]

Fixes #294

• Tests pass
• Appropriate changes to documentation are included in the PR

Summary

Implements kubectl ate logs actors <id> can now filter by source:

• default — all of the actor's logs (unchanged)
• -c, --container <name> — only that container's logs
• --supervisor — only ateom lifecycle logs (Actor restoring/restored/…)

--container and --supervisor are mutually exclusive. After #290 every
forwarded container line carries an ate.dev/container_name label and
supervisor lifecycle lines carry none, so this is implemented client-side.

What changed

CLI (cmd/kubectl-ate)

• New --container/-c and --supervisor flags.
• logLineFilter + matchesSource() encode the selection rules.
• filterAndDisplayLogLine reads actor_id and container_name atomically
  from the first recognized label key, and returns the zero time for any
  non-displayed line so follow mode's resume cursor only advances on lines the
  user actually sees (a reconnect can't skip wanted lines).
• validateLogFilterFlags enforces mutual exclusion, called from the cobra
  command and from LogsActorRunner.Run (fail-fast for direct construction).

ateom log wrapper (cmd/ateom-gvisor) — security hardening

• WrapContainerLogs strips application-provided ate.dev/* labels from both
  recognized label keys before injecting Substrate metadata, so an app cannot
  spoof another actor's actor_id/container_name under the key a consumer
  treats as authoritative.

Docs

• cmd/kubectl-ate/README.md and docs/observability.md document the flags and
  mutual exclusivity; examples use the required kubectl ate logs actors form.

Design notes

• Mutual exclusion uses a value-based check rather than cobra's
  MarkFlagsMutuallyExclusive, which keys off flag.Changed and would wrongly
  reject --container x --supervisor=false.

Testing

• Unit: filter table cases (container/supervisor/default, dual-key precedence +
  atomicity, foreign-actor), validateLogFilterFlags, Run fail-fast,
  follow-mode resume-cursor regression, and TestWrapContainerLogs_CrossKeyLabelSpoofing.
• make test green; gofmt / go vet clean.
• Verified on a kind cluster (counter demo): default, -c counter, --supervisor,
  and the mutual-exclusion error all behave as expected.

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[Julian Gutierrez Oschmann (juli4n)]

Instead of iterating over all label keys, how about having a method that takes the log entry map (i.e. m) and returns labels. It iterates on the possible keys and probes them, and return the first one that matches. That simplifies the control flow at the caller.

[Mayowa Fajobi (MayorFaj)]

Done, extracted it into a helper so the caller no longer iterates the keys inline. Based on follow-up review it ended up as actorSource(m) returning - actorID, containerName - (reads both from the first map carrying ate.dev/actor_id), which keeps the same-map guarantee and drops the loop at the call site. Thanks for the nudge!

[Julian Gutierrez Oschmann (juli4n)]

Why making --container and supervisor mutually exclusive? They seem orthogonal to me.

I was expecting:

• --supervisor (boolean, defaults to false): whether to include supervisor logs or not
• --container (string, default to ""): if set, restricts to the logs of this container.

WDYT?