
adaptive_export: wire the /query runner — dx OrderQuery → forensic capture (dx#93)#73

Open
entlein wants to merge 1 commit into ae-followup-auth from feat/ae-query-runner

Conversation

entlein commented Jun 28, 2026


Problem (dx#93)

The control surface shipped with control.New(activeSet, nil): "OrderQuery runner wired later." So every dx OrderQuery returns 501 and the table dx read to reach a verdict (e.g. the jndi-in-http the PEM bench found at triage) never reaches forensic_db unless a kubescape-anomaly window happens to push it. The forensic export steers to the noisiest pods, not to dx's actual evidence.

Fix

  • internal/controller/controller.go: add Controller.OrderQuery(target, table, start, end, queryID) — a single-shot pxl.QueryFor → querier.Query → sink.WritePixieRows, reusing the same path as pushPixieRows plus the global concurrency sem and reconcile (read/wrote) accounting, but independent of any anomaly-window lifecycle. Satisfies control.queryRunner.
  • cmd/main.go: control.New(activeSet, ctl) so POST /query executes it. When the operator-side querier is disabled (no PushPixieTables), OrderQuery errors and /query 502s — start/stop + dx/attack_graph are unaffected.

Tests

internal/controller/order_query_test.go: writes-rows, no-querier-errors, empty-no-write, sink-error-surfaces. Full controller + control suites pass.

Pairs with

entlein/dx#96 — dx orders the full consulted read-set (incl. ruled-out corroborating tables) through this runner, so the evidence dx used lands in forensic_db.

Stacked on ae-followup-auth (#68), which owns the control surface + reconcile internals this builds on.

🤖 Generated with Claude Code

coderabbitai Bot commented Jun 28, 2026


Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 5f9c2c69-82f3-4b20-abf4-f4d5611b8e81

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


entlein (Author) commented Jun 28, 2026

@build-agent — please cut an AE release from this branch (feat/ae-query-runner, stacked on ae-followup-auth/#68) so I can live-test the dx→AE steering fix. A new release/vizier/v0.14.19-aeprodNN → ghcr.io/k8sstormcenter/vizier-adaptive_export_image:0.14.19-aeprodNN.

What changed vs the current aeprod (what to exercise):

  • Controller.OrderQuery(target, table, window, queryID) — the /query runner that was shipped nil ("wired later"). Single-shot QueryFor → querier.Query → sink.WritePixieRows (reuses globalSem + reconcile), independent of any kubescape-anomaly window.
  • cmd/main.go: control.New(activeSet, ctl) so POST /query actually executes.

Live test I'll run (paired with dx feat/ae-steering-full-readset, entlein/dx#96): fire log4shell, then confirm the jndi-bearing http_events row lands in forensic_db via the dx-ordered /query (not just the firehose) — i.e. dx#93 closed. Will deploy on the fresh TEST rig 6a404515, AE→new image, dx→new image; no merge.

Ping the image tag here when green and I'll swap the rig's AE DS to it.

…sic capture (dx#93)

The control surface shipped with control.New(activeSet, nil) — '/query runner
wired later'. So every dx OrderQuery 501'd and the table dx read for a verdict
(e.g. the jndi-in-http) never reached forensic_db unless a kubescape-anomaly
window happened to push it. The forensic export steered to noise, not to dx's
evidence.

Adds Controller.OrderQuery(target, table, window, queryID): a single-shot
QueryFor → querier.Query → sink.WritePixieRows (the same path pushPixieRows
uses, plus globalSem + reconcile accounting), independent of any anomaly window.
Wires control.New(activeSet, ctl) in main.go so POST /query executes it. When
the operator-side querier is disabled, OrderQuery errors and /query 502s;
start/stop + dx_attack_graph are unaffected.

Pairs with entlein/dx#96 which orders the full consulted read-set through this
runner. Tests: writes-rows / no-querier-errors / empty-no-write / sink-error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ConstanzeTU force-pushed the feat/ae-query-runner branch from fb9ccec to 7fc5561 on June 28, 2026 09:55
@ConstanzeTU


🛠️ AE image build kicked off: vizier-release run 28318532828 from tag release/vizier/v0.14.19-aeprod24, built at this PR's rebased tip 7fc5561b0.

Before building I rebased this branch onto the current PR 68 tip (ae-followup-auth @ 6d10b0731) — it was previously stacked on the stale 0c657514a and missing all recent PR 68 work (incl. the fork-infra cleanup). The PR now = PR 68 + your single /query runner commit, 3 AE files only. No infra files re-introduced.

Images publish to GHCR on success (~55–60 min). I'll report the result here.

@ConstanzeTU


Build succeeded — run 28318532828 completed.

AE image:

ghcr.io/k8sstormcenter/vizier-adaptive_export_image:0.14.19-aeprod24

Full vizier image set (pem, kelvin, query_broker, metadata, cloud_connector, cert_provisioner, …) published under the same 0.14.19-aeprod24 tag. Release + signed vizier_template_yamls.tar attached to release/vizier/v0.14.19-aeprod24.

ConstanzeTU pushed a commit that referenced this pull request Jul 2, 2026
…iew)

Restacks the dx graph rename onto the #73 /query-runner tip. Renames
across the AE forensic path:

- table  forensic_db.dx_attack_graph          → dx_evidence_graph
- view   dx_attack_graph_malicious            → dx_evidence_graph_malignant
         (medical terminology: malignant, not malicious)
- endpoint /dx/attack_graph                    → /dx/evidence_graph
- Go     WriteAttackGraph/handleDXAttackGraph  → *EvidenceGraph

Done mechanically on #73 so it also covers order_query_test.go (absent
from the original rename branch's lineage). Also fixes two pre-existing
#73 lint nits surfaced by touching the package: gofumpt blank lines in
order_query_test.go and the missing order_query_test.go entry in
controller/BUILD.bazel's controller_test srcs (gazelle).