adaptive_export: wire the /query runner — dx OrderQuery → forensic capture (dx#93) #73
entlein wants to merge 1 commit into
@build-agent — please cut an AE release from this branch ( What changed vs the current aeprod (what to exercise):
Live test I'll run (paired with dx Ping the image tag here when green and I'll swap the rig's AE DS to it.
…sic capture (dx#93)

The control surface shipped with control.New(activeSet, nil) — '/query runner wired later'. So every dx OrderQuery 501'd and the table dx read for a verdict (e.g. the jndi-in-http) never reached forensic_db unless a kubescape-anomaly window happened to push it. The forensic export steered to noise, not to dx's evidence.

Adds Controller.OrderQuery(target, table, window, queryID): a single-shot QueryFor → querier.Query → sink.WritePixieRows (the same path pushPixieRows uses, plus globalSem + reconcile accounting), independent of any anomaly window. Wires control.New(activeSet, ctl) in main.go so POST /query executes it. When the operator-side querier is disabled, OrderQuery errors and /query 502s; start/stop + dx_attack_graph are unaffected.

Pairs with entlein/dx#96 which orders the full consulted read-set through this runner.

Tests: writes-rows / no-querier-errors / empty-no-write / sink-error.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
fb9ccec to 7fc5561
🛠️ AE image build kicked off — Before building I rebased this branch onto the current PR 68 tip ( Images publish to GHCR on success (~55–60 min). I'll report the result here.
✅ Build succeeded — run 28318532828 completed. AE image: Full vizier image set (pem, kelvin, query_broker, metadata, cloud_connector, cert_provisioner, …) published under the same
…iew) Restacks the dx graph rename onto the #73 /query-runner tip.

Renames across the AE forensic path:
- table forensic_db.dx_attack_graph → dx_evidence_graph
- view dx_attack_graph_malicious → dx_evidence_graph_malignant (medical terminology: malignant, not malicious)
- endpoint /dx/attack_graph → /dx/evidence_graph
- Go WriteAttackGraph/handleDXAttackGraph → *EvidenceGraph

Done mechanically on #73 so it also covers order_query_test.go (absent from the original rename branch's lineage). Also fixes two pre-existing #73 lint nits surfaced by touching the package: gofumpt blank lines in order_query_test.go and the missing order_query_test.go entry in controller/BUILD.bazel's controller_test srcs (gazelle).
Problem (dx#93)
The control surface shipped with control.New(activeSet, nil) — "OrderQuery runner wired later." So every dx OrderQuery returns 501 and the table dx read to reach a verdict (e.g. the jndi-in-http the PEM bench found at triage) never reaches forensic_db unless a kubescape-anomaly window happens to push it. The forensic export steers to the noisiest pods, not to dx's actual evidence.

Fix
internal/controller/controller.go: add Controller.OrderQuery(target, table, start, end, queryID) — a single-shot pxl.QueryFor → querier.Query → sink.WritePixieRows, reusing the same path as pushPixieRows plus the global concurrency sem and reconcile (read/wrote) accounting, but independent of any anomaly-window lifecycle. Satisfies control.queryRunner.
cmd/main.go: control.New(activeSet, ctl) so POST /query executes it. When the operator-side querier is disabled (no PushPixieTables), OrderQuery errors and /query 502s — start/stop + dx/attack_graph are unaffected.

Tests
internal/controller/order_query_test.go: writes-rows, no-querier-errors, empty-no-write, sink-error-surfaces. Full controller + control suites pass.

Pairs with
entlein/dx#96 — dx orders the full consulted read-set (incl. ruled-out corroborating tables) through this runner, so the evidence dx used lands in forensic_db.

Stacked on
ae-followup-auth (#68), which owns the control surface + reconcile internals this builds on.

🤖 Generated with Claude Code
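An added Go sketch of the runner shape this PR describes, covering the four behaviours its tests name (writes rows, errors when no querier is wired, writes nothing on an empty result, surfaces a sink error) together with the global semaphore and read/wrote accounting. It is illustrative code, not the project's controller: Row, Querier, Sink, the field names and the PxL script shape are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Assumed stand-ins, not the project's types: a Pixie row, the operator-side
// querier (nil when disabled) and the forensic sink (sink.WritePixieRows).
type Row map[string]any
type Querier interface{ Query(ctx context.Context, pxl string) ([]Row, error) }
type Sink interface{ WritePixieRows(ctx context.Context, table string, rows []Row) error }
// ErrQuerierDisabled is the error /query maps to a 502 when no querier is wired.
var ErrQuerierDisabled = errors.New("operator-side querier disabled")

// Controller: querier, sink, global concurrency semaphore (shared with the
// anomaly-window push path) and reconcile accounting (rows read / rows written).
type Controller struct {
	Querier     Querier
	Sink        Sink
	GlobalSem   chan struct{} // buffered; capacity = max in-flight queries
	Read, Wrote int
}

// OrderQuery: one dx-ordered single-shot table read (assumed PxL), rows forwarded to the sink.
func (c *Controller) OrderQuery(ctx context.Context, target, table string, start, end int64, queryID string) (int, error) {
	if c.Querier == nil {
		return 0, ErrQuerierDisabled
	}
	c.GlobalSem <- struct{}{} // take a global slot; released on return
	defer func() { <-c.GlobalSem }()
	pxl := fmt.Sprintf("import px\ndf = px.DataFrame(table=%q, start_time=%d, end_time=%d)\n"+
		"df = df[df.ctx['pod'] == %q]\npx.display(df)", table, start, end, target)
	rows, err := c.Querier.Query(ctx, pxl)
	if err != nil {
		return 0, fmt.Errorf("query %s: %w", queryID, err)
	}
	c.Read += len(rows)
	if len(rows) == 0 {
		return 0, nil // empty result: nothing written, not an error
	}
	if err := c.Sink.WritePixieRows(ctx, table, rows); err != nil {
		return 0, fmt.Errorf("sink %s: %w", queryID, err) // sink failure surfaces
	}
	c.Wrote += len(rows)
	return len(rows), nil
}

func main() {} // compiles stand-alone; the four cases live in the tests
```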