old sprints work, new sprints for exposing functionality via cli, improve code_of_conduct and other agents instructions

2026-01-15 18:37:59 +02:00
parent c631bacee2
commit 88a85cdd92
208 changed files with 32271 additions and 2287 deletions
--- a/docs/modules/signals/guides/unknowns-ranking.md
+++ b/docs/modules/signals/guides/unknowns-ranking.md
@@ -376,6 +376,86 @@ The following metrics are exposed for monitoring:
 | `signals_unknowns_scoring_duration_seconds` | Histogram | Scoring computation time |
 | `signals_unknowns_band_transitions_total` | Counter | Band changes (e.g., WARM->HOT) |

+---
+
+## Runtime Updated Events
+
+> Sprint: SPRINT_20260112_008_SIGNALS_runtime_telemetry_events
+
+When runtime observations change for a CVE and product pair, the Signals module emits `runtime.updated` events to drive policy reanalysis of unknowns.
+
+### Event Types
+
+| Event Type | Constant | Description |
+|------------|----------|-------------|
+| `runtime.updated` | `RuntimeEventTypes.Updated` | Runtime observations changed for a subject |
+| `runtime.ingested` | `RuntimeEventTypes.Ingested` | New runtime observation batch ingested |
+| `runtime.confirmed` | `RuntimeEventTypes.Confirmed` | Runtime fact confirmed by additional evidence |
+| `runtime.exploit_detected` | `RuntimeEventTypes.ExploitDetected` | Exploit behavior detected at runtime |
+
+### Update Types
+
+| Type | Description |
+|------|-------------|
+| `NewObservation` | First runtime observation for a subject |
+| `StateChange` | Reachability state changed from previous observation |
+| `ConfidenceIncrease` | Additional hits increased confidence score |
+| `NewCallPath` | Previously unseen call path observed |
+| `ExploitTelemetry` | Exploit behavior detected (always triggers reanalysis) |
+
+### Event Schema
+
+```jsonc
+{
+  "eventId": "sha256:abc123...",         // Deterministic based on content
+  "eventType": "runtime.updated",
+  "version": "1.0.0",
+  "tenant": "default",
+  "cveId": "CVE-2026-1234",              // Optional
+  "purl": "pkg:npm/lodash@4.17.21",      // Optional
+  "subjectKey": "cve:CVE-2026-1234|purl:pkg:npm/lodash@4.17.21",
+  "callgraphId": "cg-scan-001",
+  "evidenceDigest": "sha256:def456...",  // Digest of runtime evidence
+  "updateType": "NewCallPath",
+  "previousState": "observed",           // Null for new observations
+  "newState": "observed",
+  "confidence": 0.85,                    // 0.0-1.0
+  "fromRuntime": true,
+  "runtimeMethod": "ebpf",               // "ebpf", "agent", "probe"
+  "observedNodeHashes": ["sha256:...", "sha256:..."],
+  "pathHash": "sha256:...",              // Optional
+  "triggerReanalysis": true,
+  "reanalysisReason": "New call path observed at runtime",
+  "occurredAtUtc": "2026-01-15T10:30:00Z",
+  "traceId": "abc123"                    // Optional correlation ID
+}
+```
+
+### Reanalysis Triggers
+
+The `triggerReanalysis` flag is set to `true` when:
+
+1. **Exploit telemetry detected** (always triggers)
+2. **State change** from previous observation
+3. **High-confidence runtime observation** (confidence >= 0.8 and fromRuntime=true)
+4. **New observation** (no previous runtime data)
+
+### Event Emission Points
+
+Runtime updated events are emitted from:
+
+1. `RuntimeFactsIngestionService.IngestAsync` - After runtime facts are persisted
+2. `ReachabilityScoringService` - When scores are recomputed with new runtime data
+
+### Deterministic Event IDs
+
+Event IDs are computed deterministically using SHA-256 of:
+- `subjectKey`
+- `evidenceDigest`
+- `occurredAtUtc` (ISO 8601 format)
+
+This ensures idempotent event handling and deduplication.
+
 ## Related Documentation

 - [Unknowns Registry](./unknowns-registry.md) - Data model and API for unknowns