Runtime trace merge (eBPF/ETW observed edges)

Module

Signals

Status

PARTIALLY_IMPLEMENTED

Description

Runtime facts ingestion and provenance normalization exist, but full eBPF/ETW trace integration appears to be at the synthetic probe level rather than production-grade runtime tracing.

What's Implemented

Modules: src/Signals/StellaOps.Signals/Services/, src/Signals/StellaOps.Signals.RuntimeAgent/, src/Signals/__Libraries/StellaOps.Signals.Ebpf/
Key Classes:
- RuntimeFactsIngestService (src/Signals/StellaOps.Signals.RuntimeAgent/RuntimeFactsIngestService.cs) - ingests runtime facts from agents
- SyntheticRuntimeProbeBuilder (src/Signals/StellaOps.Signals/Services/SyntheticRuntimeProbeBuilder.cs) - builds synthetic runtime probes for testing reachability
- ProcSnapshotDocument (src/Signals/StellaOps.Signals/Models/ProcSnapshotDocument.cs) - process snapshot model for runtime state capture
- ReachabilityLattice (src/Signals/StellaOps.Signals/Lattice/ReachabilityLattice.cs) - merge logic for combining static and runtime evidence
- RuntimeSignalCollector (src/Signals/__Libraries/StellaOps.Signals.Ebpf/Services/RuntimeSignalCollector.cs) - eBPF-based runtime signal collection (experimental)
Source: Feature matrix scan

What's Missing

Production-grade eBPF trace merging with static callgraph edges
ETW (Event Tracing for Windows) trace collection and merge
Conflict resolution when runtime traces contradict static analysis
Runtime trace deduplication across multiple collection windows
Performance profiling of trace merge under high-volume runtime data

Implementation Plan

Implement runtime-to-static edge merge algorithm with conflict resolution strategies
Add ETW trace collection agent for Windows container environments
Implement trace deduplication with temporal windowing
Benchmark merge performance and optimize for high-throughput runtime streams
Add integration tests for eBPF and ETW trace merge scenarios

Source: See feature catalog

2.0 KiB Raw Blame History