42 lines
4.0 KiB
Markdown
42 lines
4.0 KiB
Markdown
# Tetragon/eBPF Runtime Instrumentation Bridge (Runtime Witnesses, Build Correlation)
|
|
|
|
## Module
|
|
RuntimeInstrumentation
|
|
|
|
## Status
|
|
VERIFIED
|
|
|
|
## Description
|
|
Runtime trace ingestion and query bridge for Tetragon/eBPF evidence with privacy canonicalization, hot-symbol aggregation, runtime timeline correlation to build artifacts, and disabled-mode null-service fallback.
|
|
|
|
## Implementation Details
|
|
- **Runtime Traces API (ingest + query + score)**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/RuntimeTracesEndpoints.cs` -- `POST /api/v1/findings/{findingId}/runtime/traces` for ingestion and `GET` runtime traces/score retrieval.
|
|
- **Runtime Timeline API**: `src/Findings/StellaOps.Findings.Ledger.WebService/Endpoints/RuntimeTimelineEndpoints.cs` -- timeline query endpoint with time-window and bucket options.
|
|
- **Runtime Contracts**: `src/Findings/StellaOps.Findings.Ledger.WebService/Contracts/RuntimeTracesContracts.cs` -- ingest request/response and runtime traces DTOs.
|
|
- **Runtime In-Memory Services**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/InMemoryRuntimeInstrumentationServices.cs` -- deterministic observation store, address canonicalization, hot-symbol hit aggregation, and timeline construction.
|
|
- **Runtime Null Service (disabled mode)**: `src/Findings/StellaOps.Findings.Ledger.WebService/Services/NullRuntimeTracesService.cs` -- accepts ingest requests and returns non-materialized query behavior when runtime instrumentation is disabled.
|
|
- **Runtime Wiring Toggle**: `src/Findings/StellaOps.Findings.Ledger.WebService/Program.cs` -- switches between in-memory runtime services and null runtime services via `findings:ledger:runtime:enabled`.
|
|
- **Runtime Signal Ingester**: `src/Unknowns/__Libraries/StellaOps.Unknowns.Core/Services/RuntimeSignalIngester.cs` -- containment/blast-radius signal ingestion path used by unknowns analysis.
|
|
- **Signal Snapshot Builder**: `src/Findings/StellaOps.Findings.Ledger/Observations/SignalSnapshotBuilder.cs` -- signal snapshot composition for replay/audit workflows.
|
|
|
|
## E2E Test Plan
|
|
- [x] Submit a runtime trace event via the runtime traces endpoint and verify it is persisted and queryable.
|
|
- [x] Correlate runtime trace data to build artifact metadata and verify timeline details include component/artifact linkage.
|
|
- [x] Verify privacy filtering canonicalizes raw user-space memory addresses in returned symbol/file fields.
|
|
- [x] Verify hot-symbol tracking aggregates repeated symbol observations with higher hit counts.
|
|
- [x] Verify null runtime traces service handles requests without server errors when runtime instrumentation is disabled.
|
|
- [x] Query runtime timeline over a time range and verify chronological ordering and correlation metadata.
|
|
|
|
## Verification
|
|
- `run-001` (2026-02-11): failed behavioral verification, triaged/confirmed missing ingest and runtime service wiring.
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-001/tier1-build-check.json`
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-001/tier2-api-check.json`
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-001/triage.json`
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-001/confirmation.json`
|
|
- `run-002` (2026-02-11): passed after fixes.
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/tier0-source-check.json`
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/tier1-build-check.json`
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/tier2-api-check.json`
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/fix-summary.json`
|
|
- `docs/qa/feature-checks/runs/runtimeinstrumentation/tetragon-ebpf-runtime-instrumentation-bridge/run-002/retest-result.json`
|