
v0.10.0 — richer signals: exit-signal, LLM model, dest-port, uid#2

Merged: ZhiXiao-Lin merged 1 commit into main from feat/observer-enrichments on Jun 24, 2026

Conversation

@ZhiXiao-Lin

Contributor

Four new observability signals, each validated live on the production cluster.

Added

  • Exit signal: ProcessExit{signal}: clean / SIGSEGV crash / SIGKILL-OOM. Probe moved from the sys_enter_exit_group tracepoint → do_exit kprobe (catches crashes/kills the tracepoint never saw), gated to the thread-group leader → one event per process.
  • LLM model + tokens: LlmApi{model, prompt_tokens, completion_tokens} parsed (userspace) from the opt-in TLS content.
  • Dest port on Egress: service class (443/22/5432/6379/11434); was read in-kernel and discarded.
  • UID on ToolExec: root/privesc visibility; was read in-kernel and discarded.

Fixed

  • build.rs rerun-if-changed on the eBPF crate (no more stale bytecode).

Verified

Adversarial fan-out review caught + fixed a per-thread ProcessExit duplication regression (multithreaded agents) and a broken test before release; the untrusted-input LLM parser passed a 50M-iteration fuzz. Generated from an 8-dimension enrichment roadmap.
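The two mechanics behind the ProcessExit bullet, the thread-group-leader gate and the signal decode, as an added example; this is not code from the PR or the project, and the names `ExitKind`, `ProcessExit`, `decode_exit_code`, `is_thread_group_leader` and `emit_process_exits` are assumed. It assumes only what the kernel guarantees: the `code` argument reaching `do_exit()` uses the same layout as the wait(2) status word (bits 0..6 terminating signal, bit 7 core-dumped flag, bits 8..15 exit status). The batch in `main` is constructed: a three-thread process dying of SIGSEGV, a process killed with SIGKILL while dumping core, and a clean exit. Without the gate it would yield three ProcessExit events for the crash, which is the per-thread duplication the review caught; with it, one.

```rust
// Linux signal numbers used for classification (same on all major Linux architectures).
const SIGKILL: u32 = 9;
const SIGSEGV: u32 = 11;

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum ExitKind {
    Clean,         // exit status 0, no signal
    Error(u8),     // voluntary exit with a non-zero status
    Crash,         // SIGSEGV
    Killed,        // SIGKILL: consistent with the OOM killer, but also with a plain kill -9
    Signaled(u32), // any other terminating signal
}

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub struct ProcessExit {
    pub pid: u32,         // the thread-group id, i.e. what userspace calls the PID
    pub signal: u32,      // 0 when the process exited voluntarily
    pub status: u8,       // exit status when signal == 0
    pub core_dumped: bool,
    pub kind: ExitKind,
}

/// The gate the probe applies: in the kernel the per-task `pid` equals the
/// `tgid` only for the thread-group leader. Every thread of a dying process
/// passes through do_exit with the same code, so emitting from non-leaders
/// produces one event per thread instead of one per process.
pub fn is_thread_group_leader(tid: u32, tgid: u32) -> bool {
    tid == tgid
}

/// Decode one do_exit invocation. Returns None for non-leader threads so the
/// caller emits exactly one ProcessExit per process.
pub fn decode_exit_code(tid: u32, tgid: u32, code: u32) -> Option<ProcessExit> {
    if !is_thread_group_leader(tid, tgid) {
        return None;
    }
    // Same bit layout as the wait(2) status word: WTERMSIG / WCOREDUMP / WEXITSTATUS.
    let signal = code & 0x7f;
    let core_dumped = code & 0x80 != 0;
    let status = ((code >> 8) & 0xff) as u8;
    let kind = match (signal, status) {
        (0, 0) => ExitKind::Clean,
        (0, s) => ExitKind::Error(s),
        (SIGSEGV, _) => ExitKind::Crash,
        (SIGKILL, _) => ExitKind::Killed,
        (sig, _) => ExitKind::Signaled(sig),
    };
    Some(ProcessExit { pid: tgid, signal, status, core_dumped, kind })
}

/// Userspace side: turn a stream of raw (tid, tgid, code) probe records into events.
pub fn emit_process_exits(raw: &[(u32, u32, u32)]) -> Vec<ProcessExit> {
    raw.iter()
        .filter_map(|&(tid, tgid, code)| decode_exit_code(tid, tgid, code))
        .collect()
}

fn main() {
    // Constructed records: pid 1000 has three threads (tids 1000, 1001, 1002) and
    // crashes with SIGSEGV; pid 7 is SIGKILLed while dumping core; pid 2 exits 0.
    let raw = [
        (1000, 1000, SIGSEGV),
        (1001, 1000, SIGSEGV),
        (1002, 1000, SIGSEGV),
        (7, 7, SIGKILL | 0x80),
        (2, 2, 0),
    ];
    for ev in emit_process_exits(&raw) {
        println!("{:?}", ev);
    }
}
```

A SIGKILL is reported as `Killed`, not as "OOM": the kernel's OOM killer does deliver SIGKILL, but so does any `kill -9`, so attributing it to memory pressure needs a second signal (the kernel OOM log line or cgroup memory events) rather than the exit code alone.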

- ProcessExit gains signal (do_exit kprobe, thread-group-leader gated -> one event per process):
  clean / SIGSEGV crash / SIGKILL-OOM, which the old exit_group tracepoint never saw.
- LlmApi {model, prompt_tokens, completion_tokens} parsed (userspace) from opt-in TLS content.
- Egress gains dest port (service class); ToolExec gains uid (root/privesc) — both were already
  read in-kernel and discarded (free wins).
- build.rs rerun-if-changed on the ebpf crate (no more stale bytecode).
Validated live on the prod cluster; adversarial fan-out caught + fixed a per-thread duplication
regression + a broken test before release. 0.9.3 -> 0.10.0.
@ZhiXiao-Lin ZhiXiao-Lin merged commit 73d6642 into main Jun 24, 2026
1 check passed
@ZhiXiao-Lin ZhiXiao-Lin deleted the feat/observer-enrichments branch June 24, 2026 09:11