feat(agent): carve netprobe out of the base agent + land its add-on bundle (#3425) #3472

Merged
mfreeman451 merged 1 commit from feat/netprobe-addon-carve into staging 2026-05-31 17:14:58 +00:00

What

Carves the netprobe host-network-visibility sidecar out of the base serviceradar-agent package and lands it as a signed per-arch pushed-artifact add-on. Covers delivery-models 1.1 (netprobe) and migrate-netprobe-to-native-addon §1.1 / §1.2 / §1.4.

netprobe was the only optional capability binary baked into the base agent (deb/rpm and both self-update release-runtime archives). This makes the base agent core-only and moves netprobe onto the native add-on framework.

The carve (base agent installs no netprobe binary or capability grant)

  • packages.bzl: drop the //rust/netprobe files entry + the libpcap recommends (libpcap was netprobe's dep).
  • agent/BUILD.bazel: drop //rust/netprobe from both agent_release_runtime_files and agent_rdp_release_runtime_files.
  • agent/scripts/postinstall.sh: drop the cap_net_raw,cap_bpf,cap_perfmon setcap step — capabilities are now applied to the staged add-on binary by the root-owned agent-updater per the assignment's os_capabilities.
  • The //rust/netprobe build target is retained (now consumed by the add-on bundle). grep confirms no netprobe refs remain under build/packaging.

netprobe add-on source + bundle

  • addons/netprobe/{addon.yaml, config.schema.json, BUILD.bazel} — delivery: pushed-artifact, supervision: systemd-service, capability host-network-visibility, requires: [CAP_NET_RAW, CAP_BPF, CAP_PERFMON]. The schema mirrors agent.netprobe.v1.VisibilityAgentConfig (capture_interfaces, dpi, sample intervals, flow-table bound, process-snapshot interval, per-device bindings). Passes go/tools/addon-manifest-validator.
  • addon_inventory.bzl — netprobe_addon_bundle (rust //rust/netprobe:netprobe, serviceradar-netprobe, linux amd64/arm64, pushed_artifact_tarball) → per-arch pushed-artifact tarballs (binary + manifest + schema).

Deliberately deferred (not fabricated here)

  • The systemd unit + agent-side activation/lifecycle (migrate-netprobe §2.1/2.2). netprobe's --socket is required and the agent currently owns that socket (it launches netprobe and drives it over NetprobeFrame IPC). Whether netprobe becomes a standalone systemd-service or stays agent-launched is an explicit open question in the migration design; shipping a guessed unit would bake in a wrong lifecycle. So no unit_entries in the bundle yet.
  • rdp-adapter is still bundled in agent_rdp_release_runtime_files — carve it when remote-access/rdp-adapter gets its own (ephemeral-helper) add-on delivery. (So delivery-models 1.1 stays partially open.)

Sequencing / operational delivery

This is the build/packaging foundation. Operational netprobe delivery additionally needs: artifact signing (build-signing — OpenBao cosign-release, the flow documented in the demo-local-rollout skill), Edge-Ops package seeding (§3.1), and a current agent build with the add-on manager + the §2.x sidecar gating. Staging-only; reviewed before any release. Break-glass per the migration design is git revert.

Safety

The netprobe sidecar is config-gated (visibility disabled by default), and the sidecar manager degrades a missing binary to a circuit-breaker-open state (restart backoff, no tight crash-loop) — so the carve does not destabilize default installs.

Verification

go/tools/addon-manifest-validator OK (netprobe + both samples); buildifier -mode=check, sh -n, and JSON parse all clean; openspec validate --strict passes for both add-native-addon-delivery-models and migrate-netprobe-to-native-addon. (Bazel build runs in CI.)

🤖 Generated with Claude Code
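The manifest fields the description lists (`delivery`, `supervision`, `capability`, `requires`, plus the JSON config schema) are exactly what a manifest validator gates on before a bundle is built. The block below is an added example, not the PR's code and not the project's `go/tools/addon-manifest-validator`: it runs equivalent checks in Python against a constructed stand-in for the parsed `addons/netprobe/addon.yaml` and `config.schema.json`. The `name` and `binary_name` keys, the accepted enum values and the capability allow-list are assumptions modelled on what the page names. It goes a little beyond the page by rejecting duplicate or out-of-allow-list capabilities, which is where privilege creep in an add-on first shows up, and by surfacing the deliberately deferred `unit_entries` as a warning rather than an error.

```python
import json
import re

# Accepted enum values; assumption: only the values the PR names are listed here.
ALLOWED_DELIVERY = {"pushed-artifact"}
ALLOWED_SUPERVISION = {"systemd-service"}
# Capabilities a host-network-visibility add-on is expected to request (from the PR).
# Anything outside this set is an error so a reviewer sees privilege creep.
CAPABILITY_ALLOWLIST = {"CAP_NET_RAW", "CAP_BPF", "CAP_PERFMON"}
CAP_NAME = re.compile(r"^CAP_[A-Z0-9_]+$")
CAPABILITY_ID = re.compile(r"^[a-z][a-z0-9-]*$")
REQUIRED_KEYS = ("name", "binary_name", "delivery", "supervision", "capability", "requires")

# Constructed stand-in for the parsed addons/netprobe/addon.yaml.
# The `name` and `binary_name` keys are assumptions.
NETPROBE_MANIFEST = {
    "name": "netprobe",
    "binary_name": "serviceradar-netprobe",
    "delivery": "pushed-artifact",
    "supervision": "systemd-service",
    "capability": "host-network-visibility",
    "requires": ["CAP_NET_RAW", "CAP_BPF", "CAP_PERFMON"],
}

# Constructed stand-in for config.schema.json, covering two of the fields the PR names.
NETPROBE_SCHEMA = json.dumps({
    "type": "object",
    "additionalProperties": False,
    "properties": {
        "capture_interfaces": {"type": "array", "items": {"type": "string"}},
        "dpi": {"type": "boolean"},
    },
})


def validate_manifest(manifest: dict, schema_text: str) -> tuple:
    """Return (errors, warnings): errors block the bundle, warnings are reviewer notes."""
    errors, warnings = [], []
    missing = [k for k in REQUIRED_KEYS if k not in manifest]
    if missing:
        return [f"missing key: {k}" for k in missing], warnings

    if manifest["delivery"] not in ALLOWED_DELIVERY:
        errors.append(f"delivery: unsupported value {manifest['delivery']!r}")
    if manifest["supervision"] not in ALLOWED_SUPERVISION:
        errors.append(f"supervision: unsupported value {manifest['supervision']!r}")
    if not isinstance(manifest["capability"], str) or not CAPABILITY_ID.match(manifest["capability"]):
        errors.append(f"capability: malformed identifier {manifest['capability']!r}")

    requires = manifest["requires"]
    if not isinstance(requires, list) or not requires:
        errors.append("requires: must be a non-empty list")
    else:
        seen = set()
        for cap in requires:
            if not isinstance(cap, str) or not CAP_NAME.match(cap):
                errors.append(f"requires: malformed capability {cap!r}")
                continue
            if cap in seen:
                errors.append(f"requires: duplicate {cap}")
            elif cap not in CAPABILITY_ALLOWLIST:
                errors.append(f"requires: {cap} is outside the allow-list for this add-on")
            seen.add(cap)

    # The config schema must parse and describe an object; an open schema lets
    # unknown keys through silently, which is worth a warning.
    try:
        schema = json.loads(schema_text)
    except json.JSONDecodeError as exc:
        errors.append(f"schema: not valid JSON ({exc.msg})")
    else:
        if not isinstance(schema, dict) or schema.get("type") != "object":
            errors.append("schema: top-level type must be 'object'")
        elif schema.get("additionalProperties") is not False:
            warnings.append("schema: additionalProperties is not false; unknown config keys will pass")

    # The PR defers the unit file on purpose; surface that as a warning, not an error.
    if manifest["supervision"] == "systemd-service" and not manifest.get("unit_entries"):
        warnings.append("supervision is systemd-service but no unit_entries are declared")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate_manifest(NETPROBE_MANIFEST, NETPROBE_SCHEMA)
    print("errors:", errs)
    print("warnings:", warns)
```

Run as a script it reports no errors and the single `unit_entries` warning for the constructed netprobe manifest; feeding it a manifest that asks for a capability outside the allow-list, or a schema that is not valid JSON, produces a blocking error instead.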

feat(agent): carve netprobe out of the base agent + land its add-on bundle (#3425)
Some checks failed
lint / lint (push) Successful in 49s
Secret Scan / gitleaks (pull_request) Successful in 47s
Golang Tests / test-go (push) Successful in 1m32s
lint / lint (pull_request) Successful in 1m11s
CI / build (pull_request) Failing after 2m26s
3a24db30f0
delivery-models 1.1 (netprobe) + migrate-netprobe-to-native-addon §1.1/1.2/1.4.
Stops baking the host-network-visibility sidecar into the base serviceradar-agent
and delivers it as a signed per-arch pushed-artifact add-on instead.

Carve (the base agent now installs no netprobe binary or capability grant):
- packages.bzl: drop the //rust/netprobe files entry + the libpcap recommends.
- agent/BUILD.bazel: drop //rust/netprobe from BOTH self-update release-runtime
  archives (agent_release_runtime_files, agent_rdp_release_runtime_files).
- agent/scripts/postinstall.sh: drop the cap_net_raw,cap_bpf,cap_perfmon setcap
  step — capabilities are applied to the staged add-on binary by the root-owned
  agent-updater per the assignment's os_capabilities.
- The //rust/netprobe build target is retained (now consumed by the add-on bundle).

netprobe add-on source + bundle:
- addons/netprobe/{addon.yaml,config.schema.json,BUILD.bazel}: delivery
  pushed-artifact, supervision systemd-service, capability host-network-visibility,
  requires CAP_NET_RAW/CAP_BPF/CAP_PERFMON; schema mirrors VisibilityAgentConfig.
  Passes go/tools/addon-manifest-validator.
- addon_inventory.bzl: netprobe_addon_bundle (rust //rust/netprobe:netprobe,
  binary_name serviceradar-netprobe, linux amd64/arm64, pushed_artifact_tarball)
  -> per-arch pushed-artifact tarballs (binary + manifest + schema).

Deliberately deferred (not fabricated here):
- The systemd unit + agent-side activation/lifecycle (migrate-netprobe §2.1/2.2):
  netprobe's --socket is required and the agent currently owns that socket, so the
  standalone-systemd vs agent-launched model is an open design question; shipping a
  guessed unit would bake in a wrong lifecycle. No unit_entries in the bundle yet.
- rdp-adapter is still bundled in agent_rdp_release_runtime_files (its own migration).

Operational delivery still needs artifact signing (build-signing; OpenBao
cosign-release) + Edge-Ops package seeding + a current agent build; this PR is the
build/packaging foundation and is staging-only, reviewed before any release.

Safety: the netprobe sidecar is config-gated (visibility disabled by default) and
the sidecar manager degrades a missing binary to a circuit-breaker-open state
(backoff, no tight crash-loop), so the carve does not destabilize default installs.

Validated: addon-manifest-validator OK; buildifier + sh -n + JSON parse clean;
openspec --strict passes for both changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
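The Safety paragraph above relies on the sidecar manager degrading a missing binary to a circuit-breaker-open state with restart backoff rather than a tight crash-loop. The block below is an added illustration of that behaviour, not the agent's own sidecar manager: a small supervisor with a config gate (disabled by default), exponential backoff capped at a maximum, and a pluggable launcher stand-in so the `simulate` driver runs offline. The state names, backoff constants, the `launcher` hook and the binary paths are all assumptions.

```python
import os
from typing import Callable, List

Launcher = Callable[[str, float], bool]


def exec_launcher(path: str, now: float) -> bool:
    """Default launcher stand-in: a 'start' succeeds only if the staged binary is executable."""
    return os.access(path, os.X_OK)


def staged_later(appear_at: float) -> Launcher:
    """Launcher stand-in for simulation: the add-on binary gets staged at `appear_at` seconds."""
    return lambda path, now: now >= appear_at


class SidecarManager:
    """Supervises one optional, config-gated sidecar such as netprobe.

    States: 'disabled' (config gate off), 'running', and 'open' (breaker open:
    the last start failed or the process died, and no restart is attempted
    until retry_at).
    """

    def __init__(self, binary_path: str, enabled: bool = False,
                 launcher: Launcher = exec_launcher,
                 base_backoff: float = 1.0, max_backoff: float = 300.0) -> None:
        self.binary_path = binary_path
        self.enabled = enabled            # config gate; visibility is off by default
        self.launcher = launcher
        self.base_backoff = base_backoff  # assumption: illustrative constants
        self.max_backoff = max_backoff
        self.state = "disabled"
        self.failures = 0
        self.retry_at = 0.0
        self.spawn_attempts = 0
        self.log: List[str] = []

    def _open_breaker(self, now: float, reason: str) -> None:
        """Record a failure and schedule the next attempt with capped exponential backoff."""
        self.failures += 1
        delay = min(self.base_backoff * 2 ** (self.failures - 1), self.max_backoff)
        self.retry_at = now + delay
        self.state = "open"
        self.log.append(f"t={now:g}: {reason} (failure {self.failures}); breaker open, retry in {delay:g}s")

    def tick(self, now: float) -> str:
        """One supervision pass at time `now`; returns the resulting state."""
        if not self.enabled:
            self.state = "disabled"
            return self.state
        if self.state == "running":
            return self.state
        if self.state == "open" and now < self.retry_at:
            return self.state  # breaker open: wait out the backoff, do not spawn
        self.spawn_attempts += 1
        if self.launcher(self.binary_path, now):
            self.state, self.failures = "running", 0
            self.log.append(f"t={now:g}: started {self.binary_path}")
        else:
            self._open_breaker(now, "start failed, binary unavailable")
        return self.state

    def on_exit(self, now: float) -> None:
        """The sidecar process died; treat it like a failed start so backoff applies."""
        self._open_breaker(now, "sidecar exited")


def simulate(manager: SidecarManager, seconds: int, step_ms: int = 100) -> int:
    """Drive tick() at a fixed cadence and return how many start attempts were made."""
    for i in range(seconds * 1000 // step_ms):
        manager.tick(i * step_ms / 1000)
    return manager.spawn_attempts


if __name__ == "__main__":
    m = SidecarManager("/nonexistent/serviceradar-netprobe", enabled=True)
    print(simulate(m, 60), "start attempts in 60 s; state:", m.state)
    for line in m.log:
        print(line)
```

With the binary absent, 600 supervision passes over a simulated minute produce only six start attempts (at 0, 1, 3, 7, 15 and 31 s) and the manager ends in the open state; with the gate left at its default the sidecar is never started at all; and once a launcher reports the binary as staged, the next scheduled attempt brings the manager back to running without any further churn.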
mfreeman451 left a comment

lgtm

Reference
carverauto/serviceradar!3472