feat(causal-engine): umbrella proposal + Phase-0 (state-change feed, Gap B, Gap G handoff) #3519

Open

mfreeman451 wants to merge 30 commits from feat/causal-engine-v1 into staging

pull from: feat/causal-engine-v1

merge into: carverauto:staging

carverauto:staging

carverauto:fix/netprobe-event-driven-inventory

carverauto:update-attributed-flow-explorer

carverauto:demo/prod-release

carverauto:release/1.2.94-netprobe-attribution

carverauto:fix/nats-platform-object-store-acl

carverauto:renovate/registry.carverauto.dev-serviceradar-forgejo-ci

carverauto:feat/attributed-flow-correlation

carverauto:feat/netprobe-p0f-userspace-ebpf-verifier

carverauto:add-endpoint-sbom-inventory

carverauto:renovate/ubuntu_jammy-22.04

carverauto:fix/remove-attributed-flow-fixtures

carverauto:renovate/node_20_alpine-20-alpine

carverauto:renovate/alpine_3_23-3.23

carverauto:fix/demo-nats-import-acls

carverauto:feat/netprobe-rollback-tests

carverauto:fix/armis-northbound-raw-token-auth

carverauto:renovate/alpine_3_20-3.20

carverauto:fix/remove-stale-nginx

carverauto:feat/native-addon-web-importer

carverauto:feat/native-addon-artifact-mirror

carverauto:feat/native-addon-importer-db-test

carverauto:feat/native-addon-publish-pipeline

carverauto:feat/netprobe-addon-carve

carverauto:feat/addon-os-package-template

carverauto:feat/addon-bundle-tarball

carverauto:feat/addon-ephemeral-helper

carverauto:feat/addon-pushed-tarball

carverauto:feat/addon-systemd-dispatch

carverauto:fix/elixir-quality-format

carverauto:feat/addon-delivery-supervision

carverauto:feat/native-addon-rust-sdk

carverauto:feat/native-addon-build-signing

carverauto:docs/reconcile-fingerprintd-netprobe-feature-sets

carverauto:fix/addon-status-test-netprobe-fixture

carverauto:feat/migrate-netprobe-native-addon

carverauto:codex/fix-datasvc-nats-storage-acl

carverauto:fix/rust-test-failures

carverauto:fix/go-test-failures

carverauto:feat/native-addon-edge-ops

carverauto:feat/host-network-visibility-phase-2

carverauto:feat/native-addon-delivery-models

carverauto:feat/3425-agent-feature-sets-proposal

carverauto:feat/3444-bumblebee-agent

carverauto:fix/netprobe-e2e-sidecar-runtime

carverauto:fix/srql-sort-diagnostics

carverauto:feat/passive-device-fingerprinting

carverauto:fix/device-list-sweep-availability

carverauto:update/plugin-system

carverauto:add-service-monitoring-foundation

carverauto:fix/cli-auth-settings-navigation

carverauto:fix-proxmox-console-react-client-render

carverauto:fix-services-plugin-status-read-model

carverauto:fix/docker-update/cnpg

carverauto:fix/sweep-ip-family-routing

carverauto:codex/remote-access-desktop-rdp

carverauto:propose-interface-action-target-context

carverauto:codex/fix-armis-names-string

carverauto:main

carverauto:fix/agent-accept-deprecated-remote-access-config

carverauto:fix/device-results-count-facets

carverauto:fix/bazelisk-installer-retries

carverauto:fix/tinygo-host-toolchain-fetch

carverauto:add-per-agent-availability

carverauto:fix/forgejo-release-multipart-assets

carverauto:fix/agent-config-stale-session

carverauto:fix/mtr-hop-dns-resolution

carverauto:fix/hostname-only-device-create

carverauto:fix/otlp-log-metadata-sanitization

carverauto:add-nats-object-store-retention

carverauto:fix/helm-serviceradar-state-pvc

carverauto:fix/armis-large-sync-streaming

carverauto:demo/release-v1.2.44-source-fix

carverauto:demo-rollout-proxmox-bazel-fix

carverauto:security/postgres-update

carverauto:fix/mtr-bulk-queue-and-srql-targets

carverauto:armis-northbound-availability-updates

carverauto:codex/topology-endpoint-evidence-investigation

carverauto:codex/topology-bootstrap-and-layout-simplification

carverauto:codex/remove-ingress-nginx-edge

carverauto:security/k8s-hardening

carverauto:2406-feat-agent-fleet-management-secure-self-update-system

carverauto:chore/k8s-arc-update

carverauto:rust-fix

carverauto:2371-analytics-stats-cards-should-abbreviate-numbers

carverauto:chore/perl-cleanup

carverauto:192-feat-tftp-server

carverauto:mikemiles-dev/feature/netflow_collection

carverauto:815-feat-support-win32-for-agentpoller

carverauto:gh-pages

Conversation 0 Commits 30 Files changed 47 +7468 -22

mfreeman451 commented 2026-06-03 02:49:41 +00:00

Owner

Copy link

Summary

Introduces the add-causal-engine OpenSpec umbrella proposal for ServiceRadar's DeepCausality causal engine and lands Phase 0 of it.

The engine's value is automation — events → alerts → state enrichment → prediction — with the God-View topology renderer as one optional consumer. Today DeepCausality backs a misplaced 244-line reactive stub in god_view_nif; the proposal ships a real single-pod fused rust/causal-engine on the existing CNPG/SRQL/AGE substrate and closes the loop by publishing predictions that re-enter StatefulAlertEngine.

Proposal (openspec/changes/add-causal-engine/)

• Validates openspec validate --strict (49 requirements / 131 scenarios).
• 11 capability deltas — 6 ADDED (causal-engine, causal-reasoning, causal-prediction-signals, inventory-risk-feed, service-flow-bridge, device-components), 5 MODIFIED (observability-signals, age-graph, health-events, topology-causal-overlays, topology-god-view).
• Phased V1 + Gaps A–G; design.md records the four key decisions and the reversible god_view_nif cutover. The three authoritative design docs are vendored under docs/docs/.

Phase-0 implementation (ServiceRadar-owned slice)

• Gap B — capacity eligibility: network_discovery/topology_graph.ex now marks edges without a populated capacity_bps (min-of-both-ends speed_bps/if_speed) ineligible, so the saturation causaloid (C6) skips them rather than treating absent capacity as zero/infinite. Refines the existing telemetry_eligible field; no new schema column. Coverage audit SQL in runbooks/gap-b-capacity-audit.sql.
• Decision-1 state-change feed: new ServiceRadar.EventWriter.StateChangePublisher emits app-level state transitions to cdc.platform.<table> over NATS — default-disabled (STATE_CHANGE_EVENTS_ENABLED / :state_change_events_enabled), fire-and-forget, never hypertables, and not pgoutput CDC / logical replication. Hooked health_events (HealthTracker), service_state (ServiceStateRegistry, gated pre-fetch + transition diff), and ocsf_devices (sync_ingestor bulk path, COALESCE-aware diff). Pure unit test for the envelope + gating.
• Gap G: routed to the DeepCausality author — runbooks/gap-g-ultragraph-handoff.md specs the StructuralGraphAlgorithms trait (articulation points / bridges / reachability / pathway centrality / unfreeze) and the six causaloids that gate on it. ServiceRadar does not fork ultragraph.

Deferred (tracked in tasks.md)

Virtualization + AGE-projection transition hooks, the cdc.platform.> JetStream stream + Phase-1 consumer (held back so app startup isn't coupled to a not-yet-existing processor), and an optional risk_score rollup hook.

Testing

All touched Elixir was syntax-parsed locally (Code.string_to_quoted); full compile + credo + the publisher unit test run in CI (no local deps fetched). openspec validate --strict passes. No Bazel BUILD change needed (serviceradar_core globs sources).

Per the OpenSpec gate this proposal is not yet approved — opening for CI (a real compile/credo gate on the Phase-0 Elixir) and review; implementation continues on the branch.

🤖 Generated with Claude Code

## Summary Introduces the **`add-causal-engine`** OpenSpec umbrella proposal for ServiceRadar's DeepCausality causal engine and lands **Phase 0** of it. The engine's value is **automation** — events → alerts → state enrichment → prediction — with the God-View topology renderer as one optional consumer. Today DeepCausality backs a misplaced 244-line reactive stub in `god_view_nif`; the proposal ships a real single-pod fused `rust/causal-engine` on the existing CNPG/SRQL/AGE substrate and closes the loop by publishing predictions that re-enter `StatefulAlertEngine`. ## Proposal (`openspec/changes/add-causal-engine/`) - Validates `openspec validate --strict` (49 requirements / 131 scenarios). - 11 capability deltas — **6 ADDED** (`causal-engine`, `causal-reasoning`, `causal-prediction-signals`, `inventory-risk-feed`, `service-flow-bridge`, `device-components`), **5 MODIFIED** (`observability-signals`, `age-graph`, `health-events`, `topology-causal-overlays`, `topology-god-view`). - Phased V1 + Gaps A–G; `design.md` records the four key decisions and the reversible `god_view_nif` cutover. The three authoritative design docs are vendored under `docs/docs/`. ## Phase-0 implementation (ServiceRadar-owned slice) - **Gap B — capacity eligibility:** `network_discovery/topology_graph.ex` now marks edges without a populated `capacity_bps` (min-of-both-ends `speed_bps`/`if_speed`) ineligible, so the saturation causaloid (C6) skips them rather than treating absent capacity as zero/infinite. Refines the existing `telemetry_eligible` field; no new schema column. Coverage audit SQL in `runbooks/gap-b-capacity-audit.sql`. - **Decision-1 state-change feed:** new `ServiceRadar.EventWriter.StateChangePublisher` emits app-level state transitions to `cdc.platform.<table>` over NATS — **default-disabled** (`STATE_CHANGE_EVENTS_ENABLED` / `:state_change_events_enabled`), fire-and-forget, never hypertables, and **not** pgoutput CDC / logical replication. Hooked `health_events` (HealthTracker), `service_state` (ServiceStateRegistry, gated pre-fetch + transition diff), and `ocsf_devices` (sync_ingestor bulk path, COALESCE-aware diff). Pure unit test for the envelope + gating. - **Gap G:** routed to the DeepCausality author — `runbooks/gap-g-ultragraph-handoff.md` specs the `StructuralGraphAlgorithms` trait (articulation points / bridges / reachability / pathway centrality / unfreeze) and the six causaloids that gate on it. ServiceRadar does not fork `ultragraph`. ## Deferred (tracked in `tasks.md`) Virtualization + AGE-projection transition hooks, the `cdc.platform.>` JetStream stream + Phase-1 consumer (held back so app startup isn't coupled to a not-yet-existing processor), and an optional `risk_score` rollup hook. ## Testing All touched Elixir was syntax-parsed locally (`Code.string_to_quoted`); full compile + credo + the publisher unit test run in CI (no local deps fetched). `openspec validate --strict` passes. No Bazel BUILD change needed (`serviceradar_core` globs sources). > Per the OpenSpec gate this proposal is **not yet approved** — opening for CI (a real compile/credo gate on the Phase-0 Elixir) and review; implementation continues on the branch. 🤖 Generated with [Claude Code](https://claude.com/claude-code)

mfreeman451 added 3 commits 2026-06-03 02:49:41 +00:00

docs(openspec): add add-causal-engine umbrella proposal ... 0537d448b8

Author the OpenSpec umbrella change `add-causal-engine` for the
DeepCausality causal engine: a single-pod fused `rust/causal-engine`
service consuming EmbeddedSrql + JetStream + app-level NATS state-change
events, reasoning over ultragraph CSR, and emitting verdicts on
`signals.causal.predictions` that re-enter StatefulAlertEngine (the
automation loop) and the existing God-View renderer.

Covers the full roadmap as 11 capability spec deltas (6 ADDED, 5
MODIFIED) plus proposal/design/tasks, phased V1 + Gaps A-G:
- ADDED: causal-engine, causal-reasoning, causal-prediction-signals,
  inventory-risk-feed, service-flow-bridge, device-components
- MODIFIED: observability-signals, age-graph, health-events,
  topology-causal-overlays, topology-god-view

Decisions: app-level NATS state-change events (NOT pgoutput CDC);
Gap G as a committed upstream ultragraph dependency; package<->CVE
matching delegated to add-cti-signal-coverage; the inventory->engine
risk seam authored here. Composes with the in-flight attributed-flow
correlation (a partial Gap A down-payment). Validates
`openspec validate --strict` (49 requirements / 131 scenarios).

Also vendors the three design docs (Integration-assessment,
unblock-capabilities, causal-engine-integration-points) onto this branch.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(causal-engine): Phase-0 state-change publisher + Gap B capacity eligibility ... db176fad6f

Implements the ServiceRadar-owned slice of add-causal-engine Phase 0.

Gap B (task 0.2): network_discovery/topology_graph.ex telemetry_status_fields/4
now requires a populated capacity_bps (min-of-both-ends from speed_bps/if_speed)
in addition to observed flow before an edge is telemetry_eligible, so the
saturation causaloid (C6) skips capacity-less edges rather than treating absent
capacity as zero/infinite. Refines the existing telemetry_eligible field; no new
schema column. Coverage audit SQL added at
openspec/changes/add-causal-engine/runbooks/gap-b-capacity-audit.sql.

Decision-1 state-change feed (task 0.3, partial): new
ServiceRadar.EventWriter.StateChangePublisher publishes app-level state
TRANSITIONS to cdc.platform.<table> over NATS (default-disabled via
STATE_CHANGE_EVENTS_ENABLED / :state_change_events_enabled; fire-and-forget;
NOT pgoutput CDC, NOT logical replication, never hypertables). Hooked:
- health_events via HealthTracker.record_state_change/3 (old/new in hand)
- service_state via ServiceStateRegistry.upsert_from_status/1 (gated pre-fetch
  + transition diff; composite service identity per Decision 2)
Per-table canonical identity, before/after, partition_id, monotonic seq,
event_time, and event_identity (engine dedupes on event_identity). Pure unit
test for envelope + gating.

Deferred (tasks 0.3.1d/0.3.1e/0.3.5, new follow-up): the ocsf_devices
bulk-path hook in sync_ingestor.ex, virtualization/AGE-projection hooks, and
the cdc.platform.> JetStream stream + Phase-1 consumer. Gap G (task 0.1) is an
upstream ultragraph PR (deepcausality-rs) left for author coordination.

Elixir syntax-parsed locally (Code.string_to_quoted); full compile/credo gated
in CI (no local deps). openspec validate --strict passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(causal-engine): ocsf_devices state-change hook + Gap G handoff ... 961918369e

Completes the device-availability slice of the add-causal-engine Decision-1
state-change feed (task 0.3.1d):

- inventory/sync_ingestor.ex: before the bulk upsert_devices, gated pre-fetch
  of prior is_available/is_managed by uid (StateChangePublisher.enabled?/0
  guards the extra read); after {:ok, remap}, diff against the records and
  publish a cdc.platform.ocsf_devices transition per changed device, keyed by
  the remapped final sr: uid. COALESCE-aware: only a non-nil incoming value
  that differs from the stored one is treated as a transition (matches the
  device upsert's COALESCE(EXCLUDED.x, stored)). risk_score transitions
  deferred (separate DeviceRiskReducer rollup hook). Best-effort + rescued;
  never affects ingestion.

- Gap G (task 0.1) routed to the DeepCausality author: handoff spec at
  runbooks/gap-g-ultragraph-handoff.md (StructuralGraphAlgorithms trait —
  articulation_points/bridges/biconnected_components/is_reachable/
  pathway_betweenness_centrality + unfreeze, ~200 LOC Tarjan; tests; the six
  causaloids that gate on it). ServiceRadar does not fork ultragraph.

Remaining Phase-0/1 deferred: virtualization + AGE-projection hooks, the
cdc.platform.> JetStream stream + Phase-1 consumer. Elixir syntax-parsed
locally; full compile/credo + the publisher unit test gated in CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 02:55:53 +00:00

docs(causal-engine): Gap G resolved upstream — ultragraph 0.9.0 already ships it ... ca6d75df98

On inspecting deepcausality-rs/deep_causality, ultragraph 0.9.0 (published
2025-08-27, on crates.io) already implements the full Gap G surface with real
code — StructuralGraphAlgorithms (strongly_connected_components /
articulation_points / bridges / biconnected_components),
pathway_betweenness_centrality(pathways, directed, normalized), is_reachable,
and unfreeze. The docs' "implement upstream" framing was an artifact of being
written against the 0.8 the NIF pins.

No DeepCausality PR is needed: ServiceRadar just depends on `ultragraph = "0.9"`
in rust/causal-engine, unblocking the six graph causaloids (C4/C5/C5b/C7/C8/C9)
immediately with no upstream wait.

- proposal.md, design.md (Decision 2 + risk + goals), tasks.md (0.1, 1.1.3,
  1.4.2/1.4.3) reframed from "upstream PR" to "ultragraph 0.9 version bump".
- Replaced runbooks/gap-g-ultragraph-handoff.md with gap-g-resolution.md.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 02:58:25 +00:00

docs(causal-engine): land Gap G resolution edits (ultragraph 0.9 bump) ... 3e4c8fac98

Follow-up to ca6d75df9 (which removed the now-moot handoff runbook). Carries the
actual reframing from "implement Gap G upstream" to "depend on ultragraph 0.9":
- proposal.md Gap G bullet, design.md Decision 2 + risk + goals, tasks.md 0.1 /
  1.1.3 / 1.4.2 / 1.4.3
- new runbooks/gap-g-resolution.md documenting that ultragraph 0.9.0 already
  ships StructuralGraphAlgorithms + pathway_betweenness_centrality + is_reachable
  + unfreeze (no DeepCausality PR needed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 03:12:41 +00:00

feat(causal-engine): scaffold rust/causal-engine crate (Phase 1.1) ... 39f93ace50

New top-level workspace crate for the DeepCausality engine — single binary,
single pod, fused (hydrator + reasoner in-process). Modules:
- context_hydrator: ContextStore trait (hydrator<->reasoner seam, preserves a
  future split) + ContextHydrator stub
- domain_model: V1 entity types (Context/Device/Service) keyed by canonical sr: ids
- reasoner: Verdict/Classification + Reasoner stub (CausaloidGraph TODO 1.3)
- emitter: signals.causal.predictions publisher stub (TODO 1.6)
- snapshot: restart-snapshot stub (TODO 1.7)
- config (CAUSAL_ENGINE_* via envy) + error (thiserror)
main.rs wires a fused reasoning tick loop (hydrate -> reason -> emit).

Heavy integration deps are deferred to the increment that first uses them
(srql + async-nats in 1.2; ultragraph 0.9 + deep_causality in 1.3) to keep each
crate_universe change scoped. Added to workspace members + Cargo.lock;
BUILD.bazel mirrors rust/srql (all_crate_deps).

Verified: cargo check, cargo clippy --all-targets -D warnings, cargo fmt
--check, and bazel build //rust/causal-engine:{causal_engine_lib,causal_engine_bin}
--config=ci (RBE) all green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 03:13:15 +00:00

build(causal-engine): update MODULE.bazel.lock for the new workspace crate ... e8323e87ba

The crate_universe from_cargo lock records the rust/causal-engine/Cargo.toml
entry plus refreshed Cargo.lock/Cargo.toml hashes — committed so RBE/CI builds
reproducibly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 03:23:19 +00:00

feat(causal-engine): emitter publishes signals.causal.predictions (Phase 1.6) ... 142d4e8ec2

rust/causal-engine/src/emitter.rs: Emitter connects NATS JetStream (async_nats
0.48) and publishes one message per verdict on signals.causal.predictions.<entity>
with a DETERMINISTIC event_identity (pred:<entity>:<classification>) so
re-emission is idempotent (CausalSignals dedupes on it). The OCSF-compatible
envelope (signal_type "causal"; event_type mapped to the God-View 4 buckets;
source_identity / routing_correlation) mirrors what the existing CausalSignals
processor normalizes into ocsf_events — the signals.causal.* prefix already
routes, so no new inbound plumbing. main.rs connects the emitter at startup.

Deps async-nats 0.48 + chrono added (both already in the workspace lock).
Verified: cargo clippy --all-targets -D warnings, cargo test (3 pass), cargo
fmt --check, and bazel build //rust/causal-engine:{causal_engine_lib,
causal_engine_bin,causal_engine_test} --config=ci (RBE).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 04:04:39 +00:00

feat(causal-engine): hydrator current-state snapshot via EmbeddedSrql (1.2 feed 1) ... a753e8d1b7

ContextHydrator::connect() opens a CNPG pool through EmbeddedSrql (srql path
dep, srql AppConfig::from_env), and current_context() hydrates the Context from
SRQL (in:devices, in:services) via QueryEngine::execute_query, mapping result
rows to domain_model Device/Service. Single-point identity validation: device
rows without a canonical sr: uid are skipped (the engine never forks the ID
space). Service identity is the composite agent_id:service_type:service_name
(Decision 2). Unit-tested row mappers; main.rs connects the hydrator at startup.

Feeds 2/3 (JetStream signals.causal.> + cdc.platform.<table> live deltas),
broader entity coverage, and endpoint-cluster-summary handling land in 1.2b.

Dep: srql = { path = "../srql" }; BUILD.bazel deps //rust/srql:srql_lib.
Verified: cargo check, cargo clippy --all-targets -D warnings, cargo test
(6 pass), cargo fmt --check, bazel build //rust/causal-engine:{causal_engine_lib,
causal_engine_bin,causal_engine_test} --config=ci (RBE, 1097 actions).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 04:08:10 +00:00

feat(causal-engine): cdc.platform delta parse/apply core (Phase 1.2 feed 3 core) ... 27426970dc

New `delta` module: parse_state_change parses the cdc.platform.<table> envelope
(the Phase-0 StateChangePublisher format) into a typed StateChangeDelta, and
apply_delta mutates the in-memory Context for ocsf_devices (is_available/
is_managed) and service_state (available). Pure + unit-tested (11 crate tests
total). The async JetStream subscriber that maintains a shared Context and
applies these deltas between EmbeddedSrql snapshots is the next sub-step (1.2b).

No new deps. Verified: cargo clippy --all-targets -D warnings, cargo test
(11 pass), cargo fmt --check, bazel build //rust/causal-engine:{lib,test}
--config=ci (RBE).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 05:10:26 +00:00

refactor(causal-engine): rename cdc.platform.* -> signals.state.* (it's NATS, not CDC) ... 8d5f5c2153

The app-level state-change feed (Decision 1) publishes to NATS JetStream — it was
never pgoutput CDC / logical replication. The cdc.platform.<table> subject name
(carried from the design doc) implied otherwise and caused confusion. Renamed the
subject to signals.state.<table>, the telemetry event to
[:serviceradar, :state_change, :published], and the envelope signal_type to
"state_change", across StateChangePublisher + the core-elx hooks, the engine's
delta module/docs, the proposal/design/tasks, and the observability-signals /
causal-engine spec deltas (+ the publisher unit test). The "NOT pgoutput CDC"
clarifications are kept (they now read correctly against signals.state).

No behavior change. Verified: cargo clippy --all-targets -D warnings + test (11)
+ fmt, elixir syntax-parse, openspec validate --strict.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 05:22:52 +00:00

feat(causal-engine): live signals.state.> subscriber + shared Context (1.2 feed 3) ... 2bc9bcd86c

Push-input wired for V1 (per the input-strategy decision):
- nats.rs: TLS-aware NATS connect helper (mTLS via CAUSAL_ENGINE_NATS_* cert
  paths) returning the core Client + a JetStream context; used by both the
  subscriber and the emitter.
- context_hydrator: now holds a shared Arc<RwLock<Context>> — seeded by an
  initial EmbeddedSrql snapshot on connect, refreshed periodically (refresh()),
  and read via current_context() (clone under read lock). shared_context() hands
  the Arc to the subscriber.
- subscriber.rs: best-effort core-NATS subscription to signals.state.> that
  parses StateChangePublisher envelopes (delta.rs) and applies deltas to the
  shared Context between refreshes. Durability/correctness comes from the
  periodic refresh, so no JetStream stream/consumer/ack is needed for V1
  (Phase-2 reactivity/scale concern).
- emitter: refactored to Emitter::new(jetstream) over the shared connection.
- main: connect NATS once, spawn the subscriber, run dual cadences (reason tick
  + slower refresh tick) via tokio::select!.

Config gains nats_ca_file/nats_cert_file/nats_key_file + refresh_interval_ms.
Dep: futures 0.3 (StreamExt; already in the workspace lock). Verified: cargo
check, cargo clippy --all-targets -D warnings, cargo test (11), cargo fmt
--check, bazel build //rust/causal-engine:{causal_engine_lib,causal_engine_bin,
causal_engine_test} --config=ci (RBE).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 05:44:34 +00:00

fix(sr-testing): restricted-PodSecurity securityContext on the NATS deployment ... 0b274da26c

The sr-testing namespace enforces PodSecurity "restricted:latest", which had
been forbidding the sr-testing-nats pod (FailedCreate: no securityContext) —
leaving the Services + TLS secret orphaned with 0 pods. Add a restricted-
compliant securityContext: runAsNonRoot + runAsUser/Group 1000 + fsGroup
(JetStream writes its store dir on an fsGroup-owned emptyDir), seccompProfile
RuntimeDefault, allowPrivilegeEscalation=false, drop ALL capabilities.

Pod now Running 1/1; JetStream + TLS up; reachable at the external LB
23.138.124.18:4222. This restores the test NATS used to runtime-test the
causal-engine subscriber/emitter (signals.state.> / signals.causal.predictions).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 05:47:45 +00:00

docs(causal-engine): drop residual CDC verbiage from tasks.md ... 62c9ae72cb

The state-change feed is an app-level NATS publish, not CDC; remove the
lingering 'NOT pgoutput CDC / NOT logical replication' clarifier now that the
cdc.platform -> signals.state rename has landed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 13:55:45 +00:00

Merge feat/endpoint-sbom-ingestion into feat/causal-engine-v1 ... 80097d807b

Bring the endpoint-SBOM inventory feature (endpoint_inventory_ingestor +
endpoint_inventory_* resources/tables) onto the causal-engine branch so the
inventory-risk-feed (task 1.8) can wire the engine's DeviceRiskReducer
contribution + signals.causal.inventory emission against the REAL ingestor —
which is not yet on staging (staging still has the older pre-scale design).

The causal-engine work builds on top of the inventory (intended dependency
order); these SBOM commits drop out on rebase once that feature lands on
staging. Clean auto-merge — topology_graph.ex reconciled the Gap B
telemetry-eligibility edit with the inventory changes; cargo check green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 14:00:00 +00:00

docs(causal-engine): mark 1.8/1.9 delivered by the merged endpoint-SBOM feature ... 1bdbc82508

After merging feat/endpoint-sbom-ingestion, the inventory-risk-feed (1.8) and
automation-loop (1.9) are already implemented in the inventory feature:
- EndpointInventoryVulnerabilityRisk -> DeviceRiskReducer (source "endpoint_inventory", CVSS-scored)
- EndpointInventoryHistory -> signals.causal.inventory.<event_type>
- topology_graph.ex pkg_* Device scalars (project_vulnerability_risk_summary)
- causal_signals.ex OCSF class_uid 2004 vuln findings + inventory alert evaluation

The engine consumes per-device risk via ocsf_devices.risk_score (hydrator
map_device already reads it); composing risk into causaloids C5/C7/C10 is the
reasoner (1.5, Marvin's DeepCausality domain). Resolves the cti boundary (D1):
inventory scores vulnerability-match payloads itself.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 14:05:24 +00:00

feat(causal-engine): Context snapshot persistence + restore (Phase 1.7) ... 6e60832470

snapshot.rs SnapshotStore: atomic JSON persistence of the Context (temp+rename).
ContextHydrator::connect(snapshot_path) restores the snapshot to seed the shared
Context instantly, then runs a best-effort initial refresh (serves the restored
state if CNPG is momentarily down at boot; the refresh tick retries). refresh()
persists the Context after each SRQL re-snapshot. Context/Device/Service gain
serde derives. main passes config.snapshot_path; the standalone SnapshotStore in
main is removed (the hydrator owns it).

CausaloidGraph frozen-state persistence is deferred to the reasoner (Marvin).
Verified: cargo clippy --all-targets -D warnings, cargo test (12, incl. snapshot
round-trip), cargo fmt --check, bazel build //rust/causal-engine:{causal_engine_lib,
causal_engine_bin,causal_engine_test} --config=ci (RBE).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 17:04:55 +00:00

docs(causal-engine): reasoner hand-off note; mark V1 plumbing complete ... 20ddd3d2c0

The ServiceRadar-owned V1 engine plumbing is complete and green: scaffold,
hydrator (SRQL snapshot + live signals.state.> subscriber + shared Context +
snapshot persistence), emitter, the Phase-0 state-change feed + Gap B, Gap G
(ultragraph 0.9), and 1.8/1.9 via the merged endpoint-SBOM feature. The
remaining tasks — reasoner + causaloids C1-C13 + risk composition (1.3/1.4/1.5),
the causality.rs extraction (1.10.1), and the reasoner-gated NIF cutover (1.10)
+ feed-2 (1.2.2) — are the DeepCausality author's domain.

runbooks/reasoner-handoff.md documents the seams: ContextStore (input),
Reasoner::evaluate, Verdict + emitter (output), ultragraph 0.9 (Gap G already
upstream), risk inputs (ocsf_devices.risk_score + AGE pkg_* scalars), and the
1.10 / feed-2 follow-ups.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 17:12:53 +00:00

feat(causal-engine): reasoner C3 gateway shared-fate root cause (Phase 1.4) ... c3c3ebc557

First real causaloid: c3_gateway_shared_fate groups unavailable devices by
gateway_id and, when >= threshold share a gateway, emits a RootCause verdict for
the gateway + Affected verdicts for the devices (the shared gateway is the
likelier root cause than each device independently). Plain Rust over the
Context; maps cleanly onto the God-View 4 buckets. domain_model.Device gains
gateway_id (hydrator map_device reads it). Unit-tested (shared-gateway,
below-threshold, gatewayless, evaluate-runs-c3).

Remaining causaloids (C1/C2/C4/C5/C5b/C6/C7-C13) + risk composition build on
this + the ultragraph 0.9 graph layer (next).

Verified: cargo clippy --all-targets -D warnings, cargo test (15), cargo fmt
--check, bazel build //rust/causal-engine:{lib,test} --config=ci (RBE).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 17:20:51 +00:00

feat(causal-engine): add C4 management-unobservable causaloid (#3425) ... 5987dc8b77

A device whose MANAGED_BY manager is unavailable is unobservable through
that manager, so its availability is Unknown rather than failed. Suppresses
false "down" classifications for devices behind a dead manager.

- c4_management_unobservable() over Context.edges (ManagedBy)
- wired into Reasoner::evaluate after C3
- 2 unit tests (dead-manager -> Unknown; live-manager -> no verdict)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 5 commits 2026-06-03 17:34:58 +00:00

feat(causal-engine): reasoner domain model + verdict severity (#3425) ... 8a9804db7c

Substrate for causaloids C1-C13 and risk composition (tasks 1.3/1.5):

- EdgeKind gains Contains/BackedBy/DependsOn (C1/C2/C7); GatewayClass enum
  (Gap E, C3 OOB); InterfaceLink (C6); AttributedFlow (C10); BgpRoute (C8);
  OperatorRule (C12).
- Context gains links/flows/bgp_routes/operator_rules collections; Device
  gains gateway_class/flap_count/observation_expected/pkg_severity; all new
  fields serde(default) so snapshots stay backward compatible.
- Verdict gains a 0..=100 predicted `severity` (Verdict::new seeds it from
  the classification; raise_severity_to amplifies for risk composition).
- Emitter envelope surfaces severity_score + derives OCSF severity_id.
- map_device reads pkg_worst_severity; construction sites updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(causal-engine): add C1/C2 containment & datastore cascade causaloids (#3425) ... 1a15f37fbb

- C1: a CONTAINS host going unavailable cascades Affected to its guests.
- C2: a BACKED_BY datastore degrading cascades Affected to backed guest disks.
- Factor availability_map() helper shared by C1/C2/C4.
- 4 unit tests (cascade fires / suppressed when source healthy).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(causal-engine): add C6 interface-saturation causaloid (#3425) ... 86d84744cd

Projects link saturation from Context.links by comparing observed flow_bps
against engineered capacity_bps (>=80% utilization). Capacity-ineligible
links (no denominator, Gap B contract) are skipped — no projection without
a capacity denominator. Severity scales with utilization. 3 unit tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(causal-engine): add C7 stack-collapse + C3 Gap-E OOB suppression (#3425) ... db7ccd0134

- C7: a failed DEPENDS_ON dependency (service/host/resource) predicts collapse
  of the dependent stack. entity_availability_map() spans devices + services.
- C3 Gap E: a gateway whose gateway_class is OutOfBand/Management is no longer
  blamed as a data-plane root cause (shared-fate inference suppressed).
- 4 unit tests (C7 fires/suppressed; C3 OOB suppressed / in-band still blamed).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

feat(causal-engine): add C11/C12/C13 temporal & operator causaloids (#3425) ... e53cdc7eb5

- C11: elevated flap_count (>=3 recent transitions) emits an instability
  precursor, severity scaling with flap rate.
- C12: an operator-authored stateful rule whose condition is met is promoted
  into causal reasoning as an observation over its target entity.
- C13: a node expected to be observed but with no availability reading is a
  discovery/observation gap (Unknown), not a confirmed outage (pairs with C4).
- Refresh module/evaluate docs: the 9 non-graph causaloids are wired; C5/C5b/
  C8/C9/C10 land with the ultragraph graph module next.
- 4 unit tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 17:44:26 +00:00

feat(causal-engine): add graph causaloids C5/C5b/C8/C9/C10 on ultragraph 0.9 (#3425) ... 261aff1051

New `graph` module projects Context CONNECTS_TO edges into a frozen ultragraph
0.9 CsmGraph (Gap G algorithms already upstream) keyed back to canonical ids:

- C5 single-point-of-failure via articulation_points (StructuralGraphAlgorithms)
- C5b bridge redundancy-gap via bridges (both endpoints flagged, de-duped)
- C9 shared-hop bottleneck via betweenness_centrality (CentralityGraphAlgorithms)
- C10 traffic-source blast radius via is_reachable (PathfindingGraphAlgorithms),
  severity weighted by source risk (low-risk source => lower severity)
- C8 BGP withdrawal: downstream destinations of a withdrawn route degraded

All 13 causaloids (C1-C13) now wired into Reasoner::evaluate. ultragraph = "0.9"
added; crate_universe repinned (Cargo.lock + MODULE.bazel.lock). 44 unit tests;
cargo clippy/fmt + bazel lib/bin/test --config=ci green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 17:49:32 +00:00

feat(causal-engine): compose per-device risk into C5/C7/C10 severity (#3425) ... 1b9ebfdc72

Task 1.5: device_risk() folds the MAX-wins ocsf_devices.risk_score and the
bounded pkg_severity (CVSS, scaled x10) into a 0..=100 per-device risk that
RAISES — never lowers — the predicted severity of C5 (SPOF), C7 (stack
collapse), and C10 (blast radius) for the affected node. The structural
classification is unchanged (raise_severity_to is monotonic). 2 unit tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 17:53:48 +00:00

feat(causal-engine): project AGE topology edges into the hydrated Context (#3425) ... 791eb39cd0

refresh() now runs a read-only graph_cypher MATCH over the AGE platform graph
and projects CONNECTS_TO/MANAGED_BY/CONTAINS/BACKED_BY/DEPENDS_ON relationships
into Context.edges (canonical sr: ids via the Device `id` property), unlocking
C1/C2/C4/C5/C5b/C7/C9/C10 against live topology. Best-effort: a projection
failure logs and reasons-without-edges that tick rather than aborting refresh.

parse_topology_edges + edge_kind_from_label are pure and unit-tested against the
documented graph_cypher {nodes,edges} wrapper shape (dedup + canonical-id +
unknown-label filtering). Live cypher still needs a CNPG smoke test; links/
flows/bgp_routes/operator_rules feeds remain TODO(1.2b) (causaloids no-op empty).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 17:57:24 +00:00

feat(causal-engine): extract god_view reasoning into the engine (#3425, task 1.10.1) ... d06a767f7c

Port god_view_nif/core/causality.rs (betweenness root-cause selection + 3-hop
affected BFS) into rust/causal-engine/src/god_view.rs, dropping the dead
DeepCausality CausaloidGraph the NIF built-then-froze-but-never-queried. State
codes (0=root/1=affected/2=healthy/3=unknown) and reason strings are preserved
verbatim so shadow-mode diffing against the legacy NIF is exact. 5 unit tests.

The remaining 1.10 steps (NIF demotion 1.10.2, drop deep_causality/ultragraph
1.10.3, workspace rejoin 1.10.4, shadow 1.10.5, cutover 1.10.6) are deploy-gated
and documented in runbooks/god-view-nif-cutover.md — demoting the live NIF
before the engine serves verdicts would blank the God-View overlay, so they
follow engine deployment + parity, not this PR.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

mfreeman451 added 1 commit 2026-06-03 18:01:52 +00:00

feat(causal-engine): Gap D reverse MANAGES edge + V1 task closeout (#3425) ... a41724c6d4

- Gap D (5.2.1): upsert_managed_by/2 now also MERGEs the reverse
  (mgmt)-[:MANAGES]->(child) AGE edge so the engine traverses manager->managed
  directly (additive; mirrors the MANAGED_BY MERGE).
- tasks.md: mark Phase 0-1 V1 engine COMPLETE — 1.1.3 (ultragraph dep),
  1.3 (reasoner shape), 1.4 (C1-C13), 1.5 (risk composition), 1.9.4, 1.10.1
  (god_view extraction), 5.2.1 (Gap D), and validation 6.1-6.5 all done.
- Phases 2-4 (Gaps A/C/F) and Gap E data-source remain spec-captured +
  dependency/deploy-gated by design; 1.10.2-1.10.6 deploy-gated (cutover runbook).
- openspec validate --strict: valid.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Some checks failed

Hide all checks

Helm Lint / Helm Lint (pull_request) Successful in 21s

Details

Secret Scan / gitleaks (pull_request) Successful in 42s

Details

Fingerprint Licensing / netprobe-fingerprint-licenses (pull_request) Failing after 1m8s

Details

lint / lint (pull_request) Successful in 1m23s

Details

Golang Tests / test-go (push) Successful in 1m24s

Details

lint / lint (push) Successful in 1m51s

Details

CI / build (pull_request) Failing after 9m25s

Details

Elixir Quality / Elixir Quality (pull_request) Failing after 10m40s

Details

This pull request has changes conflicting with the target branch.

• Cargo.lock
• MODULE.bazel.lock

View command line instructions

Manual merge helper

Use this merge commit message when completing the merge manually.

Merge commit title Merge pull request 'feat(causal-engine): umbrella proposal + Phase-0 (state-change feed, Gap B, Gap G handoff)' (#3519) from feat/causal-engine-v1 into staging

Merge commit body Reviewed-on: https://code.carverauto.dev/carverauto/serviceradar/pulls/3519

Merge pull request 'feat(causal-engine): umbrella proposal + Phase-0 (state-change feed, Gap B, Gap G handoff)' (#3519) from feat/causal-engine-v1 into staging Reviewed-on: https://code.carverauto.dev/carverauto/serviceradar/pulls/3519 Copy merge commit message

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin feat/causal-engine-v1:feat/causal-engine-v1

git switch feat/causal-engine-v1

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch staging

git merge --no-ff feat/causal-engine-v1

git switch feat/causal-engine-v1

git rebase staging

git switch staging

git merge --ff-only feat/causal-engine-v1

git switch feat/causal-engine-v1

git rebase staging

git switch staging

git merge --no-ff feat/causal-engine-v1

git switch staging

git merge --squash feat/causal-engine-v1

git switch staging

git merge --ff-only feat/causal-engine-v1

git switch staging

git merge feat/causal-engine-v1

git push origin staging

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

1week

  

2weeks

  

Failed compliance check

  

IP cameras

  

NATS

NATS JetStream

  

Possible security concern

  

Review effort 1/5

  

Review effort 2/5

  

Review effort 3/5

  

Review effort 4/5

  

Review effort 5/5

  

UI

  

aardvark

  

accessibility

  

amd64

  

api

  

arm64

  

auth

  

back-end

  

bgp

  

blog

  

bug

Something isn't working

  

build

  

checkers

  

ci-cd

continuous integration-continuous deployments

  

cleanup

  

cnpg

cloud-native postgres

  

codex

  

core

core service

  

dependencies

Pull requests that update a dependency file

  

device-management

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

dusk

  

ebpf

  

enhancement

New feature or request

  

eta 1d

  

eta 1hr

  

eta 3d

  

eta 3hr

  

feature

  

fieldsurvey

  

github_actions

Pull requests that update GitHub Actions code

  

go

Pull requests that update Go code

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

javascript

Pull requests that update Javascript code

  

k8s

  

log-collector

  

mapper

  

mtr

multi traceroute

  

needs-triage

  

netflow

  

network-sweep

  

observability

  

oracle

Oracle Linux related issues

  

otel

opentelemetry logs, traces, metrics

  

plug-in

  

proton

timeplus proton streaming database

  

python

  

question

Further information is requested

  

reddit

  

redhat

  

research

  

rperf

  

rperf-checker

  

rust

Pull requests that update rust code

  

sdk

  

security

  

serviceradar-agent

  

serviceradar-agent-gateway

  

serviceradar-web

  

serviceradar-web-ng

  

siem

  

snmp

  

sysmon

  

topology

  

ubiquiti

  

wasm

  

wontfix

This will not be worked on

  

zen-engine

No labels

1week

2weeks

Failed compliance check

IP cameras

NATS

Possible security concern

Review effort 1/5

Review effort 2/5

Review effort 3/5

Review effort 4/5

Review effort 5/5

UI

aardvark

accessibility

amd64

api

arm64

auth

back-end

bgp

blog

bug

build

checkers

ci-cd

cleanup

cnpg

codex

core

dependencies

device-management

documentation

duplicate

dusk

ebpf

enhancement

eta 1d

eta 1hr

eta 3d

eta 3hr

feature

fieldsurvey

github_actions

go

good first issue

help wanted

invalid

javascript

k8s

log-collector

mapper

mtr

needs-triage

netflow

network-sweep

observability

oracle

otel

plug-in

proton

python

question

reddit

redhat

research

rperf

rperf-checker

rust

sdk

security

serviceradar-agent

serviceradar-agent-gateway

serviceradar-web

serviceradar-web-ng

siem

snmp

sysmon

topology

ubiquiti

wasm

wontfix

zen-engine

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

carverauto/serviceradar!3519

No description provided.