feat: cold-start seeding — behavioral profiler persistence and seed/export #12
Merged
…xport subcommands

Eliminates the 24h cold-start blind spot where a redeployed sensor needs min_seen=50 observations before the behavioral profiler can fire alerts.

- anomaly: BehaviorProfileEntry DTO with Serialize()/Merge() on BehaviorProfiler; Merge is additive (sums counts) so seeding from multiple sources is idempotent
- anomaly: Evaluator wrappers SerializeBehaviorProfiles()/LoadBehaviorProfiles()
- storage: migrate.go v4 — behavior_profiles table (anchor_key, companion_key, count, total_seen, last_updated); SaveBehaviorProfiles/LoadBehaviorProfiles
- cmd: seed subcommand copies profiles from a backup DB into current sensor DB; export-profiles dumps profiles as JSON lines for inspection/transfer
- main: persistLoop saves behavioral profiles every 30s and on shutdown; profiles loaded at startup via initPipeline

Tests: 4 anomaly tests, 3 storage tests, 5 cmd tests (round-trip, idempotent, error paths); all 11 packages green.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Crank-Git added a commit that referenced this pull request May 9, 2026
feat: cold-start seeding — behavioral profiler persistence and seed/export
Summary

- anomaly: `BehaviorProfileEntry` DTO with `Serialize()`/`Merge()` on `BehaviorProfiler`; merge is additive (sums counts) so seeding from multiple sources is idempotent
- storage: schema migration v4 adds `behavior_profiles` table; `SaveBehaviorProfiles`/`LoadBehaviorProfiles` methods
- cmd: `seed` subcommand copies profiles from a backup DB into current sensor; `export-profiles` dumps profiles as JSON lines for inspection or transfer
- main: `persistLoop` saves behavioral profiles every 30s and on clean shutdown; profiles loaded at startup, eliminating the 24h cold-start blind spot

Why

The behavioral profiler requires `min_seen=50` observations before firing — on a redeployed sensor this blind spot can last up to 24h. Seeding from a backup DB instantly provides that history. Additive merge means seeding from multiple sources is safe and idempotent.

Test plan

- `TestBehaviorProfiler_SerializeEmpty` — empty profiler serializes to zero entries
- `TestBehaviorProfiler_SerializeMergeRoundTrip` — serialize → merge → re-serialize produces identical state
- `TestBehaviorProfiler_MergeAddsToExisting` — merge sums counts additively
- `TestBehaviorProfiler_MergeEmptyNoOp` — merging empty slice leaves state unchanged
- `TestStore_SaveLoadBehaviorProfiles_Empty` — empty save/load round-trips correctly
- `TestStore_SaveLoadBehaviorProfiles_RoundTrip` — profiles survive a full save/load cycle
- `TestStore_SaveBehaviorProfiles_Idempotent` — double-save produces single set of rows
- `TestRunSeed_MissingSource` — errors on missing source DB
- `TestRunSeed_SameSourceAndDest` — errors when source == destination
- `TestRunSeed_RoundTrip` — profiles seeded from src appear in dst
- `TestRunExportProfiles_MissingDB` — errors on missing DB
- `TestRunExportProfiles_EmptyDB` — succeeds with zero entries

🤖 Generated with Claude Code
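An added illustration (not code from this PR or the project) of what a purely additive merge implies when seeding: merging the same export twice doubles `total_seen` and can cross `min_seen=50` with no new observations, while a per-source guard keeps a repeated seed run from inflating the baseline. The `Entry`, `Profiler`, `SeedOnce` and `Armed` names, the per-pair `total_seen` model and the sample values are assumptions.

```go
package main

import "fmt"

const minSeen = 50 // threshold quoted in the PR description

// Entry mirrors the behavior_profiles columns listed in the PR
// (last_updated omitted). Hypothetical type, not the project's DTO.
type Entry struct {
	Anchor, Companion string
	Count, TotalSeen  int
}

// Profiler is a toy stand-in keyed by (anchor, companion).
type Profiler struct {
	rows   map[[2]string]Entry
	seeded map[string]bool // source IDs already merged (assumed guard)
}

func NewProfiler() *Profiler {
	return &Profiler{rows: map[[2]string]Entry{}, seeded: map[string]bool{}}
}

// Merge is purely additive: incoming counts are summed into existing rows.
func (p *Profiler) Merge(entries []Entry) {
	for _, e := range entries {
		k := [2]string{e.Anchor, e.Companion}
		cur := p.rows[k]
		cur.Anchor, cur.Companion = e.Anchor, e.Companion
		cur.Count += e.Count
		cur.TotalSeen += e.TotalSeen
		p.rows[k] = cur
	}
}

// SeedOnce merges a source only the first time its ID is seen.
func (p *Profiler) SeedOnce(sourceID string, entries []Entry) bool {
	if p.seeded[sourceID] {
		return false
	}
	p.seeded[sourceID] = true
	p.Merge(entries)
	return true
}

// Armed reports whether the pair has reached minSeen and may alert.
func (p *Profiler) Armed(anchor, companion string) bool {
	return p.rows[[2]string{anchor, companion}].TotalSeen >= minSeen
}

func main() {
	backup := []Entry{{"sshd", "bash", 28, 30}} // constructed sample
	p := NewProfiler()
	p.Merge(backup)
	p.Merge(backup) // same export merged twice
	fmt.Println(p.rows[[2]string{"sshd", "bash"}].TotalSeen, p.Armed("sshd", "bash"))
}
```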