Doctor: causal timeline & cross-signal correlation (the headline differentiator)

[btwshivam]

Problem

Today's kerno doctor output is a flat list of findings. That's good — but every competing tool (Datadog, Pixie, Cilium Hubble, Inspektor Gadget) also produces a flat list of findings. The differentiator promised in the brand positioning is:

"Datadog shows the dashboard. Kerno tells you the diagnosis."

A diagnosis is causal. It looks like:

[14:32:01.000] Disk fsync p99 spiked to 240ms (was 8ms)
       │
       ▼
[14:32:03.500] PostgreSQL write latency p99 climbed to 1.8s (write_xlog blocked on fsync)
       │
       ▼
[14:32:05.200] payment-api request p99 hit 6s; first 504s emitted
       │
       ▼
[14:32:06.100] kube-proxy retransmit rate hit 4% (downstream queue saturation)

Root cause: storage controller (sda) experienced an unusual fsync stall.
Recommended action: investigate /sys/block/sda for IO errors; consider
moving WAL to a less contended device.

Every signal here is already in Signals; today we just don't sequence them.

Goal

Build the causal timeline engine: take the []Finding plus the time-bucketed signal history (the engine.history ring buffer, currently 10 entries) and produce a Timeline that orders findings by their first-detection timestamp and links them by suspected causation.

Files to add

• internal/doctor/timeline.go — the engine
• internal/doctor/timeline_test.go — table-driven tests with synthetic Signals showing known cascades
• internal/doctor/render_timeline.go — renderer extension for the box-tree view above

Approach

1. Signal history: bump engine.maxHistory from 10 to ~120 (10 minutes at 5s intervals — bounded, ~1MB max).
2. Timeline construction: for each finding, find the earliest Signals snapshot in history where the underlying metric crossed its threshold. That's the "fired at" timestamp.
3. Causation links: a small rule table — disk-saturation → DB-slow → upstream-API → cascade is one row; OOMKill ← memory-pressure-imminent is another. Match by signal pair + temporal ordering (cause must precede effect).
4. Confidence: each link has 0–1 confidence; only links above 0.7 render in the timeline.

Acceptance criteria

• kerno doctor --timeline renders the box-tree view
• kerno doctor --output json includes a timeline array with each link annotated by {cause, effect, confidence, gap_ms}
• Pair with chaos cascade in scripts/verify.sh — induce the disk→TCP→memory→CPU cascade and assert the timeline links them in order
• Unit tests cover: linear cascade, parallel non-related findings, single-finding case, no findings case
• AI integration: when --ai is set, the AI summary references the timeline by ID, not by raw finding name

Why this matters

This is the shareable feature. A screenshot of a 4-hop causal timeline going viral on r/sre is worth 10x the OOMKill detection. It's also the foundation for Phase 18.1 (shareable incident links) and the kubectl-kerno demo.

Effort

~5 days. Significant: history store, link engine, renderer, AI prompt update, tests.

References

• Phase 14.2 in TODO.md (the "headline feature")
• Brand positioning: BRAND_TODO.md (gitignored, in repo) — "Datadog shows, Kerno tells"

[indenigrate]

/take
hey @btwshivam id like to take this on since I just finished the preflight engine.

since its a massive feature ill break it down into smaller PRs:

• bump the history ring buffer to 120 and add memory tests
• build timeline.go with the causation rule table and logic
• build the ascii box-tree renderer in render_timeline.go
• hook up the chaos cascade in verify.sh and update the ai prompt

i checked the references in the issue but noticed BRAND_TODO.md is missing from the repo, and Phase 14.2 is only briefly mentioned in TODO.md without the full spec. because of that, i just have two quick questions before starting phase 1:

should the causation rules just be hardcoded in go (like a slice/map) for now?
for the ascii tree rendering, do you want a custom string formatter to keep it dependency-free, or is it cool to use a ui library?

[github-actions]

@indenigrate, you're already on 2 open issues (#61 (feat: improve CONTRIBUTING.md onboarding for the two build modes), #44 (CLI: kerno preflight — validate prerequisites without running)).

We cap contributors at 2 concurrent issues so the backlog stays available to others. Please finish or /unassign one before claiming another.

(Maintainers are exempt from this cap.)

[nxn0]

hi @btwshivam ,i'd like to work on this issue under GSSoC '26.

/assign

[github-actions]

Assigned to @nxn0. Thanks for picking this up! 🚀

Heads-up: if there's no activity (comment or PR linked here) within 10 days, the issue will be auto-released so others can pick it up. Comment any time to reset that timer.

Need help getting started? Check CONTRIBUTING.md or ask in the issue thread.

[github-actions]

Hi @nxn0 — heads up that this issue has had no activity from you in 7 days.

If you're still working on it, leave a comment and the timer resets. Otherwise it'll be auto-released in 3 days so others can pick it up.

Need help getting unstuck? Reply here, no judgement.

[nxn0]

I am actively working on it.

[nxn0]

I don't think I can do it.
I'll stick to something much lighter .

/unassign