Crate cellos_host_telemetry

Expand description

Host-side telemetry receiver for the in-VM observability path (Phase F).

Status: F3b — vsock listener + host-stamping + agent-silenced detection shipped. The remaining F-phase work is F4b (supervisor signing of the outbound CloudEvents) and F1b (additive event constructor for cell.observability.guest.agent_silenced). ADR-0006 is the doctrine reference.

Role: bind a per-cell UDS at <vsock_uds_base>_9001 BEFORE the workload runs, receive CBOR-framed cell.observability.guest.* events from the in-guest [cellos-telemetry] agent, host-stamp the non-negotiable attribution fields (cell_id, run_id, host_received_at, spec_signature_hash, ADG output), and produce internal StampedDeclaration values the F4b signer projects to CloudEventV1 via the cellos_core::events builders.

Channel-authenticity model (ADR-0006 §5): the host trusts WHICH UDS path the bytes arrived on (Firecracker proxies the guest’s vsock connection to a per-cell UDS at <vsock_uds_base>_<port>), not a payload signature. The guest agent must NOT hold a signing key. This crate must NEVER take a dependency on signing primitives that would let it accept guest-signed envelopes; the supervisor signs outbound, period.

Module layout:

listener — per-cell UDS bind + CBOR frame decode + content_version major-version gate.
host_stamp — projects GuestDeclaration + HostStamp into the internal StampedDeclaration value type.
keepalive — KeepAlive tracker, AgentSilencedTrigger (fire-once), and watch_for_silence watcher loop.

See [docs/adr/0006-in-vm-observability-runner-evidence.md] for the complete decision record.

Modules§

host_stamp: Host-stamping of guest declarations (ADR-0006 §6).
keepalive: Keep-alive watcher and agent_silenced detection (ADR-0006 §7).
listener: Per-cell vsock UDS listener — Phase F3b.
probes: Host-side observability probes (Slot F1a / Path B).
sign_outbound: F4b — supervisor-side signing of outbound guest-derived envelopes.

Structs§

GuestDeclaration: Fields a guest-side agent fills. Anything else is host-stamped on receipt and overrides what the guest sent (ADR-0006 §6).
HostProbeReading: Forward-looking F3 host-probe reading shape (ADR-0006 acceptance prep, 2026-05-16). The richer probes::HostProbe / probes::ProbeReading API in this crate is the F3a implementation; this simpler envelope is the minimal contract documented for future host-side probes that emit cellos.events.host.probe.v1 CloudEvents without needing the full ProbeContext / EventSink plumbing.
HostStamp: Attribution fields stamped supervisor-side on every guest declaration. Overrides whatever the guest sent — non-negotiable per ADR-0006 §6.
ProbeContext: Per-cell context every host probe needs to attribute its readings.
ProbeReading: One reading produced by a HostProbe::read call.
StampedDeclaration: Internal value type: a guest declaration with host-stamped attribution.

Enums§

ProbeError: Errors a host probe can surface.
TelemetryError: Errors surfaced by the telemetry receiver.

Constants§

HOST_PROBE_EVENT_SOURCE: CloudEvents source for host-probe-emitted events.
HOST_PROBE_EVENT_TYPE_PREFIX: CloudEvents type prefix for host-probe-emitted events.
VSOCK_TELEMETRY_PORT: Vsock port reserved for guest telemetry events.
WIRE_CONTENT_VERSION_MAJOR: CBOR wire-format major version. Host rejects unknown majors per ADR-0006 §12 wire-schema versioning.

Traits§

HostProbe: A single host-side probe.

Functions§

build_host_probe_envelope: Build a CloudEventV1 envelope for a host-probe reading.
emit_reading: Stamp host_received_at on reading, build the CloudEvent envelope via the F1b-shaped constructors, and dispatch via the supervisor’s existing EventSink.