rsigma_runtime/risk/snapshot.rs
1//! Versioned persistence snapshot for the per-entity risk accumulator.
2//!
3//! Saved to the daemon's SQLite store on the periodic and shutdown hooks, beside
4//! the correlation and alert-pipeline snapshots, and restored on boot with
5//! window-aware pruning. A version mismatch starts fresh rather than erroring.
6
7use serde::{Deserialize, Serialize};
8
9use super::accumulator::Contribution;
10
/// Snapshot format version. Bump on any breaking change to the layout of
/// [`RiskStateSnapshot`] or [`EntitySnapshot`]; a loaded snapshot whose version
/// differs is discarded and the accumulator starts empty.
///
/// This is a layout-compatibility marker only. A matching version says nothing
/// about whether the stored contents are intact or unmodified.
// NOTE(review): the restore path is not visible in this file; confirm it does
// not treat a version match as proof that the entries are well-formed.
pub const SNAPSHOT_VERSION: u32 = 1;
15
/// A point-in-time capture of the whole accumulator.
///
/// Round-trips through serde via the derived `Serialize`/`Deserialize` impls.
/// The concrete encoding used by the store is not chosen in this file.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct RiskStateSnapshot {
    /// Snapshot layout version, to be compared against [`SNAPSHOT_VERSION`] on
    /// load.
    pub version: u32,
    /// One entry per tracked entity.
    // NOTE(review): the length is whatever the stored snapshot holds; nothing in
    // this type bounds it. Confirm the restore path caps or prunes entries before
    // trusting a snapshot read back from disk.
    pub entities: Vec<EntitySnapshot>,
}
24
/// One tracked entity's window.
///
/// All fields are plain data filled in by deserialization; this type performs no
/// validation of its own.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct EntitySnapshot {
    /// The risk-object type.
    pub entity_type: String,
    /// The entity value.
    // NOTE(review): presumably an identifier taken from event data (TODO confirm).
    // If so, the persisted snapshot holds those identifiers at rest and the
    // store's file permissions matter.
    pub entity_value: String,
    /// When this entity last fired an incident, if ever (unix seconds).
    ///
    /// Omitted from the serialized form when `None`, and read back as `None`
    /// when the field is absent.
    // NOTE(review): `skip_serializing_if` only round-trips with a self-describing
    // encoding (e.g. JSON). With a positional encoding, omitting this field would
    // shift the fields that follow. Confirm the store's encoding.
    #[serde(skip_serializing_if = "Option::is_none", default)]
    pub last_fired: Option<i64>,
    /// When this entity was last seen (unix seconds).
    // NOTE(review): signed and unchecked here, so a stored value may be negative
    // or in the future. Confirm the pruning on restore handles both.
    pub last_seen: i64,
    /// The retained window of contributions.
    pub contributions: Vec<Contribution>,
}