Struct RuntimeEngine 

pub struct RuntimeEngine { /* private fields */ }

Wraps a CorrelationEngine (or a plain Engine) and provides the interface the runtime needs: process events, reload rules, and query state.

Implementations

impl RuntimeEngine

pub fn new( rules_path: PathBuf, pipelines: Vec<Pipeline>, corr_config: CorrelationConfig, include_event: bool, ) -> Self

pub fn set_bloom_prefilter(&mut self, enabled: bool)

Enable or disable bloom-filter pre-filtering on the inner detection engine. Off by default. Applies on the next load_rules(); pre-load callers should set this before calling load_rules().

pub fn set_bloom_max_bytes(&mut self, max_bytes: usize)

Override the bloom memory budget on the inner detection engine. Applies on the next load_rules().

pub fn set_source_resolver(&mut self, resolver: Arc<dyn SourceResolver>)

Set a source resolver for dynamic pipeline sources.

When set, load_rules() resolves dynamic sources and expands ${source.*} templates before compiling rules.

pub fn source_resolver(&self) -> Option<&Arc<dyn SourceResolver>>

Get the source resolver, if one is configured.

pub fn set_allow_remote_include(&mut self, allow: bool)

Allow include directives to reference HTTP/NATS sources.

pub fn allow_remote_include(&self) -> bool

Whether remote includes are allowed.

pub fn set_pipeline_paths(&mut self, paths: Vec<PathBuf>)

Set the pipeline file paths used for hot-reload.

When paths are set, load_rules() re-reads pipeline YAML from disk before rebuilding the engine. This enables pipeline hot-reload alongside rule hot-reload.

pub fn pipeline_paths(&self) -> &[PathBuf]

Return the pipeline file paths (used by the daemon to set up watchers).

pub async fn resolve_dynamic_pipelines(&mut self) -> Result<(), String>

Resolve dynamic sources in all pipelines and expand templates.

This is the async entry point for source resolution. Call this before load_rules() when you have an async context available, or let load_rules() handle it synchronously via tokio::runtime::Handle.

pub fn load_rules(&mut self) -> Result<EngineStats, String>

Load (or reload) rules from the configured path.

On reload, correlation state is exported before replacing the engine and re-imported after, so in-flight windows and suppression state survive rule changes (entries for removed correlations are dropped).

If pipeline paths are set (via set_pipeline_paths), pipelines are re-read from disk before rebuilding the engine. If any pipeline file fails to parse, the entire reload is aborted and the old engine remains active.

Dynamic pipeline sources are resolved if a source resolver is configured.

pub fn process_batch<E: Event + Sync>( &mut self, events: &[&E], ) -> Vec<ProcessResult>

Process a batch of events using parallel detection + sequential correlation.

Delegates to Engine::evaluate_batch or CorrelationEngine::process_batch depending on whether correlation rules are loaded.

pub fn stats(&self) -> EngineStats

Return summary statistics about the current engine state.

pub fn rules_path(&self) -> &Path

Return the path from which rules are loaded.

pub fn pipelines(&self) -> &[Pipeline]

Return the configured processing pipelines.

pub fn corr_config(&self) -> &CorrelationConfig

Return the correlation configuration.

pub fn include_event(&self) -> bool

Whether detection results include the matched event.

pub fn export_state(&self) -> Option<CorrelationSnapshot>

Export correlation state as a serializable snapshot. Returns None if the engine is detection-only (no correlation state to persist).

pub fn import_state(&mut self, snapshot: &CorrelationSnapshot) -> bool

Import previously exported correlation state. Returns true if the import succeeded, false if the snapshot version is incompatible. No-op (returns true) if the engine is detection-only.