fix: restrict file agg events to ai agents

kylewanginchina · kylewanginchina · commit af35e3bb02a2 · 2026-04-10T16:34:53.000+08:00
diff --git a/server/ingester/event/decoder/decoder.go b/server/ingester/event/decoder/decoder.go
@@ -402,6 +402,10 @@ func splitFilePath(fullPath string) (string, string) {
 	return "", fullPath
 }
 
+func shouldAggregateFileAggEvent(rootPID uint32) bool {
+	return rootPID != 0
+}
+
 func (d *Decoder) emitFileAggItems(items []*dbwriter.FileAggEventStore) {
 	if len(items) == 0 {
 		return
@@ -456,7 +460,7 @@ func (d *Decoder) writeRawFileEvent(vtapId uint16, e *pb.ProcEvent) {
 
 	d.export(s)
 	d.rawFileWriter().Write(s)
-	if d.fileAggReducer != nil {
+	if d.fileAggReducer != nil && shouldAggregateFileAggEvent(s.RootPID) {
 		d.emitFileAggItems(d.fileAggReducer.Add(s))
 	}
 }
diff --git a/server/ingester/event/decoder/decoder_test.go b/server/ingester/event/decoder/decoder_test.go
@@ -259,3 +259,12 @@ func TestExtractFileMgmtTargets(t *testing.T) {
 		t.Fatalf("chmod targets = (%d,%d,%d)", uid, gid, mode)
 	}
 }
+
+func TestShouldAggregateFileAggEvent(t *testing.T) {
+	if shouldAggregateFileAggEvent(0) {
+		t.Fatalf("expected root pid 0 to skip file_agg_event aggregation")
+	}
+	if !shouldAggregateFileAggEvent(42) {
+		t.Fatalf("expected non-zero root pid to allow file_agg_event aggregation")
+	}
+}
diff --git a/server/ingester/event/decoder/file_agg_reducer.go b/server/ingester/event/decoder/file_agg_reducer.go
@@ -113,6 +113,9 @@ func shouldSplitFileAggByIdleGap(current, next *dbwriter.FileAggEventStore) bool
 }
 
 func (r *FileAggReducer) Add(raw *dbwriter.EventStore) []*dbwriter.FileAggEventStore {
+	if raw == nil || raw.RootPID == 0 {
+		return nil
+	}
 	next := cloneRawFileEventToAgg(raw)
 	if next == nil {
 		return nil
diff --git a/server/ingester/event/decoder/file_agg_reducer_test.go b/server/ingester/event/decoder/file_agg_reducer_test.go
@@ -195,3 +195,19 @@ func TestFileAggReducerSplitsSameKeyWhenIdleGapExceeded(t *testing.T) {
 		t.Fatalf("remaining event_count = %d, want 1", remaining[0].EventCount)
 	}
 }
+
+func TestFileAggReducerSkipsNonAiAgentEvent(t *testing.T) {
+	reducer := NewFileAggReducer()
+	raw := makeRawFileEvent("bash", "read", "plain.txt", 16)
+	raw.RootPID = 0
+
+	flushed := reducer.Add(raw)
+	if flushed != nil {
+		t.Fatalf("add returned %d flushed items, want nil", len(flushed))
+	}
+
+	remaining := reducer.Flush()
+	if remaining != nil {
+		t.Fatalf("flush returned %d items, want nil", len(remaining))
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -402,6 +402,10 @@ func splitFilePath(fullPath string) (string, string) {`
`402`	`402`	`return "", fullPath`
`403`	`403`	`}`
`404`	`404`
	`405`	`+func shouldAggregateFileAggEvent(rootPID uint32) bool {`
	`406`	`+ return rootPID != 0`
	`407`	`+}`
	`408`	`+`
`405`	`409`	`func (d Decoder) emitFileAggItems(items []dbwriter.FileAggEventStore) {`
`406`	`410`	`if len(items) == 0 {`
`407`	`411`	`return`
`@@ -456,7 +460,7 @@ func (d Decoder) writeRawFileEvent(vtapId uint16, e pb.ProcEvent) {`
`456`	`460`
`457`	`461`	`d.export(s)`
`458`	`462`	`d.rawFileWriter().Write(s)`
`459`		`- if d.fileAggReducer != nil {`
	`463`	`+ if d.fileAggReducer != nil && shouldAggregateFileAggEvent(s.RootPID) {`
`460`	`464`	`d.emitFileAggItems(d.fileAggReducer.Add(s))`
`461`	`465`	`}`
`462`	`466`	`}`
Original file line number	Diff line number	Diff line change
`@@ -259,3 +259,12 @@ func TestExtractFileMgmtTargets(t *testing.T) {`
`259`	`259`	`t.Fatalf("chmod targets = (%d,%d,%d)", uid, gid, mode)`
`260`	`260`	`}`
`261`	`261`	`}`
	`262`	`+`
	`263`	`+func TestShouldAggregateFileAggEvent(t *testing.T) {`
	`264`	`+ if shouldAggregateFileAggEvent(0) {`
	`265`	`+ t.Fatalf("expected root pid 0 to skip file_agg_event aggregation")`
	`266`	`+ }`
	`267`	`+ if !shouldAggregateFileAggEvent(42) {`
	`268`	`+ t.Fatalf("expected non-zero root pid to allow file_agg_event aggregation")`
	`269`	`+ }`
	`270`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -113,6 +113,9 @@ func shouldSplitFileAggByIdleGap(current, next *dbwriter.FileAggEventStore) bool`
`113`	`113`	`}`
`114`	`114`
`115`	`115`	`func (r FileAggReducer) Add(raw dbwriter.EventStore) []*dbwriter.FileAggEventStore {`
	`116`	`+ if raw == nil \|\| raw.RootPID == 0 {`
	`117`	`+ return nil`
	`118`	`+ }`
`116`	`119`	`next := cloneRawFileEventToAgg(raw)`
`117`	`120`	`if next == nil {`
`118`	`121`	`return nil`