feat: migrate BCC tools to native eBPF (cilium/ebpf CO-RE)

## Summary

Gradually replace BCC Python-based tools (Tier 2) with native eBPF programs (Tier 3) loaded directly via cilium/ebpf. BCC tools remain as fallback for systems without BTF support.

## Motivation

Current state: **67 BCC tools** run as external Python processes. Per tool:
- ~50MB RAM (Python interpreter)
- ~200ms startup (LLVM compilation)
- Text output → regex parsing

With 67 tools in parallel: **~3GB peak RAM**, significant observer effect.

Native eBPF eliminates all of this:
- ~1MB/tool (BPF maps only)
- ~5ms startup (pre-compiled .o)
- Binary struct parsing (zero-copy)
- **40x faster startup, 50x less memory**

## Migration Phases

### Phase 1: High-Impact Histogram Tools ⭐
| Tool | Attach Point | Ref |
|------|-------------|-----|
| `runqlat` | `tp/sched_switch` + `tp/sched_wakeup` | `libbpf-tools/runqlat.bpf.c` |
| `biolatency` | `tp/block_rq_issue` + `tp/block_rq_complete` | `libbpf-tools/biolatency.bpf.c` |
| `tcpconnlat` | `kprobe/tcp_v4_connect` | `libbpf-tools/tcpconnlat.bpf.c` |
| `cpudist` | `tp/sched_switch` | `libbpf-tools/cpudist.bpf.c` |
| `tcprtt` | `kprobe/tcp_rcv_established` | `libbpf-tools/tcprtt.bpf.c` |

### Phase 2: Stack Trace Tools (heaviest)
- `profile`, `offcputime`, `wakeuptime`

### Phase 3: Network Event Tools
- `tcpdrop`, `tcpstates`, `tcpconnect`, `tcplife`, `tcpaccept`
- (`tcpretrans` already done as Tier 3)

### Phase 4: Process/Disk Event Tools
- `execsnoop`, `opensnoop`, `biosnoop`, `ext4slower`, `killsnoop`, `oomkill`

### Phase 5: Remaining tools (as needed)

## Implementation Pattern

Per tool — files to create/modify:
```
internal/ebpf/c/<tool>.bpf.c              # BPF C program (CO-RE)
internal/ebpf/bpf/<tool>.o                # Compiled ELF (make generate)
internal/collector/ebpf_<tool>.go          # Go collector (Tier 3)
internal/collector/ebpf_<tool>_test.go     # Tests
internal/ebpf/loader.go                    # Add ProgramSpec
internal/orchestrator/orchestrator.go      # Register with Tier 3 priority
Makefile                                   # Add compile target
```

Reference implementation: `internal/collector/ebpf_tcpretrans.go`

## Documentation

- Full plan: `context/NATIVE_EBPF_MIGRATION.md`
- AI prompt template: `context/PROMPT_NATIVE_EBPF.md`

## Acceptance Criteria

- [ ] Phase 1 tools produce equivalent output to BCC versions
- [ ] BCC fallback works when BTF unavailable
- [ ] CI validates on Ubuntu 24.04 (kernel 6.8+)
- [ ] `melisai diff bcc.json native.json` shows no regressions
- [ ] Observer effect measurably reduced (lower CPU/RAM in `observer_overhead`)

## Labels
enhancement, performance

Tool	Attach Point	Ref
`runqlat`	`tp/sched_switch` + `tp/sched_wakeup`	`libbpf-tools/runqlat.bpf.c`
`biolatency`	`tp/block_rq_issue` + `tp/block_rq_complete`	`libbpf-tools/biolatency.bpf.c`
`tcpconnlat`	`kprobe/tcp_v4_connect`	`libbpf-tools/tcpconnlat.bpf.c`
`cpudist`	`tp/sched_switch`	`libbpf-tools/cpudist.bpf.c`
`tcprtt`	`kprobe/tcp_rcv_established`	`libbpf-tools/tcprtt.bpf.c`

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: migrate BCC tools to native eBPF (cilium/ebpf CO-RE) #22

Summary

Motivation

Migration Phases

Phase 1: High-Impact Histogram Tools ⭐

Phase 2: Stack Trace Tools (heaviest)

Phase 3: Network Event Tools

Phase 4: Process/Disk Event Tools

Phase 5: Remaining tools (as needed)

Implementation Pattern

Documentation

Acceptance Criteria

Labels

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

feat: migrate BCC tools to native eBPF (cilium/ebpf CO-RE) #22

Description

Summary

Motivation

Migration Phases

Phase 1: High-Impact Histogram Tools ⭐

Phase 2: Stack Trace Tools (heaviest)

Phase 3: Network Event Tools

Phase 4: Process/Disk Event Tools

Phase 5: Remaining tools (as needed)

Implementation Pattern

Documentation

Acceptance Criteria

Labels

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions