dx_evidence_graph: viz stub — coordination with dx-agent data model

.github/workflows/cli_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read

.github/workflows/cloud_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read

.github/workflows/mirror_deps.yaml

@@ -9,7 +9,7 @@ jobs:
     permissions:
       contents: read
       packages: write
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     steps:
     - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772  # v2
       with:

.github/workflows/operator_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read

.github/workflows/vizier_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read

bazel/ui.bzl

@@ -17,9 +17,14 @@
 # This file contains rules for for our UI builds.
 
 ui_shared_cmds_start = [
+    # set -x: trace every command so CI failure logs surface the actual
+    # failing step. Without this the action shell silently aborts with
+    # exit 1 and no indication which sub-command failed.
+    "set -x",
     'export BASE_PATH="$(pwd)"',
-    "export PATH=/usr/local/bin:/opt/px_dev/tools/node/bin:$PATH",
-    'export HOME="$(mktemp -d)"',  # This makes node-gyp happy.
+    "export PATH=/opt/px_dev/tools/node/bin:/usr/local/bin:$PATH",
+    "hash -r",
+    'export HOME="$(mktemp -d)"',
     'export TMPPATH="$(mktemp -d)"',
 ]
 
@@ -38,7 +43,7 @@ def _pl_webpack_deps_impl(ctx):
 
     cmd = ui_shared_cmds_start + cp_cmds + [
         'pushd "$TMPPATH/src/ui" &> /dev/null',
-        "yarn install --immutable &> build.log",
+        "/opt/px_dev/tools/node/bin/yarn install --immutable &> build.log",
         # Pick a deterministic mtime so that the output is not volatile.
         # This helps ensure that bazel can cache the ui builds as expected.
         'tar --mtime="2018-01-01 00:00:00 UTC" -czf "$BASE_PATH/{}" .'.format(out.path),
@@ -49,6 +54,10 @@ def _pl_webpack_deps_impl(ctx):
         execution_requirements = {tag: "" for tag in ctx.attr.tags},
         outputs = [out],
         command = " && ".join(cmd),
+        # `--incompatible_strict_action_env` (.bazelrc) strips host PATH
+        # from actions, so yarn/node at /opt/px_dev/tools/node/bin aren't
+        # resolvable. Match how licenses.bzl + proto_compile.bzl handle it.
+        use_default_shell_env = True,
         progress_message =
             "Generating webpack deps %s" % out.short_path,
     )
@@ -72,8 +81,15 @@ def _pl_webpack_library_impl(ctx):
         # and apply it to the environment here. Hopefully,
         # no special characters/spaces/quotes in the results ...
         env_cmds = [
-            '$(sed -E "s/^([A-Za-z_]+)\\s*(.*)/export \\1=\\2/g" "{}")'.format(ctx.info_file.path),
-            '$(sed -E "s/^([A-Za-z_]+)\\s*(.*)/export \\1=\\2/g" "{}")'.format(ctx.version_file.path),
+            # Whitelist the stamp vars the action actually uses
+            # (webpack.config.js' EnvironmentPlugin reads STABLE_BUILD_TAG
+            # and BUILD_TIMESTAMP). The previous wildcard sed slurped
+            # FORMATTED_DATE too — its space-separated value
+            # ("2026 Jun 18 ...") word-split in $(...) command
+            # substitution and broke every action with
+            # "export: `18': not a valid identifier".
+            '$(sed -E -n "s/^(STABLE_BUILD_TAG|BUILD_TIMESTAMP)\\s+(.*)/export \\1=\\2/p" "{}")'.format(ctx.info_file.path),
+            '$(sed -E -n "s/^(STABLE_BUILD_TAG|BUILD_TIMESTAMP)\\s+(.*)/export \\1=\\2/p" "{}")'.format(ctx.version_file.path),
         ]
         all_files.append(ctx.info_file)
         all_files.append(ctx.version_file)
@@ -84,9 +100,12 @@ def _pl_webpack_library_impl(ctx):
         'pushd "$TMPPATH/src/ui" &> /dev/null',
         'tar -xzf "$BASE_PATH/{}"'.format(ctx.file.deps.path),
         'mv -f "$BASE_PATH/{}" src/pages/credits/licenses.json'.format(ctx.file.licenses.path),
-        "retval=0",
-        "output=`yarn build_prod 2>&1` || retval=$?",
-        '[ "$retval" -eq 0 ] || (echo $output; echo "Build Failed with Code: $retval"; exit $retval)',
+        # Stream yarn output directly so failures surface a usable stderr
+        # in CI logs. Absolute path because --incompatible_strict_action_env
+        # makes bazel ignore our `export PATH` despite the dev image
+        # having yarn at this path. Children (webpack -> node) need PATH
+        # too so we don't strip the export above.
+        "/opt/px_dev/tools/node/bin/yarn build_prod",
         'cp dist/bundle.tar.gz "$BASE_PATH/{}"'.format(out.path),
     ] + ui_shared_cmds_finish
 
@@ -95,6 +114,10 @@ def _pl_webpack_library_impl(ctx):
         execution_requirements = {tag: "" for tag in ctx.attr.tags},
         outputs = [out],
         command = " && ".join(cmd),
+        # `--incompatible_strict_action_env` (.bazelrc) strips host PATH
+        # from actions, so yarn/node at /opt/px_dev/tools/node/bin aren't
+        # resolvable. Match how licenses.bzl + proto_compile.bzl handle it.
+        use_default_shell_env = True,
         progress_message =
             "Generating webpack bundle %s" % out.short_path,
     )
@@ -161,15 +184,19 @@ def _pl_deps_licenses_impl(ctx):
         'pushd "$TMPPATH/src/ui" &> /dev/null',
         'export LIC_TMPPATH="$(mktemp -d)"',
         'tar -xzf "$BASE_PATH/{}"'.format(ctx.file.deps.path),
-        "yarn license_check --excludePrivatePackages --production --json --out $LIC_TMPPATH/checker.json",
-        'yarn pnpify node ./tools/licenses/yarn_license_extractor.js --input=$LIC_TMPPATH/checker.json --output="$BASE_PATH/{}"'.format(out.path),
+        "/opt/px_dev/tools/node/bin/yarn license_check --excludePrivatePackages --production --json --out $LIC_TMPPATH/checker.json",
+        '/opt/px_dev/tools/node/bin/yarn pnpify node ./tools/licenses/yarn_license_extractor.js --input=$LIC_TMPPATH/checker.json --output="$BASE_PATH/{}"'.format(out.path),
     ] + ui_shared_cmds_finish
 
     ctx.actions.run_shell(
         inputs = all_files + ctx.files.deps,
         execution_requirements = {tag: "" for tag in ctx.attr.tags},
         outputs = [out],
         command = " && ".join(cmd),
+        # `--incompatible_strict_action_env` strips host PATH from
+        # actions; yarn lives at /opt/px_dev/tools/node/bin in the
+        # dev image.
+        use_default_shell_env = True,
         progress_message =
             "Generating licenses %s" % out.short_path,
     )

private/cockpit/script_bundles_config.yaml

@@ -1,12 +1,25 @@
 ---
+# SCRIPT_BUNDLE_URLS is read by openresty (cloud-proxy_server_image) and
+# injected into the UI's `window.__PIXIE_FLAGS__` (see
+# k8s/cloud/base/proxy_nginx_config.yaml's sub_filter + set_by_lua_block).
+# The UI's fetch resolves relative URLs against document.baseURI, which is
+# always the cloud-proxy itself, so a relative `/bundle-oss.json` URL hits
+# the bundle that the cloud-release pipeline bakes into the proxy image as
+# a container layer (src/cloud/proxy/BUILD.bazel `script_bundle` ->
+# /bundle/bundle-oss.json). nginx serves it at the path `/bundle-oss.json`
+# from both server blocks (bare + work.* subdomain,
+# k8s/cloud/base/proxy_nginx_config.yaml lines 270 + 342).
+#
+# Bottom line: every cloud-release tag's bundle now ships with the
+# deployment, no separate update-script-bundle workflow needed.
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: pl-script-bundles-config
 data:
   SCRIPT_BUNDLE_URLS: >-
     [
-    "https://k8sstormcenter.github.io/pixie/pxl_scripts/bundle.json"
+    "/bundle-oss.json"
     ]
   SCRIPT_BUNDLE_DEV: "false"
   PL_SCRIPT_MODIFICATION_DISABLED: "false"

src/pxl_scripts/px/dx_evidence_graph/README.md

@@ -0,0 +1,114 @@
+# dx_evidence_graph
+
+A Pixie UI dashboard that renders one dx-agent investigation as a
+**severity-weighted, all-protocol pod-to-pod attack graph**. Replaces
+the latency-weighted HTTP service map in `cluster_overview` for
+security work.
+
+* Nodes = pods. Falls back to service → IP, mirroring `net_flow_graph`.
+* Edges = the attack path emitted by dx (delivery → egress →
+  execution → collection → exfil → pivot).
+* Display spec: `vispb.Graph`. **`edgeWeightColumn = weight`**
+  (open-ended UInt16 sum of CRS severity → edge thickness),
+  **`edgeColorColumn = max_severity`** (discrete 2-5 heat → edge
+  colour).
+* Read source: `forensic_db.dx_attack_graph` via `px.DataFrame`'s
+  `clickhouse_dsn` kwarg (`src/carnot/planner/objects/dataframe.cc:43`).
+
+## Schema — `forensic_db.dx_attack_graph`
+
+Locked with dx-agent in PR #62 / `entlein/dx#68`. The
+`attackgraph.Edge` Go struct is the single source of truth for the
+JSON wire format, the ClickHouse row, and the test fixture.
+
+| Column | Type | Role |
+|---|---|---|
+| `investigation_id` | String | one graph per dx verdict / pivot incident (UI filter key) |
+| `ts` | UInt64 | unix nanos |
+| `requestor_pod` / `responder_pod` | String | the hop (`ns/pod`); `""` if only an IP is known |
+| `requestor_service` / `responder_service` | String | |
+| `requestor_ip` / `responder_ip` | String | peer IP when pod unresolved |
+| `weight` | UInt16 | Σ CRS severity on the hop — `edgeWeightColumn` |
+| `max_severity` | UInt8 | top single-criterion severity (2-5) — `edgeColorColumn` |
+| `confidence` | Float32 | verdict confidence |
+| `edge_kind` | String | `delivery`/`egress`/`execution`/`collection`/`exfil`/`pivot` |
+| `condition` / `criteria` | String | ruled-in condition + criterion label(s) |
+| `num_findings` | UInt32 | |
+
+Table DDL (mirrors `kubescape_logs` partition/TTL convention):
+
+```sql
+CREATE TABLE forensic_db.dx_attack_graph ( ...columns above... )
+ENGINE = MergeTree
+PARTITION BY toYYYYMM(fromUnixTimestamp64Nano(ts))
+ORDER BY (investigation_id, requestor_pod, responder_pod)
+TTL toDateTime(fromUnixTimestamp64Nano(ts)) + INTERVAL 30 DAY DELETE;
+```
+
+## Per-rig ClickHouse DSN
+
+The bundled `vis.json` ships with `clickhouse_dsn` **empty** — the
+default is intentionally non-credentialed so the bundle stays
+portable across clusters. Operators fill the DSN in via the Pixie
+UI script-args panel at run time.
+
+For the in-cluster soc deployment the DSN is:
+
+```
+forensic_analyst:changeme-analyst@clickhouse-forensic-soc-db.clickhouse.svc.cluster.local:9000/forensic_db
+```
+
+`forensic_analyst` has read-only SELECT on `forensic_db`; same
+credential the existing `soc/analysis/px_clickhouse/kubescape/observe.pxl`
+script uses for `kubescape_logs`. Override in the UI for other rigs.
+
+## Manual-load prototype
+
+`tools/load_prototype/` is a Go helper that renders the `Edge`
+schema from a JSON fixture into a standalone HTML page using
+cytoscape.js. Same column→visual mapping the production
+`vispb.Graph` spec uses. Useful when ClickHouse isn't reachable
+from the UI (offline review, fixture validation).
+
+```bash
+go run ./tools/load_prototype \
+    -fixture fixtures/sample.json \
+    -investigation_id log4shell-6a32ea57 \
+    -out /tmp/dx_log4shell.html
+```
+
+The fixture in `fixtures/sample.json` is dx-agent's real
+log4shell + argocd verdicts from the rig run that locked the
+schema. `fixtures/screenshots/dx_log4shell.html` and
+`fixtures/screenshots/dx_argocd.html` are the pre-rendered pages
+for review without running the tool.
+
+The tool retires once the AE live-write (`WriteAttackGraph` →
+`forensic_db.dx_attack_graph`) is on every cluster running this
+bundle.
+
+## Deploy
+
+Bundle build path:
+
+1. `//src/pxl_scripts:script_bundle` walks every `*.pxl` + `vis.json`
+   under `src/pxl_scripts/` and emits `bundle-oss.json`
+   (`src/pxl_scripts/BUILD.bazel:34`).
+2. `//src/cloud/proxy:proxy_server_image` bakes the bundle in as a
+   container layer at `/bundle`
+   (`src/cloud/proxy/BUILD.bazel:36`).
+3. `skaffold run -f skaffold/skaffold_cloud.yaml` rebuilds the
+   cloud-proxy image and applies the Deployment.
+
+Vizier / PEM / standalone-pem images are unaffected — this is a
+UI-bundle-only change.
+
+## Out of scope for v1
+
+* `conn_stats` overlay (the "render the benign neighbourhood + light
+  up the attack path" view). Ship the attack-path-only graph first;
+  add the join in v2 once the visual has been used on a real
+  incident.
+* Time anchoring relative to `ts` rather than free-form `start_time`.
+  Operators today use `-15m` defaults; a future widget could centre
+  the window on the investigation's first `ts`.

src/pxl_scripts/px/dx_evidence_graph/dx_evidence_graph.pxl

@@ -0,0 +1,34 @@
+# Copyright 2018- The Pixie Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+''' DX Attack Graph: pod-to-pod hops weighted by dx evidence severity. '''
+import px
+
+
+def dx_attack_graph(start_time: str, clickhouse_dsn: str):
+    ''' Read forensic_db.dx_attack_graph and return the edge columns.
+    Args:
+    @start_time: e.g. "-15m".
+    @clickhouse_dsn: user:pass@host:port/db.
+    '''
+    df = px.DataFrame('dx_attack_graph',
+                      clickhouse_dsn=clickhouse_dsn,
+                      start_time=start_time)
+    return df[['requestor_pod', 'responder_pod',
+               'requestor_service', 'responder_service',
+               'requestor_ip', 'responder_ip',
+               'weight', 'max_severity', 'confidence',
+               'edge_kind', 'condition', 'criteria', 'num_findings']]