Skip to content

Add structured denial telemetry#209

Merged
seanwevans merged 2 commits into
mainfrom
codex/treat-denials-as-structured-telemetry
May 13, 2026
Merged

Add structured denial telemetry#209
seanwevans merged 2 commits into
mainfrom
codex/treat-denials-as-structured-telemetry

Conversation

@seanwevans
Copy link
Copy Markdown
Owner

@seanwevans seanwevans commented May 13, 2026

Motivation

  • Treat denied operations as first-class, structured telemetry so denials can be inspected and segmented rather than inferred from exception strings.
  • Record both broker and kernel decisions for denied operations to make policy/bpf interactions observable.
  • Surface denial events to monitoring so denial counts and decision-dimensions are available as Prometheus metrics.

Description

  • Add a new DenialEvent dataclass and public export via pyisolate.telemetry.DenialEvent. (pyisolate/telemetry.py, exported in pyisolate/__init__.py).
  • Attach denial events to PolicyError/PolicyAuthError via a new optional denial_event attribute so callers can inspect the event that caused the raised error. (pyisolate/errors.py).
  • Emit structured denial events from sandbox enforcement paths (filesystem, network, subprocess, random, import) and record them on the SandboxThread, plus expose Sandbox.get_denial_events() and SandboxThread.get_denial_events(). (pyisolate/runtime/thread.py, pyisolate/supervisor.py).
  • Include denial events in Sandbox.stats and add Prometheus export of denial aggregates and decision-dimensional denial samples in the metrics exporter. (pyisolate/observability/metrics.py).
  • Add control-plane denial telemetry when control operations are rejected due to invalid policy tokens. (pyisolate/supervisor.py).
  • Document the denial telemetry schema in the protocol docs and add tests validating event payloads and metric export. (docs/protocol.md, tests/test_alerts.py, tests/test_metrics.py).

Testing

  • Compiled affected modules with python -m py_compile which succeeded for the modified files.
  • Ran focused test groups (tests/test_alerts.py, tests/test_metrics.py, tests/test_capabilities.py, tests/test_policy_enforcement.py) and the denial-telemetry/metering assertions passed.
  • Ran additional BPF/ Supervisor unit checks and a broad subset of the suite; the targeted denial telemetry checks pass but the full test suite currently reports 3 failures related to legacy global-state interactions around policy reload monkeypatching and recovery cleanup (test_reload_with_cap, test_refresh_passes_compiled_policy, test_module_import_is_lazy). These failures are orthogonal to the telemetry feature and stem from test environment global-state assumptions.

Codex Task

@seanwevans seanwevans merged commit 2bcb475 into main May 13, 2026
1 of 19 checks passed
@seanwevans seanwevans deleted the codex/treat-denials-as-structured-telemetry branch May 13, 2026 13:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@seanwevans