[Greenhouse] Add agentless mode and simplify CEL cursor handling#18345
Draft
narph wants to merge 3 commits intoelastic:mainfrom
Draft
[Greenhouse] Add agentless mode and simplify CEL cursor handling#18345narph wants to merge 3 commits intoelastic:mainfrom
narph wants to merge 3 commits intoelastic:mainfrom
Conversation
- Add agentless deployment mode to the greenhouse policy template, enabling serverless collection alongside the default agent mode. - Simplify CEL cursor handling by replacing empty-string sentinels in cursor fields (pit_id, search_after, max_event_time) with genuine absence using optional map entries. - Preserve auth_token in the 429 rate-limit handler to avoid unnecessary token refresh on the next poll. Made-with: Cursor
Made-with: Cursor
narph
added
Team:Security-Service Integrations
🚀 Benchmarks reportTo see the full report comment with |
💚 Build Succeeded
|
The empty last page (results=0, next_search_after=null) returned 0 events, so the cursor was never persisted and window_start_time never advanced. Emit a retry placeholder event on the empty last page so the cursor update (advancing window_start_time to max_event_time) is persisted. This prevents re-fetching the entire time window on every poll cycle. Made-with: Cursor
![macroscopeapp[bot]](https://avatars.githubusercontent.com/in/900172?s=60&v=4){kind=small}
Comment on lines
+145
to
+146
| ?"Pit-Id": state.?cursor.pit_id.optMap(v, [v]), | ||
| ?"Search-After": state.?cursor.search_after.optMap(v, [v]), |
There was a problem hiding this comment.
🟠 High stream/cel.yml.hbs:145
The migration from optFlatMap to optMap at lines 145-146 removes empty-string filtering for Pit-Id and Search-After headers. Cursors created before this upgrade may contain pit_id: "" and search_after: "" (the old code at lines 179-180 set these to empty strings between windows). After upgrade, optMap transforms empty strings to [""] and sends Pit-Id: "" and Search-After: "" headers to the API, causing API errors instead of omitting the headers. This breaks data collection for users with existing cursor state until it expires or is manually cleared.
- ?"Pit-Id": state.?cursor.pit_id.optMap(v, [v]),
- ?"Search-After": state.?cursor.search_after.optMap(v, [v]),🤖 Copy this AI Prompt to have your agent fix this:
In file packages/greenhouse/data_stream/audit/agent/stream/cel.yml.hbs around lines 145-146:
The migration from `optFlatMap` to `optMap` at lines 145-146 removes empty-string filtering for `Pit-Id` and `Search-After` headers. Cursors created before this upgrade may contain `pit_id: ""` and `search_after: ""` (the old code at lines 179-180 set these to empty strings between windows). After upgrade, `optMap` transforms empty strings to `[""]` and sends `Pit-Id: ""` and `Search-After: ""` headers to the API, causing API errors instead of omitting the headers. This breaks data collection for users with existing cursor state until it expires or is manually cleared.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
security-service-integrationsteam).pit_id,search_after,max_event_time) with genuine absence using optional map entries. This reduces nesting depth, removes 4.as()bindings in the success path, and makes the cursor semantics explicit.auth_tokenin the 429 rate-limit handler to avoid an unnecessary token refresh on the next poll when rate-limited.CEL cursor changes in detail
Production sites (cursor map):
?"key": has_more ? optional.of(v) : optional.none()instead of"key": has_more ? v : ""formax_event_time,pit_id,search_after.pit_idandsearch_afterentirely instead of setting them to"".Consumption sites:
window_start_time: collapse 5-line ternary toorValue()with initial_interval default.Pit-Id/Search-Afterheaders:optFlatMapwith""guard becomesoptMap(v, [v]).next_max_event_time: 4.as()bindings collapse to 2 usingoptMap/orValue.!body.?results[0].hasValue()for empty-results early return.Test plan
elastic-package test pipeline)elastic-package test system) — 2 hits asserted and foundelastic-package build)Made with Cursor