Skip to content

Add analyze-quality-gate-security-mean-fs-load skill#50375

Open
preinlein wants to merge 1 commit intopaul.reinlein/explain-ladingfrom
paul.reinlein/explain-quality-gate
Open

Add analyze-quality-gate-security-mean-fs-load skill#50375
preinlein wants to merge 1 commit intopaul.reinlein/explain-ladingfrom
paul.reinlein/explain-quality-gate

Conversation

@preinlein
Copy link
Copy Markdown
Contributor

@preinlein preinlein commented May 5, 2026
edited
Loading

What does this PR do?

Adds a new Claude Code skill analyze-quality-gate-security-mean-fs-load that compares production CWS perf_buffer.events.write open rates against the quality_gate_security_mean_fs_load SMP experiment, using quality_gate_security_no_fs_load as the no-load baseline, and proposes lading config changes when a mismatch is found.

Motivation

The quality_gate_security_mean_fs_load lading config should reflect production filesystem workload so the SMP regression detector catches real-world CWS overhead. This skill formalizes the comparison procedure — pinning analysis to a specific SMP job_id, subtracting the no-load noise floor, and proposing concrete YAML changes — so tuning decisions are traceable and reproducible across sessions.

Describe how you validated your changes

Skill is read-only documentation that drives pup metrics query and the existing explain-lading-config skill; no code paths are exercised. Validated by inspection of the procedure against the two regression cases under test/regression/cases/quality_gate_security_{mean,no}_fs_load/.

Additional Notes

  • Adds a CODEOWNERS entry assigning the skill to @DataDog/single-machine-performance and @DataDog/agent-security.

@preinlein preinlein mentioned this pull request May 5, 2026
Open
@preinlein Graphite App
Copy link
Copy Markdown
Contributor Author

preinlein commented May 5, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@preinlein preinlein mentioned this pull request May 5, 2026
Open
@preinlein preinlein added the changelog/no-changelog No changelog entry needed label May 5, 2026
@dd-octo-sts
Copy link
Copy Markdown
Contributor

dd-octo-sts Bot commented May 5, 2026
edited
Loading

Files inventory check summary

File checks results against ancestor 8f67edd8:

Results for datadog-agent_7.80.0~devel.git.486.d1bab2e.pipeline.111593521-1_amd64.deb:

No change detected

@dd-octo-sts
Copy link
Copy Markdown
Contributor

dd-octo-sts Bot commented May 5, 2026
edited
Loading

Static quality checks

✅ Please find below the results from static quality gates
Comparison made with ancestor 8f67edd
📊 Static Quality Gates Dashboard
🔗 SQG Job

32 successful checks with minimal change (< 2 KiB)
Quality gate Current Size
agent_deb_amd64 740.963 MiB
agent_deb_amd64_fips 699.147 MiB
agent_heroku_amd64 309.076 MiB
agent_rpm_amd64 740.946 MiB
agent_rpm_amd64_fips 699.131 MiB
agent_rpm_arm64 719.021 MiB
agent_rpm_arm64_fips 680.300 MiB
agent_suse_amd64 740.946 MiB
agent_suse_amd64_fips 699.131 MiB
agent_suse_arm64 719.021 MiB
agent_suse_arm64_fips 680.300 MiB
docker_agent_amd64 801.342 MiB
docker_agent_arm64 804.245 MiB
docker_agent_jmx_amd64 992.262 MiB
docker_agent_jmx_arm64 983.943 MiB
docker_cluster_agent_amd64 206.603 MiB
docker_cluster_agent_arm64 220.634 MiB
docker_cws_instrumentation_amd64 7.142 MiB
docker_cws_instrumentation_arm64 6.689 MiB
docker_host_profiler_amd64 301.101 MiB
docker_host_profiler_arm64 312.622 MiB
docker_dogstatsd_amd64 39.374 MiB
docker_dogstatsd_arm64 37.628 MiB
dogstatsd_deb_amd64 30.032 MiB
dogstatsd_deb_arm64 28.173 MiB
dogstatsd_rpm_amd64 30.032 MiB
dogstatsd_suse_amd64 30.032 MiB
iot_agent_deb_amd64 44.462 MiB
iot_agent_deb_arm64 41.439 MiB
iot_agent_deb_armhf 42.179 MiB
iot_agent_rpm_amd64 44.462 MiB
iot_agent_suse_amd64 44.462 MiB
On-wire sizes (compressed)
Quality gate Change Size (prev → curr → max)
agent_deb_amd64 +33.02 KiB (0.02% increase) 175.252 → 175.285 → 179.160
agent_deb_amd64_fips -17.38 KiB (0.01% reduction) 167.041 → 167.024 → 174.440
agent_heroku_amd64 +11.15 KiB (0.01% increase) 74.949 → 74.960 → 80.310
agent_rpm_amd64 +9.71 KiB (0.01% increase) 177.289 → 177.298 → 182.080
agent_rpm_amd64_fips -23.53 KiB (0.01% reduction) 168.418 → 168.395 → 174.140
agent_rpm_arm64 +3.62 KiB (0.00% increase) 159.375 → 159.378 → 163.610
agent_rpm_arm64_fips -23.57 KiB (0.02% reduction) 151.753 → 151.730 → 156.850
agent_suse_amd64 +9.71 KiB (0.01% increase) 177.289 → 177.298 → 182.080
agent_suse_amd64_fips -23.53 KiB (0.01% reduction) 168.418 → 168.395 → 174.140
agent_suse_arm64 +3.62 KiB (0.00% increase) 159.375 → 159.378 → 163.610
agent_suse_arm64_fips -23.57 KiB (0.02% reduction) 151.753 → 151.730 → 156.850
docker_agent_amd64 neutral 267.709 MiB → 272.990
docker_agent_arm64 +4.23 KiB (0.00% increase) 254.715 → 254.719 → 261.470
docker_agent_jmx_amd64 neutral 336.343 MiB → 341.610
docker_agent_jmx_arm64 -5.71 KiB (0.00% reduction) 319.363 → 319.358 → 326.050
docker_cluster_agent_amd64 neutral 72.424 MiB → 73.460
docker_cluster_agent_arm64 neutral 67.884 MiB → 68.680
docker_cws_instrumentation_amd64 neutral 2.999 MiB → 3.330
docker_cws_instrumentation_arm64 neutral 2.729 MiB → 3.090
docker_host_profiler_amd64 neutral 110.740 MiB → 125.600
docker_host_profiler_arm64 neutral 105.089 MiB → 120.000
docker_dogstatsd_amd64 neutral 15.240 MiB → 15.870
docker_dogstatsd_arm64 neutral 14.558 MiB → 14.890
dogstatsd_deb_amd64 neutral 7.943 MiB → 8.830
dogstatsd_deb_arm64 neutral 6.827 MiB → 7.750
dogstatsd_rpm_amd64 neutral 7.952 MiB → 8.840
dogstatsd_suse_amd64 neutral 7.952 MiB → 8.840
iot_agent_deb_amd64 -2.12 KiB (0.02% reduction) 11.702 → 11.700 → 13.210
iot_agent_deb_arm64 neutral 9.995 MiB → 11.620
iot_agent_deb_armhf +2.39 KiB (0.02% increase) 10.209 → 10.212 → 11.780
iot_agent_rpm_amd64 neutral 11.721 MiB → 13.230
iot_agent_suse_amd64 neutral 11.721 MiB → 13.230

@cit-pr-commenter-54b7da
Copy link
Copy Markdown

cit-pr-commenter-54b7da Bot commented May 5, 2026
edited
Loading

Regression Detector

Regression Detector Results

Metrics dashboard
Target profiles
Run ID: 6b8a6277-91c6-47aa-b363-fdcce175306b

Baseline: 8f67edd
Comparison: d1bab2e
Diff

Optimization Goals: ✅ No significant changes detected

Experiments ignored for regressions

Regressions in experiments with settings containing erratic: true are ignored.

perf experiment goal Δ mean % Δ mean % CI trials links
docker_containers_cpu % cpu utilization +1.05 [-1.87, +3.96] 1 Logs

Fine details of change detection per experiment

perf experiment goal Δ mean % Δ mean % CI trials links
docker_containers_cpu % cpu utilization +1.05 [-1.87, +3.96] 1 Logs
ddot_logs memory utilization +0.78 [+0.72, +0.85] 1 Logs
quality_gate_metrics_logs memory utilization +0.67 [+0.42, +0.92] 1 Logs bounds checks dashboard
quality_gate_security_idle memory utilization +0.26 [+0.19, +0.33] 1 Logs bounds checks dashboard
quality_gate_idle_all_features memory utilization +0.25 [+0.21, +0.29] 1 Logs bounds checks dashboard
quality_gate_security_no_fs_load memory utilization +0.24 [+0.15, +0.34] 1 Logs bounds checks dashboard
ddot_metrics memory utilization +0.22 [+0.03, +0.42] 1 Logs
ddot_metrics_sum_delta memory utilization +0.21 [+0.03, +0.39] 1 Logs
docker_containers_memory memory utilization +0.20 [+0.10, +0.30] 1 Logs
quality_gate_security_mean_fs_load memory utilization +0.17 [+0.13, +0.20] 1 Logs bounds checks dashboard
file_to_blackhole_1000ms_latency egress throughput +0.07 [-0.36, +0.50] 1 Logs
otlp_ingest_metrics memory utilization +0.07 [-0.08, +0.23] 1 Logs
file_to_blackhole_0ms_latency egress throughput +0.01 [-0.51, +0.53] 1 Logs
uds_dogstatsd_to_api_v3 ingress throughput +0.01 [-0.19, +0.22] 1 Logs
tcp_dd_logs_filter_exclude ingress throughput +0.01 [-0.08, +0.11] 1 Logs
file_to_blackhole_100ms_latency egress throughput -0.03 [-0.17, +0.12] 1 Logs
uds_dogstatsd_to_api ingress throughput -0.04 [-0.26, +0.18] 1 Logs
file_to_blackhole_500ms_latency egress throughput -0.04 [-0.44, +0.36] 1 Logs
ddot_metrics_sum_cumulativetodelta_exporter memory utilization -0.09 [-0.33, +0.15] 1 Logs
ddot_metrics_sum_cumulative memory utilization -0.15 [-0.31, +0.01] 1 Logs
uds_dogstatsd_20mb_12k_contexts_20_senders memory utilization -0.27 [-0.32, -0.22] 1 Logs
quality_gate_idle memory utilization -0.43 [-0.48, -0.38] 1 Logs bounds checks dashboard
quality_gate_logs % cpu utilization -0.74 [-1.73, +0.24] 1 Logs bounds checks dashboard
tcp_syslog_to_blackhole ingress throughput -0.75 [-0.96, -0.55] 1 Logs
otlp_ingest_logs memory utilization -0.92 [-1.04, -0.81] 1 Logs

Bounds Checks: ✅ Passed

perf experiment bounds_check_name replicates_passed observed_value links
docker_containers_cpu simple_check_run 10/10 576 ≥ 26
docker_containers_memory memory_usage 10/10 241.85MiB ≤ 370MiB
docker_containers_memory simple_check_run 10/10 723 ≥ 26
file_to_blackhole_0ms_latency memory_usage 10/10 0.16GiB ≤ 1.20GiB
file_to_blackhole_0ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_1000ms_latency memory_usage 10/10 0.21GiB ≤ 1.20GiB
file_to_blackhole_1000ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_100ms_latency memory_usage 10/10 0.17GiB ≤ 1.20GiB
file_to_blackhole_100ms_latency missed_bytes 10/10 0B = 0B
file_to_blackhole_500ms_latency memory_usage 10/10 0.19GiB ≤ 1.20GiB
file_to_blackhole_500ms_latency missed_bytes 10/10 0B = 0B
quality_gate_idle intake_connections 10/10 3 ≤ 4 bounds checks dashboard
quality_gate_idle memory_usage 10/10 140.34MiB ≤ 147MiB bounds checks dashboard
quality_gate_idle_all_features intake_connections 10/10 3 ≤ 4 bounds checks dashboard
quality_gate_idle_all_features memory_usage 10/10 471.50MiB ≤ 495MiB bounds checks dashboard
quality_gate_logs intake_connections 10/10 3 ≤ 6 bounds checks dashboard
quality_gate_logs memory_usage 10/10 174.58MiB ≤ 195MiB bounds checks dashboard
quality_gate_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_metrics_logs cpu_usage 10/10 386.83 ≤ 2000 bounds checks dashboard
quality_gate_metrics_logs intake_connections 10/10 4 ≤ 6 bounds checks dashboard
quality_gate_metrics_logs memory_usage 10/10 384.29MiB ≤ 430MiB bounds checks dashboard
quality_gate_metrics_logs missed_bytes 10/10 0B = 0B bounds checks dashboard
quality_gate_security_idle cpu_usage 10/10 24.93 ≤ 40 bounds checks dashboard
quality_gate_security_idle memory_usage 10/10 287.44MiB ≤ 330MiB bounds checks dashboard
quality_gate_security_mean_fs_load cpu_usage 10/10 55.12 ≤ 70 bounds checks dashboard
quality_gate_security_mean_fs_load memory_usage 10/10 265.17MiB ≤ 320MiB bounds checks dashboard
quality_gate_security_no_fs_load cpu_usage 10/10 20.94 ≤ 40 bounds checks dashboard
quality_gate_security_no_fs_load memory_usage 10/10 274.20MiB ≤ 320MiB bounds checks dashboard

Explanation

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

Performance changes are noted in the perf column of each table:

  • ✅ = significantly better comparison variant performance
  • ❌ = significantly worse comparison variant performance
  • ➖ = no significant change in performance

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

  1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

  2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

  3. Its configuration does not mark it "erratic".

CI Pass/Fail Decision

Passed. All Quality Gates passed.

  • quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_idle, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
  • quality_gate_security_no_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_no_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_mean_fs_load, bounds check memory_usage: 10/10 replicas passed. Gate passed.
  • quality_gate_security_mean_fs_load, bounds check cpu_usage: 10/10 replicas passed. Gate passed.

@preinlein preinlein force-pushed the paul.reinlein/explain-lading branch from 7177145 to cb02849 Compare May 5, 2026 15:05
@preinlein preinlein force-pushed the paul.reinlein/explain-quality-gate branch from fd9ffcc to ac43e30 Compare May 5, 2026 15:05
@preinlein preinlein added the qa/no-code-change No code change in Agent code requiring validation label May 5, 2026
@preinlein preinlein force-pushed the paul.reinlein/explain-quality-gate branch from ac43e30 to c44c9ae Compare May 5, 2026 15:12
@preinlein preinlein force-pushed the paul.reinlein/explain-lading branch 2 times, most recently from 23b3368 to 11959ed Compare May 5, 2026 17:31
@preinlein preinlein force-pushed the paul.reinlein/explain-quality-gate branch from c44c9ae to e9a34d9 Compare May 5, 2026 17:31
@preinlein preinlein marked this pull request as ready for review May 5, 2026 17:54
@preinlein preinlein requested a review from a team as a code owner May 5, 2026 17:54
@preinlein preinlein mentioned this pull request May 5, 2026
Closed
chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed May 5, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: e9a34d9f73

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread .claude/skills/analyze-quality-gate-security-mean-fs-load/SKILL.md Outdated
@github-actions github-actions Bot added the medium review PR review might take time label May 5, 2026
@preinlein preinlein force-pushed the paul.reinlein/explain-quality-gate branch from e9a34d9 to 134a9e3 Compare May 5, 2026 18:37
goxberry
goxberry reviewed May 5, 2026
View reviewed changes
Comment thread .claude/skills/analyze-quality-gate-security-mean-fs-load/SKILL.md Outdated
goxberry
goxberry reviewed May 5, 2026
View reviewed changes
Comment thread .claude/skills/analyze-quality-gate-security-mean-fs-load/SKILL.md
pup metrics query --query 'avg:single_machine_performance.regression_detector.capture.datadog.runtime_security.perf_buffer.events.write{event_type:open,variant:comparison,experiment:quality_gate_security_no_fs_load} by {job_id}.as_rate()' --from 1d --to now
```

For each returned series, read its `scope` (contains `job_id:<UUID>`) and its `pointlist`. Null-safe: drop points whose value is `None`. Per job, record the timestamp of the **last non-zero point**. The `job_id` with the most recent last-non-zero timestamp is "the latest job" for that experiment.
Copy link
Copy Markdown
Contributor

@goxberry goxberry May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This part seems potentially scriptable in the future. I don't think it's worth blocking on writing a script for this operation -- I'd rather have the skill in the repo sooner -- but worth noting as a potential variance-reducing optimization.

goxberry
goxberry reviewed May 5, 2026
View reviewed changes
Comment thread .claude/skills/analyze-quality-gate-security-mean-fs-load/SKILL.md
When reporting `capture_first_ts` / `capture_last_ts`, do not compute ISO strings by hand, use:

```bash
python3 -c "from datetime import datetime, timezone; print(datetime.fromtimestamp($(( MS / 1000 )), timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ'))"
Copy link
Copy Markdown
Contributor

@goxberry goxberry May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1; Python is probably more cross-platform than date from GNU Coreutils.

goxberry
goxberry reviewed May 5, 2026
View reviewed changes
Comment thread .claude/skills/analyze-quality-gate-security-mean-fs-load/SKILL.md
### 3c. Sanity checks

- If fewer than ~5 non-zero points come back for a latest job, the capture may be in flight or interrupted. Try the second-most-recent `job_id` and report both so the reviewer can judge.
- If the `mean_fs_load` and `no_fs_load` latest `job_id`s ran more than 24 h apart, flag the staleness — background noise floor drifts over time.
Copy link
Copy Markdown
Contributor

@goxberry goxberry May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The background noise floor drift is an interesting observation. I wonder if we can model that in the future.

goxberry
goxberry reviewed May 5, 2026
View reviewed changes
Comment thread .claude/skills/analyze-quality-gate-security-mean-fs-load/SKILL.md

- If fewer than ~5 non-zero points come back for a latest job, the capture may be in flight or interrupted. Try the second-most-recent `job_id` and report both so the reviewer can judge.
- If the `mean_fs_load` and `no_fs_load` latest `job_id`s ran more than 24 h apart, flag the staleness — background noise floor drifts over time.
- Never fall back to wider windows with coarser rollups (≥300 s intervals) as a substitute — rollup gap-fill deflates per-job means when a capture only partially occupies a bucket.
Copy link
Copy Markdown
Contributor

@goxberry goxberry May 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call-out here.

@preinlein preinlein force-pushed the paul.reinlein/explain-lading branch from 11959ed to 2fd3f25 Compare May 5, 2026 19:35
@preinlein preinlein force-pushed the paul.reinlein/explain-quality-gate branch from 134a9e3 to ac40a1f Compare May 5, 2026 19:35
@preinlein preinlein force-pushed the paul.reinlein/explain-quality-gate branch from ac40a1f to d1bab2e Compare May 5, 2026 19:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@goxberry goxberry goxberry approved these changes

Assignees

No one assigned

Labels

changelog/no-changelog No changelog entry needed medium review PR review might take time qa/no-code-change No code change in Agent code requiring validation

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@preinlein @goxberry