feat(eventviewerx): add typed live/catalog query executors

[PrzemyslawKlys]

Summary

• add typed EventViewerX contracts + executors for:
  • event catalog queries (channels/providers)
  • live event query
  • live event stats query
  • EVTX event projection report
• move session/open/query/aggregation/projection logic behind stable engine-level APIs
• add focused tests for new executors and validation paths

Why

This lets IntelligenceX.Tools.EventLog remain thin wrappers and removes direct EventLogSession/live query loops and EVTX event projection loops from Tools.

Validation

• dotnet build Sources/EventViewerX/EventViewerX.csproj -c Debug -v minimal
• dotnet test Sources/EventViewerX.Tests/EventViewerX.Tests.csproj -c Debug -v minimal --filter "TestEventCatalogQueryExecutor|TestLiveEventQueryExecutor|TestLiveStatsQueryExecutor|TestEvtxEventReportBuilder"

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, add credits to your account and enable them for code reviews in your settings.

[claude]

Claude finished @PrzemyslawKlys's task —— View job

---

PR Review: EventViewerX Live/Catalog Query Executors

I've completed my review of this PR. Here's my comprehensive feedback:

Todo List:

• Read repository guidelines (CLAUDE.md)
• Analyze contract definitions and architecture
• Review executor implementations
• Evaluate test coverage and quality
• Check for potential bugs and security issues
• Provide comprehensive feedback

Summary

This is a well-architected addition that introduces typed contracts and executors for EventViewerX operations. The code follows good patterns with proper error handling, input validation, and structured result types.

Code Quality Assessment

✅ Strengths

Strong Architecture:

• Clear separation of concerns with dedicated contract and executor classes
• Consistent error handling patterns across all executors
• Well-defined result types with proper truncation indicators
• Comprehensive input validation with detailed error messages

Good Defensive Programming:

• All executors include null checks and parameter validation
• Safe accessors for potentially throwing properties (SafeGetUserSid, SafeGetMessage)
• Proper exception handling with categorized failure types
• Cancellation token support throughout

Consistent API Design:

• All executors follow the same Try* pattern returning bool with out parameters
• Uniform failure categorization (InvalidArgument, AccessDenied, Timeout, Exception)
• Clear documentation with XML comments
• Consistent naming conventions

🔍 Areas for Improvement

Code Duplication:

• The IsTimeoutLike method is duplicated in LiveEventQueryExecutor.cs:180-187 and LiveStatsQueryExecutor.cs:212-219
• SafeGetUserSid and SafeGetMessage are duplicated between LiveEventQueryExecutor.cs:154-168 and EvtxEventReportBuilder.cs:88-102
• TruncateSafe is duplicated between the same files

Minor Issues:

• In LiveStatsQueryExecutor.cs:53-56, the break logic inside the time range check could be more efficient if moved outside the loop condition check
• Some magic numbers like MaxMessageChars = 4000 in contracts could be documented constants

Performance Consideration:

• EventCatalogQueryExecutor.cs:201-212 converts enumerable to list twice (once for filtering, once for sorting). Could be optimized with a single pass.

Security Assessment

✅ Security Strengths

• No sensitive information exposed in error messages
• Safe handling of potentially malicious message content via truncation
• Proper timeout handling prevents resource exhaustion
• Input validation prevents injection attacks through parameter validation

🔒 No Security Concerns Found

• No credential handling or sensitive data logging
• Proper use of StringComparison.Ordinal for dictionary operations
• Safe exception handling without exposing stack traces

Test Coverage Evaluation

✅ Good Coverage Areas

• All executors have validation tests for key failure scenarios
• Tests cover null inputs, invalid parameters, and boundary conditions
• Proper assertion patterns with expected failure kinds

📋 Test Coverage Gaps

• Limited integration tests (mainly validation-focused)
• No tests for successful execution paths with actual data
• Missing tests for edge cases like:
  • Very large result sets
  • Network timeout scenarios
  • Cancellation token behavior
  • Message truncation logic

Performance Considerations

Potential Optimizations:

• Consider using StringBuilder for large message concatenations
• The sorting in EventCatalogQueryExecutor.BuildNameRows could be expensive for large datasets
• Time range filtering in LiveStatsQueryExecutor processes all events before applying time filters

Resource Management:

• Proper using statements for disposable resources
• Appropriate collection sizing where known

Recommendations

High Priority

1. Extract shared utilities - Create a common utilities class for SafeGetUserSid, SafeGetMessage, TruncateSafe, and IsTimeoutLike methods to eliminate duplication

Medium Priority

2. Optimize filtering logic - In LiveStatsQueryExecutor, apply time filtering during event enumeration rather than after
3. Add integration tests - Include tests that verify successful execution with mock data
4. Performance documentation - Document expected performance characteristics for large datasets

Low Priority

5. Extract constants - Define common defaults like message length limits as named constants
6. Enhanced error context - Consider adding more context to exception messages where helpful for debugging

Overall Assessment

This is a high-quality implementation that demonstrates good software engineering practices. The code is well-structured, properly documented, and includes appropriate error handling. The minor issues identified are primarily around code reuse and optimization opportunities rather than functional correctness.

The PR successfully achieves its goal of providing stable, typed APIs for EventViewerX operations while maintaining consistency with existing patterns in the codebase.

Recommendation: Approve with suggested improvements

---