reduce per-call allocations in CEL FieldGetters

[YakirOren]

Summary by CodeRabbit

• Chores

  • Updated Go module dependency to a newer version.

• Performance

  • Optimized internal CEL field retrieval operations to reduce memory allocations and improve type handling efficiency.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates Go module dependency for xcel package and refactors CEL field getter callbacks to use typed primitives (celtypes.*) instead of raw Go types, replaces repeated error allocations with a shared sentinel error, and updates HTTP request field getters to consistently return CEL-typed values.

Changes

Cohort / File(s)	Summary
Dependency Update go.mod	Updates github.com/picatz/xcel dependency from pseudo-version 20250816143731-885b5f678a12 to 20260226001349-6958ffac5706.
CEL Field Getter Refactoring pkg/utils/cel.go	Replaces repeated fmt.Errorf calls with shared errCelObjectNil sentinel for nil object checks. Adjusts CEL field getter return values to use celtypes primitives (String, Uint, Int, Bool) instead of raw Go types across multiple field properties (IDs, ports, flags, layers, paths). Updates HTTP request nested field getters (host, method, url, path, body) to consistently return celtypes.String and use the shared error sentinel.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Hops excitedly through the CEL fields
Where types now bloom in celtypes yields,
No more scattered errors in the heap—
One sentinel stands, the promise we keep!
From Go's raw forms to typed disguise,
The refactor shines before our eyes. ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'reduce per-call allocations in CEL FieldGetters' accurately summarizes the main changes in the pull request, which focus on optimizing memory allocations in CEL FieldGetter callbacks by using a shared error sentinel and returning CEL-typed primitives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch perf/cel-fieldgetter-allocs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Performance Benchmark Results

Node-Agent Resource Usage

Metric	BEFORE	AFTER	Delta
Avg CPU (cores)	0.165	0.159	-3.3%
Peak CPU (cores)	0.170	0.164	-3.5%
Avg Memory (MiB)	303.054	259.904	-14.2%
Peak Memory (MiB)	304.953	265.141	-13.1%

Dedup Effectiveness (AFTER only)

Event Type	Passed	Deduped	Ratio
capabilities	1	0	0.0%
hardlink	6000	0	0.0%
http	1704	119456	98.6%
network	902	77916	98.9%
open	36218	620031	94.5%
symlink	6000	0	0.0%
syscall	974	1919	66.3%

Event Counters

Metric	BEFORE	AFTER
capability_counter	11	9
dns_counter	1459	1393
exec_counter	7297	7006
network_counter	95980	92098
open_counter	799529	766809
syscall_counter	3536	3523

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/utils/cel.go (1)

406-416: ⚠️ Potential issue | 🟡 Minor

uid getter is inconsistent — still returning the raw Go value.

All other UintType fields in this map (attrSize, cmd, pid, ppid) return celtypes.Uint(...), but uid still returns x.Raw.GetUid() unwrapped. This defeats the type-adaption savings the PR is targeting for this field.

♻️ Proposed fix

 	"uid": {
 		Type:  celtypes.UintType,
 		IsSet: isSet,
 		GetFrom: ref.FieldGetter(func(target any) (any, error) {
 			x := target.(*xcel.Object[CelEvent])
 			if x.Raw == nil {
 				return nil, errCelObjectNil
 			}
-			return x.Raw.GetUid(), nil
+			return celtypes.Uint(x.Raw.GetUid()), nil
 		}),
 	},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/utils/cel.go` around lines 406 - 416, The uid field's getter returns the
raw Go uint instead of a CEL uint value; inside the ref.FieldGetter for the
"uid" entry (the function that accesses x := target.(*xcel.Object[CelEvent]) and
calls x.Raw.GetUid()), wrap the returned value with celtypes.Uint(...) and
return that (keeping the existing nil check for x.Raw and errCelObjectNil), so
the getter returns a celtypes.Value like the other UintType fields (attrSize,
cmd, pid, ppid).

🧹 Nitpick comments (1)

pkg/utils/cel.go (1)

522-551: Nit: error branch returns a raw "" instead of celtypes.String("").

Minor consistency issue — every other return in this getter (and across the new HTTP getters) uses celtypes.String(...), but L545 returns a bare "". The value is ignored on the error path so this is purely cosmetic, but worth tightening for consistency.

♻️ Proposed tweak

 			if err != nil {
-				return "", err
+				return celtypes.String(""), err
 			}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/utils/cel.go` around lines 522 - 551, The error branch in the
ref.FieldGetter for the "body" field returns a raw "" string instead of a
celtypes.String, causing inconsistency with other returns; update the error
return within the getter (the branch that does io.ReadAll and checks err) to
return celtypes.String("") along with err (i.e., replace the bare "" return with
celtypes.String("")) so all successful/failed string returns use celtypes.String
consistently; locate this in the anonymous GetFrom function inside the "body"
Type definition in pkg/utils/cel.go (references: ref.FieldGetter,
xcel.Object[CelEvent], errCelObjectNil, req.GetRequest()/GetBuf()).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@pkg/utils/cel.go`:
- Around line 406-416: The uid field's getter returns the raw Go uint instead of
a CEL uint value; inside the ref.FieldGetter for the "uid" entry (the function
that accesses x := target.(*xcel.Object[CelEvent]) and calls x.Raw.GetUid()),
wrap the returned value with celtypes.Uint(...) and return that (keeping the
existing nil check for x.Raw and errCelObjectNil), so the getter returns a
celtypes.Value like the other UintType fields (attrSize, cmd, pid, ppid).

---

Nitpick comments:
In `@pkg/utils/cel.go`:
- Around line 522-551: The error branch in the ref.FieldGetter for the "body"
field returns a raw "" string instead of a celtypes.String, causing
inconsistency with other returns; update the error return within the getter (the
branch that does io.ReadAll and checks err) to return celtypes.String("") along
with err (i.e., replace the bare "" return with celtypes.String("")) so all
successful/failed string returns use celtypes.String consistently; locate this
in the anonymous GetFrom function inside the "body" Type definition in
pkg/utils/cel.go (references: ref.FieldGetter, xcel.Object[CelEvent],
errCelObjectNil, req.GetRequest()/GetBuf()).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fe68c5f1-320c-4ba9-a620-41b15c43b53d

📥 Commits

Reviewing files that changed from the base of the PR and between fb1560b and 87e7b54.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (2)

• go.mod
• pkg/utils/cel.go

[github-actions]

Performance Benchmark Results

Node-Agent Resource Usage

Metric	BEFORE	AFTER	Delta
Avg CPU (cores)	0.163	0.154	-5.7%
Peak CPU (cores)	0.170	0.162	-4.4%
Avg Memory (MiB)	322.420	259.522	-19.5%
Peak Memory (MiB)	324.820	265.230	-18.3%

Dedup Effectiveness (AFTER only)

Event Type	Passed	Deduped	Ratio
capabilities	1	0	0.0%
hardlink	6000	0	0.0%
http	1704	119456	98.6%
network	900	78000	98.9%
open	34959	621292	94.7%
symlink	6000	0	0.0%
syscall	981	1886	65.8%

Event Counters

Metric	BEFORE	AFTER
capability_counter	11	9
dns_counter	1424	1402
exec_counter	7124	7013
network_counter	93674	92235
open_counter	780375	768783
syscall_counter	3527	3455