feat(forensics): forensic CLI commands (timeline / trace / snapshot / evaluations / transitions)#19

Merged
caballeto merged 1 commit into
mainfrom
feat/forensics
Apr 29, 2026
Conversation

@caballeto
Member

Summary

Adds a new `forensics` topic to the DevHelm CLI with 5 read-only commands that surface the event-sourced detection forensic model:

| Command | Description |
| --- | --- |
| `devhelm forensics timeline ` | Full state-transition / triggering-evaluation / policy-snapshot timeline for an incident |
| `devhelm forensics trace ` | Everything the engine recorded for a single check execution |
| `devhelm forensics snapshot ` | Fetch a content-addressed policy snapshot |
| `devhelm forensics evaluations --monitor-id ` | Paginated rule evaluations (filters: `--rule-type`, `--region`, `--only-matched`, `--from`, `--to`) |
| `devhelm forensics transitions --monitor-id ` | Paginated state transitions (filters: `--from`, `--to`) |

All commands honour `--output table|json|yaml`. Schemas regenerated from the latest `monitoring-api.json`.

Companion PRs

  • API: devhelmhq/mono `feat/detection-forensic-model`
  • SDKs: devhelmhq/sdk-python and devhelmhq/sdk-js `feat/forensics`
  • MCP: devhelmhq/mcp-server `feat/forensics`

Test plan

  • `npm run typecheck` passes
  • `npm run lint` clean
  • `npm test` passes
  • CLI surface smoke (in mono `tests/surfaces/cli/test_smoke.py`) confirms `forensics` topic + all 5 subcommands present
  • Surface integration tests pass against the API on `feat/detection-forensic-model`

Made with Cursor

… evaluations / transitions)

Surfaces the read-only forensic model from the API:

- forensics timeline <incident-id> — full state-transition / triggering-evaluation
  / policy-snapshot timeline for a single incident
- forensics trace <check-id> — everything the engine recorded for one check
- forensics snapshot <hash-hex> — fetch a content-addressed policy snapshot
- forensics evaluations --monitor-id <id> [--rule-type --region --only-matched
  --from --to --page --size] — paginated rule evaluations
- forensics transitions --monitor-id <id> [--from --to --page --size] —
  paginated state transitions

All commands honour --output table|json|yaml. Schemas regenerated from the
latest monitoring-api.json so api.generated.ts and api-zod.generated.ts pick
up the new IncidentTimelineDto / CheckTraceDto / PolicySnapshotDto /
RuleEvaluationDto / IncidentStateTransitionDto types.

Made-with: Cursor
@caballeto caballeto merged commit 37ab3aa into main Apr 29, 2026
3 checks passed
@caballeto caballeto deleted the feat/forensics branch April 29, 2026 14:35