adaptive_export: replace PoC with production AE (rev-3 streaming + write-integrity)

.github/workflows/vizier_release.yaml

@@ -15,7 +15,7 @@ jobs:
       image-base-name: "dev_image_with_extras"
   build-release:
     name: Build Release
-    runs-on: oracle-16cpu-64gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: get-dev-image
     permissions:
       contents: read
@@ -29,6 +29,10 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        # dx is a private submodule (src/vizier/services/dx -> entlein/dx); pull it
+        # with the read PAT, same pattern as entlein/bob in k8sstormcenter/bob.
+        submodules: 'recursive'
+        token: ${{ secrets.DX_ENTLEIN_PAT }}
     - name: Add pwd to git safe dir
       run: git config --global --add safe.directory `pwd`
     - name: Use github bazel config
@@ -140,7 +144,7 @@ jobs:
         git commit -s -m "Release Helm chart Vizier ${VERSION}"
         git push origin "gh-pages"
   update-gh-artifacts-manifest:
-    runs-on: oracle-8cpu-32gb-x86-64
+    runs-on: oracle-vm-16cpu-64gb-x86-64
     needs: [get-dev-image, create-github-release]
     container:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "src/vizier/services/dx"]
+	path = src/vizier/services/dx
+	url = git@github.com:entlein/dx.git

k8s/vizier/BUILD.bazel

@@ -26,6 +26,13 @@ VIZIER_IMAGE_TO_LABEL = {
     "$(IMAGE_PREFIX)/vizier-adaptive_export_image:$(BUNDLE_VERSION)": "//src/vizier/services/adaptive_export:adaptive_export_image",
     "$(IMAGE_PREFIX)/vizier-cert_provisioner_image:$(BUNDLE_VERSION)": "//src/utils/cert_provisioner:cert_provisioner_image",
     "$(IMAGE_PREFIX)/vizier-cloud_connector_server_image:$(BUNDLE_VERSION)": "//src/vizier/services/cloud_connector:cloud_connector_server_image",
+    # dx_daemon_image rides the same vizier-release flow as the rest of the
+    # bundle. BUILD lives inside the private entlein/dx submodule mounted at
+    # src/vizier/services/dx (pulled in CI via secrets.DX_ENTLEIN_PAT). See
+    # the AE PR comment thread for the BUILD.bazel templates committed
+    # inside the submodule (top-level pl_go_image + cmd/pl_go_binary +
+    # per-internal go_library).
+    "$(IMAGE_PREFIX)/vizier-dx_daemon_image:$(BUNDLE_VERSION)": "//src/vizier/services/dx:dx_daemon_image",
     "$(IMAGE_PREFIX)/vizier-kelvin_image:$(BUNDLE_VERSION)": "//src/vizier/services/agent/kelvin:kelvin_image",
     "$(IMAGE_PREFIX)/vizier-metadata_server_image:$(BUNDLE_VERSION)": "//src/vizier/services/metadata:metadata_server_image",
     "$(IMAGE_PREFIX)/vizier-pem_image:$(BUNDLE_VERSION)": "//src/vizier/services/agent/pem:pem_image",

skaffold/skaffold_vizier.yaml

@@ -36,8 +36,8 @@ build:
     bazel:
       target: //src/vizier/services/cloud_connector:cloud_connector_server_image.tar
       args:
-        - --config=x86_64_sysroot
-        - --compilation_mode=opt
+      - --config=x86_64_sysroot
+      - --compilation_mode=opt
   - image: vizier-cert_provisioner_image
     context: .
     bazel:
@@ -52,6 +52,16 @@ build:
       args:
       - --config=x86_64_sysroot
       - --compilation_mode=opt
+  # vizier-dx_daemon_image — Go binary built from the private entlein/dx
+  # submodule mounted at src/vizier/services/dx (pulled in CI via
+  # DX_ENTLEIN_PAT; mirrors the entlein/bob → k8sstormcenter/bob pattern).
+  - image: vizier-dx_daemon_image
+    context: .
+    bazel:
+      target: //src/vizier/services/dx:dx_daemon_image.tar
+      args:
+      - --config=x86_64_sysroot
+      - --compilation_mode=opt
   tagPolicy:
     dateTime: {}
   local:

src/api/go/pxapi/opts.go

@@ -82,3 +82,17 @@ func WithDirectCredsInsecure() ClientOption {
 		c.insecureDirect = true
 	}
 }
+
+// WithDirectTLSSkipVerify is the secure-by-default option for direct (standalone /
+// node-local PEM) connections: the transport IS TLS-encrypted, but the server cert
+// is not chain/hostname-verified. Use this instead of WithDirectCredsInsecure when
+// the direct endpoint serves TLS with a self-signed / service cert whose SAN does
+// not match the node IP (e.g. vizier-pem's direct-query port served with
+// service-tls-certs, dialed at HOST_IP). Unlike WithDisableTLSVerification it does
+// NOT require a "cluster.local" address, so it works for the node-IP direct dial.
+// Bearer creds (the minted JWT) therefore ride an encrypted channel, never plaintext.
+func WithDirectTLSSkipVerify() ClientOption {
+	return func(c *Client) {
+		c.disableTLSVerification = true
+	}
+}

src/stirling/source_connectors/socket_tracer/testing/container_images/BUILD.bazel

@@ -24,29 +24,29 @@ package(default_visibility = [
 
 # Generate all Go container library permutations for supported Go versions.
 go_container_libraries(
-    container_type = "grpc_server",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "grpc_server",
     prebuilt_container_versions = pl_go_test_versions,
 )
 
 # Stirling test cases usually test server side tracing. Therefore
 # we only need to provide the bazel SDK versions for the client containers.
 go_container_libraries(
-    container_type = "grpc_client",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "grpc_client",
 )
 
 go_container_libraries(
-    container_type = "tls_server",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "tls_server",
     prebuilt_container_versions = pl_go_test_versions,
 )
 
 # Stirling test cases usually test server side tracing. Therefore
 # we only need to provide the bazel SDK versions for the client containers.
 go_container_libraries(
-    container_type = "tls_client",
     bazel_sdk_versions = pl_all_supported_go_sdk_versions,
+    container_type = "tls_client",
 )
 
 pl_cc_test_library(

src/vizier/services/adaptive_export/BUILD.bazel

@@ -14,6 +14,8 @@
 #
 # SPDX-License-Identifier: Apache-2.0
 
+load("@io_bazel_rules_docker//container:container.bzl", "container_bundle")
+load("@io_bazel_rules_docker//contrib:push-all.bzl", "container_push")
 load("//bazel:pl_build_system.bzl", "pl_go_image")
 
 pl_go_image(
@@ -24,3 +26,27 @@ pl_go_image(
         "//src/vizier:__subpackages__",
     ],
 )
+
+# Single-image bundle + push targets — same shape as
+# //k8s/vizier:image_bundle / vizier_images_push, but scoped to ONLY
+# the adaptive_export image so the SBOB PoC can rebuild this one
+# component without rebuilding kelvin / pem / metadata. Consumed by
+# .github/workflows/adaptive_export_image.yaml via
+# `bazel run :adaptive_export_image_push` with the standard
+# --//k8s:image_repository / --//k8s:image_version overrides.
+container_bundle(
+    name = "adaptive_export_image_bundle",
+    images = {
+        "$(IMAGE_PREFIX)/vizier-adaptive_export_image:$(BUNDLE_VERSION)": ":adaptive_export_image",
+    },
+    toolchains = [
+        "//k8s:image_prefix",
+        "//k8s:bundle_version",
+    ],
+)
+
+container_push(
+    name = "adaptive_export_image_push",
+    bundle = ":adaptive_export_image_bundle",
+    format = "Docker",
+)

src/vizier/services/adaptive_export/cmd/BUILD.bazel

@@ -24,10 +24,18 @@ go_library(
     visibility = ["//visibility:private"],
     deps = [
         "//src/api/go/pxapi",
+        "//src/vizier/services/adaptive_export/internal/activeset",
+        "//src/vizier/services/adaptive_export/internal/clickhouse",
         "//src/vizier/services/adaptive_export/internal/config",
+        "//src/vizier/services/adaptive_export/internal/control",
+        "//src/vizier/services/adaptive_export/internal/controller",
         "//src/vizier/services/adaptive_export/internal/pixie",
+        "//src/vizier/services/adaptive_export/internal/pixieapi",
         "//src/vizier/services/adaptive_export/internal/pxl",
         "//src/vizier/services/adaptive_export/internal/script",
+        "//src/vizier/services/adaptive_export/internal/sink",
+        "//src/vizier/services/adaptive_export/internal/streaming",
+        "//src/vizier/services/adaptive_export/internal/trigger",
         "@com_github_sirupsen_logrus//:logrus",
     ],
 )