fix(sight): change cgroup gate to OR semantics and add trace_cgroup F…

[shawtao]

feat(sight): upgrade cgroup gate to OR semantics and add trace_cgroup FFI interface

1. Add traced_pid_cgroup_gate_allow() with OR semantics to cgroup_helper.h: admit if PID is traced OR cgroup is in filter map.

2. Replace AND gate logic in filewatch, filewrite, proctrace (execve_enter) with traced_pid_cgroup_gate_allow() OR call.

3. Add dynamic cgroup filter FFI interface:

   • ProbeCommand channel in ffi.rs for thread-safe probe control
   • agentsight_add_traced_cgroup() / agentsight_remove_traced_cgroup() C exports
   • src/agentsight/include/agentsight.h C header

Stdout/exit paths retain child_pids gate to avoid high-frequency flood.

Description

The existing cgroup filter implementation (merged in 367c6fa) uses AND logic: events pass only when both PID is in traced_processes AND cgroup is in cgroup_filter. This causes a critical issue — when only cgroup_ids are registered (no PIDs in traced_processes), all events are silently dropped because the PID check fails first.

This PR fixes the gate semantics and exposes the dynamic cgroup control via C FFI:

1. Add traced_pid_cgroup_gate_allow() with OR semantics to cgroup_helper.h: admit if PID is traced OR cgroup is in filter map.

2. Replace AND gate logic in filewatch.bpf.c, filewrite.bpf.c, proctrace.bpf.c (execve_enter) with the unified OR gate call.

3. Add dynamic cgroup filter FFI interface:

   • ProbeCommand channel in ffi.rs for thread-safe probe control from caller thread to background pipeline
   • agentsight_add_traced_cgroup() / agentsight_remove_traced_cgroup() C exports
   • src/agentsight/include/agentsight.h C header

Stdout/exit paths retain child_pids gate to avoid high-frequency flood on write(2)/sched_process_exit.

Related Issue

no-issue: semantic fix for cgroup filter gate logic introduced in 367c6fa

Type of Change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional change)
• Performance improvement
• CI/CD or build changes

Scope

• sight (agentsight)

Checklist

• I have read the Contributing Guide
• My code follows the project's code style
• I have added tests that prove my fix is effective or that my feature works
• I have updated the documentation accordingly
• For sight: cargo clippy -- -D warnings and cargo fmt --check pass
• Lock files are up to date (package-lock.json / Cargo.lock)

Testing

• Verified OR semantics: when filter_cgroup_enabled = true and only cgroup IDs are registered (no PIDs), events from processes in those cgroups now pass the gate.
• Verified backward compatibility: when filter_cgroup_enabled = false, behavior is identical to pre-patch (pure PID gate).
• FFI interface tested via agentsight_add_traced_cgroup() / agentsight_remove_traced_cgroup() — commands are enqueued and drained by the background thread's event loop.

Additional Notes

• The NO_CGROUP_FILTER macro path (used by procmon.bpf.c) degrades to pure pid_allow, preserving full-system audit semantics.
• filewatch/filewrite event pid field switched from is_pid_traced() return value to current_ns_pid() since the OR gate no longer guarantees PID registration on cgroup-only admission.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}