sleighconfig: Add Signals config

[russellhancox]

Note: the field on Preflight is likely to be temporary - I think this will end up moving to be a rule type synced during RuleDownload - but is enough to get started

Part of WS-787

[github-actions]

The latest Buf updates on your PR. Results from workflow .github/workflows/update.yml / generate (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	✅ passed	⏩ skipped	✅ passed	Jun 12, 2026, 8:58 PM

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Adds a new CEL-based Signal schema (with Severity enum and description), integrates signals into sleigh telemetry export with per-signal summary response messages, and exposes signals via PreflightResponse in the sync protocol.

Changes

Signal Detection Schema and Integration

Layer / File(s)	Summary
Signal schema foundation common/signals.proto	New proto3 file defines Severity enum (SEVERITY_UNKNOWN through SEVERITY_CRITICAL) and Signal message with name, description, severity, and a CEL boolean expression over event.
Telemetry processing with signals telemetry/sleighconfig.proto	Imports commands/v1.proto and common/signals.proto, extends SleighExportTelemetry with repeated santa.common.v1.Signal signals = 6, and adds SignalReport, SleighExportTelemetryResponse (collection of reports), and SleighResponse oneof wrapper for export_telemetry or binary_upload.
Sync protocol signal exposure syncv2/v2.proto	Adds imports for common/signals.proto and telemetry/sleighconfig.proto, extends PreflightResponse with repeated santa.common.v1.Signal telemetry_signals = 38, and updates the next-ID comment to 39.

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding signals configuration to sleighconfig proto files.
Description check	✅ Passed	The description relates to the changeset by providing context about signals configuration and referencing the related work item WS-787.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch rah/signals

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

syncv2/v2.proto (1)

516-516: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Update the "next ID" comment to reflect the newly allocated field.

Line 516 states // next ID: 38, but field 38 (telemetry_signals) was just allocated on line 475. Update the comment to // next ID: 39 to prevent future field number collisions.

📝 Proposed fix

-  // next ID: 38
+  // next ID: 39

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@syncv2/v2.proto` at line 516, The trailing comment indicating the next
available protobuf field number is stale — update the `// next ID: 38` comment
to `// next ID: 39` to reflect that field 38 (`telemetry_signals`) was just
allocated (referenced in the proto near `telemetry_signals`), preventing future
field-number collisions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@telemetry/sleighconfig.proto`:
- Around line 22-23: The import statements in telemetry/sleighconfig.proto are
not formatted in buf's expected order/style; run `buf format -w` in the repo
root to auto-fix the import ordering and formatting for the lines containing
`import "commands/v1.proto";` and `import "common/signals.proto";`, then commit
the updated file so it passes buf format validation.

---

Outside diff comments:
In `@syncv2/v2.proto`:
- Line 516: The trailing comment indicating the next available protobuf field
number is stale — update the `// next ID: 38` comment to `// next ID: 39` to
reflect that field 38 (`telemetry_signals`) was just allocated (referenced in
the proto near `telemetry_signals`), preventing future field-number collisions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 57ac965b-b7c7-40e7-aee0-26f98e53784c

📥 Commits

Reviewing files that changed from the base of the PR and between 9543eff and 06c1034.

📒 Files selected for processing (3)

• common/signals.proto
• syncv2/v2.proto
• telemetry/sleighconfig.proto

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@common/signals.proto`:
- Around line 40-46: The Signal message is missing a description field required
by the downstream contract (SignalReport.description); update the Signal proto
by adding a string description field (e.g., add `string description = 4;`) to
the Signal message so Signal.description is echoed into
SignalReport.description; ensure the field number does not conflict with
existing fields (name=1, severity=2, expression=3) and include a brief comment
indicating it is echoed into SignalReport.description.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a5469b4e-dac6-4355-9d2f-f38404c91ffd

📥 Commits

Reviewing files that changed from the base of the PR and between dee6765 and 9854186.

📒 Files selected for processing (1)

• common/signals.proto