+56

.github/workflows/mdbook.yml

reviewed

··· 1 1 + name: Deploy mdBook site to Pages 2 2 + 3 3 + on: 4 4 + # Runs on pushes targeting the default branch 5 5 + push: 6 6 + branches: ["main"] 7 7 + 8 8 + # Allows you to run this workflow manually from the Actions tab 9 9 + workflow_dispatch: 10 10 + 11 11 + # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages 12 12 + permissions: 13 13 + contents: read 14 14 + pages: write 15 15 + id-token: write 16 16 + 17 17 + # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. 18 18 + # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. 19 19 + concurrency: 20 20 + group: "pages" 21 21 + cancel-in-progress: false 22 22 + 23 23 + jobs: 24 24 + # Build job 25 25 + build: 26 26 + runs-on: ubuntu-latest 27 27 + env: 28 28 + MDBOOK_VERSION: 0.5.2 29 29 + steps: 30 30 + - uses: actions/checkout@v4 31 31 + - name: Install mdBook 32 32 + run: | 33 33 + curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf -y | sh 34 34 + rustup update 35 35 + cargo install --version ${MDBOOK_VERSION} mdbook 36 36 + - name: Setup Pages 37 37 + id: pages 38 38 + uses: actions/configure-pages@v5 39 39 + - name: Build with mdBook 40 40 + run: mdbook build docs 41 41 + - name: Upload artifact 42 42 + uses: actions/upload-pages-artifact@v3 43 43 + with: 44 44 + path: ./docs/book 45 45 + 46 46 + # Deployment job 47 47 + deploy: 48 48 + environment: 49 49 + name: github-pages 50 50 + url: ${{ steps.deployment.outputs.page_url }} 51 51 + runs-on: ubuntu-latest 52 52 + needs: build 53 53 + steps: 54 54 + - name: Deploy to GitHub Pages 55 55 + id: deployment 56 56 + uses: actions/deploy-pages@v4

+3

.gitignore

reviewed

··· 306 306 # End of https://www.toptal.com/developers/gitignore/api/python,rust,pycharm 307 307 308 308 .claude 309 309 + 310 310 + # docs output 311 311 + book/

+22 -99

README.md

reviewed

··· 1 1 - # ROOST - Osprey 2 2 - 3 3 - <img width="200" height="64" alt="Copy of ROOST-Mark-Yellow" src="/images/ROOST-Horizontal-Yellow.png" /> 4 4 - 5 5 - # Welcome to Osprey 6 6 - 7 7 - <img alt="Osprey UI Sample" src="./images/query-and-charts.png" /> 8 8 - 9 9 - 10 10 - ## Overview 1 1 + <img width="200" height="64" alt="ROOST logo" src="images/ROOST-Horizontal-Yellow.png" /> 11 2 12 12 - This repository is home to one of ROOST’s safety tools, the Osprey rules engine. Osprey is an open-source event stream decisions engine and analysis UI designed to investigate and take automatic action on events and their properties as they happen in real-time. Originally developed internally at [Discord](https://discord.com/) to combat spam, abuse, botting, and scripting across its platform, Osprey has now been open-sourced to help other platforms facing similar challenges. 3 3 + # Osprey 13 4 14 14 - Osprey is a library for processing actions through human-written rules and outputting verdicts & custom effects back to configurable output sinks. It evaluates events using structured rule logic (SML) that is extendable via user-defined functions (UDFs). Osprey can also track state across events by labelling entities if implementers provide a labels service backend (see [labels_service.py](./example_plugins/src/services/labels_service.py) for a Postgres-backed labels service example) 15 15 - 16 16 - This 'Rules \+ Investigation' tool is able to: 5 5 + **Automate the obvious and investigate the ambiguous.** High-performance safety rules engine for real-time event processing at scale. 17 6 18 7 - take action based on user behavior 19 8 - combine actions with human written rules 20 9 - let operators query human actions and past decisions 21 10 - perform investigations or write new rules based on decisions 22 11 23 23 - ## v0 Release Notes 24 24 - The v0 release is built for engineers and Trust & Safety teams who want to explore, test, and integrate Osprey's core capabilities into their platform for incident response and Trust & Safety investigation. 12 12 + Osprey is an event stream decisions engine and analysis UI designed to investigate and take automatic action on events and their properties as they happen in real-time. Originally developed internally at [Discord](https://discord.com/) to combat spam, abuse, botting, and scripting across its platform, Osprey has been open-sourced to help other platforms facing similar challenges. 25 13 26 26 - Some UI features have been planned for the v1 release to ensure a solid foundation for experimentation: 14 14 +  27 15 28 28 - - **Bulk actions** - Mass investigation and response operations through the UI 29 29 - - **Labels** - Visual entity tagging and categorization systems in the interface 30 30 - - **Event stream in UI** - Real-time event monitoring and alert dashboard 31 31 - - **Load Balancing** - Better performance efficiency and management of sync/async rules 16 16 + Osprey is a library for processing actions through human-written rules and outputting verdicts & custom effects back to configurable output sinks. It evaluates events using structured rule logic (SML) that is extendable via user-defined functions (UDFs). Osprey can also track state across events by labelling entities if implementers provide a labels service backend (see [labels_service.py](./example_plugins/src/services/labels_service.py) for a Postgres-backed labels service example). 32 17 33 33 - ### Feedback Wanted 34 34 - This is a working system, not a prototype. Try it locally, connect your data, write some rules, and tell us what's missing for your use case. We're particularly interested in: 18 18 + Osprey is built for engineers and Trust & Safety teams who want to explore, test, and integrate its core capabilities into their platform for incident response and Trust & Safety investigation. [Read more about user research and personas](docs/user_personas.md). 35 19 36 36 - - Integration challenges with your existing platform infrastructure 37 37 - - Performance characteristics with your event volumes and rule complexity 38 38 - - Missing detection capabilities or response actions you need 39 39 - - API improvements that would make adoption easier for your team 20 20 + ## Development 40 21 41 41 - Your experimentation feedback will directly shape v1 priorities and help us build the most useful Trust & Safety tooling for the community. 22 22 + - See [DEVELOPMENT.md](./docs/DEVELOPMENT.md) for comprehensive development setup and workflow documentation 23 23 + - All code changes should pass linting (Ruff) and type checking (MyPy) 24 24 + - Pre-commit hooks automatically run on each commit to maintain code quality 42 25 43 26 ## Join Us 27 27 + 44 28 Writing code is not the only way to help the project. Reviewing pull requests, answering questions to help others on mailing lists or issues, providing feedback from a domain expert perspective, organizing and teaching tutorials, working on the website, improving the documentation, are all priceless contributions. 45 29 46 46 - - Join us on [Discord server](https://discord.gg/5Csqnw2FSQ) 30 30 + - Join us in [our Discord server](https://discord.gg/5Csqnw2FSQ) 47 31 - Join our [newsletter](https://roost.tools/#get-started) for more announcements and information 48 32 - Follow us on [Bluesky](https://bsky.app/profile/roost.tools) or [LinkedIn](https://www.linkedin.com/company/roost-tools/) 49 33 50 50 - _ROOST (Robust Open Online Safety Tools), a non-profit organization that brings together expertise, resources, and investments from major technology companies and philanthropies to build scalable, interoperable safety infrastructure for the AI era._ 34 34 + _[ROOST](https://roost.tools) (Robust Open Online Safety Tools) is a non-profit organization that brings together expertise, resources, and investments from major technology companies and philanthropies to build scalable, interoperable safety infrastructure for the AI era._ 51 35 52 52 - ## 🚀 Quick Start 36 36 + ### Feedback Wanted 53 37 54 54 - ### Prerequisites 38 38 + This is a working system, not a prototype. Try it locally, connect your data, write some rules, and tell us what's missing for your use case. We're particularly interested in: 55 39 56 56 - - Python 3.11 or higher 57 57 - - Git 58 58 - - [uv](https://docs.astral.sh/uv/) (Python package manager) or python package manager of choice 40 40 + - Integration challenges with your existing platform infrastructure 41 41 + - Performance characteristics with your event volumes and rule complexity 42 42 + - Missing detection capabilities or response actions you need 43 43 + - API improvements that would make adoption easier for your team 59 44 60 60 - ### Installation 45 45 + Your experimentation feedback will directly shape future priorities and help us build the most useful Trust & Safety tooling for the community. 61 46 62 62 - 1. **Clone the repository:** 47 47 + ## Recognition 63 48 64 64 - ```bash 65 65 - git clone git@github.com:roostorg/osprey.git 66 66 - cd osprey 67 67 - ``` 68 68 - 69 69 - 2. **Install dependencies using uv:** 70 70 - 71 71 - ```bash 72 72 - uv sync 73 73 - ``` 74 74 - 75 75 - 3. **Set up development tools:** 76 76 - 77 77 - ```bash 78 78 - uv run pre-commit install 79 79 - ``` 80 80 - 81 81 - 4. **Verify setup:** 82 82 - 83 83 - ```bash 84 84 - # Test linting 85 85 - uv run ruff check 86 86 - uv run mypy . 87 87 - 88 88 - # Test formatting 89 89 - uv run ruff format --diff 90 90 - 91 91 - # Test pre-commit hooks 92 92 - uv run pre-commit run --all-files 93 93 - 94 94 - 5. **Start Services:** 95 95 - 96 96 - ```bash 97 97 - docker compose up -d 98 98 - ``` 99 99 - 100 100 - or using the wrapper script 101 101 - 102 102 - ```bash 103 103 - ./start.sh 104 104 - ``` 105 105 - 106 106 - this starts the osprey-worker on its own along with all its required dependencies. 107 107 - 108 108 - alternatively, you can start Osprey with `osprey-coordinator`, refer to the [Coordinator README](./example_docker_compose/run_osprey_with_coordinator/README.md) for more information 109 109 - 110 110 - 6. (Optional) **Open ports for the UI/UI API:** 111 111 - 112 112 - By default, the `docker-compose.yaml` binds running services to `127.0.0.1`. If you are running the docker compose on a headless machine, you may need to modify this configuration and/or make changes to your firewall, specifically for ports `5002` and `5004`. 113 113 - 114 114 - For example, if you use Tailscale to access your Osprey instance, you may change `127.0.0.1:5002:5002` to `<Tailscale IP>:5002:5002`. Alternatively, if you wish for your instance to be accessible from the public internet, you may set it simply to `5002:5002` to bind to `0.0.0.0`. 115 115 - 116 116 - Be aware that some firewalls like iptables/UFW do _not_ prevent access to ports being used by Docker networking. Not explicitly setting a bind address with only UFW as a firewall will not prevent access from the public internet unless [properly configured](https://github.com/chaifeng/ufw-docker). 117 117 - 118 118 - ### Development Workflow 119 119 - 120 120 - - See [DEVELOPMENT.md](./docs/DEVELOPMENT.md) for comprehensive development setup and workflow documentation 121 121 - - All code changes should pass linting (Ruff) and type checking (MyPy) 122 122 - - Pre-commit hooks automatically run on each commit to maintain code quality 123 123 - 124 124 - 125 125 - ## Recognition 126 49 Discord uses Osprey to quickly detect and remove new types of harm that put users at risk. Rather than leaving other platforms to build similar tools from scratch, ROOST and Discord have open-sourced this powerful rule engine in collaboration with [internet.dev](https://internet.dev/) to make it available for anyone who needs it.

+15

book.toml

reviewed

··· 1 1 + [book] 2 2 + title = "Osprey Documentation" 3 3 + authors = ["ROOST"] 4 4 + language = "en" 5 5 + src = "docs" 6 6 + 7 7 + [build] 8 8 + build-dir = "book" 9 9 + 10 10 + [output.html] 11 11 + edit-url-template = "https://github.com/roostorg/osprey/edit/main/{path}" 12 12 + git-repository-url = "https://github.com/roostorg/osprey" 13 13 + 14 14 + [output.html.print] 15 15 + enable = false

+30 -325

docs/DEVELOPMENT.md

reviewed

··· 1 1 - # Development 2 2 - Welcome to the development guide for Osprey. This document will help you get started with contributing to the project. 3 3 - 4 4 - ## Reporting a Bug or Issue 5 5 - Found a bug or have a feature request? We'd love to hear from you! When opening an issue, please use our templates: 6 6 - 7 7 - * [Bug Report](https://github.com/roostorg/osprey/issues/new?template=bug_report.md) 8 8 - * [Feature Request](https://github.com/roostorg/osprey/issues/new?template=feature_request.md) 9 9 - * [Submit an Egg (new tool idea) to ROOST!](https://github.com/roostorg/osprey/issues/new?template=documentation.md) 10 10 - 11 1 # Setup Guide 12 2 13 3 This guide provides comprehensive instructions for setting up a development environment for Osprey. 14 4 15 5 ## Prerequisites 16 6 17 17 - ### System Requirements 18 18 - 19 19 - - **Python 3.11 or higher** - Check with `python --version` 20 20 - - **Git** - Version control system 21 7 - **Operating System**: macOS, Linux, or Windows (with WSL recommended) 22 22 - 23 23 - ### Package Manager: UV 24 24 - 25 25 - Osprey uses [uv](https://docs.astral.sh/uv/) as the Python package manager for fast, reliable dependency management. 26 26 - 27 27 - #### Install UV 28 28 - 29 29 - **macOS/Linux:** 30 30 - 31 31 - ```bash 32 32 - curl -LsSf https://astral.sh/uv/install.sh | sh 33 33 - ``` 34 34 - 35 35 - **Windows:** 36 36 - 37 37 - ```bash 38 38 - powershell -c "irm https://astral.sh/uv/install.ps1 | iex" 39 39 - ``` 40 40 - 41 41 - **Alternative (via pip):** 42 42 - 43 43 - ```bash 44 44 - pip install uv 45 45 - ``` 46 46 - 47 47 - **Verify installation:** 48 48 - 49 49 - ```bash 50 50 - uv --version 51 51 - ``` 8 8 + - **[Python](https://www.python.org/) 3.11 or higher** (check with `python --version`) 9 9 + - **[Git](https://git-scm.com/)** for version control 10 10 + - **[uv](https://docs.astral.sh/uv/)** for Python package management 11 11 + - **[npm](https://nodejs.org/en/download)** 52 12 53 13 ## Project Setup 54 14 ··· 113 73 docker compose up -d 114 74 ``` 115 75 76 76 + or using the wrapper script 77 77 + 78 78 + ```bash 79 79 + ./start.sh 80 80 + ``` 81 81 + 116 82 This starts up many services, including: 117 83 - **Osprey Worker**: The main engine that processes input events given the rules and UDFs 118 84 - **Test Data Producer**: Optional with `--profile test_data` ··· 122 88 - **Postgres**: A database that the Worker, UI API, and Druid use for various reasons, such as the Postgres-backed Labels Service (in the example plugins) 123 89 - **Druid**: A database that consumes Osprey Worker outputs to power the UI API for real-time querying 124 90 91 91 + Alternatively, you can start Osprey with `osprey-coordinator`, refer to the [Coordinator README](./example_docker_compose/run_osprey_with_coordinator/README.md) for more information 125 92 126 126 - ### 6. Access the Application 127 127 - The UI will automatically connect to the backend services running in Docker containers. 93 93 + ### 6. (Optional) Open ports for the UI/UI API 94 94 + 95 95 + By default, the `docker-compose.yaml` binds running services to `127.0.0.1`. If you are running the docker compose on a headless machine, you may need to modify this configuration and/or make changes to your firewall, specifically for ports `5002` and `5004`. 128 96 129 129 - - Osprey UI: http://localhost:5002 130 130 - - Backend API: http://localhost:5004 131 131 - - Worker Service: http://localhost:5001 97 97 + For example, if you use Tailscale to access your Osprey instance, you may change `127.0.0.1:5002:5002` to `<Tailscale IP>:5002:5002`. Alternatively, if you wish for your instance to be accessible from the public internet, you may set it simply to `5002:5002` to bind to `0.0.0.0`. 132 98 99 99 + Be aware that some firewalls like iptables/UFW do _not_ prevent access to ports being used by Docker networking. Not explicitly setting a bind address with only UFW as a firewall will not prevent access from the public internet unless [properly configured](https://github.com/chaifeng/ufw-docker). 133 100 134 134 - #### Plugins 101 101 + ### 7. Access the Application 102 102 + 103 103 + The UI will automatically connect to the backend services running in Docker containers. 104 104 + 105 105 + - Osprey UI: [localhost:5002](http://localhost:5002) 106 106 + - Backend API: [localhost:5004](http://localhost:5004) 107 107 + - Worker Service: [localhost:5001](http://localhost:5001) 108 108 + 109 109 + ## Plugins 135 110 136 111 In Osprey, UDFs and output sinks are designed to be easily portable. This is done through a plugin system based on pluggy. An example plugin package has been provided for reference, see `example_plugins/register_plugins.py`: 137 112 ··· 150 125 # Register AST validators 151 126 ``` 152 127 153 153 - #### Rules 128 128 + ## Rules 154 129 155 130 Rules are written in SML, some examples are provided in `example_rules/` with YAML config, the rules are mounted to the worker processes when the containers start via environment variables. ex: 156 131 ··· 158 133 OSPREY_RULES=./example_rules uv run python3.11 osprey_worker/src/osprey/worker/cli/sinks.py run-rules-sink 159 134 ``` 160 135 161 161 - #### Test Data 136 136 + [More about rules →](rules.md) 137 137 + 138 138 + ## Test Data 162 139 163 140 Generate sample JSON actions: 164 141 ```bash 165 165 - docker compose --profile test_data up kafka-test-data-producer -d 142 142 + docker compose --profile test_data up osprey-kafka-test-data-producer -d 166 143 ``` 167 144 168 145 Produces user login events with timestamps, user IDs, and IP addresses to `osprey.actions_input` topic. 169 169 - 170 170 - ## Development Workflow 171 171 - 172 172 - ### Branch Management 173 173 - 174 174 - - **Branch naming convention**: Use `github_username/description` format (e.g., `caidanw/feature-auth`, `caidanw/fix-database-timeout`) 175 175 - - **Base branch**: Always branch from `main` 176 176 - - **Create new branch**: `git checkout -b username/feature-name` 177 177 - 178 178 - ### Code Quality Standards 179 179 - 180 180 - #### Automated Checks 181 181 - 182 182 - Every commit automatically runs: 183 183 - 184 184 - 1. **Trailing whitespace removal** 185 185 - 2. **End-of-file fixing** 186 186 - 3. **YAML/JSON/TOML validation** 187 187 - 4. **Ruff linting and formatting** 188 188 - 189 189 - #### Manual Checks 190 190 - 191 191 - Before pushing, run: 192 192 - 193 193 - ```bash 194 194 - # Comprehensive linting check 195 195 - uv run ruff check 196 196 - 197 197 - # Format all code 198 198 - uv run ruff format 199 199 - 200 200 - # Type checking (on specific files/modules) 201 201 - uv run mypy osprey_worker/src/osprey_worker/lib 202 202 - # Or you can type check every module (this will happen in CI) 203 203 - uv run mypy . 204 204 - 205 205 - # Run all pre-commit hooks 206 206 - uv run pre-commit run --all-files 207 207 - ``` 208 208 - 209 209 - ### Commit Standards 210 210 - 211 211 - Follow [Conventional Commits](https://www.conventionalcommits.org/) format: 212 212 - 213 213 - ``` 214 214 - feat: add user authentication system 215 215 - fix: resolve database connection timeout 216 216 - docs: update API documentation 217 217 - refactor: simplify rule evaluation logic 218 218 - ``` 219 219 - 220 220 - **Examples:** 221 221 - 222 222 - - `feat:` - New features 223 223 - - `fix:` - Bug fixes 224 224 - - `docs:` - Documentation changes 225 225 - - `refactor:` - Code refactoring 226 226 - - `test:` - Adding or updating tests 227 227 - - `chore:` - Maintenance tasks 228 228 - 229 229 - ### Making Changes 230 230 - 231 231 - 1. **Create a new branch:** 232 232 - 233 233 - ```bash 234 234 - git checkout -b username/feature-name 235 235 - ``` 236 236 - 237 237 - 2. **Make your changes** 238 238 - 239 239 - 3. **Run quality checks:** 240 240 - 241 241 - ```bash 242 242 - uv run ruff check --fix 243 243 - uv run ruff format 244 244 - ``` 245 245 - 246 246 - 4. **Test your changes** (if tests exist) 247 247 - 248 248 - 5. **Commit your changes:** 249 249 - 250 250 - ```bash 251 251 - git add . 252 252 - git commit -m "feat: descriptive commit message" 253 253 - ``` 254 254 - 255 255 - Pre-commit hooks will run automatically and may fix formatting issues. 256 256 - 257 257 - 6. **Push your branch:** 258 258 - 259 259 - ```bash 260 260 - git push origin username/feature-name 261 261 - ``` 262 262 - 263 263 - ## Development Tools Overview 264 264 - 265 265 - ### Ruff - Linting and Formatting 266 266 - 267 267 - **Purpose**: Replaces Black, isort, Flake8, and other tools 268 268 - 269 269 - **Configuration**: Located in `pyproject.toml` under `[tool.ruff]` 270 270 - 271 271 - **Key Rules Enabled**: 272 272 - 273 273 - - `E` - pycodestyle errors 274 274 - - `F` - pyflakes 275 275 - - `I` - isort (import sorting) 276 276 - - `B006` - flake8-bugbear (mutable default arguments) 277 277 - 278 278 - **Commands**: 279 279 - 280 280 - ```bash 281 281 - # Check for issues 282 282 - uv run ruff check 283 283 - 284 284 - # Fix auto-fixable issues 285 285 - uv run ruff check --fix 286 286 - 287 287 - # Format code 288 288 - uv run ruff format 289 289 - 290 290 - # Check specific files 291 291 - uv run ruff check path/to/file.py 292 292 - ``` 293 293 - 294 294 - ### MyPy - Type Checking 295 295 - 296 296 - **Purpose**: Static type checking for Python 297 297 - 298 298 - **Configuration**: Located in `pyproject.toml` under `[tool.mypy]` 299 299 - 300 300 - **Key Features**: 301 301 - 302 302 - - Pydantic plugin support 303 303 - - SQLAlchemy plugin support 304 304 - - Relaxed strict mode (matching legacy codebase) 305 305 - - Ignores protobuf generated files 306 306 - 307 307 - **Commands**: 308 308 - 309 309 - ```bash 310 310 - # Type check entire project 311 311 - uv run mypy . 312 312 - 313 313 - # Type check specific files 314 314 - uv run mypy path/to/file.py 315 315 - 316 316 - # Type check entire module 317 317 - uv run mypy osprey_worker/ 318 318 - 319 319 - # Check with verbose output 320 320 - uv run mypy --show-traceback path/to/file.py 321 321 - ``` 322 322 - 323 323 - ### Pre-commit - Git Hooks 324 324 - 325 325 - **Purpose**: Automated quality checks before commits 326 326 - 327 327 - **Configuration**: Located in `.pre-commit-config.yaml` 328 328 - 329 329 - **Commands**: 330 330 - 331 331 - ```bash 332 332 - # Run all hooks on staged files 333 333 - uv run pre-commit run 334 334 - 335 335 - # Run all hooks on all files 336 336 - uv run pre-commit run --all-files 337 337 - 338 338 - # Run specific hook 339 339 - uv run pre-commit run ruff 340 340 - 341 341 - # Update hook versions 342 342 - uv run pre-commit autoupgrade 343 343 - 344 344 - # Bypass hooks (emergency only) 345 345 - git commit --no-verify 346 346 - ``` 347 347 - 348 348 - ### UV - Package Management 349 349 - 350 350 - **Purpose**: Fast Python package manager and environment management 351 351 - 352 352 - **Key Commands**: 353 353 - 354 354 - ```bash 355 355 - # Install dependencies 356 356 - uv sync 357 357 - 358 358 - # Add new dependency 359 359 - uv add package-name 360 360 - 361 361 - # Add development dependency 362 362 - uv add --group dev package-name 363 363 - 364 364 - # Remove dependency 365 365 - uv remove package-name 366 366 - 367 367 - # Run command in environment 368 368 - uv run command-name 369 369 - 370 370 - # Update dependencies 371 371 - uv lock --upgrade 372 372 - ``` 373 373 - 374 374 - ## Troubleshooting 375 375 - 376 376 - ### Common Issues 377 377 - 378 378 - #### "uv: command not found" 379 379 - 380 380 - **Solution**: Install uv using the installation script or pip: 381 381 - 382 382 - ```bash 383 383 - curl -LsSf https://astral.sh/uv/install.sh | sh 384 384 - # Then restart your terminal 385 385 - ``` 386 386 - 387 387 - #### Pre-commit hooks failing 388 388 - 389 389 - **Solution**: Run hooks manually to see detailed errors: 390 390 - 391 391 - ```bash 392 392 - uv run pre-commit run --all-files 393 393 - ``` 394 394 - 395 395 - #### MyPy errors on protobuf files 396 396 - 397 397 - **Solution**: Protobuf generated files are excluded in configuration. If you see errors, check that files match the exclusion patterns in `pyproject.toml`. 398 398 - 399 399 - #### Import errors during type checking 400 400 - 401 401 - **Solution**: Ensure all dependencies are installed: 402 402 - 403 403 - ```bash 404 404 - uv sync 405 405 - ``` 406 406 - 407 407 - ### Getting Help 408 408 - 409 409 - 1. **Check this documentation** for common setup issues 410 410 - 2. **Review error messages** carefully - they often contain solutions 411 411 - 3. **Run commands with verbose flags** for more detailed output 412 412 - 4. **Check configuration files** (`pyproject.toml`, `.pre-commit-config.yaml`) 413 413 - 414 414 - ## Next Steps 415 415 - 416 416 - - Check the [contributing guidelines](https://github.com/roostorg/.github/blob/main/CONTRIBUTING.md) for project-specific rules 417 417 - - Explore the codebase structure in `osprey_worker/`, `osprey_common/`, and `osprey_rpc/` 418 418 - 419 419 - ## IDE Setup Recommendations 420 420 - 421 421 - ### VS Code 422 422 - 423 423 - Install these extensions for the best development experience: 424 424 - 425 425 - - **Python** (Microsoft) 426 426 - - **Ruff** (Astral Software) 427 427 - - **MyPy Type Checker** (Microsoft) 428 428 - 429 429 - **Settings** (add to `.vscode/settings.json`): 430 430 - 431 431 - ```json 432 432 - { 433 433 - "python.defaultInterpreterPath": ".venv/bin/python", 434 434 - "ruff.enable": true, 435 435 - "ruff.organizeImports": true, 436 436 - "python.analysis.typeCheckingMode": "basic" 437 437 - } 438 438 - ``` 439 439 - 440 440 - This completes the development setup! You're now ready to contribute to Osprey.

+8

docs/README.md

reviewed

··· 11 11 3. **[Development Guide](DEVELOPMENT.md)** - Set up your development environment and get started using Osprey 12 12 4. **[Osprey UI](UI.md)** - Understand how to use and navigate the UI 13 13 14 14 + ## Reporting a Bug or Issue 15 15 + 16 16 + Found a bug or have a feature request? We'd love to hear from you! When opening an issue, please use our templates: 17 17 + 18 18 + * [Bug Report](https://github.com/roostorg/osprey/issues/new?template=bug_report.md) 19 19 + * [Feature Request](https://github.com/roostorg/osprey/issues/new?template=feature_request.md) 20 20 + * [Submit an Egg (new tool idea) to ROOST!](https://github.com/roostorg/osprey/issues/new?template=documentation.md) 21 21 + 14 22 ## Need Help? 15 23 16 24 If you can't find what you're looking for in these documents, please:

+16

docs/SUMMARY.md

reviewed

··· 1 1 + # Summary 2 2 + 3 3 + [Getting Started](README.md) 4 4 + 5 5 + - [Development](DEVELOPMENT.md) 6 6 + - [Workflow](development/workflow.md) 7 7 + - [Tools Overview](development/tools.md) 8 8 + - [Troubleshooting](development/troubleshooting.md) 9 9 + - [IDE Setup](development/ide.md) 10 10 + - [User Interface](UI.md) 11 11 + - [Writing Rules](rules.md) 12 12 + - [User Research & Personas](user_personas.md) 13 13 + 14 14 + --- 15 15 + 16 16 + [Contribute to these docs](docs.md)

+43 -62

docs/UI.md

reviewed

··· 1 1 - # **Osprey User Interface Guide** 2 2 - 1 1 + # Osprey User Interface Guide 3 2 4 3 ## Getting Started 5 4 ··· 11 10 12 11 The Osprey UI has several pages accessible by a left-hand menu: 13 12 14 14 -  15 15 - 13 13 +  16 14 17 15 Home will bring you to the default page of Osprey, with three main columns. 18 16 19 19 - **NOTE: The Event Stream in the right column is not yet in v0, and will be available before or in v1.** 20 20 - 21 21 -  17 17 +  22 18 23 19 ### Left Column: Query 24 20 25 25 - #### **Query Box** 21 21 + #### Query Box 26 22 27 23 The Osprey Query UI uses the same SML syntax as rules, but for searching and filtering near-real-time and historical data rather than creating new rules. Using the test data generator, you can try writing a query to look for an action called “create\_post” specifically from a given User ID. 28 28 -  29 24 25 25 +  30 26 31 27 You can also use a UDF in your query. If you ever forget what a UDF does, you can hover on the information symbol for a tip: 32 32 -  28 28 + 29 29 +  33 30 34 31 A query can be run against a time window ranging from the last second to the last 3 months (and also a custom range): 35 35 -  36 32 33 33 +  37 34 38 35 The Osprey UI is designed to be dynamic and update in real-time. If any other component in the other two columns is interacted with, the query will automatically update and vice versa. The query also automatically populates the URL. This can be handy for sharing a specific query with someone on a team, but may present privacy risks. 39 36 40 40 -  37 37 +  41 38 42 42 - #### **History** 39 39 + #### History 43 40 44 41 Every query is logged in the Query History view, and there is a dropdown filter to only show queries that you have run. 45 42 46 43 When you hover over the query, it will also show the Top N Charts used during the query session (more on that below). 47 44 48 48 -  45 45 +  49 46 50 47 The Query History can also be accessed and seen in a different format via the left-side menu. From here you can filter by the user who ran the query, view the original query, and run it using the same time range the original query used. 51 48 52 52 -  49 49 +  53 50 54 54 - #### **Saved Queries** 51 51 + #### Saved Queries 55 52 56 53 If there are specific queries that are used often, Osprey provides the ability to save a query: 57 54 58 58 -  55 55 +  59 56 60 57 The user who initiated the query and when the query was first run is logged as part of the Saved Query. Saved Queries can also be accessed via the left-side menu. The user who saved the query and what time it was saved is logged and visible. There is a drop-down menu at the top to filter saved queries by users. 61 58 62 62 -  59 59 +  63 60 64 61 ### Middle Column: Charts 65 62 66 63 The middle column in Osprey shows two types of charts: **Time Series** and **Top N Results**. Both sections provide the ability to add extra charts to see different slices of time or types of top results. 67 64 68 68 -  65 65 +  69 66 70 70 - #### **Time Series Chart** 67 67 + #### Time Series Chart 71 68 72 69 The Time Series chart shows a visualization of the results in the query over a period of time. The time ranges include: 73 70 ··· 80 77 * Month 81 78 82 79 Hovering over a bar in the time series chart shows how many events took place during that time. 83 83 -  84 80 81 81 +  85 82 86 83 There is also a time and date picker above the time series chart where you can set a custom range: 87 87 -  84 84 + 85 85 +  88 86 89 87 An extra table can be added for another view of a different unit of time. To get rid of the table, you can “[yeet](https://www.urbandictionary.com/define.php?term=Yeet) it”. 90 90 -  91 88 89 89 +  92 90 93 93 - #### **Top N Results** 91 91 + #### Top N Results 94 92 95 93 Adding a Top N Results table populates a table with the top results for the results of the query. You can view and assign labels to a specific entity by hovering over it and clicking “Edit Labels” 96 96 -  97 94 98 98 - **NOTE: Labels are not yet in v0** 95 95 +  99 96 100 100 -  97 97 +  101 98 102 99 You can also select PoP (Period over Period) to compare the query results with results from a window of time in the past to see the delta. 103 100 104 104 -  101 101 +  105 102 106 103 ### Right Column: Event Stream 107 104 108 108 - **The Event Stream is not yet in v0, and will be available before or in v1.** 109 109 - 110 105 The Event Stream is essentially Osprey's "live feed" and investigation dashboard where security teams can: 111 106 112 107 * Monitor real-time activity ··· 116 111 * Drill down into specific users/entities 117 112 118 113 It provides a more detailed view of each event that matches the query. The Event Stream can show metadata related to accounts that can link to other internal tools that provide detailed information about an account and/or further enforcement actions. 119 119 -  120 120 - 114 114 +  121 115 122 116 The event stream is also viewable in a card format vs a list format (list format shown in the screenshot). 123 117 124 118 Osprey users may have personal preferences on how to do investigations and what information is most helpful for them. Osprey makes it easy to customize the types of information shown in the Event Stream by clicking “Summary Features” 125 125 -  126 126 - 119 119 +  127 120 128 121 ### Labeling 129 122 130 130 - **Note: Labels are not yet in v0, but will come in v1** 131 123 Any unique entity can be labeled in the Osprey UI. This manual labeling tool is used by Safety teams to tag individual entities (users, IPs, emails, etc.) with labels. Labels are essentially the manual annotation tool that feeds into Osprey's automated rule system, allowing human judgment to enhance machine detection. Labels can be positive, negative, or neutral. Examples: 132 124 133 125 **Negative Labels: Harmful/problematic behavior** ··· 139 131 **Neutral Labels: Informational tags** 140 132 * Examples: "new\_user", "from\_mobile", "beta\_tester" 141 133 142 142 - 143 143 - Below are examples of a new label interface from v0, and an example from Discord’s usage of labels (coming in v1). 144 144 -  145 145 -  146 146 - 134 134 +  135 135 +  147 136 148 137 ### UDF Documentation 149 138 150 139 The UDF Documentation page can be accessed via the left-side menu. It dynamically updates based on the code, so any new UDFs added will show up on this page. This page essentially serves as the "API reference" for the SML language, making it easy for users to discover and properly use all available functions when writing rules and queries. 151 151 -  140 140 +  152 141 153 142 This page can be used as a manual for writing SML rules or queries, guide for understanding parameter types and requirements, and act as a plugin discovery portal to explore what custom UDFs are loaded. 154 143 155 144 ### Bulk Labeling 156 156 - 157 157 - **Note: Since Bulk Labeling relies on Labels, it does not yet work in v0.** 158 145 159 146 There are two ways to bulk label items in Osprey: the left-side menu and via the chart column. In this example, you can bulk label all the users that have posted a message that is not empty: 160 160 -  161 147 148 148 +  162 149 163 150 **Bulk labels can be dangerous if there’s a false positive\!** Osprey provides a counter of how many unique entities are about to be bulk labeled at the top. Labels can be positive, negative, or neutral. A reason must be provided when labeling anything. Each bulk job will create a unique task ID and log the user who initiated the bulk job, the status of the bulk labeling, and a link to the query that the bulk job originated from. 164 151 165 152 To view all bulk labeling jobs that have been done, click into “Bulk Job History” from the left-side menu. You’ll need the unique task ID to look up a bulk job. 166 166 -  167 153 154 154 +  168 155 169 156 ### Rule Visualizer 170 170 - 171 171 - **Note: Since the Rule Visualizer relies on Labels, it does not yet work in v0.** 172 157 173 158 The Rule Visualizer shows how upstream labels, rules, and downstream labels interact with one another. To use it, select an Action or a Label. A graph view will appear showing the relations between rules and labels. 174 159 ··· 176 161 * **Blue square:** rule 177 162 * **Green circle:** label downstream of a rule 178 163 179 179 -  180 180 - 164 164 +  181 165 182 166 ### Query Syntax 183 167 184 184 - #### **Actions** 168 168 + #### Actions 185 169 186 170 Actions are events that are sent to Osprey. An event is simply something that happens. When a user does something like create a post, send a message, change their username, etc an event happens to represent that. There are probably a lot of events emitted in your org, and Osprey doesn’t need to consume all of them. 187 171 ··· 212 196 * Post Text 213 197 * Internet Service Provider 214 198 215 215 - #### **Effects** 199 199 + #### Effects 216 200 217 201 Effects can be triggered when one or many rules are evaluated to be true. These are validated and handled in aggregate at the end of an execution output. For example, an effect might apply a label to an entity marking it as a “Spammer”. 218 202 ··· 227 211 MessageText != Null 228 212 ``` 229 213 230 230 - #### **Combining Conditions** 214 214 + #### Combining Conditions 231 215 232 216 Let’s say you’re looking for any matches where a user tried to login more than 3 times. You can create a query to check for two types of data fields: “EventType” and “LoginAttempts”. 233 217 ··· 242 226 (UserId == 123) or (UserId == 456) 243 227 ``` 244 228 245 245 - #### **Using UDFs in Queries** 229 229 + #### Using UDFs in Queries 246 230 247 247 - UDFs (read more [here](https://github.com/roostorg/osprey/blob/f16da6e5c32ae124c3cc6e2d7efded7cea1ac726/docs/rules.md#user-defined-functions-udfs)) are a powerful part of queries. Once you define a UDF with the specific desired logic, you can reference it in a query. 231 231 + UDFs (read more [here](rules.md#user-defined-functions-udfs)) are a powerful part of queries. Once you define a UDF with the specific desired logic, you can reference it in a query. 248 232 249 249 - **NOTE: If you try to query a UDF that doesn’t exist, Osprey will silently fail with a 500 error.** 233 233 + > [!NOTE] 234 234 + > If you try to query a UDF that doesn’t exist, Osprey will silently fail with a 500 error. 250 235 251 236 ```py 252 237 # Text search ··· 257 242 ListLength(list=UserConnections) > 10 258 243 ``` 259 244 260 260 - #### **Label Queries** 261 261 - 262 262 - **Important Note: Labels are not yet in v0, so these will not work in the UI.** 245 245 + #### Label Queries 263 246 264 247 Since the UI searches across actions/events: 265 248 266 266 - * **Don't use:** HasLabel() \- won't work in Query UI 267 267 - * **Use instead**: DidAddLabel() \- shows when an action added a label 249 249 + * **Don't use:** HasLabel() - won't work in Query UI 250 250 + * **Use instead**: DidAddLabel() - shows when an action added a label 268 251 269 252 ```py 270 253 # Find actions that added specific labels 271 254 DidAddLabel(entity_type="UserId", label_name="likely_spammer") 272 255 DidAddLabel(entity_type="IpAddress", label_name="suspicious") 273 256 ``` 274 274 - 275 275 - ### 276 257 277 258 ### Example Queries 278 259

+20

docs/development/ide.md

reviewed

··· 1 1 + # IDE Setup Recommendations 2 2 + 3 3 + ## VS Code 4 4 + 5 5 + Install these extensions for the best development experience: 6 6 + 7 7 + - **Python** (Microsoft) 8 8 + - **Ruff** (Astral Software) 9 9 + - **MyPy Type Checker** (Microsoft) 10 10 + 11 11 + **Settings** (add to `.vscode/settings.json`): 12 12 + 13 13 + ```json 14 14 + { 15 15 + "python.defaultInterpreterPath": ".venv/bin/python", 16 16 + "ruff.enable": true, 17 17 + "ruff.organizeImports": true, 18 18 + "python.analysis.typeCheckingMode": "basic" 19 19 + } 20 20 + ```

+110

docs/development/tools.md

reviewed

··· 1 1 + # Development Tools Overview 2 2 + 3 3 + ## Ruff - Linting and Formatting 4 4 + 5 5 + **Purpose**: Replaces Black, isort, Flake8, and other tools 6 6 + 7 7 + **Configuration**: Located in `pyproject.toml` under `[tool.ruff]` 8 8 + 9 9 + **Key Rules Enabled**: 10 10 + 11 11 + - `E` - pycodestyle errors 12 12 + - `F` - pyflakes 13 13 + - `I` - isort (import sorting) 14 14 + - `B006` - flake8-bugbear (mutable default arguments) 15 15 + 16 16 + **Commands**: 17 17 + 18 18 + ```bash 19 19 + # Check for issues 20 20 + uv run ruff check 21 21 + 22 22 + # Fix auto-fixable issues 23 23 + uv run ruff check --fix 24 24 + 25 25 + # Format code 26 26 + uv run ruff format 27 27 + 28 28 + # Check specific files 29 29 + uv run ruff check path/to/file.py 30 30 + ``` 31 31 + 32 32 + ## MyPy - Type Checking 33 33 + 34 34 + **Purpose**: Static type checking for Python 35 35 + 36 36 + **Configuration**: Located in `pyproject.toml` under `[tool.mypy]` 37 37 + 38 38 + **Key Features**: 39 39 + 40 40 + - Pydantic plugin support 41 41 + - SQLAlchemy plugin support 42 42 + - Relaxed strict mode (matching legacy codebase) 43 43 + - Ignores protobuf generated files 44 44 + 45 45 + **Commands**: 46 46 + 47 47 + ```bash 48 48 + # Type check entire project 49 49 + uv run mypy . 50 50 + 51 51 + # Type check specific files 52 52 + uv run mypy path/to/file.py 53 53 + 54 54 + # Type check entire module 55 55 + uv run mypy osprey_worker/ 56 56 + 57 57 + # Check with verbose output 58 58 + uv run mypy --show-traceback path/to/file.py 59 59 + ``` 60 60 + 61 61 + ## Pre-commit - Git Hooks 62 62 + 63 63 + **Purpose**: Automated quality checks before commits 64 64 + 65 65 + **Configuration**: Located in `.pre-commit-config.yaml` 66 66 + 67 67 + **Commands**: 68 68 + 69 69 + ```bash 70 70 + # Run all hooks on staged files 71 71 + uv run pre-commit run 72 72 + 73 73 + # Run all hooks on all files 74 74 + uv run pre-commit run --all-files 75 75 + 76 76 + # Run specific hook 77 77 + uv run pre-commit run ruff 78 78 + 79 79 + # Update hook versions 80 80 + uv run pre-commit autoupgrade 81 81 + 82 82 + # Bypass hooks (emergency only) 83 83 + git commit --no-verify 84 84 + ``` 85 85 + 86 86 + ## UV - Package Management 87 87 + 88 88 + **Purpose**: Fast Python package manager and environment management 89 89 + 90 90 + **Key Commands**: 91 91 + 92 92 + ```bash 93 93 + # Install dependencies 94 94 + uv sync 95 95 + 96 96 + # Add new dependency 97 97 + uv add package-name 98 98 + 99 99 + # Add development dependency 100 100 + uv add --group dev package-name 101 101 + 102 102 + # Remove dependency 103 103 + uv remove package-name 104 104 + 105 105 + # Run command in environment 106 106 + uv run command-name 107 107 + 108 108 + # Update dependencies 109 109 + uv lock --upgrade 110 110 + ```

+32

docs/development/troubleshooting.md

reviewed

··· 1 1 + # Troubleshooting 2 2 + 3 3 + ## Common Issues 4 4 + 5 5 + ### "uv: command not found" 6 6 + 7 7 + **Solution**: Install uv using the installation script or pip: 8 8 + 9 9 + ```bash 10 10 + curl -LsSf https://astral.sh/uv/install.sh | sh 11 11 + # Then restart your terminal 12 12 + ``` 13 13 + 14 14 + ### Pre-commit hooks failing 15 15 + 16 16 + **Solution**: Run hooks manually to see detailed errors: 17 17 + 18 18 + ```bash 19 19 + uv run pre-commit run --all-files 20 20 + ``` 21 21 + 22 22 + ### MyPy errors on protobuf files 23 23 + 24 24 + **Solution**: Protobuf generated files are excluded in configuration. If you see errors, check that files match the exclusion patterns in `pyproject.toml`. 25 25 + 26 26 + ### Import errors during type checking 27 27 + 28 28 + **Solution**: Ensure all dependencies are installed: 29 29 + 30 30 + ```bash 31 31 + uv sync 32 32 + ```

+92

docs/development/workflow.md

reviewed

··· 1 1 + # Development Workflow 2 2 + 3 3 + ## Branch Management 4 4 + 5 5 + - **Branch naming convention**: Use `github_username/description` format (e.g., `caidanw/feature-auth`, `caidanw/fix-database-timeout`) 6 6 + - **Base branch**: Always branch from `main` 7 7 + - **Create new branch**: `git checkout -b username/feature-name` 8 8 + 9 9 + ## Code Quality Standards 10 10 + 11 11 + ### Automated Checks 12 12 + 13 13 + Every commit automatically runs: 14 14 + 15 15 + 1. **Trailing whitespace removal** 16 16 + 2. **End-of-file fixing** 17 17 + 3. **YAML/JSON/TOML validation** 18 18 + 4. **Ruff linting and formatting** 19 19 + 20 20 + ### Manual Checks 21 21 + 22 22 + Before pushing, run: 23 23 + 24 24 + ```bash 25 25 + # Comprehensive linting check 26 26 + uv run ruff check 27 27 + 28 28 + # Format all code 29 29 + uv run ruff format 30 30 + 31 31 + # Type checking (on specific files/modules) 32 32 + uv run mypy osprey_worker/src/osprey_worker/lib 33 33 + # Or you can type check every module (this will happen in CI) 34 34 + uv run mypy . 35 35 + 36 36 + # Run all pre-commit hooks 37 37 + uv run pre-commit run --all-files 38 38 + ``` 39 39 + 40 40 + ## Commit Standards 41 41 + 42 42 + Follow [Conventional Commits](https://www.conventionalcommits.org/) format: 43 43 + 44 44 + ``` 45 45 + feat: add user authentication system 46 46 + fix: resolve database connection timeout 47 47 + docs: update API documentation 48 48 + refactor: simplify rule evaluation logic 49 49 + ``` 50 50 + 51 51 + **Examples:** 52 52 + 53 53 + - `feat:` - New features 54 54 + - `fix:` - Bug fixes 55 55 + - `docs:` - Documentation changes 56 56 + - `refactor:` - Code refactoring 57 57 + - `test:` - Adding or updating tests 58 58 + - `chore:` - Maintenance tasks 59 59 + 60 60 + ## Making Changes 61 61 + 62 62 + 1. **Create a new branch:** 63 63 + 64 64 + ```bash 65 65 + git checkout -b username/feature-name 66 66 + ``` 67 67 + 68 68 + 2. **Make your changes** 69 69 + 70 70 + 3. **Run quality checks:** 71 71 + 72 72 + ```bash 73 73 + uv run ruff check --fix 74 74 + uv run ruff format 75 75 + ``` 76 76 + 77 77 + 4. **Test your changes** (if tests exist) 78 78 + 79 79 + 5. **Commit your changes:** 80 80 + 81 81 + ```bash 82 82 + git add . 83 83 + git commit -m "feat: descriptive commit message" 84 84 + ``` 85 85 + 86 86 + Pre-commit hooks will run automatically and may fix formatting issues. 87 87 + 88 88 + 6. **Push your branch:** 89 89 + 90 90 + ```bash 91 91 + git push origin username/feature-name 92 92 + ```

+20

docs/docs.md

reviewed

··· 1 1 + # Contribute to these docs 2 2 + 3 3 + This documentation site is built using [mdBook](https://rust-lang.github.io/mdBook/) and deployed to GitHub Pages. Changes merged into the `main` branch will automatically be built and deployed. 4 4 + 5 5 + Documentation can be edited directly in the GitHub web UI for existing pages, or by selecting the **🖉 Suggest an edit** icon at the top of the docs site. To create a new page, be sure to update `SUMMARY.md` as well. Once you're done with your changes, open a pull request for review. 6 6 + 7 7 + To understand more about how mdBook works, learn about the [anatomy of a book](https://rust-lang.github.io/mdBook/guide/creating.html#anatomy-of-a-book). 8 8 + 9 9 + ## Developing locally 10 10 + 11 11 + To build the site locally, clone this repository and install `mdbook` (follow the [official installation instructions](https://rust-lang.github.io/mdBook/guide/installation.html)). 12 12 + 13 13 + Once installed, use the `mdbook` command-line tool from the root of this repo. For example, to automatically start watching, building, and serving the site: 14 14 + 15 15 + ```shell 16 16 + mdbook serve 17 17 + ``` 18 18 + 19 19 + Then make your changes, preview them in your web browser (at [http://localhost:3000](http://localhost:3000) by default), commit, push, and open a pull request like any other git project. 20 20 +

+3 -8

docs/rules.md

reviewed

··· 1 1 - # Osprey Docs 2 2 - 3 3 - # Osprey Docs 1 1 + # Osprey Rules 4 2 5 3  6 4 7 7 - ## Rules 8 8 - 9 9 - ### Creating Rules 5 5 + ## Creating Rules 10 6 11 7 Rules in Osprey are written in `Some Madeup Language (SML)` and follow most syntax conventions present in the Osprey Query UI. SML is a subset of Python with additional restrictions to make the rules simpler to craft. 12 8 ··· 58 54 ) 59 55 ``` 60 56 61 61 - ### Instrumenting Rules with WhenRules 57 57 + ## Instrumenting Rules with WhenRules 62 58 63 59 The `WhenRules()` function allows for the connection of rules with external services, declarations or internal label modifications by listing Rule objects in sequence within the `rules_any=[]` parameter and `EffectBase`. By default, operators and designers can utilize UDFs with predefined effects such as `DeclareVerdict()`, `LabelAdd()`, and `LabelRemove()` on positive rule evaluations. 64 60 ··· 179 175 UDF outputs can also implement the `CustomExtractedFeature` interface - which get persisted in the outputs for the UI. `EffectToCustomExtractedFeatureBase` can also be used when effects need additional processing for use in the UI. 180 176 181 177 ## Labels 182 182 - **NOTE: Labels are currently not in v0, so users will be unable to add or edit labels via the UI** 183 178 184 179 Labels are a standard plugin that enable stateful rules, and touch many parts of Osprey. They are effectively tags on various entities, which can be arbitrarily defined. 185 180

images/Rules_Engine_Overview.jpeg docs/images/Rules_Engine_Overview.jpeg

reviewed

images/add-labels.png docs/images/add-labels.png

reviewed

images/bulk-job-history.png docs/images/bulk-job-history.png

reviewed

images/bulk-label.png docs/images/bulk-label.png

reviewed

images/charts.png docs/images/charts.png

reviewed

images/complete-label.png docs/images/complete-label.png

reviewed

images/empty-label.png docs/images/empty-label.png

reviewed

images/event-stream.png docs/images/event-stream.png

reviewed

images/hover-query-history.png docs/images/hover-query-history.png

reviewed

images/hover-time-series.png docs/images/hover-time-series.png

reviewed

images/left-side-menu.png docs/images/left-side-menu.png

reviewed

images/multiple-time-series.png docs/images/multiple-time-series.png

reviewed

images/multiple-top-charts.png docs/images/multiple-top-charts.png

reviewed

images/osprey-home.png docs/images/osprey-home.png

reviewed

images/pop.png docs/images/pop.png

reviewed

images/query-and-charts.png docs/images/query-and-charts.png

reviewed

images/query-box.png docs/images/query-box.png

reviewed

images/query-history-page.png docs/images/query-history-page.png

reviewed

images/query-history-save.png docs/images/query-history-save.png

reviewed

images/query-history-search.png docs/images/query-history-search.png

reviewed

images/query-history.png docs/images/query-history.png

reviewed

images/query-time-range.png docs/images/query-time-range.png

reviewed

images/query-udf-hover.png docs/images/query-udf-hover.png

reviewed

images/rules-visualizer.png docs/images/rules-visualizer.png

reviewed

images/saved-queries-page.png docs/images/saved-queries-page.png

reviewed

images/summary-features.png docs/images/summary-features.png

reviewed

images/time-date-picker.png docs/images/time-date-picker.png

reviewed

images/top-n-charts.png docs/images/top-n-charts.png

reviewed

images/udf-documentation.png docs/images/udf-documentation.png

reviewed