ADF Quickwit logging epic #46
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Epic for ADF Quickwit log analysis and fleet health monitoring. This issue collects periodic log analysis reports from the log-analyst agent.
ADF Quickwit Log Analysis Report
Analysis window: All available data (2026-04-05 to 2026-05-06)
Data source:
http://127.0.0.1:7280/api/v1/adf-logs/search(adf-logsindex)Total documents: 35,857 | Exit events: 1,433 | Failures: 56 | WARN events: 3,016 | Wall-time outliers (>300s): 268
Failure Clusters
1. Unknown non-zero exits (severity: CRITICAL)
exit_class: "unknown"withexit_code: 1andmessage: "agent exited: unknown"2. Filesystem permission auto-rejects (severity: MEDIUM)
/opt/ai-dark-factory/reports/*-- 9 rejects (meta-coordinator)/home/alex/terraphim-ai/*-- 4 rejects (security-sentinel, test-guardian)/home/alex/*and systemd paths -- 3 rejects (drift-detector)3. Toolchain / compilation errors (severity: MEDIUM)
rch(remote compilation helper)rchhook errors and missing toolchainstable-2026-04-14-x86_64-unknown-linux-gnu)4. Wall-time outliers (severity: MEDIUM-HIGH)
product-development: max 6,597s (~110 minutes), median 1,410simplementation-swarm: max 5,519s (~92 minutes), median 897stest-guardian: max 3,598s (~60 minutes), median 1,199smeta-coordinator: max 4,649s (~77 minutes), median 1,209sAgent Success Rates (Ranked by Degradation)
Agents requiring immediate attention: build-runner, meta-learning, runtime-guardian, repo-steward.
Anomalies Detected
Universal unknown exits: Every agent type has experienced
exit_class: "unknown"failures. This indicates the orchestrator's exit classification is insufficient -- no stderr pattern matching is catching the actual failure modes.Build-runner collapse: With 181 WARN events and a 25% success rate, build-runner is the most degraded agent. The WARNs cluster around
rch(remote compilation hooks) and missing Rust toolchains.Wall-time regime shift: 268 runs exceeded 300s. The top 4 agents (implementation-swarm, test-guardian, product-development, meta-coordinator) account for 102 of these outliers. Maximum observed runtimes exceed 90 minutes.
Permission storm: meta-coordinator repeatedly attempts to write to
/opt/ai-dark-factory/reports/*and is auto-rejected. This is a known blocked path that generates noise without resolution.Top 3 Remediation Recommendations
1. Fix build-runner toolchain and rch hook errors (Confidence: HIGH 0.92)
stable-2026-04-14-x86_64-unknown-linux-gnuon build workersrchhook failures athook.rs:288,transfer.rs:965, etc. -- these suggest remote compilation sync issues2. Implement exit code classification and early stderr capture (Confidence: HIGH 0.89)
command not found,permission denied,connection refused,rate limit,OOM killedextrafieldexit_classvalues:tool_missing,permission_denied,network_error,rate_limit,oom,timeout3. Cap wall-time and throttle long-running agents (Confidence: HIGH 0.85)
implementation-swarm,product-development,test-guardian, andmeta-coordinatorto prevent resource contentionAgents to Disable or Reschedule
/opt/ai-dark-factory/reports/*or redirect output to approved workspaceReport generated by log-analyst agent on 2026-05-06 12:57 CEST
Next review recommended: after build-runner fix deployment
ADF Log Analysis Report -- 2026-05-09 03:54 CEST
Index:
adf-logsvia Quickwit athttp://127.0.0.1:7280Period: 2026-04-07 to 2026-05-08 (31 days)
Total events indexed: 46,066
Total hard failures (exit_code > 0): 62
WARN-level events: 6,348
Wall time outliers (>300s): 447
Failure Clusters by Root Cause
Cluster 1 -- Unknown exits (29 events, 46.8%) | Severity: HIGH
The orchestrator cannot classify why these agents exited. All have
exit_code=1with no model metadata (model: unknown).Root cause evidence:
build-runnerstderr contains git detached HEAD warnings:The build-runner is checking out a commit SHA rather than a branch ref, producing non-zero exits when subsequent git operations fail. The remaining 23 unknown exits across other agents are likely unhandled signal terminations (SIGKILL/SIGTERM) not surfaced by the orchestrator.
Cluster 2 -- Rate limits (29 events, 46.8%) | Severity: HIGH
log-analystaccounts for all 29 rate-limit exits attributed to its own runs -- a recursive problem: the log analyst itself is the most rate-limited agent.kimi-for-coding/k2p5is the primary model hitting quota (14 of 50 rate-limit events with model attribution).Cluster 3 -- Compilation errors (2 hard exits + 187 log events) | Severity: MEDIUM
Hard exits: 2 (build-runner, wall times 99s and 253s)
Compilation error log events by agent:
Note:
security-sentinelcompilation error events are false positives -- the agent is logging raw Claude API JSON (tool_use events) to stderr, and these match the error pattern. This is a logging pipeline issue, not actual compiler errors.Cluster 4 -- Timeout / model error (2 events, 3.2%) | Severity: LOW
timeoutexit: build-runner, wall_time 217smodel_errorexitAdditional timeout signals (208 events with "timed out" in message, not all hard exits):
Wall Time Anomalies
447 runs exceeded 300s wall time. Max observed: 2458s (40 minutes). P95: 1362s (22 minutes).
No hard upper bound is enforced -- agents run to completion regardless of wall time.
Degrading Agents
Agents showing combined failure signal (hard exits + wall time outliers + kill events):
Anomalies
Model metadata gap: 35 of 62 failures have
model: unknown. The orchestrator is not recording model at exit time -- this makes root cause attribution by model impossible.security-sentinel stderr JSON noise: Raw Claude API event JSON (
{"type":"tool_use",...}) is being written to stderr and indexed as log content. This pollutes compilation-error and kill-event queries with false positives. The session IDs visible (ses_2a1ed01...) confirm these are Claude Code internal events.Orchestrator spawn/exit balance: 51
agent spawnedvs 48agent exitedevents in the orchestrator source -- 3 agents spawned but no exit recorded. These may still be running or were killed without cleanup.Active fleet: Only
security-sentinelanddrift-detectorare active in the most recent window, both onk2p5model. The broader fleet appears idle.Trend Comparison
No prior analysis period baseline in index. Cannot compute delta. Recommend tagging analysis runs with a
report_periodfield going forward.Top 3 Remediation Recommendations
1. Fix orchestrator model metadata capture (Confidence: HIGH)
Record
modelat agent exit, not only at spawn. All build-runner failures and 35 of 62 total failures have no model attribution, making quota management blind. Proposed: writeagent_lifecycleevent with both spawn and exit fields in a single document.2. Add rate-limit backoff for log-analyst and k2p5 callers (Confidence: HIGH)
log-analystalone accounts for 29 rate-limit exits. Implement exponential backoff (initial 30s, max 300s) with jitter before each retry. Add a per-agentRATE_LIMIT_COOLDOWN_SECSconfig knob. Swaplog-analysttoopencode-go/minimax-m2.5for its Quickwit queries -- these are read-only and do not require a coding model.3. Fix build-runner git ref checkout (Confidence: HIGH)
Replace commit SHA checkout with branch-ref checkout or post-checkout
git switch -to restore HEAD. Add a pre-build guard: ifgit statusreports detached HEAD, abort with a classifiedexit_code: git_errorrather than genericunknown. This will immediately reduce Cluster 1 by at least 6 events per 31-day window.Agents Recommended for Schedule Adjustment
Report generated by Conduit (log-analyst run) -- 2026-05-09 03:54 CEST
Data source: Quickwit adf-logs index, 46,066 documents
Session Handover -- 2026-05-09 log-analyst
Outcome: SUCCESS -- analysis posted as comment #23325
Quickwit findings summary
Token / API notes for next agent
ADF Quickwit Log Analysis Report
Analysis window: Current 12h (2026-04-08 00:00 UTC onwards) vs Previous 12h (2026-04-07 12:00 to 2026-04-08 00:00 UTC)
Data source:
http://127.0.0.1:7280/api/v1/adf-logs/search(index:adf-logs)Generated by: log-analyst agent (Conduit) at 2026-05-11 10:54 CEST
1. Failure Clusters
1.1 Unknown non-zero exits (severity: High)
source:orchestrator AND message:"agent exited: unknown"exit_code: 1,exit_class: unknown,confidence: 0.0, andmatched_patterns: []. The orchestrator is unable to classify these exits, suggesting either a tool/runtime failure not captured by existing pattern matchers, or an early abort before classification logic runs. Wall times are short (27-181s), indicating rapid failure rather than timeout.1.2 Filesystem permission auto-rejects (severity: Medium)
source:stderr AND message:"permission requested: external_directory"/opt/ai-dark-factory/reports/*(9),/tmp/*(7),/home/alex/terraphim-ai/*(4)/opt/ai-dark-factory/reports/*path is the most targeted, suggesting multiple agents expect a report publishing directory that does not exist or is not allowlisted.1.3 Rate-limit exits (severity: Medium)
source:orchestrator AND message:"agent exited: rate_limit"1.4 Wall-time outliers (severity: Critical)
source:orchestrator AND wall_time_secs:>3002. Trend Comparison
Interpretation: The fleet is experiencing a compound degradation. Not only are more jobs failing, but the successful ones are taking dramatically longer. The permission rejection pattern is new and may be contributing to wall-time inflation as agents retry or hang waiting for filesystem access.
3. Agents with Degrading Success Rates
Stable agents: meta-coordinator (100%, 10/10), quality-coordinator (100%, 15/15), security-sentinel (100%, 23/23), spec-validator (100%, 11/11), test-guardian (100%, 18/18).
4. Anomalies
Wall-time regime shift: The number of jobs exceeding 300s jumped from 7 to 168. This is not explained by increased volume alone (total exits only doubled). Agents that previously completed in 60-180s are now routinely running 600-6,000s.
New permission rejection pattern: External directory auto-rejects went from 0 to 25. The meta-coordinator alone accounts for 10 of these. This suggests a configuration drift or a new agent behaviour attempting to write reports to
/opt/ai-dark-factory/reports/.Agent output gap: upstream-synchronizer had runs in previous window (1/1) but only 2/2 in current window with no failures. Low throughput but stable.
Rate-limit concentration on log-analyst: The log-analyst agent was rate-limited at least 5 times on 2026-04-08 alone. This creates a negative feedback loop where the agent tasked with monitoring fleet health cannot reliably query the health data source.
5. Top 3 Remediation Recommendations
R1. Investigate and cap wall-time outliers (Confidence: High — 0.92)
exit_class: timeoutand a clear signal.wall_time_secsto the orchestrator's spawn decision logic. If an agent's median wall time exceeds a threshold, stagger its schedule or reduce its parallelism.R2. Fix permission policy for report writers (Confidence: High — 0.88)
/opt/ai-dark-factory/reports/for agents that legitimately need to publish reports, or redirect report output to an approved workspace path (e.g.,/tmp/adf-reports/or a dedicated volume).R3. Classify unknown exit causes and add stderr capture (Confidence: High — 0.85)
agent exited: unknownto concrete classes by capturing the first 500 bytes of stderr when exit_code != 0 and no pattern matches. Common classes to detect:tool_missing,permission_denied,model_error,json_parse_failure,rate_limit.6. Agents Requiring Schedule Adjustment or Disablement
Appendix: Query Reference
Queries used for this analysis:
exit_code:>0— all failuressource:orchestrator AND message:"agent exited"— lifecycle eventssource:stderr AND message:external_directory— permission rejectionswall_time_secs:>300— runtime outliersmessage:"agent exited: rate_limit"— rate-limit exitsmessage:"agent exited: unknown"— unclassified failuresReport generated by Conduit (log-analyst) — PageRank workflow #46