cel-programs
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chinesecel-programs
CEL程序开发
When to use
使用场景
Use this skill when tasks include:
- creating or editing agent stream templates
cel.yml.hbs - configuring data stream manifests for the input type
cel - writing CEL programs with pagination, cursor management, or authentication
- testing or debugging a CEL program locally with mito
- setting up system tests with mock APIs for CEL-based data streams
- prototyping a new CEL-based data stream's collection logic
- any CEL or mito question, regardless of context
当任务包含以下内容时,请使用此技能:
- 创建或编辑agent流模板
cel.yml.hbs - 为输入类型配置数据流manifest
cel - 编写包含分页、游标管理或认证逻辑的CEL程序
- 使用mito在本地测试或调试CEL程序
- 为基于CEL的数据流设置带模拟API的系统测试
- 为新的基于CEL的数据流的收集逻辑制作原型
- 任何CEL或mito相关问题,无论上下文如何
When not to use
非使用场景
Do not use this skill as the primary guide for:
- ingest pipeline processor design ()
ingest-pipelines - ECS field mapping ()
ecs-field-mappings - package scaffolding ()
create-integration - system test execution with the Elastic stack (→
integration-testing)references/system-testing.md
请勿将此技能作为以下工作的主要指南:
- 摄入管道处理器设计()
ingest-pipelines - ECS字段映射()
ecs-field-mappings - 包脚手架搭建()
create-integration - 使用Elastic栈执行系统测试(→
integration-testing)references/system-testing.md
Mandatory workflow — mock → mito → template
强制工作流 — 模拟 → mito → 模板
This is not a suggestion. Every CEL program MUST be developed in this order. The subagent must not write until the CEL program has been validated with mito against a running mock. Skipping steps or reordering causes failures that are hard to debug.
cel.yml.hbsDo NOT write more than ~10–15 new lines of CEL before running mito. Build the program incrementally in phases (skeleton → error handling → event mapping → pagination → cursor guard), validating with mito after each phase. Writing a large program in one shot leads to cascading compilation errors that are extremely hard to debug. Follow the phased approach in .
references/cel-incremental-build.md| Step | Action | Output |
|---|---|---|
| 1. Create the system test mock | Write the | Mock config file, docker-compose service, test config |
| 2. Start the mock locally | | Running mock at |
3. Create a plain | Write the CEL program as a standalone | |
| 4. Run mito and iterate | Build incrementally per | Validated CEL program |
5. ONLY THEN write | Copy the working CEL expression into | Final integration template |
Step 3 detail — translating template vars to mito state: When the future will have a block like and , the for mito testing uses the same key names with literal test values:
cel.yml.hbsstate:api_key: {{api_key}}batch_size: {{batch_size}}state.jsonjson
{
"url": "http://localhost:8090",
"api_key": "test-key",
"batch_size": 50,
"initial_interval": "24h"
}This mirrors the runtime state the CEL input would provide. Add to test subsequent-run behavior.
cursorFor the full mock-first workflow details, CLI flags, execution model, and quality standards: load .
references/mito-reference.md这不是建议。每个CEL程序都必须按照此顺序开发。 在CEL程序通过mito针对运行中的模拟环境验证之前,子代理不得编写。跳过步骤或更改顺序会导致难以调试的故障。
cel.yml.hbs在运行mito之前,请勿编写超过约10-15行新的CEL代码。 分阶段逐步构建程序(框架 → 错误处理 → 事件映射 → 分页 → 游标防护),每个阶段后使用mito验证。一次性编写大型程序会导致级联编译错误,极难调试。请遵循中的分阶段方法。
references/cel-incremental-build.md| 步骤 | 操作 | 输出 |
|---|---|---|
| 1. 创建系统测试模拟环境 | 在 | 模拟配置文件、docker-compose服务、测试配置 |
| 2. 启动本地模拟环境 | | 在 |
3. 创建纯 | 将CEL程序编写为独立的 | |
| 4. 运行mito并迭代 | 按照 | 已验证的CEL程序 |
5. 仅在此时编写 | 将可运行的CEL表达式复制到Handlebars模板的 | 最终集成模板 |
步骤3细节 — 将模板变量转换为mito状态: 当未来的将包含块(如和)时,用于mito测试的使用相同的键名和字面测试值:
cel.yml.hbsstate:api_key: {{api_key}}batch_size: {{batch_size}}state.jsonjson
{
"url": "http://localhost:8090",
"api_key": "test-key",
"batch_size": 50,
"initial_interval": "24h"
}这与CEL输入将提供的运行时状态一致。添加以测试后续运行行为。
cursor有关完整的先模拟后开发工作流细节、CLI标志、执行模型和质量标准:加载。
references/mito-reference.mdcel.yml.hbs template anatomy
cel.yml.hbs模板结构
The file at is a Handlebars template that renders the final CEL input configuration. It has these sections in order:
cel.yml.hbsdata_stream/<stream>/agent/stream/cel.yml.hbsyaml
interval: {{interval}}
resource.tracer:
enabled: {{enable_request_tracer}}
filename: "../../logs/cel/http-request-trace-*.ndjson"
maxbackups: 5
{{#if proxy_url}}
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
resource.ssl: {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: <constructed from vars>
state:
<credentials and pagination config from vars>
redact:
fields:
- <sensitive state keys>
max_executions: <number, for heavy pagination>
program: |
<CEL expression>
tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{processors}}
{{/if}}位于的文件是一个Handlebars模板,用于渲染最终的CEL输入配置。它按顺序包含以下部分:
data_stream/<stream>/agent/stream/cel.yml.hbscel.yml.hbsyaml
interval: {{interval}}
resource.tracer:
enabled: {{enable_request_tracer}}
filename: "../../logs/cel/http-request-trace-*.ndjson"
maxbackups: 5
{{#if proxy_url}}
resource.proxy_url: {{proxy_url}}
{{/if}}
{{#if ssl}}
resource.ssl: {{ssl}}
{{/if}}
{{#if http_client_timeout}}
resource.timeout: {{http_client_timeout}}
{{/if}}
resource.url: <constructed from vars>
state:
<credentials and pagination config from vars>
redact:
fields:
- <sensitive state keys>
max_executions: <number, for heavy pagination>
program: |
<CEL expression>
tags:
{{#if preserve_original_event}}
- preserve_original_event
{{/if}}
{{#each tags as |tag|}}
- {{tag}}
{{/each}}
{{#contains "forwarded" tags}}
publisher_pipeline.disable_host: true
{{/contains}}
{{#if processors}}
processors:
{{processors}}
{{/if}}Handlebars patterns
Handlebars模式
| Pattern | Purpose |
|---|---|
| Direct variable substitution |
| Conditional block for optional config |
| Iteration over list vars |
| Check if list contains value |
| 模式 | 用途 |
|---|---|
| 直接变量替换 |
| 可选配置的条件块 |
| 遍历列表变量 |
| 检查列表是否包含指定值 |
Key template fields
关键模板字段
- — base URL, often constructed from multiple vars (e.g.,
resource.url){{url}}/api/v1/endpoint - (ga 8.18.1) — static headers the same for every request (
resource.headers,Content-Type, API version headers). Set here rather than in-program when headers never vary. Applied before auth headers.Accept - — block where manifest vars are injected as CEL state; credentials and pagination settings go here
state: - — list state keys containing secrets to redact from debug logs
redact.fields - — override default 1000 for integrations with heavy pagination (e.g., 5000)
max_executions - — the CEL expression; must be a YAML literal block scalar
program: |
- — 基础URL,通常由多个变量构造(例如
resource.url){{url}}/api/v1/endpoint - (ga 8.18.1) — 每个请求都相同的静态头(
resource.headers、Content-Type、API版本头)。当头从不变化时,在此处设置而非在程序中设置。在认证头之前应用。Accept - — 将manifest变量注入为CEL状态的块;凭证和分页设置放在此处
state: - — 包含敏感信息的状态键列表,将从调试日志中脱敏
redact.fields - — 为具有大量分页的集成覆盖默认值1000(例如5000)
max_executions - — CEL表达式;必须是YAML字面块标量
program: |
Do NOT set data_stream.dataset
in integration packages
data_stream.dataset请勿在集成包中设置data_stream.dataset
data_stream.datasetIntegration packages () must never include in or define a manifest var. The framework automatically routes documents to the correct data stream. Setting overrides this routing and causes documents to land in the wrong index — typically resulting in "0 hits" during system tests.
type: integrationdata_stream.datasetcel.yml.hbsdata_stream.datasetdata_stream.datasetOnly input-type packages () use because they have no predefined data streams.
type: inputdata_stream.dataset集成包()必须绝不在中包含,也不得定义 manifest变量。框架会自动将文档路由到正确的数据流。设置会覆盖此路由,导致文档进入错误的索引——通常会在系统测试中导致“0命中”。
type: integrationcel.yml.hbsdata_stream.datasetdata_stream.datasetdata_stream.dataset只有输入类型包()使用,因为它们没有预定义的数据流。
type: inputdata_stream.datasetData stream manifest configuration
数据流manifest配置
The data stream defines the CEL input stream and its variables.
manifest.yml数据流定义了CEL输入流及其变量。
manifest.ymlStandard vars every CEL stream should include
每个CEL流应包含的标准变量
| Var | Type | Purpose |
|---|---|---|
| text | API base URL |
| text | Polling interval (e.g., |
| text | Lookback window on first run (e.g., |
| bool | Enable HTTP request tracing |
| text | Request timeout (e.g., |
| text | HTTP proxy URL |
| yaml | TLS configuration |
| text (multi) | Event tags |
| bool | Keep original event |
| yaml | Beat processors |
Auth-specific vars depend on the API (API key, OAuth client_id/secret/token_url, bearer token, etc.).
Declare in the data stream manifest, not at the input level. Input-level tracing enables logging for all data streams in the policy.
enable_request_tracer| 变量 | 类型 | 用途 |
|---|---|---|
| 文本 | API基础URL |
| 文本 | 轮询间隔(例如 |
| 文本 | 首次运行的回溯窗口(例如 |
| 布尔值 | 启用HTTP请求追踪 |
| 文本 | 请求超时(例如 |
| 文本 | HTTP代理URL |
| yaml | TLS配置 |
| 文本(多值) | 事件标签 |
| 布尔值 | 保留原始事件 |
| yaml | Beat处理器 |
认证相关变量取决于API(API密钥、OAuth client_id/secret/token_url、Bearer令牌等)。
在数据流manifest中声明,而非在输入级别。输入级别追踪会启用策略中所有数据流的日志记录。
enable_request_tracerPackage-level vs data-stream-level vars
包级别与数据流级别变量
- Package-level vars in the root under
manifest.yml: shared across streams (e.g.,policy_templates[].inputs[].vars, auth credentials)url - Data-stream-level vars in under
data_stream/<stream>/manifest.yml: stream-specific (e.g.,streams[].vars,interval,batch_size)initial_interval
- 包级别变量:位于根的
manifest.yml下;在所有流之间共享(例如policy_templates[].inputs[].vars、认证凭证)url - 数据流级别变量:位于的
data_stream/<stream>/manifest.yml下;特定于流(例如streams[].vars、interval、batch_size)initial_interval
Scope of the CEL program
CEL程序的职责范围
The CEL program's responsibility is data collection only:
- Fetch data from the API endpoint(s)
- Handle pagination — walk through all pages within a single polling cycle
- Manage cursor state — store timestamps or page tokens in so the next polling interval resumes where the last one left off, avoiding re-collection of already-fetched events
cursor - Emit raw events — output for each record
{"message": e.encode_json()}
The CEL program does not handle:
- Elasticsearch-level deduplication — if overlapping time windows cause a few duplicate events to be collected, that is acceptable. The ingest pipeline or Elasticsearch routing handles dedup at index time, not the CEL program.
_id - Field mapping or transformation — the ingest pipeline handles parsing, ECS mapping, and enrichment.
- Filtering by content — unless the API supports server-side filtering parameters, do not filter events in the CEL program. Emit everything and let the pipeline decide.
Do not search the codebase for , , or deduplication patterns. These are not CEL concerns.
_iddocument_idCEL程序的职责仅为数据收集:
- 从API端点获取数据
- 处理分页 — 在单个轮询周期内遍历所有页面
- 管理游标状态 — 在中存储时间戳或页面令牌,以便下一个轮询间隔从上次结束的位置继续,避免重新收集已获取的事件
cursor - 输出原始事件 — 为每条记录输出
{"message": e.encode_json()}
CEL程序不处理:
- Elasticsearch级别去重 — 如果重叠时间窗口导致收集到少量重复事件,这是可接受的。摄入管道或Elasticsearch的路由会在索引时处理去重,而非CEL程序。
_id - 字段映射或转换 — 摄入管道处理解析、ECS映射和 enrichment。
- 按内容过滤 — 除非API支持服务器端过滤参数,否则请勿在CEL程序中过滤事件。输出所有内容,让管道决定。
请勿在代码库中搜索、或去重模式。这些不属于CEL的职责范围。
_iddocument_idCEL program structure patterns
CEL程序结构模式
Pagination strategy selection
分页策略选择
| API behavior | Pattern | Key indicators |
|---|---|---|
| Returns total count + supports offset | Offset pagination | |
| Returns records since a timestamp | Timestamp cursor | Time-range params, no explicit page tokens |
Returns | Link header | |
| Returns next-page URL in response body | Next-URL | |
GraphQL with | GraphQL cursor | |
| Multi-phase subscription/content flow | Multi-step state machine | Multiple API calls with work queues in state |
Cursor timestamp selection — use the last record's timestamp when the API sorts ascending; first when descending; with a regression guard when sort order is not guaranteed.
max()Full code, package references, and YAML snippets for each pattern: .
references/cel-pagination-patterns.md| API行为 | 模式 | 关键指标 |
|---|---|---|
| 返回总数 + 支持偏移量 | 偏移量分页 | 请求/响应中的 |
| 返回时间戳之后的记录 | 时间戳游标 | 时间范围参数,无显式页面令牌 |
返回带有下一页URL的 | Link头 | 响应头中的 |
| 在响应体中返回下一页URL | 下一页URL | JSON中的 |
带有 | GraphQL游标 | |
| 多阶段订阅/内容流 | 多步骤状态机 | 状态中包含工作队列的多个API调用 |
游标时间戳选择 — 当API按升序排序时,使用最后一条记录的时间戳;按降序排序时使用第一条;当排序顺序不保证时,使用并添加回归防护。
max()每个模式的完整代码、包引用和YAML片段:。
references/cel-pagination-patterns.mdAuthentication patterns
认证模式
Three strategies: header (credentials in , passed via map), query parameter (credentials appended to URL via ), signed query (HMAC signature computed in CEL). Config-level // applies to all requests including ; / applies only to direct calls (, ). Prefer input-level auth over in-program token fetching.
state:Header.format_query()auth.oauth2auth.digestauth.aws.do_request()auth.basicauth.tokenget()post()For full code examples, optional-header syntax, and config-level auth scope details: load .
references/cel-auth-patterns.md三种策略:头认证(凭证在中,通过映射传递)、查询参数认证(凭证通过附加到URL)、签名查询认证(在CEL中计算HMAC签名)。配置级别的//适用于所有请求,包括;/仅适用于直接调用(、)。优先使用输入级认证而非程序内令牌获取。
state:Header.format_query()auth.oauth2auth.digestauth.aws.do_request()auth.basicauth.tokenget()post()有关完整代码示例、可选头语法和配置级认证范围细节:加载。
references/cel-auth-patterns.mdState management rules
状态管理规则
- is populated from
state.urlconfig; must be preserved in output or hardcodedresource.url - is the only state persisted across input restarts; store pagination positions and timestamps here
cursor - array is removed after each evaluation; never rely on it in subsequent runs
events - triggers immediate re-evaluation, but only if
want_more: trueis non-empty. Pagination continuation guardrail: when a next-page cursor/token exists, always seteventsregardless of how many events were collected on the current page. Tyingwant_more: truetowant_morestalls pagination silently — the next cursor is valid, and an emptysize(events) > 0array is safe to emit. The correct pattern isevents."want_more": next_cursor != "" - All other state keys are retained within a session but lost on restart — use to propagate them automatically
state.with() - Numbers are serialized as floats in state JSON; cast with when using as integers
int() - Optional access with prevents errors when cursor is absent
state.?cursor.last_timestamp.orValue(default) - Secrets — every sensitive field in must have a corresponding
stateentry.redactis always redacted automatically. Whenstate.secret(ga 9.4.0) is available, prefer it.secret_state - Cursor updates require a published event — the input only persists cursor updates when at least one event is published. If a program updates the cursor but returns zero events, the cursor change is lost.
- Do not duplicate request/response handling across branches — when an initialization branch (cursor creation, subscription, token exchange) and a steady-state branch both need the same fetch logic, consolidate it. Two approaches: split the init into a separate evaluation via (Technique 6 Variant A), or use an intermediate result map to unify the branches within one evaluation (Variant B). Both are valid — see
want_more: trueTechnique 6 and the init-then-steady-state pattern inreferences/cel-code-style.md.references/cel-pagination-patterns.md - Nesting depth — chain depth must not exceed 5 levels on any execution path. HTTP programs must target 2 levels inside
.as()(state.with()+resp). Cursor defaults, window bounds, and page tokens must be extracted as pre-bindings beforebody. Single-use values such asstate.with()must be inlined at the call site, not wrapped inint(state.batch_size). Load.as()for flattening techniques and before/after examples.references/cel-code-style.md
- 由
state.url配置填充;必须在输出中保留或硬编码resource.url - 是输入重启后唯一持久化的状态;在此存储分页位置和时间戳
cursor - 数组在每次评估后被移除;切勿在后续运行中依赖它
events - 触发立即重新评估,但仅当
want_more: true非空时。分页继续防护: 当存在下一页游标/令牌时,无论当前页收集了多少事件,始终设置events。将want_more: true与want_more关联会导致分页静默停滞——下一个游标是有效的,空的size(events) > 0数组可以安全输出。正确的模式是events。"want_more": next_cursor != "" - 所有其他状态键 在会话内保留,但重启后丢失——使用自动传播它们
state.with() - 数字 在状态JSON中序列化为浮点数;当用作整数时,使用转换
int() - 可选访问 使用可防止游标不存在时出错
state.?cursor.last_timestamp.orValue(default) - 敏感信息 — 中的每个敏感字段都必须有对应的
state条目。redact始终自动脱敏。当state.secret(ga 9.4.0)可用时,优先使用它。secret_state - 游标更新需要发布事件 — 只有当至少发布一个事件时,输入才会持久化游标更新。如果程序更新了游标但返回零事件,游标更改将丢失。
- 请勿在分支间重复请求/响应处理 — 当初始化分支(游标创建、订阅、令牌交换)和稳态分支都需要相同的获取逻辑时,将其合并。两种方法:通过将初始化拆分为单独的评估(技术6变体A),或使用中间结果映射在一次评估内统一分支(变体B)。两种方法均有效——请参阅
want_more: true中的技术6和references/cel-code-style.md中的初始化后稳态模式。references/cel-pagination-patterns.md - 嵌套深度 — 在任何执行路径上,链的深度不得超过5级。HTTP程序必须在
.as()内控制在2级(state.with()+resp)。游标默认值、窗口边界和页面令牌必须在body之前提取为预绑定。单次使用的值(如state.with())必须内联在调用点,而非包装在int(state.batch_size)中。加载.as()以获取扁平化技术和前后示例。references/cel-code-style.md
Map merge and field removal
映射合并与字段移除
with()with_replace()with_update()drop()with()references/cel-code-style.mdwith()with_replace()with_update()drop()with()references/cel-code-style.mdEvent output format
事件输出格式
Events must contain ONLY — . Do not set or any other field; the framework adds , and duplicates cause silent document rejection in ES 9.x. See for correct/incorrect examples.
"message"{"message": e.encode_json()}@timestamp@timestampreferences/cel-idioms.md事件必须仅包含 — 。请勿设置或任何其他字段;框架会添加,重复设置会导致ES 9.x中静默拒绝文档。有关正确/错误示例,请参阅。
"message"{"message": e.encode_json()}@timestamp@timestampreferences/cel-idioms.mdResponse handling
响应处理
resp.Body.decode_json()bytes(resp.Body)resp.Body.decode_json()resp.Body.decode_json()bytes(resp.Body)resp.Body.decode_json()Error handling
错误处理
Every CEL program must handle HTTP errors. Two forms:
- Single-object error (retry): — logs at ERROR, sets degraded status, deletes the cursor so the next evaluation retries. Use when data was not collected.
"events": {"error": {...}} - Array error (advance): — cursor is updated. Use when the program should advance past the error. Requires a
"events": [{"error": {...}}]processor in the ingest pipeline (ES 8.16.0+).terminate
Error message format: . Code examples: .
"METHOD path: body-or-status"references/cel-idioms.md每个CEL程序都必须处理HTTP错误。两种形式:
- 单对象错误(重试): — 在ERROR级别记录日志,设置降级状态,删除游标以便下一次评估重试。当未收集到数据时使用。
"events": {"error": {...}} - 数组错误(推进): — 游标会被更新。当程序应跳过错误继续时使用。需要摄入管道中的
"events": [{"error": {...}}]处理器(ES 8.16.0+)。terminate
错误消息格式:。代码示例:。
"METHOD path: body-or-status"references/cel-idioms.mdPlaceholder events
占位符事件
When advancing the cursor with no real events, emit a placeholder () and add a entry in the section so it is discarded before indexing. Full pattern and alternatives: .
[{"retry": true}]- drop_event.when.equals.retry: trueprocessors:references/cel-idioms.md当没有真实事件但需要推进游标时,输出占位符()并在部分添加条目,以便在索引前将其丢弃。完整模式和替代方案:。
[{"retry": true}]processors:- drop_event.when.equals.retry: truereferences/cel-idioms.mdRate limiting and retry
速率限制与重试
Do NOT implement rate limiting or retry logic in the CEL program. No calls, no state propagation, no 429-specific branches, no retry loops. These add excessive nesting and complexity for marginal benefit.
rate_limit()"rate_limit"When an API has a documented rate limit, use config-only YAML settings in :
cel.yml.hbsyaml
resource.rate_limit.limit: 10 # max requests per second
resource.rate_limit.burst: 5 # max burst above sustained rateWhen custom retry behavior is needed, use config-only YAML settings:
yaml
resource.retry.max_attempts: 5 # default: 5
resource.retry.wait_min: 1s # default: 1s
resource.retry.wait_max: 60s # default: 60sThe input framework enforces both transparently. See for guidance on when to add these settings.
references/cel-rate-limiting.md请勿在CEL程序中实现速率限制或重试逻辑。 不要调用,不要传播状态,不要处理429特定分支,不要使用重试循环。这些会增加过多的嵌套和复杂性,而收益甚微。
rate_limit()"rate_limit"当API有文档化的速率限制时,在中使用仅配置的YAML设置:
cel.yml.hbsyaml
resource.rate_limit.limit: 10 # 每秒最大请求数
resource.rate_limit.burst: 5 # 超过持续速率的最大突发请求数当需要自定义重试行为时,使用仅配置的YAML设置:
yaml
resource.retry.max_attempts: 5 # 默认值:5
resource.retry.wait_min: 1s # 默认值:1s
resource.retry.wait_max: 60s # 默认值:60s输入框架会透明地执行这些设置。有关何时添加这些设置的指南,请参阅。
references/cel-rate-limiting.mdType safety
类型安全
Avoid — defeats type checking. Rarely needed in practice.
dyn()All numbers are float64 — the CEL input transmits all numbers as . Numbers >=1e7 render in scientific notation in Elasticsearch. Convert intended-integer fields to strings in the CEL program or via ingest pipeline. Safe integer range: [-(2^53 - 1), 2^53 - 1].
float64避免使用 — 会破坏类型检查。实际上很少需要。
dyn()所有数字都是float64 — CEL输入将所有数字作为传输。大于等于1e7的数字在Elasticsearch中会以科学计数法显示。在CEL程序或摄入管道中将预期为整数的字段转换为字符串。安全整数范围:[-(2^53 - 1), 2^53 - 1]。
float64Debugging aids
调试工具
- — logs to
debug(tag, value)at DEBUG level.cel_debug - /
try(expr)— structured error handling without crashing the program.is_error(value) - (ga 8.18.0) — full evaluation state dump on failure. Note: dumps may contain secrets.
failure_dump - (ga 9.2) — how many evaluations remain in the
remaining_executionsbudget.max_executions
- — 在DEBUG级别记录到
debug(tag, value)。cel_debug - /
try(expr)— 结构化错误处理,不会导致程序崩溃。is_error(value) - (ga 8.18.0) — 失败时转储完整评估状态。注意:转储可能包含敏感信息。
failure_dump - (ga 9.2) —
remaining_executions预算中剩余的评估次数。max_executions
Mito CLI
Mito CLI
Mito () is the local CEL evaluation CLI. A CEL program that has not been tested with mito is not acceptable. Follow the mandatory workflow at the top of this skill: mock → mito → template. Do NOT write until the program passes mito validation.
github.com/elastic/mitocel.yml.hbsFor installation, CLI flags, input state structure, execution model, the full mock-first workflow steps, mito→integration mapping, and quality standards: load .
references/mito-reference.mdMito()是本地CEL评估CLI。未通过mito测试的CEL程序是不可接受的。 请遵循本技能顶部的强制工作流:模拟 → mito → 模板。在程序通过mito验证之前,请勿编写。
github.com/elastic/mitocel.yml.hbs有关安装、CLI标志、输入状态结构、执行模型、完整的先模拟后开发工作流步骤、mito到集成的映射以及质量标准:加载。
references/mito-reference.mdData anonymization
数据匿名化
All data committed to the repository must be fully anonymized. This applies to default values in manifest vars (use ), example values in CEL state, mock API responses, pipeline test fixtures from CEL output, and sample payloads captured during mito prototyping.
https://api.example.comRefer to the skill for the full anonymization policy and placeholder conventions.
anonymize-logs提交到仓库的所有数据必须完全匿名化。 这适用于manifest变量中的默认值(使用)、CEL状态中的示例值、模拟API响应、CEL输出的管道测试 fixture,以及mito原型制作期间捕获的示例负载。
https://api.example.com有关完整的匿名化策略和占位符约定,请参阅技能。
anonymize-logsHandoff to other skills
移交到其他技能
- →
integration-testingto run system tests (the mock API is already in place from CEL development)references/system-testing.md - →
integration-testingto validate ingest pipeline behavior on CEL-produced eventsreferences/pipeline-testing.md - skill for overall package layout
create-integration
- →
integration-testing运行系统测试(CEL开发阶段已准备好模拟API)references/system-testing.md - →
integration-testing验证摄入管道对CEL生成事件的处理行为references/pipeline-testing.md - 技能用于整体包布局
create-integration
Reference files
参考文件
IMPORTANT: These reference files contain the actual working code examples and patterns. The summaries above are not sufficient to write correct CEL programs — you MUST load the relevant references before writing code.
Always load these five when building a CEL program — in this order (mock/mito before templates):
| File | Contains | Load order |
|---|---|---|
| Mock API setup with elastic/stream, docker-compose config, rule format, variable-capture patterns, GraphQL mock examples, hit_count calculation, and debugging 0-hits failures | 1st — you need this before writing any CEL |
| Mandatory phased build ladder (skeleton → error handling → events → pagination → cursor), syntax anti-patterns that cause compilation failures ( | 2nd — you MUST follow this phased approach; do not write the full program before validating a skeleton |
| Mito CLI flags, input state structure, mock-first workflow, translating template vars to state.json, extension library quick-reference, syntax pitfalls, testscript harness | 3rd — you need this to develop and validate the program |
| Complete working | 4th — only needed at step 5 of the workflow |
| Nesting discipline: the 3-level HTTP core rule, six flattening/structuring techniques (including intermediate result maps for shared logic), shallow merge semantics, cursor namespacing with clobber, merge strategies ( | 5th — read this before writing your CEL program so structure is right from the start |
Load these based on the task:
| File | Load when |
|---|---|
| Writing any pagination logic — all 6 patterns with code |
| Implementing authentication — header, query param, signed, and config-level auth patterns |
| Rate limiting policy — config-only approach, when to add |
| Quick-reference for common idioms, HTTP request patterns, structure conventions |
| Choosing between pure-CEL, mito lib, and config approaches for auth, headers, rate limiting — version-tagged |
| Expression-specific reference: interface contract, translation framing (Python→CEL), incremental build phases, core structure, event output, error handling, pagination, state management, syntax rules, quality checklist |
| Taxonomy classification: pagination and state management classes, least-complexity principle, mapping to skill vocabulary, how to classify from test-api.py |
| Per-pattern-class complexity baselines from a ceplx survey of 316 programs, skip threshold, reviewer challenge examples, diagnostic interpretation |
| Subagent operating manual for the cel-expression-builder: translates test-api.py into a validated |
| Subagent operating manual for the cel-expression-reviewer: checks generated CEL against complexity baselines and source fidelity, produces specific challenges or accepts |
| Looking up available CEL functions per extension and their first mito version |
| Subagent operating manual for the cel-program-builder orchestrator: scope boundaries, skill-load sequence, the 9-step mock-first / mito-incremental workflow with mock completeness gate, delegation to cel-expression-builder, reporting contract. The orchestrator dispatches subagents by passing this file's path in the task prompt; the subagent reads it itself in its own fresh context. Do NOT embed/paste its contents into the task prompt. |
重要提示:这些参考文件包含实际可运行的代码示例和模式。上面的摘要不足以编写正确的CEL程序——在编写代码之前,必须加载相关参考文件。
构建CEL程序时,请始终按以下顺序加载这五个文件(先模拟/mito,后模板):
| 文件 | 包含内容 | 加载顺序 |
|---|---|---|
| 使用elastic/stream设置模拟API、docker-compose配置、规则格式、变量捕获模式、GraphQL模拟示例、hit_count计算,以及调试0命中故障 | 第1个 — 在编写任何CEL之前需要此文件 |
| 强制分阶段构建步骤(框架 → 错误处理 → 事件 → 分页 → 游标)、导致编译失败的语法反模式( | 第2个 — 必须遵循此分阶段方法;在验证框架之前请勿编写完整程序 |
| Mito CLI标志、输入状态结构、先模拟后开发工作流、将模板变量转换为state.json、扩展库快速参考、语法陷阱、testscript工具 | 第3个 — 需要此文件来开发和验证程序 |
| 完整可运行的 | 第4个 — 仅在工作流的步骤5中需要 |
| 嵌套规范:3级HTTP核心规则、六种扁平化/结构化技术(包括用于共享逻辑的中间结果映射)、浅合并语义、使用覆盖的游标命名空间、合并策略( | 第5个 — 在编写CEL程序之前阅读此文件,确保从一开始结构就正确 |
根据任务加载以下文件:
| 文件 | 加载时机 |
|---|---|
| 编写任何分页逻辑时 — 包含所有6种模式的代码 |
| 实现认证时 — 头、查询参数、签名和配置级认证模式 |
| 速率限制策略 — 仅配置方法、何时添加 |
| 常见习语、HTTP请求模式、结构约定的快速参考 |
| 为认证、头、速率限制选择纯CEL、mito库和配置方法 — 带版本标记 |
| 表达式特定参考:接口契约、翻译框架(Python→CEL)、分阶段构建步骤、核心结构、事件输出、错误处理、分页、状态管理、语法规则、质量检查表 |
| 分类学分类:分页和状态管理类别、最低复杂度原则、与技能词汇的映射、如何通过test-api.py分类 |
| 基于316个程序的ceplx调查得出的每个模式类别的复杂度基线、跳过阈值、评审挑战示例、诊断解释 |
| cel-expression-builder子代理操作手册:将test-api.py转换为已验证的 |
| cel-expression-reviewer子代理操作手册:检查生成的CEL是否符合复杂度基线和源保真度,生成特定挑战或接受 |
| 查找每个扩展可用的CEL函数及其首个mito版本 |
| cel-program-builder编排器子代理操作手册:范围边界、技能加载序列、带模拟完整性门的9步先模拟后开发/mito分阶段工作流、委托给cel-expression-builder、报告契约。编排器通过在任务提示中传递此文件的路径来调度子代理;子代理在自己的新上下文中自行读取它。请勿将其内容嵌入/粘贴到任务提示中。 |