authorPaul Buetow <paul@buetow.org>2026-05-30 10:08:52 +0300
committerPaul Buetow <paul@buetow.org>2026-05-30 10:08:52 +0300
commit23579dbdac320884bcdd670e46744b5f4ab45d5d (patch)
tree47c228cd136850cd08e3888e0ff94252d8a4649e
parent66fdd29a27af496091bbfff827d5e16d8f168798 (diff)
fix(family): classify seteuid/setegid as Process for consistency
classify.go has KindNull entries for sys_enter_seteuid/sys_enter_setegid, but family.go's FamilyProcess credential cluster omitted them, so ClassifySyscallFamily returned Misc — inconsistent with their siblings setuid/setgid/setresuid/setreuid/setfsuid. Add seteuid/setegid to the FamilyProcess group with a comment noting they are latent: current kernels expose no dedicated seteuid/setegid tracepoints (glibc wraps them over setreuid/setresuid), so they never reach the generated tracepoint map or docs/syscall-tracing-plan.md. mage generate confirmed idempotent with no diff, so docs/drift test are untouched. Lock-in unit tests assert Process for seteuid/setegid (enter+exit) by name directly, since no tracepoint exists. Refs task 620. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
-rw-r--r--internal/generate/family.go8
-rw-r--r--internal/generate/family_test.go16
2 files changed, 19 insertions, 5 deletions
diff --git a/internal/generate/family.go b/internal/generate/family.go
index 71ce724..fd61961 100644
--- a/internal/generate/family.go
+++ b/internal/generate/family.go
@@ -88,6 +88,14 @@ var syscallFamilies = map[string]SyscallFamily{
"setgroups": FamilyProcess, "setns": FamilyProcess, "setpgid": FamilyProcess,
"setpriority": FamilyProcess, "setregid": FamilyProcess, "setresgid": FamilyProcess,
"setresuid": FamilyProcess, "setreuid": FamilyProcess, "setrlimit": FamilyProcess,
+ // seteuid/setegid set the effective user/group ID (seteuid(2)) and belong
+ // with the rest of the credential-setting cluster (setuid/setgid/setresuid/
+ // setreuid/setfsuid) under Process. They are latent here: current kernels
+ // expose no dedicated seteuid/setegid tracepoints (glibc implements them as
+ // wrappers over setreuid/setresuid), so they never reach the generated
+ // tracepoint map or docs. Classified for consistency so that if such
+ // tracepoints ever appear they land in Process rather than falling to Misc.
+ "seteuid": FamilyProcess, "setegid": FamilyProcess,
"setsid": FamilyProcess, "setuid": FamilyProcess, "umask": FamilyProcess,
"unshare": FamilyProcess, "vfork": FamilyProcess, "vhangup": FamilyProcess,
"wait4": FamilyProcess, "waitid": FamilyProcess,
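Review bot: The added `"seteuid": FamilyProcess, "setegid": FamilyProcess,` line breaks the alphabetical order that the visible neighbours follow (setregid … setrlimit, then setsid, setuid); sorted, `setegid` and `seteuid` would sit ahead of `setgroups`, which is above this hunk. A duplicate key in a map literal is a compile error, so position has no functional cost, but a sorted list is what lets a reader confirm at a glance that no credential-changing syscall is missing from Process. The seven-line rationale could also shrink to one line such as `// seteuid/setegid: no kernel tracepoint today (libc wrappers over setreuid/setresuid); listed so they never fall to Misc.`, leaving the full reasoning to the commit message. The map literal starts and ends outside the hunk, so the ordering of the unseen entries is assumed from the visible ones.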
diff --git a/internal/generate/family_test.go b/internal/generate/family_test.go
index 50c8120..71f0d0d 100644
--- a/internal/generate/family_test.go
+++ b/internal/generate/family_test.go
@@ -210,13 +210,19 @@ func TestClassifySyscallFamily(t *testing.T) {
// setgid/setresgid/setregid/setfsgid/setgroups, and the matching credential
// readers getuid/geteuid/getgid/getegid/getresuid/getresgid/getgroups.
// Assert the cluster (enter and exit for setuid) so a stray
- // reclassification of any one credential syscall trips this test. Note:
- // seteuid/setegid have no dedicated kernel tracepoints (they are libc
- // wrappers over setreuid/setresuid), so they never reach this classifier
- // and are intentionally not asserted here. Keep in sync with the Process
- // list in docs/syscall-tracing-plan.md.
+ // reclassification of any one credential syscall trips this test.
+ // seteuid/setegid (set effective uid/gid) belong with the cluster too,
+ // but have no dedicated kernel tracepoints (they are libc wrappers over
+ // setreuid/setresuid), so they never reach the generated tracepoint map
+ // or docs/syscall-tracing-plan.md. They are still classified as Process
+ // in family.go for consistency, so assert them here by name directly
+ // (no tracepoint required) to lock in that latent classification.
{"sys_enter_setuid", FamilyProcess},
{"sys_exit_setuid", FamilyProcess},
+ {"sys_enter_seteuid", FamilyProcess},
+ {"sys_exit_seteuid", FamilyProcess},
+ {"sys_enter_setegid", FamilyProcess},
+ {"sys_exit_setegid", FamilyProcess},
{"sys_enter_setresuid", FamilyProcess},
{"sys_enter_setreuid", FamilyProcess},
{"sys_enter_setfsuid", FamilyProcess},
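Review bot: The rewritten comment drops the old reminder `Keep in sync with the Process list in docs/syscall-tracing-plan.md`, which applied to the whole credential cluster asserted here and not only to seteuid/setegid. The other cases (setuid, setresuid, setreuid, setfsuid and the readers named in the comment) presumably still have to match that document, so the reminder should stay with the exception spelled out, e.g. `// Keep in sync with the Process list in docs/syscall-tracing-plan.md (seteuid/setegid excepted: no tracepoint, so not listed there).` The four new table cases look fine as written. TestClassifySyscallFamily starts and ends outside the hunk.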