From 9310b54d439d4a1a8d4d337987aa63884df0af76 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Wed, 20 May 2026 11:38:19 +0300
Subject: feat: add syscall aggregate sampling infrastructure (task 17)

---
 internal/c/maps.h | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

(limited to 'internal/c/maps.h')

diff --git a/internal/c/maps.h b/internal/c/maps.h
index 665e4ff..79a1367 100644
--- a/internal/c/maps.h
+++ b/internal/c/maps.h
@@ -5,6 +5,21 @@ struct {
 __uint(max_entries, 1 << 24);
 } event_map SEC(".maps");
 
+struct syscall_enter_state {
+ __u64 start_ns;
+ __u32 enter_trace_id;
+ __u8 emit_event;
+};
+
+struct syscall_aggregate {
+ __u64 count;
+ __u64 errors;
+ __u64 total_duration_ns;
+ __u64 min_duration_ns;
+ __u64 max_duration_ns;
+ __u64 duration_histogram[8];
+};
+
 struct socketpair_ctx {
 __u64 usockvec;
 __s32 family;
@@ -37,3 +52,24 @@ struct {
 __type(key, __u32);
 __type(value, __s32);
 } eventfd_flags_map SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 32768);
+ __type(key, __u32);
+ __type(value, struct syscall_enter_state);
+} syscall_enter_state_map SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 4096);
+ __type(key, __u32);
+ __type(value, struct syscall_aggregate);
+} syscall_aggregate_map SEC(".maps");
+
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(max_entries, 4096);
+ __type(key, __u32);
+ __type(value, __u32);
+} syscall_sampling_rate_map SEC(".maps");
-- cgit v1.2.3
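Review bot: `struct syscall_enter_state` ends with a lone `__u8 emit_event` after a `__u64` and a `__u32`, so the compiler adds three bytes of unnamed tail padding. The programs that fill this value are not in this diff, but if they build it on the BPF stack field by field, those bytes are either rejected by the verifier as uninitialised or, if accepted, copied into a map that userspace can read. Make the padding explicit, e.g. `__u8 _pad[3]; /* keep the map value fully initialised */`, and zero the struct before populating it. Separately, `duration_histogram[8]` would read better with a named bucket count and a comment giving the bucket boundaries, and `min_duration_ns` needs a documented initial value, since a zero-filled new entry would otherwise pin the minimum at 0.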
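Review bot: `syscall_enter_state_map` is a plain `BPF_MAP_TYPE_HASH` capped at 32768 entries, so any entry whose matching exit never deletes it stays forever, and once the map is full, inserts fail and later syscalls go unrecorded. The enter/exit programs are outside this diff, but if the `__u32` key is a thread id, a workload with many threads or tasks that die mid-syscall can fill the map and leave a silent gap in the trace; consider `__uint(type, BPF_MAP_TYPE_LRU_HASH);` or at least count failed updates so the loss is visible. `syscall_aggregate_map` has a related concern: read-modify-write of `count` and `total_duration_ns` from several CPUs on one shared hash value loses updates unless the programs use atomic adds, so `BPF_MAP_TYPE_PERCPU_HASH` summed in userspace may fit better. A one-line comment above each of the three maps stating what the `__u32` key represents would also help, since the diff does not show it.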