feat(sigil): Add sigil.receiver and sigil.write components

sigil.receiver listens on POST /api/v1/generations:export and forwards
raw request bytes to one or more downstream GenerationsReceiver targets.

sigil.write implements GenerationsReceiver by forwarding to remote Sigil
ingest endpoints with configurable backoff/retry and tenant header
rewriting.

Both components are marked StabilityExperimental.

Author: alexander-akhmetov

.github/ISSUE_TEMPLATE/blank.yaml

@@ -199,6 +199,8 @@ body:
       - remote.kubernetes.secret
       - remote.s3
       - remote.vault
+      - sigil.receiver
+      - sigil.write
       # End components list
   - type: textarea
     attributes:

.github/ISSUE_TEMPLATE/bug_report.yaml

@@ -199,6 +199,8 @@ body:
       - remote.kubernetes.secret
       - remote.s3
       - remote.vault
+      - sigil.receiver
+      - sigil.write
       # End components list
   - type: textarea
     attributes:

.github/ISSUE_TEMPLATE/docs.yaml

@@ -202,6 +202,8 @@ body:
       - remote.kubernetes.secret
       - remote.s3
       - remote.vault
+      - sigil.receiver
+      - sigil.write
       # End components list
   - type: textarea
     id: feedback

.github/ISSUE_TEMPLATE/feature_request.yaml

@@ -199,6 +199,8 @@ body:
       - remote.kubernetes.secret
       - remote.s3
       - remote.vault
+      - sigil.receiver
+      - sigil.write
       # End components list
   - type: textarea
     attributes:

.github/ISSUE_TEMPLATE/proposal.yaml

@@ -199,6 +199,8 @@ body:
       - remote.kubernetes.secret
       - remote.s3
       - remote.vault
+      - sigil.receiver
+      - sigil.write
       # End components list
   - type: textarea
     attributes:

docs/sources/reference/components/sigil/_index.md

@@ -0,0 +1,12 @@
+---
+canonical: https://grafana.com/docs/alloy/latest/reference/components/sigil/
+description: Learn about the sigil components in Grafana Alloy
+title: sigil
+weight: 100
+---
+
+# `sigil`
+
+This section contains reference documentation for the `sigil` components.
+
+{{< section >}}

docs/sources/reference/components/sigil/sigil.receiver.md

@@ -0,0 +1,102 @@
+---
+canonical: https://grafana.com/docs/alloy/latest/reference/components/sigil/sigil.receiver/
+description: Learn about sigil.receiver
+labels:
+  stage: experimental
+  products:
+    - oss
+title: sigil.receiver
+---
+
+# `sigil.receiver`
+
+{{< docs/shared lookup="stability/experimental.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+`sigil.receiver` receives Sigil AI generation export requests over HTTP and forwards them to `sigil.write` components or other components capable of receiving generations.
+
+The component starts an HTTP server that accepts `POST /api/v1/generations:export` requests.
+Request and response bodies are forwarded as opaque bytes without deserialization.
+
+## Usage
+
+```alloy
+sigil.receiver "<LABEL>" {
+  forward_to = <RECEIVER_LIST>
+}
+```
+
+## Arguments
+
+You can use the following arguments with `sigil.receiver`:
+
+| Name            | Type                         | Description                                          | Default  | Required |
+| --------------- | ---------------------------- | ---------------------------------------------------- | -------- | -------- |
+| `forward_to`    | `list(GenerationsReceiver)`  | List of receivers to send generations to.            |          | yes      |
+| `max_request_body_size` | `string`               | Maximum allowed request body size (e.g. `"20MiB"`).  | `"20MiB"`| no       |
+
+## Blocks
+
+You can use the following blocks with `sigil.receiver`:
+
+{{< docs/alloy-config >}}
+
+| Block                  | Description                                        | Required |
+| ---------------------- | -------------------------------------------------- | -------- |
+| [`http`][http]         | Configures the HTTP server that receives requests. | no       |
+| `http` > [`tls`][tls] | Configures TLS for the HTTP server.                | no       |
+
+[http]: #http
+[tls]: #tls
+
+{{< /docs/alloy-config >}}
+
+### `http`
+
+{{< docs/shared lookup="reference/components/server-http.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls`
+
+The `tls` block configures TLS for the HTTP server.
+
+{{< docs/shared lookup="reference/components/server-tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+## Exported fields
+
+`sigil.receiver` doesn't export any fields.
+
+## Component health
+
+`sigil.receiver` is reported as unhealthy if it's given an invalid configuration.
+
+## Debug metrics
+
+| Metric                                          | Type      | Description                                          |
+| ----------------------------------------------- | --------- | ---------------------------------------------------- |
+| `sigil_receiver_requests_total`                 | Counter   | Total number of generation export requests received. |
+| `sigil_receiver_request_body_bytes_total`       | Counter   | Total bytes received in generation export requests.  |
+| `sigil_receiver_request_duration_seconds`       | Histogram | Duration of generation export request handling.      |
+
+## Example
+
+This example creates a `sigil.receiver` that listens on the default address and forwards generation records to a `sigil.write` component.
+
+```alloy
+sigil.receiver "default" {
+  forward_to = [sigil.write.default.receiver]
+}
+
+sigil.write "default" {
+  endpoint {
+    url = "https://sigil.grafana.net"
+
+    basic_auth {
+      username = env("SIGIL_USER")
+      password = env("SIGIL_API_KEY")
+    }
+
+    headers = {
+      "X-Scope-OrgID" = env("SIGIL_TENANT_ID"),
+    }
+  }
+}
+```

docs/sources/reference/components/sigil/sigil.write.md

@@ -0,0 +1,167 @@
+---
+canonical: https://grafana.com/docs/alloy/latest/reference/components/sigil/sigil.write/
+description: Learn about sigil.write
+labels:
+  stage: experimental
+  products:
+    - oss
+title: sigil.write
+---
+
+# `sigil.write`
+
+{{< docs/shared lookup="stability/experimental.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+`sigil.write` receives Sigil AI generation records from other components and forwards them to remote Sigil ingest endpoints.
+
+Request and response bodies are forwarded as opaque bytes without deserialization.
+When multiple `endpoint` blocks are provided, generation records are concurrently forwarded to all configured locations.
+
+You can specify multiple `sigil.write` components by giving them different labels.
+
+## Usage
+
+```alloy
+sigil.write "<LABEL>" {
+  endpoint {
+    url = "<SIGIL_URL>"
+  }
+}
+```
+
+## Arguments
+
+`sigil.write` has no top-level arguments.
+
+## Blocks
+
+You can use the following blocks with `sigil.write`:
+
+{{< docs/alloy-config >}}
+
+| Block                                              | Description                                                | Required |
+| -------------------------------------------------- | ---------------------------------------------------------- | -------- |
+| [`endpoint`][endpoint]                             | Location to send generations to.                           | no       |
+| `endpoint` > [`authorization`][authorization]      | Configure generic authorization to the endpoint.           | no       |
+| `endpoint` > [`basic_auth`][basic_auth]            | Configure `basic_auth` for authenticating to the endpoint. | no       |
+| `endpoint` > [`oauth2`][oauth2]                    | Configure OAuth 2.0 for authenticating to the endpoint.    | no       |
+| `endpoint` > `oauth2` > [`tls_config`][tls_config] | Configure TLS settings for connecting to the endpoint.     | no       |
+| `endpoint` > [`tls_config`][tls_config]            | Configure TLS settings for connecting to the endpoint.     | no       |
+
+[endpoint]: #endpoint
+[authorization]: #authorization
+[basic_auth]: #basic_auth
+[oauth2]: #oauth2
+[tls_config]: #tls_config
+
+{{< /docs/alloy-config >}}
+
+### `endpoint`
+
+The `endpoint` block describes a single location to send generation records to.
+Multiple `endpoint` blocks can be provided to fan out to multiple locations.
+
+The following arguments are supported:
+
+| Name                     | Type                | Description                                                                                      | Default   | Required |
+| ------------------------ | ------------------- | ------------------------------------------------------------------------------------------------ | --------- | -------- |
+| `url`                    | `string`            | Full URL of the Sigil ingest endpoint.                                                           |           | yes      |
+| `bearer_token_file`      | `string`            | File containing a bearer token to authenticate with.                                             |           | no       |
+| `bearer_token`           | `secret`            | Bearer token to authenticate with.                                                               |           | no       |
+| `enable_http2`           | `bool`              | Whether HTTP2 is supported for requests.                                                         | `true`    | no       |
+| `follow_redirects`       | `bool`              | Whether redirects returned by the server should be followed.                                     | `true`    | no       |
+| `headers`                | `map(string)`       | Extra headers to deliver with the request.                                                       |           | no       |
+| `http_headers`           | `map(list(secret))` | Custom HTTP headers to be sent along with each request. The map key is the header name.          |           | no       |
+| `max_backoff_period`     | `duration`          | Maximum backoff time between retries.                                                            | `"5m"`    | no       |
+| `max_backoff_retries`    | `int`               | Maximum number of retries. 0 to retry infinitely.                                                | `10`      | no       |
+| `min_backoff_period`     | `duration`          | Initial backoff time between retries.                                                            | `"500ms"` | no       |
+| `name`                   | `string`            | Optional name to identify the endpoint in metrics.                                               |           | no       |
+| `no_proxy`               | `string`            | Comma-separated list of IP addresses, CIDR notations, and domain names to exclude from proxying. |           | no       |
+| `proxy_connect_header`   | `map(list(secret))` | Specifies headers to send to proxies during CONNECT requests.                                    |           | no       |
+| `proxy_from_environment` | `bool`              | Use the proxy URL indicated by environment variables.                                            | `false`   | no       |
+| `proxy_url`              | `string`            | HTTP proxy to send requests through.                                                             |           | no       |
+| `remote_timeout`         | `duration`          | Timeout for requests made to the URL.                                                            | `"10s"`   | no       |
+| `tenant_id`              | `string`            | Tenant ID to use for `X-Scope-OrgID` header. Overrides the value from the incoming request.      |           | no       |
+
+At most, one of the following can be provided:
+
+* [`authorization`][authorization] block
+* [`basic_auth`][basic_auth] block
+* [`bearer_token_file`][endpoint] argument
+* [`bearer_token`][endpoint] argument
+* [`oauth2`][oauth2] block
+
+{{< docs/shared lookup="reference/components/http-client-proxy-config-description.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+Requests are retried on HTTP 429, 408, and 5xx responses with exponential backoff. Requests that receive other 4xx responses are not retried.
+
+### `authorization`
+
+{{< docs/shared lookup="reference/components/authorization-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `basic_auth`
+
+{{< docs/shared lookup="reference/components/basic-auth-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `oauth2`
+
+{{< docs/shared lookup="reference/components/oauth2-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+### `tls_config`
+
+{{< docs/shared lookup="reference/components/tls-config-block.md" source="alloy" version="<ALLOY_VERSION>" >}}
+
+## Exported fields
+
+The following fields are exported and can be referenced by other components:
+
+| Name       | Type       | Description                                                     |
+| ---------- | ---------- | --------------------------------------------------------------- |
+| `receiver` | `receiver` | A value that other components can use to send generations to.   |
+
+## Component health
+
+`sigil.write` is only reported as unhealthy if given an invalid configuration.
+In those cases, exported fields are kept at their last healthy values.
+
+## Debug metrics
+
+| Metric                                | Type      | Description                                                    |
+| ------------------------------------- | --------- | -------------------------------------------------------------- |
+| `sigil_write_sent_bytes_total`        | Counter   | Total number of bytes sent to Sigil endpoints.                 |
+| `sigil_write_dropped_bytes_total`     | Counter   | Total number of bytes dropped by Sigil write.                  |
+| `sigil_write_requests_total`          | Counter   | Total number of requests sent to Sigil endpoints.              |
+| `sigil_write_retries_total`           | Counter   | Total number of retries to Sigil endpoints.                    |
+| `sigil_write_latency`                 | Histogram | Write latency for sending generations to Sigil endpoints.      |
+
+All metrics include an `endpoint` label identifying the specific endpoint URL.
+
+## Example
+
+This example forwards generation records to two Sigil endpoints with different tenant IDs.
+
+```alloy
+sigil.write "default" {
+  endpoint {
+    url = "https://sigil.grafana.net"
+
+    basic_auth {
+      username = env("SIGIL_USER")
+      password = env("SIGIL_API_KEY")
+    }
+
+    headers = {
+      "X-Scope-OrgID" = env("SIGIL_TENANT_ID"),
+    }
+  }
+
+  endpoint {
+    url = "https://sigil-staging.internal"
+    tenant_id = "staging"
+  }
+}
+
+sigil.receiver "default" {
+  forward_to = [sigil.write.default.receiver]
+}
+```

internal/component/all/all.go

@@ -181,4 +181,6 @@ import (
 	_ "github.com/grafana/alloy/internal/component/remote/kubernetes/secret"                 // Import remote.kubernetes.secret
 	_ "github.com/grafana/alloy/internal/component/remote/s3"                                // Import remote.s3
 	_ "github.com/grafana/alloy/internal/component/remote/vault"                             // Import remote.vault
+	_ "github.com/grafana/alloy/internal/component/sigil/receiver"                           // Import sigil.receiver
+	_ "github.com/grafana/alloy/internal/component/sigil/write"                              // Import sigil.write
 )

internal/component/sigil/receiver/arguments.go

@@ -0,0 +1,21 @@
+package receiver
+
+import (
+	"github.com/alecthomas/units"
+	fnet "github.com/grafana/alloy/internal/component/common/net"
+	"github.com/grafana/alloy/internal/component/sigil"
+)
+
+type Arguments struct {
+	Server             *fnet.ServerConfig          `alloy:",squash"`
+	ForwardTo          []sigil.GenerationsReceiver `alloy:"forward_to,attr"`
+	MaxRequestBodySize units.Base2Bytes            `alloy:"max_request_body_size,attr,optional"`
+}
+
+// SetToDefault implements syntax.Defaulter.
+func (a *Arguments) SetToDefault() {
+	*a = Arguments{
+		Server:             fnet.DefaultServerConfig(),
+		MaxRequestBodySize: 20 * units.MiB,
+	}
+}