Advanced tag-based targeting #738

@zhuoyuan-liu

Description

Update tagging and distributed query system to support advanced tag-based targeting: include/any (OR), all (AND), combinations using a simple query language; improve performance by optimizing query execution when related files change. We would like to implement the change in several steps. The MVP would be the following user story:

User Story 1 - Run Query to Nodes Matching ANY of Several Tags

As an operator I can run a distributed query to all nodes that have at least one of a set of specified tags (logical OR) so I can quickly scope incident response without crafting multiple separate queries.

Why this priority: Delivers immediate operational value and reduces time-to-action in investigations.

Acceptance Scenarios:

  1. Given nodes tagged prod, pci, dev and an operator submits a query with expression prod OR pci, When dispatch occurs, Then only nodes with prod or pci receive task records.
  2. Given no nodes have any of the requested tags, When the query is submitted, Then system records 0 targeted nodes and returns success without error.

Summary

Implement advanced tag expression parsing (AND/OR, parentheses, precedence) for distributed query targeting, preview capability with counts and sample, transactional dispatch re-evaluation, tag management CRUD & batch operations, and performance/observability instrumentation.

Expression Rules

  • Operators: AND, OR (uppercase or lowercase) and parentheses.
  • AND precedence > OR.
  • Max tokens: 50, Max depth: 6.
  • NOT unsupported (will error).
  • Tags normalized to lowercase.

Example expression: (prod AND linux) OR pci

Tags limitation

For tags, we would like to limit to lowercase only, but for user query input, it should be case-insensitive:

  • Fields:
    • id - unique identifier
    • name (STRING, lowercase canonical) - validated [a-z0-9-_]{1,64}
    • created_at (TIMESTAMP)
  • Constraints:
    • Unique name
    • Length ≤64
    • Charset [a-z0-9-_] only

I'll be sure to follow up with more details.
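
The Expression Rules and tag constraints above, as an added Python example (not code from the issue or the project): a recursive-descent parser that rejects NOT, invalid tags and over-limit expressions before any node is targeted. Reading "Max depth" as parenthesis nesting depth is an assumption, as are the names compile_expr, target_nodes and NODES.

```python
import re

MAX_TOKENS, MAX_DEPTH = 50, 6              # limits from the Expression Rules
TAG_RE = re.compile(r"[a-z0-9_-]{1,64}")   # tag charset and length constraint
TOKEN_RE = re.compile(r"[()]|[^\s()]+")    # a parenthesis, or a run of other non-space chars
def compile_expr(expr):
    """Parse expr; return a predicate over a node's tag set, or raise ValueError."""
    toks = [t.lower() for t in TOKEN_RE.findall(expr)]   # query input is case-insensitive
    if not 1 <= len(toks) <= MAX_TOKENS:
        raise ValueError(f"expression needs 1..{MAX_TOKENS} tokens")
    pos = 0
    peek = lambda: toks[pos] if pos < len(toks) else None
    def chain(operator, operand, combine, depth):   # operand (operator operand)*
        nonlocal pos
        terms = [operand(depth)]
        while peek() == operator:
            pos += 1
            terms.append(operand(depth))
        return lambda tags: combine(term(tags) for term in terms)
    def parse_or(depth):                   # lowest precedence, any() of the AND groups
        return chain("or", parse_and, any, depth)
    def parse_and(depth):                  # binds tighter than OR, all() of the atoms
        return chain("and", parse_atom, all, depth)
    def parse_atom(depth):
        nonlocal pos
        tok = peek()
        pos += 1
        if tok == "(":
            if depth >= MAX_DEPTH:
                raise ValueError(f"nesting deeper than {MAX_DEPTH}")
            inner = parse_or(depth + 1)
            if peek() != ")":
                raise ValueError("missing ')'")
            pos += 1
            return inner
        if tok in (None, ")", "and", "or", "not") or not TAG_RE.fullmatch(tok):
            raise ValueError(f"unsupported or misplaced token: {tok!r}")
        return lambda tags: tok in tags
    predicate = parse_or(0)
    if pos != len(toks):
        raise ValueError(f"unexpected token: {toks[pos]!r}")
    return predicate

def target_nodes(expr, nodes):             # expression is compiled once, before dispatch
    predicate = compile_expr(expr)
    return sorted(name for name, tags in nodes.items() if predicate(set(tags)))

# Constructed sample inventory (node name -> tags), not data from the issue.
NODES = {"web-1": {"prod", "linux"}, "pay-1": {"pci", "linux"},
         "dev-1": {"dev", "linux"}, "win-1": {"prod", "windows"}}
```

Because every rejection raises before a predicate is returned, a malformed or unsupported expression targets no nodes rather than silently matching a broader set.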
