heidi-dang · heidi-dang · Feb 19, 2026 · Feb 19, 2026 · Feb 19, 2026 · gemini-code-assist
diff --git a/include/heidi-kernel/gov_rule.h b/include/heidi-kernel/gov_rule.h
@@ -4,6 +4,7 @@
 #include <cstdint>
 #include <optional>
 #include <string>
+#include <string_view>
 
 namespace heidi {
 namespace gov {
@@ -42,6 +43,7 @@ struct CpuPolicy {
   std::optional<int8_t> nice;
   std::optional<uint8_t> max_pct;
   std::optional<uint32_t> period_us;
+  std::optional<uint64_t> quota_us;
 };
 
 struct MemPolicy {

diff --git a/include/heidi-kernel/group_policy_store.h b/include/heidi-kernel/group_policy_store.h
@@ -0,0 +1,95 @@
+#pragma once
+
+#include "heidi-kernel/gov_rule.h"
+
+#include <array>
+#include <cstdint>
+#include <optional>
+#include <string>
+
+namespace heidi {
+namespace gov {
+
+constexpr size_t kMaxGroups = 256;
+constexpr size_t kMaxPidGroupMap = 8192;
+
+struct GroupPolicy {
+  std::array<char, kMaxGroupIdLen + 1> group_id{};
+  uint64_t last_update_ns = 0;
+
+  std::optional<uint8_t> cpu_max_pct;
+  std::optional<uint32_t> cpu_quota_us;
+  std::optional<uint32_t> cpu_period_us;
+
+  std::optional<uint64_t> mem_max_bytes;
+  std::optional<uint64_t> mem_high_bytes;
+
+  std::optional<uint32_t> pids_max;
+
+  std::optional<ViolationAction> default_action;
+  std::optional<uint32_t> apply_deadline_ms;
+
+  bool has_any_policy() const;
+};
+
+class GroupPolicyStore {
+public:
+  enum class EvictReason : uint8_t {
+    NONE = 0,
+    GROUP_EVICTED = 1,
+    PIDMAP_EVICTED = 2,
+  };
+
+  struct Stats {
+    size_t group_count = 0;
+    size_t pid_group_map_count = 0;
+    uint64_t group_evictions = 0;
+    uint64_t pidmap_evictions = 0;
+    uint64_t attach_failures = 0;
+    uint64_t cgroup_unavailable_count = 0;
+    int last_err = 0;
+  };
+
+  bool upsert_group(const char* group_id, const GovApplyMsg& msg);
+  bool map_pid_to_group(int32_t pid, const char* group_id);
+  const GroupPolicy* get_group(const char* group_id) const;
+  const char* get_group_for_pid(int32_t pid) const;
+  Stats get_stats() const;
+  void clear();
+
+  void set_time_for_test(uint64_t seq) {
+    test_seq_ = seq;
+  }
+  uint64_t get_time_for_test() const {
+    return test_seq_;
+  }
+  void tick();
+
+  static constexpr uint64_t kTimeIncrement = 1000000000ULL;
+
+private:
+  uint64_t get_time() const;
+  void evict_oldest_group();
+  void evict_oldest_pid_entry();
+
+  struct GroupEntry {
+    GroupPolicy policy;
+    bool in_use = false;
+  };
+
+  struct PidEntry {
+    std::array<char, kMaxGroupIdLen + 1> group_id{};
+    uint64_t last_seen_ns = 0;
+    bool in_use = false;
+  };
-  struct PidEntry {
-    std::array<char, kMaxGroupIdLen + 1> group_id{};
-    uint64_t last_seen_ns = 0;
-    bool in_use = false;
-  };
+  struct PidEntry {
+    int32_t pid = -1;
+    std::array<char, kMaxGroupIdLen + 1> group_id{};
+    uint64_t last_seen_ns = 0;
+    bool in_use = false;
+  };
-  struct PidEntry {
-    std::array<char, kMaxGroupIdLen + 1> group_id{};
-    uint64_t last_seen_ns = 0;
-    bool in_use = false;
-  };
+  struct PidEntry {
+    int32_t pid = -1;
+    std::array<char, kMaxGroupIdLen + 1> group_id{};
+    uint64_t last_seen_ns = 0;
+    bool in_use = false;
+  };
+
+  GroupEntry groups_[kMaxGroups];
+  PidEntry pid_map_[kMaxPidGroupMap];
+  size_t group_count_ = 0;
+  size_t pid_map_count_ = 0;
+  Stats stats_;
+  uint64_t test_seq_ = 0;
+};
+
+} // namespace gov
+} // namespace heidi
diff --git a/include/heidi-kernel/process_governor.h b/include/heidi-kernel/process_governor.h
@@ -1,6 +1,8 @@
 #pragma once
 
+#include "heidi-kernel/cgroup_driver.h"
 #include "heidi-kernel/gov_rule.h"
+#include "heidi-kernel/group_policy_store.h"
 
 #include <atomic>
 #include <cstdint>
@@ -16,6 +18,36 @@
 namespace heidi {
 namespace gov {
 
+enum class GovEventType : uint8_t {
+  APPLY_SUCCESS = 0,
+  APPLY_FAILURE = 1,
+  PID_EXIT = 2,
+  PID_EVICTED = 3,
+  GROUP_EVICTED = 4,
+  PIDMAP_EVICTED = 5,
+  CGROUP_UNAVAILABLE = 6,
+};
+
+constexpr inline const char* gov_event_name(GovEventType e) {
+  switch (e) {
+  case GovEventType::APPLY_SUCCESS:
+    return "APPLY_SUCCESS";
+  case GovEventType::APPLY_FAILURE:
+    return "APPLY_FAILURE";
+  case GovEventType::PID_EXIT:
+    return "PID_EXIT";
+  case GovEventType::PID_EVICTED:
+    return "PID_EVICTED";
+  case GovEventType::GROUP_EVICTED:
+    return "GROUP_EVICTED";
+  case GovEventType::PIDMAP_EVICTED:
+    return "PIDMAP_EVICTED";
+  case GovEventType::CGROUP_UNAVAILABLE:
+    return "CGROUP_UNAVAILABLE";
+  }
+  return "UNKNOWN";
+}
+
 struct ApplyResult {
   bool success = false;
   int err = 0;
@@ -55,6 +87,9 @@ class ProcessGovernor {
     size_t tracked_pids = 0;
     uint64_t pid_exit_events = 0;
     uint64_t evicted_events = 0;
+    uint64_t group_evictions = 0;
+    uint64_t pidmap_evictions = 0;
+    uint64_t cgroup_unavailable_events = 0;
   };
   Stats get_stats() const;
 
@@ -68,6 +103,8 @@ class ProcessGovernor {
   void epoll_loop();
 
   ApplyResult apply_rules(int32_t pid, const GovApplyMsg& msg);
+  ApplyResult apply_group_policy(int32_t pid, const GovApplyMsg& msg);
+  ApplyResult apply_cgroup_policy(int32_t pid, const GroupPolicy& group_policy);
 
   ApplyResult apply_affinity(int32_t pid, const std::string& affinity);
   ApplyResult apply_nice(int32_t pid, int8_t nice);
@@ -98,6 +135,11 @@ class ProcessGovernor {
 
   std::function<void(uint8_t event_type, const GovApplyMsg& msg, int err)> event_callback_;
 
+  GroupPolicyStore group_store_;
+  CgroupDriver cgroup_driver_;
+  uint64_t last_cgroup_unavailable_ns_ = 0;
+  static constexpr uint64_t kCgroupUnavailableRateLimitNs = 1000000000ULL;
+
   Stats stats_;
 };