Add gzip processing logic in alayzer

[yunwei37]

This pull request introduces a new HTTP decompression analyzer to the collector framework, enabling automatic decompression of gzip and deflate-encoded HTTP response bodies. The analyzer is integrated into the framework and includes comprehensive unit tests to verify its functionality. Key changes are grouped below:

New Feature: HTTP Decompression Analyzer

• Added the HTTPDecompressor analyzer, which detects and decompresses gzip and deflate-encoded HTTP response bodies, updates event data with decompressed content, and optionally preserves the original compressed data. (collector/src/framework/analyzers/http_decompressor.rs)

Framework Integration

• Registered the new analyzer module in the framework by updating imports and exports in mod.rs, making HTTPDecompressor available for use in the analyzer pipeline. (collector/src/framework/analyzers/mod.rs) [1] [2]

Dependency Management

• Added the flate2 crate to Cargo.toml to support gzip and deflate decompression. (collector/Cargo.toml)

Testing

• Added a dedicated test suite for the HTTP decompression logic, covering scenarios for gzip decompression, non-compressed responses, and requests (which are not decompressed). (collector/src/framework/analyzers/http_decompressor_test.rs)
• Included unit tests within the analyzer implementation itself to verify chunked transfer decoding, encoding detection, and decompression correctness. (collector/src/framework/analyzers/http_decompressor.rs)

[yunwei37]

@copilot help me fix ci

[Copilot]

@yunwei37 I've opened a new pull request, #25, to work on those changes. Once the pull request is ready, I'll request review from you.

[Copilot]

Pull request overview

This PR adds automatic decompression of gzip/deflate HTTP response bodies to the collector’s analyzer pipeline, primarily to make captured SSL HTTP traffic easier to inspect (e.g., OpenAI API responses). It also introduces an SSL event merger intended to reconstruct full HTTP messages spanning multiple SSL read calls.

Changes:

• Added HTTPDecompressor analyzer to detect Content-Encoding: gzip/deflate on parsed HTTP responses and replace the body with decompressed content.
• Added SSLMerger analyzer to merge consecutive ssl READ/RECV events into a single event before parsing as HTTP.
• Added flate2 dependency and new repro/tests/scripts related to gzip/chunked handling.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 12 comments.

Show a summary per file

File	Description
script/test-python/test_openai_simple.py	Script to generate OpenAI API traffic for capture testing.
script/test-python/test_gzip_http.py	Script to generate local gzip-encoded HTTP traffic for capture testing.
collector/src/main.rs	Wires SSLMerger/HTTPDecompressor into analyzer pipelines.
collector/src/framework/analyzers/ssl_merger.rs	New analyzer to buffer/merge SSL reads into “complete” HTTP messages.
collector/src/framework/analyzers/http_decompressor.rs	New analyzer implementing gzip/deflate decompression (incl. chunked extraction).
collector/src/framework/analyzers/http_decompressor_test.rs	Added test file for decompressor logic (currently not wired into module tree).
collector/src/framework/analyzers/mod.rs	Exposes ssl_merger and http_decompressor modules/types.
collector/tests/test_chunked_gzip_bug.rs	Integration test reproducing chunked+gzip decompression scenario.
collector/test_chunked_gzip.rs	Standalone repro executable placed at crate root.
collector/Cargo.toml	Adds flate2 dependency.
collector/Cargo.lock	Locks flate2 (and transitive deps).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

HTTPDecompressor is added when enable_http_parser is true, but there’s no corresponding SSL read merging in this code path. Since HTTPParser operates on single SSL events, chunked/compressed responses spanning multiple READs may never be fully available to decompress, leading to persistent decompression_failed events. Consider adding SSLMerger (or equivalent buffering) in this pipeline when HTTP parsing/decompression is enabled, or updating HTTPParser to accumulate per connection/thread.

[Copilot]

Chunked completion detection only treats 0\r\n\r\n as the terminator. Chunked responses with trailer headers end with 0\r\n<trailers>\r\n, so this will never mark them complete and will rely on timeout flushing. Consider parsing the chunked framing more robustly (or at least detecting \r\n0\r\n followed by a final \r\n).

[Copilot]

extract_from_chunked parses the chunk size line with from_str_radix on the entire line. This will fail for valid chunk extensions (e.g. 1a;foo=bar) and cause chunked bodies to fall back to direct decoding (and likely decompression failure). Consider parsing only up to the first ; before hex decoding, and validating/consuming the required \r\n after each chunk.

[Copilot]

This file won’t be compiled or executed by Rust’s test runner unless it’s included from the module tree (e.g. #[cfg(test)] mod http_decompressor_test; in analyzers/mod.rs or by moving it under collector/tests/ as an integration test). As-is, the PR’s “dedicated test suite” here won’t run in CI.

[Copilot]

This appears to be a standalone debugging executable (has fn main() and lots of println!) placed at the crate root. Cargo won’t build/run it by default (binaries are usually under src/bin/ or declared in Cargo.toml), so it may be dead weight/confusing in the repository. Consider moving it to collector/examples/ or collector/src/bin/ (or removing it if it was only for local repro).

[Copilot]

When decompression fails, the error is discarded (Err(_err)), making it hard to debug why decompression failed in the field. Consider storing a short error string in the event (e.g. decompression_error) in addition to decompression_failed, potentially behind a debug flag if size/noise is a concern.

Suggested change

	Err(_err) => {
	// Decompression failed, pass through original event
	// Optionally add error metadata
	if let Some(data) = event.data.as_object_mut() {
	data.insert("decompression_failed".to_string(), serde_json::json!(true));
	Err(err) => {
	// Decompression failed, pass through original event
	// Optionally add error metadata
	if let Some(data) = event.data.as_object_mut() {
	data.insert("decompression_failed".to_string(), serde_json::json!(true));
	// Store a short error string to aid debugging. Truncate to limit size.
	let err_str = err.to_string();
	let max_len = 256;
	let truncated = if err_str.len() > max_len {
	format!("{}...", &err_str[..max_len.saturating_sub(3)])
	} else {
	err_str
	};
	data.insert("decompression_error".to_string(), serde_json::json!(truncated));

[Copilot]

create_gzip_compressed_data constructs strings containing literal \u00XX sequences, but the decompressor’s decode_json_escaped_string expects the parsed JSON string to already contain the corresponding Unicode codepoints (0..=255) for those bytes. If this test file is wired into the module tree, this encoding mismatch will make the decompression test unreliable. Consider generating the body by mapping each byte to char::from(byte) (0..=255), or by building a JSON string with \u00XX escapes and parsing it to obtain the decoded String.

Suggested change

	// Convert to the format that comes from eBPF (simulating JSON escaped string)
	compressed.iter().map(|&b| {
	if b < 128 {
	(b as char).to_string()
	} else {
	format!("\\u{:04x}", b)
	}
	}).collect()
	// Represent each byte as a single char with the corresponding codepoint (0..=255).
	// This matches the expectation of decode_json_escaped_string, which operates on
	// a parsed JSON string whose contents are already decoded bytes, not literal
	// "\uXXXX" escape sequences.
	compressed.iter().map(|&b| char::from(b)).collect()

[Copilot]

SSLMerger is inserted before SSEProcessor, but SSLMerger buffers SSL READ/RECV events until it sees a complete HTTP message (or times out). For streaming/SSE responses there is typically no terminating chunk, so this will delay or prevent SSEProcessor from seeing incremental chunks and can break SSE aggregation/latency. Consider moving SSLMerger after SSEProcessor (so SSE traffic is consumed first) and before HTTPParser, or make SSLMerger opt-in/conditional so it doesn't buffer SSE streams indefinitely.