feat(command): add replay subcommand

[josedonizetti]

Add tracee replay command

This PR introduces a new tracee replay subcommand that allows replaying previously captured events from a JSON Lines file and processing them through the detector engine.

Features

• Replay events from JSON Lines format files (as produced by tracee --output json:file.json)
• Process replayed events through detectors (both built-in Go detectors and YAML detectors)
• Support for detector chaining (detector outputs can trigger other detectors)
• Filter out detector events automatically (only low-level events are replayed)
• Only detector outputs are printed (low-level events are processed but not printed)
• Support for standard flags: --output, --detectors, --logging

Limitations

• Enrichment (environment variables, exec hashes, container info) is not supported yet - coming in a future PR
• Data stores are not supported yet - coming in a future PR

Implementation Notes

This is a first version that maintains the same event processing approach as the old analyze tracee command. The implementation uses a simplified event processing pipeline that reads events from a file and dispatches them to the detector engine.

In the future, we plan to refactor this to use the same unified pipeline as the main tracee command to ensure consistency and reduce code duplication.

Usage

# Capture events
tracee --events execve,openat --output json:events.json

# Replay events (all detector outputs)
tracee replay events.json --output table --detectors /path/to/detectors

# Replay with multiple detector directories
tracee replay events.json --detectors /path/to/detectors

[codecov]

Codecov Report

❌ Patch coverage is 34.24318% with 265 lines in your changes missing coverage. Please review.
✅ Project coverage is 35.67%. Comparing base (235daa0) to head (84e73df).
⚠️ Report is 152 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/cmd/tracee.go	0.00%	89 Missing ⚠️
cmd/tracee/cmd/replay.go	25.25%	74 Missing ⚠️
pkg/replay/replay.go	70.62%	36 Missing and 11 partials ⚠️
pkg/cmd/cobra/cobra.go	0.00%	41 Missing ⚠️
pkg/events/event_id_translation.go	0.00%	14 Missing ⚠️

❌ Your patch check has failed because the patch coverage (34.24%) is below the target coverage (60.00%). You can increase the patch coverage or adjust the target coverage.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5200      +/-   ##
==========================================
+ Coverage   33.51%   35.67%   +2.16%     
==========================================
  Files         250      239      -11     
  Lines       28908    31549    +2641     
==========================================
+ Hits         9688    11255    +1567     
- Misses      18609    19569     +960     
- Partials      611      725     +114     

Flag	Coverage Δ
unit	35.67% <34.24%> (+2.16%)	⬆️

Files with missing lines	Coverage Δ
pkg/events/event_id_translation.go	39.13% <0.00%> (-60.87%)	⬇️
pkg/cmd/cobra/cobra.go	0.00% <0.00%> (ø)
pkg/replay/replay.go	70.62% <70.62%> (ø)
cmd/tracee/cmd/replay.go	25.25% <25.25%> (ø)
pkg/cmd/tracee.go	0.00% <0.00%> (ø)

... and 98 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[geyslan]

LGTM. Dropped observations.

[geyslan]

What about placing ReplayRunner definition/logic in its own file?

[geyslan]

TranslateFromProtoEventID does a linear search for every event replayed. Could we create the reversed table of EventTranslationTable in memory, in a init() for instance? And to not waste memory it could be instantiated only in replay mode.

[geyslan]

Consider making the channel size configurable or documenting the choice.