feat(web/db): observations table + repo + bus prefix (BEHAVE-INTEGRATION Phase 1)
Additive Phase 1 of BEHAVE-INTEGRATION.md. Lays the storage layer the BEHAVE-SHELL extractor (DEBT-050) will write into. Nothing breaks; SessionProfile coexists for now and is dropped in the follow-up commit. decnet/web/db/models/observations.py — new ObservationRow SQLModel mirroring the BEHAVE Observation envelope field-for-field (core/decnet_behave_core/spec/envelope.py). ``id`` is a hex-string UUID (matching BEHAVE), not a typed UUID column. ``identity_ref`` is str | None — written by the future attribution engine, NULL until then. ``attacker_uuid`` is the one DECNET-side denormalisation; FK'd to attackers.uuid for cheap AttackerDetail joins. ``evidence_ref`` is NOT NULL for DECNET emissions even though the upstream envelope makes it optional — the worker's "already profiled?" check keys on it. UniqueConstraint(evidence_ref, primitive) enforces idempotency at the schema level so re-running the extractor on the same shard+sid produces a DB-side conflict the upsert path resolves deterministically. Class is named ``ObservationRow`` (not ``Observation``) to avoid colliding with the BEHAVE Pydantic envelope at sites that import both. decnet/web/db/sqlmodel_repo/observations.py — ObservationsMixin. Three public methods backing the canonical queries from BEHAVE-INTEGRATION.md §"Storage": ``upsert_observation`` (idempotent on the natural key), ``latest_observation_per_primitive`` (per- primitive MAX(ts) subquery, portable across SQLite and MySQL — no DISTINCT ON), ``observations_time_series`` (asc-by-ts). Plus ``has_observations_for_evidence`` for the worker's session-already- profiled check. decnet/bus/topics.py — ATTACKER_OBSERVATION_PREFIX = "observation" constant + ``attacker_observation(primitive)`` builder. Full topic shape ``attacker.observation.<primitive>`` matches what BEHAVE's spec.event_adapter.event_topic_for produces upstream. Documentation + pattern matching only — bus auth is socket file perms (DEBT-029 §2), not topic-level. decnet/web/db/repository.py — abstract ``upsert_observation``, ``latest_observation_per_primitive``, ``observations_time_series`` on BaseRepository. tests/db/test_observations.py — 11 tests covering upsert round-trip, idempotency under the unique constraint, latest-per-primitive ordering across multiple sessions, time-series asc-ordering, empty- attacker contract, every BEHAVE ValueKind round-tripping through the JSON column, and the has_observations_for_evidence check. tests/db/test_base_repo.py — DummyRepo gains the three new abstract overrides so its coverage suite still instantiates.
This commit is contained in:
@@ -17,6 +17,7 @@ Token structure (NATS-style, dot-separated):
|
||||
attacker.scored
|
||||
attacker.session.started
|
||||
attacker.session.ended
|
||||
attacker.observation.{primitive}
|
||||
identity.formed
|
||||
identity.observation.linked
|
||||
identity.merged
|
||||
@@ -129,6 +130,19 @@ ATTACKER_SESSION_ENDED = "session.ended"
|
||||
# returned a verdict). Payload carries the aggregate verdict + per-
|
||||
# provider summary so SIEM-bound webhooks don't need to re-query the DB.
|
||||
ATTACKER_INTEL_ENRICHED = "intel.enriched"
|
||||
# Per-primitive BEHAVE-SHELL observation. Full topic shape:
|
||||
# attacker.observation.<primitive>
|
||||
# e.g. ``attacker.observation.motor.input_modality``. Producer:
|
||||
# ``decnet/profiler/behave_shell/`` (extractor library called from the
|
||||
# profiler worker on ``attacker.session.ended``); consumers: dashboard
|
||||
# SSE relay, attribution engine state machine, federation gossip
|
||||
# (post-v0). See development/BEHAVE-INTEGRATION.md §"Bus topics" for
|
||||
# the wire-format contract — the prefix is documentation + pattern
|
||||
# match only; bus auth is socket file perms (DEBT-029 §2), not
|
||||
# topic-level. The ``primitive`` segment MAY contain dots
|
||||
# (``motor.shell_mastery.tab_completion``) — the same dotted-leaf
|
||||
# rule that ``attacker.session.ended`` uses.
|
||||
ATTACKER_OBSERVATION_PREFIX = "observation"
|
||||
|
||||
# Identity-resolution event types (second/third tokens under ``identity``).
|
||||
# Published by the (future) clusterer worker — see
|
||||
@@ -366,6 +380,28 @@ def attacker(event_type: str) -> str:
|
||||
return f"{ATTACKER}.{event_type}"
|
||||
|
||||
|
||||
def attacker_observation(primitive: str) -> str:
|
||||
"""Build ``attacker.observation.<primitive>``.
|
||||
|
||||
*primitive* is the fully-qualified BEHAVE-SHELL primitive path
|
||||
(e.g. ``motor.input_modality``,
|
||||
``cognitive.feedback_loop_engagement``,
|
||||
``motor.shell_mastery.tab_completion``). Dotted primitives are
|
||||
permitted — this matches the format
|
||||
``decnet_behave_shell.spec.event_adapter.event_topic_for`` produces
|
||||
upstream, and DECNET's bus admits the dotted leaf the same way
|
||||
:func:`attacker` does for ``session.started``.
|
||||
|
||||
Empty string is rejected so a downstream typo doesn't ship as
|
||||
``attacker.observation.``.
|
||||
"""
|
||||
if not primitive:
|
||||
raise ValueError(
|
||||
"attacker_observation topic requires a non-empty primitive",
|
||||
)
|
||||
return f"{ATTACKER}.{ATTACKER_OBSERVATION_PREFIX}.{primitive}"
|
||||
|
||||
|
||||
def campaign(event_type: str) -> str:
|
||||
"""Build ``campaign.<event_type>``.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user