anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ttp): E.3.14 worker bootstrap (insert + ttp.tagged publish)

Browse Source 
Inner loop drains a per-process asyncio.Queue populated by one pump
task per topic in _TOPICS, dispatches each event through
CompositeTagger, persists via repo.insert_tags(), and publishes
ttp.tagged + per-technique ttp.rule.fired.<id> only when the insert
returned a non-zero rowcount.

CompositeTagger seeded with all six lifters (Behavioral, Intel,
CanaryFingerprint, Email, Identity, Credential).

Loop-prevention invariant from TTP_TAGGING.md §"Bus topics" enforced:
N replays of the same upstream event publish exactly one ttp.tagged
event. test_worker_bus covers both the direct invocation path and
the idempotency replay path.

Intel catch-up via attacker.session.ended is intentionally deferred
to E.3.14b — needs a session→intel join the repo doesn't expose yet.
This commit is contained in:
anti
2026-05-01 20:57:57 -04:00
parent 322fd44d72
commit 101127247e
5 changed files with 499 additions and 186 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
development/TTP_TAGGING.md
View File

@@ -3036,7 +3036,20 @@ Order:
14. **Worker bootstrap** — wire up the loop, the
`CompositeTagger`, the bus subscriptions, the `RuleEngine`
watching the `RuleStore`. `test_worker_bus.py` green
end-to-end.
end-to-end. ✅ done. Inner loop drains a per-process queue
populated by one pump task per topic, dispatches each event
through `CompositeTagger.tag()`, persists via
`repo.insert_tags()` (which already drops sub-0.3 confidence
and ON-CONFLICT-DO-NOTHING via the dialect hook), and
publishes `ttp.tagged` plus per-technique `ttp.rule.fired.*`
only when the insert returned a non-zero rowcount —
enforcing the loop-prevention invariant. CompositeTagger
seeded with all six lifters (Behavioral, Intel,
CanaryFingerprint, Email, Identity, Credential). The
intel-catch-up via `attacker.session.ended` is intentionally
deferred to E.3.14b — today the worker is 1:1 source-kind →
lifter; the catch-up rewrite needs a session→intel join the
repo doesn't expose yet.
15. **UKC bridge** — implement `tactic_to_ukc_phase` and inverse.
Rewrite the campaign clusterer's
`IdentityFeatures.commands_by_phase_on_decky` adapter to read