feat(ttp): E.1.6 per-lifter contracts — six TolerantTagger subclasses

2026-05-01 06:31:31 -04:00
parent cb9d183c20
commit 208ffd8f4f
8 changed files with 248 additions and 0 deletions
--- a/decnet/ttp/impl/behavioral_lifter.py
+++ b/decnet/ttp/impl/behavioral_lifter.py
@@ -0,0 +1,26 @@
+"""Behavioral lifter — derives techniques from cross-event session signal.
+
+Contract step E.1.6 of ``development/TTP_TAGGING.md``. Empty body.
+Implementation phase reads ``AttackerBehavior`` rows assembled by the
+profiler and emits techniques the rule engine cannot see (timing,
+ordering, command-graph shape). Inherits :class:`TolerantTagger` so a
+missing ``AttackerBehavior`` join silently returns ``[]`` — sibling
+worker absence is the steady state, not an error.
+"""
+from __future__ import annotations
+
+from decnet.ttp.base import TaggerEvent, TolerantTagger
+from decnet.web.db.models.ttp import TTPTag
+
+
+class BehavioralLifter(TolerantTagger):
+    name = "behavioral"
+    #: Session-level events triggering a behavior-graph lookup. The
+    #: lifter reads ``AttackerBehavior`` keyed on the session.
+    HANDLES = frozenset({"session"})
+
+    async def _tag_impl(self, event: TaggerEvent) -> list[TTPTag]:
+        return []
+
+
+__all__ = ["BehavioralLifter"]