feat(ttp): E.1.6 per-lifter contracts — six TolerantTagger subclasses

2026-05-01 06:31:31 -04:00
parent cb9d183c20
commit 208ffd8f4f
8 changed files with 248 additions and 0 deletions
--- a/decnet/ttp/impl/intel_lifter.py
+++ b/decnet/ttp/impl/intel_lifter.py
@@ -0,0 +1,30 @@
+"""Intel lifter — opportunistic third-party verdict translator.
+
+Contract step E.1.6 of ``development/TTP_TAGGING.md``. Empty body.
+Implementation phase reads ``AttackerIntel`` rows and translates
+provider verdicts (AbuseIPDB categories, GreyNoise classification,
+Feodo / ThreatFox membership) into ATT&CK technique tags with
+confidence scaled by per-provider reliability.
+
+The decoupling rule (design doc §"Decoupling: bus-driven, never a
+hard dependency") is enforced statically by E.2.7: this module MUST
+NOT import from ``decnet.intel.{abuseipdb,greynoise,feodo,threatfox}``.
+Only ``decnet.web.db.models`` symbols are permitted.
+"""
+from __future__ import annotations
+
+from decnet.ttp.base import TaggerEvent, TolerantTagger
+from decnet.web.db.models.ttp import TTPTag
+
+
+class IntelLifter(TolerantTagger):
+    name = "intel"
+    #: ``intel`` events are bus-published when an ``AttackerIntel`` row
+    #: is upserted; the lifter treats absence as the steady state.
+    HANDLES = frozenset({"intel"})
+
+    async def _tag_impl(self, event: TaggerEvent) -> list[TTPTag]:
+        return []
+
+
+__all__ = ["IntelLifter"]