feat(ttp): E.4.a extract decnet/cli/ttp.py with worker run + backfill CLI

The TTP worker entry moved out of decnet/cli/workers.py into its own module so the TTP CLI surface (worker + admin verbs) is colocated, mirroring decnet/cli/canary.py / webhook.py / swarm.py. - New `decnet/cli/ttp.py` with `decnet ttp` (worker, ExecStart-stable for decnet-ttp.service) and `decnet ttp-backfill --since-days N`. - `decnet ttp-backfill` walks Attacker.commands and CanaryTrigger history, dispatches each row through the live CompositeTagger, persists tags via repo.insert_tags (idempotent INSERT OR IGNORE). --dry-run / --source command|canary|all / --batch-size supported. - Backfill deliberately bypasses bus publish — historical replay must not re-trigger SIEM/webhook fan-out per TTP_TAGGING.md §"Bus topics" loop-prevention invariant. - Added `iter_attacker_commands_since` / `iter_canary_triggers_since` read-only iterators on TTPMixin + abstract bindings on BaseRepository. - Master-only via gating; both `ttp` and `ttp-backfill` listed in MASTER_ONLY_COMMANDS.
2026-05-02 01:35:17 -04:00
parent e84b522fd3
commit 301d3feee9
7 changed files with 673 additions and 55 deletions
--- a/decnet/web/db/repository.py
+++ b/decnet/web/db/repository.py
@@ -1,4 +1,6 @@
 from abc import ABC, abstractmethod
+from collections.abc import AsyncIterator
+from datetime import datetime
 from typing import Any, Optional

 from decnet.web.db.models.topology import DeckyRow, EdgeRow, LANRow, TopologySummary
@@ -1320,6 +1322,24 @@ class BaseRepository(ABC):
        """
        raise NotImplementedError

+    @abstractmethod
+    def iter_attacker_commands_since(
+        self, since: "datetime",
+    ) -> "AsyncIterator[tuple[Any, list[dict[str, Any]]]]":
+        """Yield (Attacker, decoded_commands) pairs since *since*.
+
+        Used by ``decnet ttp backfill`` (E.4) to replay shell-command
+        history through the live tagger. Read-only.
+        """
+        raise NotImplementedError
+
+    @abstractmethod
+    def iter_canary_triggers_since(
+        self, since: "datetime",
+    ) -> "AsyncIterator[Any]":
+        """Yield ``CanaryTrigger`` rows since *since*. Used by backfill."""
+        raise NotImplementedError
+
    @abstractmethod
    async def list_techniques_by_identity(
        self, uuid: str,
--- a/decnet/web/db/sqlmodel_repo/ttp.py
+++ b/decnet/web/db/sqlmodel_repo/ttp.py
@@ -12,6 +12,9 @@ per-dialect ``SQLiteRepository`` / ``MySQLRepository`` subclasses
 """
 from __future__ import annotations

+import json
+from collections.abc import AsyncIterator
+from datetime import datetime
 from typing import Any

 from sqlalchemy import func, select
@@ -25,6 +28,7 @@ from decnet.web.db.models import (
    TechniqueRollupRow,
    TTPTag,
 )
+from decnet.web.db.models.canary import CanaryTrigger
 from decnet.web.db.sqlmodel_repo._helpers import _MixinBase


@@ -275,6 +279,55 @@ class TTPMixin(_MixinBase):
                for r in res.all()
            ]

+    # ── Backfill iterators (E.4) ────────────────────────────────────
+    #
+    # Read-only iterators consumed by ``decnet ttp backfill`` to replay
+    # historical events through the live :class:`CompositeTagger`. The
+    # CLI builds :class:`TaggerEvent` objects from these and persists
+    # results via :meth:`insert_tags` — same idempotent path the bus
+    # worker uses, no bus publish.
+    #
+    # Per TTP_TAGGING.md §"Order of work" / §"Bus topics" the historical
+    # replay deliberately bypasses bus publish so SIEM/webhook fan-out
+    # does not re-fire on already-attributed events.
+
+    async def iter_attacker_commands_since(
+        self, since: datetime,
+    ) -> AsyncIterator[tuple[Attacker, list[dict[str, Any]]]]:
+        """Yield ``(Attacker, decoded_commands)`` pairs since *since*.
+
+        Walks every :class:`Attacker` whose ``last_seen >= since`` and
+        decodes the JSON ``commands`` blob; non-list / malformed
+        payloads are skipped silently (the JSON column is best-effort
+        per the model docstring).
+        """
+        async with self._session() as session:
+            stmt: Any = (
+                select(Attacker).where(col(Attacker.last_seen) >= since)
+            )
+            res = await session.execute(stmt)
+            for row in res.scalars().all():
+                try:
+                    decoded = json.loads(row.commands or "[]")
+                except (ValueError, TypeError):
+                    continue
+                if not isinstance(decoded, list):
+                    continue
+                yield row, [c for c in decoded if isinstance(c, dict)]
+
+    async def iter_canary_triggers_since(
+        self, since: datetime,
+    ) -> AsyncIterator[CanaryTrigger]:
+        """Yield :class:`CanaryTrigger` rows fired since *since*."""
+        async with self._session() as session:
+            stmt: Any = (
+                select(CanaryTrigger)
+                .where(col(CanaryTrigger.occurred_at) >= since)
+            )
+            res = await session.execute(stmt)
+            for row in res.scalars().all():
+                yield row
+
    async def list_distinct_techniques(self) -> list[TechniqueRollupRow]:
        """Fleet-wide distinct-technique rollup with counts +
        most-recent-seen timestamps.