feat(ttp): E.4.a extract decnet/cli/ttp.py with worker run + backfill CLI

The TTP worker entry moved out of decnet/cli/workers.py into its own
module so the TTP CLI surface (worker + admin verbs) is colocated,
mirroring decnet/cli/canary.py / webhook.py / swarm.py.

- New `decnet/cli/ttp.py` with `decnet ttp` (worker, ExecStart-stable
  for decnet-ttp.service) and `decnet ttp-backfill --since-days N`.
- `decnet ttp-backfill` walks Attacker.commands and CanaryTrigger
  history, dispatches each row through the live CompositeTagger,
  persists tags via repo.insert_tags (idempotent INSERT OR IGNORE).
  --dry-run / --source command|canary|all / --batch-size supported.
- Backfill deliberately bypasses bus publish — historical replay
  must not re-trigger SIEM/webhook fan-out per TTP_TAGGING.md
  §"Bus topics" loop-prevention invariant.
- Added `iter_attacker_commands_since` / `iter_canary_triggers_since`
  read-only iterators on TTPMixin + abstract bindings on
  BaseRepository.
- Master-only via gating; both `ttp` and `ttp-backfill` listed in
  MASTER_ONLY_COMMANDS.
2026-05-02 01:35:17 -04:00
parent e84b522fd3
commit 301d3feee9
7 changed files with 673 additions and 55 deletions

@@ -1,4 +1,6 @@
from abc import ABC, abstractmethod
from collections.abc import AsyncIterator
from datetime import datetime
from typing import Any, Optional
from decnet.web.db.models.topology import DeckyRow, EdgeRow, LANRow, TopologySummary
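Review bot: The two new imports at the top of the file, `AsyncIterator` and `datetime`, are only used in the added signatures as quoted annotations (`since: "datetime"`, `-> "AsyncIterator[...]"`). Both names are imported unconditionally here, so the quotes serve no purpose. Either drop the quotes in the new method signatures, or, if the aim is to avoid the runtime import, move both imports under `if TYPE_CHECKING:` and keep the quoted form. Whichever is chosen, match what the rest of this module does for annotation-only names.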
@@ -1320,6 +1322,24 @@ class BaseRepository(ABC):
"""
raise NotImplementedError
@abstractmethod
def iter_attacker_commands_since(
self, since: "datetime",
) -> "AsyncIterator[tuple[Any, list[dict[str, Any]]]]":
"""Yield (Attacker, decoded_commands) pairs since *since*.
Used by ``decnet ttp backfill`` (E.4) to replay shell-command
history through the live tagger. Read-only.
"""
raise NotImplementedError
@abstractmethod
def iter_canary_triggers_since(
self, since: "datetime",
) -> "AsyncIterator[Any]":
"""Yield ``CanaryTrigger`` rows since *since*. Used by backfill."""
raise NotImplementedError
@abstractmethod
async def list_techniques_by_identity(
self, uuid: str,
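Review bot: The docstrings of `iter_attacker_commands_since` and `iter_canary_triggers_since` do not pin down the contract of `since`, and every backend implementing this abstract interface has to agree on it for a replay to be reproducible. Please state which timestamp column each iterator compares against, whether the bound is inclusive, whether a naive `datetime` is accepted or a timezone-aware UTC value is required, and whether rows come back in a guaranteed order. Two smaller points in the same hunk: both methods are declared with plain `def` while the neighbouring `list_techniques_by_identity` is `async def`, so a sentence saying implementations are expected to be async generators consumed with `async for` (not awaited) would prevent a mismatched override; and the first docstring calls the command ``decnet ttp backfill`` while the commit message names it `decnet ttp-backfill`, so one of the two should be corrected.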