feat(ttp): E.3.13 IdentityLifter + CredentialLifter (R0001-R0006)

IdentityLifter owns lifter:identity_* — currently R0003 (password spraying). CredentialLifter owns lifter:credential_* — R0001 generic auth brute, R0002 password guessing, R0004 credential reuse, R0005 valid-account use, R0006 default credentials. YAMLs R0001/R0002/R0003/R0005/R0006 had their match.kind normalised to fit the lifter prefix scheme — the design doc's promised "YAMLs normalised in a separate refactor commit" lands here. Identity-rollup tags null out attacker_uuid on emit so the worked- example invariant holds (the tag belongs to the Identity, never to one member IP). Tests: test_identity_lifter.py + test_credential_lifter.py cover each predicate's positive/negative path, state modulation (disabled/clipped/expired), source-kind gating, and idempotent replay. test_lifter_absence and test_lifters updated for the new ctor signature.
2026-05-01 20:52:56 -04:00
parent 62ad76615e
commit 322fd44d72
13 changed files with 638 additions and 44 deletions
--- a/tests/ttp/test_lifter_absence.py
+++ b/tests/ttp/test_lifter_absence.py
@@ -39,14 +39,9 @@ from tests.ttp._stub_store import StubRuleStore
 def _make_lifter(cls: type[TolerantTagger]) -> TolerantTagger:
    """Construct a lifter with whatever its current signature wants.

-    Implemented lifters (E.3.9–E.3.12) take a :class:`RuleStore`; the
-    still-empty IdentityLifter / CredentialLifter (E.3.13) take no args.
+    Every shipped lifter (E.3.9–E.3.13) takes a :class:`RuleStore`.
    """
-    if cls in {
-        BehavioralLifter, IntelLifter, CanaryFingerprintLifter, EmailLifter,
-    }:
-        return cls(StubRuleStore())  # type: ignore[call-arg]
-    return cls()
+    return cls(StubRuleStore())  # type: ignore[call-arg]


 def _ev(source_kind: str, payload: dict[str, Any] | None = None) -> TaggerEvent: