feat(ttp): inspector drawer surfaces evidence + rule_id behind each technique

The TTPsObservedSection rollup tells the operator "we saw T1059" but not why. Click any technique row → side drawer opens listing every ttp_tag row in scope with the persisted evidence JSON, firing rule_id / rule_version, source_kind / source_id, confidence, and created_at. Mirrors the CredentialReuseInspector / BountyInspector pattern (drawer-backdrop + bd-head/bd-body + kvs grid). Backend: - New `GET /api/v1/ttp/tags/by-{scope}/{uuid}/{technique_id}` (`scope ∈ {identity, attacker, session}`, optional `?sub_technique_id=`, `?limit=` capped to 1000). Returns raw TTPTag rows newest-first. - New `TTPTagDetailRow` Pydantic model + re-export. - New repo method `list_tags_by_scope_and_technique` on TTPMixin (+ abstract on BaseRepository) — single query branched on scope; identity scope projects through `Attacker.identity_id` the same way `list_techniques_by_identity` does. - Tests: evidence round-trips, sub_technique filter, JWT-required, empty scope, unknown scope rejected. Frontend: - New `TTPInspector.tsx` + `TTPInspector.css` (violet accent, slide animation, focus-trapped panel matching the existing inspector family). - `TTPsObservedSection`'s TechniqueBar is now click+keyboard activatable; clicking opens the inspector for that (technique, sub_technique) tuple. mypy clean. 532 passed in the targeted sweep.
2026-05-02 02:55:05 -04:00
parent c4e29e3bf9
commit 42e9492118
11 changed files with 661 additions and 2 deletions
--- a/decnet/web/db/repository.py
+++ b/decnet/web/db/repository.py
@@ -1377,6 +1377,25 @@ class BaseRepository(ABC):
        """Session-scoped TTP timeline."""
        raise NotImplementedError

+    @abstractmethod
+    async def list_tags_by_scope_and_technique(
+        self,
+        *,
+        scope: str,
+        uuid: str,
+        technique_id: str,
+        sub_technique_id: Optional[str] = None,
+        limit: int = 200,
+    ) -> list[dict[str, Any]]:
+        """Raw ``ttp_tag`` rows backing the operator inspector.
+
+        Surfaces evidence + rule_id / source_kind / source_id so the
+        UI can show *why* the engine flagged a technique. Filtered by
+        scope (identity / attacker / session) + technique
+        (+ optional sub_technique). Newest-first.
+        """
+        raise NotImplementedError
+
    @abstractmethod
    async def list_distinct_techniques(self) -> list[TechniqueRollupRow]:
        """Fleet-wide distinct-technique rollup."""