anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ttp): E.3.10 IntelLifter (R0054-R0058)

Browse Source 
Per-provider verdict translator for AbuseIPDB, GreyNoise, Feodo Tracker,
and ThreatFox per Appendix A.10. Each rule's predicate inspects payload
fields produced by the enrich worker (no DB I/O, no decnet.intel.*
imports — E.2.7 decoupling guard preserved). AbuseIPDB confidence is
scaled by abuse_confidence_score / 100; categories drive per-technique
fan-out. R0058 aggregate-bump is a no-op in v0 (cross-tag bump deferred
to E.3.14 worker bootstrap).

Per-provider null tolerance is the steady state — a missing provider
column produces zero tags from that rule, never an error.

Tests:
- tests/ttp/test_intel_lifter.py — per-provider positive + negative +
  state modulation + decoupling source-import guard.
- tests/ttp/rule_precision/test_intel_rules.py — xfail flipped, real
  precision driven over seed_intel.jsonl (R0054-R0057 H-band ≥95%;
  R0058 skipped as bump-only).
- tests/ttp/test_lifter_absence.py — IntelLifter all-populated test
  flipped from xfail-strict to real assertion with realistic payload.
- tests/ttp/test_lifters.py — partial-null xfail flipped to real
  assertion.
This commit is contained in:
anti
2026-05-01 20:23:42 -04:00
parent eff3e4bce7
commit 7865e71aa9
7 changed files with 653 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
tests/ttp/test_lifters.py
View File

@@ -24,7 +24,7 @@ from tests.ttp._stub_store import StubRuleStore
def _instantiate(cls: type[TolerantTagger]) -> TolerantTagger:
if cls is BehavioralLifter:
if cls in {BehavioralLifter, IntelLifter}:
return cls(StubRuleStore()) # type: ignore[call-arg]
return cls()
@@ -87,9 +87,12 @@ def test_lifter_instantiable(cls):
# ── E.2.6 deferred absence-tolerance behavior ──────────────────────
@pytest.mark.xfail(strict=True, reason="impl phase E.3 — IntelLifter null patterns")
def test_e26_intel_lifter_partial_provider_nulls():
raise AssertionError("not yet implemented")
"""E.3.10: with no actionable per-provider signal (e.g. score set
but categories absent), IntelLifter returns []. No errors."""
lifter = IntelLifter(StubRuleStore())
out = asyncio.run(lifter.tag(_ev("intel")))
assert out == []
def test_e26_behavioral_lifter_no_attacker_behavior_row():