feat(ttp): add Ipv6LinkLocalLeakEvidence TypedDict + EVIDENCE_SCHEMA entry

Pins the evidence shape for IPv6 link-local leakage findings. All fields optional (total=False) so partial observation (passive sniffer vs active solicitation) fills whatever the vector provides. Lifter lands in a subsequent commit.
2026-05-17 20:10:51 -04:00
parent 3e6587e073
commit b390a35262
2 changed files with 23 additions and 0 deletions
--- a/tests/ttp/test_evidence_shape.py
+++ b/tests/ttp/test_evidence_shape.py
@@ -30,6 +30,7 @@ from decnet.web.db.models.ttp import (
    EmailEvidence,
    HttpFingerprintEvidence,
    IntelEvidence,
+    Ipv6LinkLocalLeakEvidence,
    TTPTag,
    compute_tag_uuid,
 )
@@ -96,6 +97,17 @@ def test_http_fingerprint_evidence_keys() -> None:
    assert keys == {"kind", "hash", "protocol", "client_ip", "seen_at", "raw"}


+def test_ipv6_link_local_leak_evidence_keys() -> None:
+    keys = (
+        Ipv6LinkLocalLeakEvidence.__required_keys__
+        | Ipv6LinkLocalLeakEvidence.__optional_keys__
+    )
+    assert keys == {
+        "addr", "mac_oui", "iid_kind", "vector",
+        "on_iface", "attacker_v4", "observed_at",
+    }
+
+
 # ── Per-lifter parametrized positive case ───────────────────────────