feat(ttp): E.1.9 API contract — seven router endpoints, admin-gated state mutations, response models

Mounts /api/v1/ttp/* with empty-list / empty-Navigator responses. GET endpoints viewer-gated; POST/DELETE /rules/{rule_id}/state admin-gated server-side. POST parses JSON manually so a malformed body returns the documented 400 (per feedback_schemathesis_400). Drops xfail-strict markers from E.2.8 tests now that the router is mounted; 26 tests pass against the contract handlers.
2026-05-01 07:20:13 -04:00
parent cfbfaabfcd
commit b7f206c8c5
15 changed files with 515 additions and 56 deletions
--- a/decnet/web/router/ttp/api_export_navigator.py
+++ b/decnet/web/router/ttp/api_export_navigator.py
@@ -0,0 +1,56 @@
+"""GET /api/v1/ttp/export/navigator{,/identity/{uuid}} — Navigator JSON layer.
+
+Empty-but-valid Navigator layer at contract phase per TTP_TAGGING.md
+§"UI surface — Empty state": a SOC analyst pasting the JSON into the
+official MITRE ATT&CK Navigator sees the file load with no
+highlighted techniques — correct, not broken.
+"""
+from __future__ import annotations
+
+from typing import Any
+
+from fastapi import APIRouter, Depends
+
+from decnet.telemetry import traced as _traced
+from decnet.web.db.models import NavigatorLayer
+from decnet.web.dependencies import require_viewer
+
+router = APIRouter()
+
+
+@router.get(
+    "/ttp/export/navigator",
+    tags=["TTP Tagging"],
+    response_model=NavigatorLayer,
+    responses={
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+    },
+)
+@_traced("api.ttp.export_navigator_fleet")
+async def api_export_navigator_fleet(
+    user: dict[str, Any] = Depends(require_viewer),
+) -> NavigatorLayer:
+    """Fleet-wide Navigator layer. Empty-but-valid at contract phase."""
+    return NavigatorLayer(name="DECNET TTP coverage — fleet")
+
+
+@router.get(
+    "/ttp/export/navigator/identity/{identity_uuid}",
+    tags=["TTP Tagging"],
+    response_model=NavigatorLayer,
+    responses={
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
+        404: {"description": "Identity not found"},
+    },
+)
+@_traced("api.ttp.export_navigator_identity")
+async def api_export_navigator_identity(
+    identity_uuid: str,
+    user: dict[str, Any] = Depends(require_viewer),
+) -> NavigatorLayer:
+    """Per-Identity Navigator layer (the SOC demo)."""
+    return NavigatorLayer(
+        name=f"DECNET TTP coverage — identity {identity_uuid}",
+    )