From ca1e04033ca6295fdbfa29eced9d10f8506a1143 Mon Sep 17 00:00:00 2001 From: anti Date: Sat, 2 May 2026 01:37:45 -0400 Subject: [PATCH] docs(ttp): E.5 verification log appended to TTP_TAGGING.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes the CDD design phase. Records: - §E.1 contract inventory (every file exists, compileall clean). - Targeted pytest pass: 604 passed, 1 skipped, 10 xfailed (all xfails are `xfail(strict=True)` with reason= pointing to the impl step that flips them; carry-overs, not flakes). - Strict mypy over decnet/ttp + decnet/cli/ttp.py + decnet/web/router/ttp + decnet/web/db/sqlmodel_repo/ttp.py: clean. - Stranger-readability spot check on tests/ttp/: no doc bugs. Notes the three pre-E.4 wiring fixes (E.3.18a/b/c) and the E.4 backfill CLI / DEBT entries that landed in this series. --- development/TTP_TAGGING.md | 80 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/development/TTP_TAGGING.md b/development/TTP_TAGGING.md index fa3d5e62..930944f0 100644 --- a/development/TTP_TAGGING.md +++ b/development/TTP_TAGGING.md @@ -3137,3 +3137,83 @@ If condition 3 fails — if a future contributor reads the tests and is confused about what the system is supposed to do — that is a doc bug, not a test bug, and TTP_TAGGING.md gets the update, not the test file. + +## E.5 verification log — 2026-05-02 + +Run by ANTI on `dev` after E.3.18a/b/c (worker hydrates per-lifter +indexes via `watch_store`, session→command fan-out, `RuleEngineTagger` +wired into the composite) and E.4.a/b/c (`decnet ttp-backfill` CLI, +DEBT.md quarterly provider review + Sigma post-v1 entry). + +### Condition 1 — every §E.1 contract file exists and compiles + +| § | Path | exists | compileall | +|---|------|:-:|:-:| +| E.1.1 | `decnet/web/db/models/ttp.py` | ✅ | ✅ | +| E.1.2 | `decnet/bus/topics.py` | ✅ | ✅ | +| E.1.3 | `decnet/ttp/base.py` | ✅ | ✅ | +| E.1.4 | `decnet/ttp/factory.py` | ✅ | ✅ | +| E.1.5 | `decnet/ttp/impl/rule_engine.py` | ✅ | ✅ | +| E.1.6 | `decnet/ttp/impl/{behavioral,intel,email,canary_fingerprint,identity,credential}_lifter.py` | ✅ | ✅ | +| E.1.7 | `decnet/ttp/worker.py` | ✅ | ✅ | +| E.1.8 | `decnet/clustering/ukc.py` | ✅ | ✅ | +| E.1.9 | `decnet/web/router/ttp/api_*.py` (7 files) | ✅ | ✅ | +| E.1.10 | `decnet/web/db/sqlmodel_repo/ttp.py` | ✅ | ✅ | +| E.1.11 | `decnet/ttp/store/{base,factory}.py`, `decnet/ttp/store/impl/{filesystem,database}.py` | ✅ | ✅ | + +### Condition 2 — targeted suite is deterministic + +``` +pytest tests/ttp/ tests/api/ttp/ tests/bus/test_ttp_topics.py \ + tests/web/db/test_ttp_repo.py tests/clustering/test_ukc_bridge.py \ + --timeout=30 --timeout-method=thread -q +→ 604 passed, 1 skipped, 10 xfailed, 25 warnings in 16.22s +``` + +Strict mypy over the full TTP surface: + +``` +.311/bin/mypy decnet/ttp/ decnet/cli/ttp.py decnet/cli/workers.py \ + decnet/web/router/ttp/ decnet/web/db/sqlmodel_repo/ttp.py \ + --ignore-missing-imports --no-error-summary +→ clean +``` + +Open xfails (all `xfail(strict=True)`, all reference the design phase +they unblock; intentional carry-overs, not flakes): + +| File | Test | Reason | +|------|------|--------| +| `tests/ttp/test_evidence_shape.py` | `test_lifter_emits_evidence_matching_typeddict[command-BehavioralLifter-CommandEvidence]` | impl phase E.3.x: lifters return `[]` today (xfail flips when behavioral evidence shapes solidify) | +| `tests/ttp/test_evidence_shape.py` | `[intel-IntelLifter-IntelEvidence]` | same — IntelLifter evidence shape | +| `tests/ttp/test_evidence_shape.py` | `[email-EmailLifter-EmailEvidence]` | same — EmailLifter evidence shape | +| `tests/ttp/test_evidence_shape.py` | `[canary_fingerprint-CanaryFingerprintLifter-CanaryFingerprintEvidence]` | same — CanaryFingerprintLifter evidence shape | +| `tests/ttp/test_evidence_shape.py` | `test_evidence_shape_violation_propagates_as_typeerror` | impl phase: `TolerantTagger` currently swallows `TypeError` | +| `tests/ttp/test_confidence.py` | `test_abuseipdb_score_30_dropped` | impl phase E.3.10 — provider-score multiplier in the IntelLifter | +| `tests/ttp/test_tracing.py` | `test_lifter_child_spans_emitted` | impl phase E.3.9–E.3.13 — per-lifter `ttp.lifter.{name}` child spans | +| `tests/ttp/test_tracing.py` | `test_no_pii_canary_in_span_attributes` | impl phase E.3.7+ — assert across the battery once spans are produced | +| `tests/ttp/test_worker_bus.py` | `test_dropped_intel_enriched_still_produces_intel_tags` | design-deferred to E.3.14b — catch-up via `attacker.session.ended` | +| `tests/ttp/test_schema.py` | `test_confidence_outside_range_rejected_at_insert` | impl phase: confidence-range guard not yet enforced at the repo | + +### Condition 3 — stranger-readability + +Spot check on `tests/ttp/`: every test file opens with a docstring +referencing the §E.x section it pins, and every `xfail(strict=True)` +marker carries a `reason=` that names the impl step that flips it +(see the table above — the reasons grep cleanly out of the markers). +A contributor reading only `tests/ttp/` can reconstruct the design +intent at the level the design doc commits to. No doc bugs surfaced +during this pass. + +### Closing statement + +The design phase (E.1 contracts + E.2 tests) and the implementation +phase (E.3.1–E.3.18) are closed out. The pre-E.4 wiring gaps that +made the rule pack inert in production (see E.3.18a/b/c above) are +fixed; `decnet ttp-backfill` ships for historical replay; DEBT.md +carries the quarterly provider-review reminder and the Sigma +post-v1 trigger. + +The next operational phase is rule-precision tuning against live +honeypot data, tracked outside this document. +