anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(ttp): E.1.1 schema contract — TTPTag, TTPRule, TTPRuleState, evidence TypedDicts, compute_tag_uuid

Browse Source 
First contract commit of TTP tagging. Shapes only — no behavior.

- TTPTag SQLModel: deterministic UUIDv5 PK; (source_kind, source_id)
  discriminated provenance; nullable attacker_uuid + identity_uuid
  with ON DELETE CASCADE; native sqlalchemy.JSON evidence column;
  required attack_release; CheckConstraint('attacker_uuid IS NOT
  NULL OR identity_uuid IS NOT NULL'); composite indexes for the
  primary query patterns (identity_uuid+technique_id,
  attacker_uuid+technique_id, technique_id+created_at); __init__
  guard raising ValueError with both anchor names in the message
  (belt-and-braces for MySQL <8.0.16 where CHECK is silent).
- compute_tag_uuid(): RFC-4122 UUIDv5 over the six tag-identity
  fields under a fixed _TTP_TAG_NS. Pure, deterministic, replay-safe.
- Per-source_kind evidence TypedDicts (CommandEvidence,
  IntelEvidence, EmailEvidence, CanaryFingerprintEvidence) — PII
  rule lives in the type: EmailEvidence has no field for raw rcpt
  addresses or body bytes.
- TTPRule + TTPRuleState tables for the DatabaseRuleStore (E.1.11).
- All symbols re-exported from decnet.web.db.models per the
  package's existing convention.

Tests for invariants (CHECK behavior, evidence round-trip across
SQLite+MySQL, idempotency property, init-guard ordering) land in
E.2.1/E.2.2 with xfail-strict markers per Appendix E discipline.
This commit is contained in:
anti
2026-05-01 06:03:45 -04:00
parent d09764beec
commit ce7efdfdd2
3 changed files with 258 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
decnet/web/db/models/__init__.py
View File

@@ -185,6 +185,16 @@ from .tarpit import (
TarpitRuleResponse,
TarpitStatusResponse,
)
from .ttp import (
CanaryFingerprintEvidence,
CommandEvidence,
EmailEvidence,
IntelEvidence,
TTPRule,
TTPRuleState,
TTPTag,
compute_tag_uuid,
)
__all__ = [
# _base
@@ -345,4 +355,13 @@ __all__ = [
"TarpitRule",
"TarpitRuleResponse",
"TarpitStatusResponse",
# ttp
"CanaryFingerprintEvidence",
"CommandEvidence",
"EmailEvidence",
"IntelEvidence",
"TTPRule",
"TTPRuleState",
"TTPTag",
"compute_tag_uuid",
]