anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(ttp): /api/v1/ttp/rules returns the live rule catalogue

Browse Source 
The endpoint was a contract-phase stub returning `[]` even though the
RuleStore loaded all 58 YAML rules at worker startup. UI saw an empty
table; operators couldn't tell whether anything was wired up.

- `api_list_rules` now calls `get_rule_store().load_compiled()` and
  serializes each CompiledRule + its operational state into a
  RuleCatalogueRow. Sorted by rule_id for stable golden snapshots.
- Add `description: str` to RuleSchema (pydantic) and CompiledRule
  (NamedTuple, defaulted) + propagate through `_compile_one` so the
  catalogue surfaces the human-readable YAML description, not just
  the slug-style `name`.
- Update `tests/ttp/test_rule_engine.py` _fields assertion for the
  new column; new `tests/api/ttp/test_rules_catalogue.py` pins the
  catalogue contents (R0001/R0014 presence, row shape, sort order).

Worker behaviour is unchanged: it was already loading rules
correctly. This is purely a read-side wiring fix on the operator API.
This commit is contained in:
anti
2026-05-02 01:54:06 -04:00
parent 7ab0df3680
commit e08bfc4a73
5 changed files with 95 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
decnet/ttp/impl/rule_engine.py
View File

@@ -122,6 +122,11 @@ class CompiledRule(NamedTuple):
evidence_fields: tuple[str, ...]
#: Operational state stamped in by the store at compile time.
state: "RuleState"
#: Human-readable description from the YAML rule. Surfaced in the
#: ``GET /api/v1/ttp/rules`` catalogue. Default empty so existing
#: callers constructing ``CompiledRule`` (lifter unit tests) keep
#: working without churn.
description: str = ""
class RuleSchema(BaseModel):
@@ -137,6 +142,7 @@ class RuleSchema(BaseModel):
rule_id: str
rule_version: int
name: str
description: str = ""
applies_to: list[str]
match: dict[str, Any]
#: ``[{"tactic": "TA0007", "technique_id": "T1083",

1
decnet/ttp/store/impl/filesystem.py
View File

@@ -181,6 +181,7 @@ def _compile_one(parsed: RuleSchema, state: RuleState) -> CompiledRule:
emits=tuple(emits),
evidence_fields=tuple(parsed.evidence_fields),
state=state,
description=parsed.description,
)