feat(ttp): E.1.2 bus topic contract — TTP_TAGGED, TTP_RULE_FIRED, TTP_RULE_SUPPRESSED, EMAIL_RECEIVED

Second TTP-tagging contract commit. Constants only — no publishers,
no subscribers, no tests. (E.2.3 ships the bus-topic naming tests.)

- New roots: EMAIL, TTP.
- New leaves: EMAIL_RECEIVED ('received', single-token under EMAIL),
  TTP_TAGGED ('tagged'), TTP_RULE_FIRED ('rule.fired'),
  TTP_RULE_SUPPRESSED ('rule.suppressed'). Per-rule reload + state
  topics ship with the RuleStore (E.1.11) — co-located with
  producer.
- New builders: email_topic(event_type), ttp(event_type),
  ttp_rule_fired(technique_id). The ttp_rule_fired builder validates
  technique_id as a single segment so sub-techniques like T1110.001
  are rejected at construction; topic key is the parent technique,
  sub_technique lives in the payload.
- email_topic is named with the _topic suffix to avoid shadowing the
  Python email stdlib at import sites that pull both.
- TTP_TAGGING.md E.1.2 entry corrected: the spec referenced
  'ATTACKER_ENRICHED' but the actual constant is
  ATTACKER_INTEL_ENRICHED ('intel.enriched'). The existing constant
  covers the design intent (TTP intel_lifter wakes on
  attacker.intel.enriched). No rename — would break every existing
  subscriber.

Wiki update for the four new topics ships in a sibling commit in
wiki-checkout (separate repo per project layout).
2026-05-01 06:08:11 -04:00
parent ce7efdfdd2
commit e395306dcb
2 changed files with 87 additions and 3 deletions
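
The single-segment rule the commit message describes for `ttp_rule_fired(technique_id)`, as an added example that is not the commit's or the project's code. It shows why a dotted sub-technique id cannot be used as a topic key and how the parent technique and `sub_technique` are separated. Assumptions: the topic layout `ttp.rule.fired.<technique_id>`, the segment pattern, the helpers `split_technique` and `rule_fired_message`, and the payload field names other than `sub_technique`.

```python
from __future__ import annotations

import re

# Leaf value is from the commit message; the root value "ttp" and the
# "<root>.<leaf>.<technique_id>" layout are assumptions for this example.
TTP = "ttp"
TTP_RULE_FIRED = "rule.fired"

# Assumed definition of "single segment": no dots, wildcards or whitespace.
_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")
# ATT&CK ids: parent "T1110", optional sub-technique suffix ".001".
_ATTACK_ID = re.compile(r"(T[0-9]{4})(?:\.([0-9]{3}))?")


def ttp_rule_fired(technique_id: str) -> str:
    """Build the per-technique topic; reject anything that is not one segment."""
    if not isinstance(technique_id, str) or not _SEGMENT.fullmatch(technique_id):
        # "T1110.001" would add a topic level, and "*" or "#" would act as wildcards
        raise ValueError(f"technique_id must be a single segment: {technique_id!r}")
    return f"{TTP}.{TTP_RULE_FIRED}.{technique_id}"


def split_technique(attack_id: str) -> tuple[str, str | None]:
    """Hypothetical helper: return (parent technique, sub_technique or None)."""
    m = _ATTACK_ID.fullmatch(attack_id)
    if m is None:
        raise ValueError(f"not an ATT&CK technique id: {attack_id!r}")
    parent, suffix = m.group(1), m.group(2)
    return parent, (attack_id if suffix else None)


def rule_fired_message(attack_id: str, rule_id: str) -> tuple[str, dict]:
    """Hypothetical helper: the parent keys the topic, the sub-technique rides in the payload."""
    parent, sub = split_technique(attack_id)
    payload = {"technique_id": parent, "sub_technique": sub, "rule_id": rule_id}
    return ttp_rule_fired(parent), payload


if __name__ == "__main__":
    # Constructed sample input: a rule tagged with a sub-technique id.
    print(rule_fired_message("T1110.001", "ssh-bruteforce"))
```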

@@ -2249,11 +2249,15 @@ Contracts ship in this order, one commit per step:
**E.1.2 — Bus topic contract** (`decnet/bus/topics.py`)
**Status:** ✅ done.
- New constants: `TTP_TAGGED`, `TTP_RULE_FIRED`,
`TTP_RULE_SUPPRESSED`.
- Confirm `ATTACKER_ENRICHED` exists (it does — verify), confirm
`IDENTITY_FORMED` / `IDENTITY_MERGED` exist (they do).
- New `EMAIL_RECEIVED` topic constant.
- Confirm `ATTACKER_INTEL_ENRICHED` exists (it does — `"intel.enriched"`,
topic `attacker.intel.enriched`), confirm `IDENTITY_FORMED` /
`IDENTITY_MERGED` exist (they do).
- New `EMAIL_RECEIVED` topic constant + `EMAIL` / `TTP` root prefixes
+ builders `email_topic()`, `ttp()`, `ttp_rule_fired()`.
- Wiki update (`wiki-checkout/Service-Bus.md`) lands in the same
commit per project convention.
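Review bot: The last bullet of the E.1.2 entry still says the wiki update (`wiki-checkout/Service-Bus.md`) "lands in the same commit per project convention", which contradicts the commit message's statement that it ships in a sibling commit in the separate wiki-checkout repo. With the status marked done, reword that bullet to point at the sibling commit so the spec matches what was actually shipped. The entry also names `ttp_rule_fired()` without the single-segment constraint on `technique_id` that the commit message describes (sub-techniques such as T1110.001 rejected, `sub_technique` carried in the payload); one line stating that here would keep the spec and the builder in agreement.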