feat(correlation,profiler): publish attacker.observed on first sighting (DEBT-031 worker 3)

Browse Source

CorrelationEngine gains an optional publish_fn hook fired once per unique
attacker IP.  The profiler worker — sole caller of the engine today —
carries the bus physically, builds a thread-safe publisher, and wraps it
with the attacker.observed topic before handing it in.

Bus stays optional: if get_bus() fails or DECNET_BUS_ENABLED=false, the
engine runs publish_fn=None and the worker degrades to DB-only.  Hook
failures log a warning and never break ingestion.

...

This commit is contained in:

anti

2026-04-21 16:53:03 -04:00

parent 34d9e37ab0

commit e51b65d7c3

4 changed files with 224 additions and 8 deletions

Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL

Download Patch File Download Diff File Expand all files Collapse all files

0

tests/correlation/__init__.py Normal file