DECNET

anti/DECNET

Fork 0

Commit Graph

Author	SHA1	Message	Date
anti	0510cde073	feat(profiler/behave_shell): Phase A — calibration floor green BEHAVE-EXTRACTOR.md Phase A Step 10. Closes the discriminative floor: six primitives emit, the five-class calibration grid is the binding regression test for every subsequent phase. * Phase A checklist boxes (Steps 0-10) ticked in development/BEHAVE-EXTRACTOR.md. * Phase A completion log appended inline to the design doc per the "append phase logs to design docs" memory rule — captures per-primitive confidence ranges and the 2026-05-02 empirical anchors that drove threshold calibration. * Hard gate: tests/profiler/behave_shell/test_calibration_grid.py parametrised over five class shards, all green; skips cleanly on BEHAVE_CALIBRATION_DIR unset. Phases B-G expand horizontally across the registry. Phase H is the full-corpus lockdown + v0 release. Worker (BEHAVE-INTEGRATION.md Phase 4) is unblocked at this milestone — it can wire per-session production against the Phase A engine without waiting for the rest of the Tier-A corpus.	2026-05-03 08:02:02 -04:00
anti	11f474556c	docs(behave): integration + extractor + attribution design (DEBT-050 / 051) Three sibling design docs plus DEBT.md updates that supersede the stale DEBT-036 with a BEHAVE-aligned plan. development/BEHAVE-INTEGRATION.md — five-phase rollout: storage (observations table mirroring the BEHAVE Observation envelope plus one DECNET-side denorm; UniqueConstraint(evidence_ref, primitive) enforcing idempotency); engine (in decnet/profiler/behave_shell/ sublibrary, no new daemon, not in BEHAVE — DECNET is the engine); BEHAVE pin; worker wire; UI panel + per-attacker SSE route; live smoke. Bus payload merges id/ts/v back in to preserve sensor identifiers across the bus envelope. development/BEHAVE-EXTRACTOR.md — engine route in eight phases (A–H). Phase A locks the 6-primitive calibration grid; Phases B–G expand horizontally; Phase H is the full Tier-A corpus + v0 release. v0 ships every shell-extractable primitive (37 of them); Tier B is cross-session and lives in the attribution engine; Tier C is network-domain (toolchain.) and lives elsewhere. development/ATTRIBUTION-ENGINE.md — sublibrary inside decnet/correlation/ that consumes attacker.observation. events and emits attribution.profile.* derived state. Five-state machine (unknown / stable / drifting / conflicted / multi_actor) with per- ValueKind merge functions. v0 closes DEBT-051; v1 adds the real clusterer; v2 federation gossip. The bright line forbidding attribution to natural persons is lifted directly from BEHAVE's envelope docstring. development/DEBT.md — DEBT-036 marked STALE; DEBT-050 and DEBT-051 entries added; summary table + open list updated.	2026-05-03 07:24:19 -04:00

Author

SHA1

Message

Date

anti

0510cde073

feat(profiler/behave_shell): Phase A — calibration floor green

BEHAVE-EXTRACTOR.md Phase A Step 10. Closes the discriminative
floor: six primitives emit, the five-class calibration grid is the
binding regression test for every subsequent phase.

* Phase A checklist boxes (Steps 0-10) ticked in
  development/BEHAVE-EXTRACTOR.md.
* Phase A completion log appended inline to the design doc per
  the "append phase logs to design docs" memory rule — captures
  per-primitive confidence ranges and the 2026-05-02 empirical
  anchors that drove threshold calibration.
* Hard gate: tests/profiler/behave_shell/test_calibration_grid.py
  parametrised over five class shards, all green; skips cleanly
  on BEHAVE_CALIBRATION_DIR unset.

Phases B-G expand horizontally across the registry. Phase H is
the full-corpus lockdown + v0 release. Worker
(BEHAVE-INTEGRATION.md Phase 4) is unblocked at this milestone —
it can wire per-session production against the Phase A engine
without waiting for the rest of the Tier-A corpus.

2026-05-03 08:02:02 -04:00

anti

11f474556c

docs(behave): integration + extractor + attribution design (DEBT-050 / 051)

Three sibling design docs plus DEBT.md updates that supersede the
stale DEBT-036 with a BEHAVE-aligned plan.

development/BEHAVE-INTEGRATION.md — five-phase rollout: storage
(observations table mirroring the BEHAVE Observation envelope plus
one DECNET-side denorm; UniqueConstraint(evidence_ref, primitive)
enforcing idempotency); engine (in decnet/profiler/behave_shell/
sublibrary, no new daemon, not in BEHAVE — DECNET is the engine);
BEHAVE pin; worker wire; UI panel + per-attacker SSE route; live
smoke. Bus payload merges id/ts/v back in to preserve sensor
identifiers across the bus envelope.

development/BEHAVE-EXTRACTOR.md — engine route in eight phases
(A–H). Phase A locks the 6-primitive calibration grid; Phases B–G
expand horizontally; Phase H is the full Tier-A corpus + v0
release. v0 ships every shell-extractable primitive (37 of them);
Tier B is cross-session and lives in the attribution engine; Tier
C is network-domain (toolchain.*) and lives elsewhere.

development/ATTRIBUTION-ENGINE.md — sublibrary inside
decnet/correlation/ that consumes attacker.observation.* events
and emits attribution.profile.* derived state. Five-state machine
(unknown / stable / drifting / conflicted / multi_actor) with per-
ValueKind merge functions. v0 closes DEBT-051; v1 adds the real
clusterer; v2 federation gossip. The bright line forbidding
attribution to natural persons is lifted directly from BEHAVE's
envelope docstring.

development/DEBT.md — DEBT-036 marked STALE; DEBT-050 and
DEBT-051 entries added; summary table + open list updated.

2026-05-03 07:24:19 -04:00

2 Commits