Commit Graph

2 Commits

Author SHA1 Message Date
5116023bf7 feat(profiler/behave_shell): stamp attacker_uuid on bus payload (Phase 5 prep)
The profiler worker's per-observation publish now re-merges
attacker_uuid into the bus payload alongside id/ts/v. Same shape as
the existing DECNET-side deviation from BEHAVE's wire-format
docstring (BEHAVE-INTEGRATION.md §339-366) — widens the deviation
by one DECNET denorm field.

Phase 5's per-attacker SSE route can now filter
attacker.observation.* events to one attacker in O(1) without a repo
round-trip per event. identity_ref stays None today (until the
attribution engine ships); attacker_uuid is independent.

Two test changes:
* test_happy_path_persists_and_publishes asserts attacker_uuid is in
  every published payload.
* New test_attacker_uuid_in_payload_for_filter pins the field
  explicitly and confirms it doesn't conflate with identity_ref.
2026-05-08 20:18:32 -04:00
5ff89eefe7 feat(profiler): wire BEHAVE-SHELL extraction onto attacker.session.ended
The profiler worker now consumes attacker.session.ended on the bus
AND walks unprofiled session_recorded log rows on every tick. Both
paths converge on a single handler that:

1. Validates required payload fields (session_id, decky_id, service,
   attacker_ip, shard_path).
2. Builds evidence_ref shard:{decky}/{service}/{shard_basename}#{sid}
   and skips when has_observations_for_evidence is True (idempotent
   re-runs).
3. Resolves attacker_uuid via get_attacker_uuid_by_ip; defers if the
   profiler tick hasn't materialised the row yet.
4. Reads the asciinema shard, slices events for the sid, calls
   extract_session, persists each Observation via upsert_observation
   (per-row; batch transaction filed as follow-up), then publishes
   each on the bus best-effort (fire-and-forget per DEBT-029 §6).

Architecture:
* Handler lives in decnet/profiler/behave_shell/_handler.py — pure
  function, unit-tested in isolation.
* Worker.py adds _behave_pump (queue feed), _drain_behave_queue
  (per-tick drain), _behave_poll_tick (cursor scan over
  session_recorded logs), and _payload_from_log_row (Log → bus-shape
  payload projection).
* Poll cursor uses a separate state key
  (attacker_worker_session_cursor) so the correlation tick's cursor
  doesn't conflate.
* has_observations_for_evidence promoted to BaseRepository abstract.

22 new tests across handler / drain / poll layers covering happy
path, all skip paths, isolation against handler exceptions,
idempotency on re-run, and cursor key separation. TTP worker bus
tests still green — payload field is purely additive.

Closes BEHAVE-INTEGRATION.md Phase 4.
2026-05-08 18:57:45 -04:00
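
The skip, defer and publish paths of the handler described in commit 5ff89eefe7, together with the attacker_uuid stamping from 5116023bf7, as an added example that is not code from the DECNET repository. The method names and the evidence_ref format come from the commit messages; their signatures, the MemoryRepo class, the extract and publish callables (standing in for shard reading plus extract_session, and for the bus) and the returned status strings are assumptions.

```python
# Added illustration: every signature here is an assumed stand-in, not DECNET code.
import posixpath

REQUIRED = ("session_id", "decky_id", "service", "attacker_ip", "shard_path")


class MemoryRepo:
    """Constructed in-memory stand-in for the repository named in the commit."""

    def __init__(self, uuid_by_ip):
        self.uuid_by_ip = uuid_by_ip
        self.observations = {}  # evidence_ref -> list of stored observations

    def has_observations_for_evidence(self, evidence_ref):
        return evidence_ref in self.observations

    def get_attacker_uuid_by_ip(self, ip):
        return self.uuid_by_ip.get(ip)

    def upsert_observation(self, evidence_ref, obs):
        self.observations.setdefault(evidence_ref, []).append(obs)


def evidence_ref_for(payload):
    # Format from the commit message: shard:{decky}/{service}/{shard_basename}#{sid}
    base = posixpath.basename(payload["shard_path"])
    return f"shard:{payload['decky_id']}/{payload['service']}/{base}#{payload['session_id']}"


def handle_session_ended(payload, repo, extract, publish):
    """Return 'invalid', 'duplicate', 'deferred' or 'processed'."""
    if any(not payload.get(key) for key in REQUIRED):
        return "invalid"
    ref = evidence_ref_for(payload)
    if repo.has_observations_for_evidence(ref):
        return "duplicate"  # bus event and poll row for one session converge here
    attacker_uuid = repo.get_attacker_uuid_by_ip(payload["attacker_ip"])
    if attacker_uuid is None:
        return "deferred"  # attacker row not materialised yet; retry on a later tick
    for obs in extract(payload):
        repo.upsert_observation(ref, obs)  # persist first, per row
        try:
            # attacker_uuid is stamped on the bus payload; identity_ref stays None
            publish({**obs, "attacker_uuid": attacker_uuid, "identity_ref": None})
        except Exception:
            pass  # best-effort publish: a bus failure must not undo persistence
    return "processed"
```

Because the evidence_ref check runs before any work, the same session arriving once over the bus and once from the log-row poll is stored and published only once.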