anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
33f7d5a9ff572682d2a2798ca2ba348b9881ddbc
DECNET/decnet/web/router/attackers/api_get_attacker_attribution.py
anti 33f7d5a9ff feat(web): expose attribution state on AttackerDetail backend (Phase 6) 
GET /api/v1/attackers/{uuid}/attribution

Returns the merger output for an attacker's identity:

    {
        "identity_uuid": "abc..." | null,
        "primitives": [
            {primitive, current_value, state, confidence,
             observation_count, last_change_ts, last_observation_ts},
            ...
        ]
    }

Pre-attribution-worker: identity_uuid=null, primitives=[]. Surfacing
identity_uuid keeps the cross-attacker rollup story visible to the
frontend ahead of v1's clusterer landing.

api_events SSE relay also subscribes to attribution.> and forwards
to the AttackerDetail page filtered on payload.identity_uuid (the
identity is resolved at stream open from the URL's attacker_uuid;
attribution payloads are identity-keyed, not attacker-keyed). New
SSE event names: attribution.state_changed,
attribution.multi_actor_suspected.

Frontend (AttackerDetail.tsx badge rendering, useAttackerStream
consumer) deferred — there's already WIP on AttackerDetail.tsx in
the working tree; merging the badge logic is a separate commit
once that lands.

Tests: 4 endpoint scenarios — 401 unauth, 404 unknown attacker,
200 empty (no stub), 200 with primitive-ordered rows.
2026-05-09 02:21:59 -04:00

93 lines
3.1 KiB
Python
Raw Blame History

"""GET /api/v1/attackers/{uuid}/attribution — per-primitive
attribution state for one attacker.
Returns the merger output produced by
:mod:`decnet.correlation.attribution_worker` over the observations
linked to this attacker's identity. Pre-clusterer (v0), every
attacker has a 1:1 stub identity, so the returned set is the merger
output for the single attacker; v1's clusterer makes the rollup
cross-attacker.
Empty ``primitives`` is the honest answer when:
- The attribution worker has not yet processed an observation for
this attacker (race with first-sight + behave-shell ingest), OR
- The attacker has fewer than ``MIN_OBSERVATIONS_FOR_STATE``
observations of any primitive — every state row would be ``unknown``,
and the worker writes those, so the empty case is genuinely "engine
hasn't run yet".
The response includes ``identity_uuid`` so AttackerDetail can render
a "rolls up to identity X" hint ahead of the v1 IdentityDetail wire-
up — we don't pretend the keying is per-attacker.
"""
from __future__ import annotations
from typing import Any
from fastapi import APIRouter, Depends
from decnet.telemetry import traced as _traced
from decnet.web.dependencies import repo, require_viewer
from ._guards import get_attacker_or_404
router = APIRouter()
@router.get(
"/attackers/{uuid}/attribution",
tags=["Attacker Profiles"],
responses={
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "Attacker not found"},
},
)
@_traced("api.get_attacker_attribution")
async def get_attacker_attribution(
uuid: str,
user: dict = Depends(require_viewer),
) -> dict[str, Any]:
"""Return per-primitive attribution state for an attacker.
Shape::
{
"identity_uuid": "abc123..." | null,
"primitives": [
{
"primitive": "motor.input_modality",
"current_value": "pasted",
"state": "stable",
"confidence": 0.91,
"observation_count": 7,
"last_change_ts": 1714521660.456,
"last_observation_ts": 1714521660.456
},
...
]
}
"""
attacker = await get_attacker_or_404(uuid)
identity_uuid = attacker.get("identity_id") if isinstance(attacker, dict) else None
if not identity_uuid:
# Attacker exists but the attribution worker has not yet
# stamped a stub identity on first observation.
return {"identity_uuid": None, "primitives": []}
rows = await repo.get_attribution_state_for_identity(identity_uuid)
primitives = [
{
"primitive": row["primitive"],
"current_value": row["current_value"],
"state": row["state"],
"confidence": row["confidence"],
"observation_count": row["observation_count"],
"last_change_ts": row["last_change_ts"],
"last_observation_ts": row["last_observation_ts"],
}
for row in rows
]
return {"identity_uuid": identity_uuid, "primitives": primitives}
Reference in New Issue View Git Blame Copy Permalink