Two new bus signals from the v0 attribution engine
(decnet.correlation.attribution_worker):

* attribution.profile.state_changed — per-(identity, primitive)
  state transition. State vocabulary frozen at five values:
  unknown / stable / drifting / conflicted / multi_actor. Phase 1
  ships the constants only; Phase 4 lights the producer.
* attribution.profile.multi_actor_suspected — cross-primitive
  correlator output. Single-primitive multi_actor is too noisy;
  fires when ≥ 2 primitives co-flag the same identity. Confidence
  capped at 0.6 (see _thresholds.MULTI_ACTOR_MAX_CONFIDENCE).

Co-commits with DECNET dev c2891d6c (feat(correlation/attribution):
substrate + idle handler).

Service-Bus: document email.received mal_hash_match field (DEBT-046)
Update the email.received row to reflect the actual ingester-emitted
payload shape (now that the SMTP services emit it, vs the
"reserved/no publisher yet" status from the original landing). Add
the new mal_hash_match field with its absence-vs-False-vs-True
semantics, and a one-line note on the observed_attachments
companion table.
New derived event published by the prober (via
decnet.correlation.fingerprint_rotation) when a probe produces a
different hash than the last persisted hash for the same
(attacker_uuid, port, probe_type) triple. Carries both old_hash and
new_hash so consumers don't have to join. See DECNET commit 6c6f97e8
for the producer-side implementation.
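
The rotation check described in the message above, as an added Python example that is not DECNET's own code: it keeps the last hash per (attacker_uuid, port, probe_type) triple and returns an event carrying old_hash and new_hash when a probe disagrees. The topic name, class names and sample probes are hypothetical, and emitting nothing on the first sighting of a triple is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical topic name; the page does not give the real one.
ROTATION_TOPIC = "example.fingerprint.rotated"

Key = tuple[str, int, str]  # (attacker_uuid, port, probe_type)


@dataclass(frozen=True)
class RotationEvent:
    topic: str
    attacker_uuid: str
    port: int
    probe_type: str
    old_hash: str
    new_hash: str


class RotationTracker:
    """Keeps the last persisted hash per triple (in memory here)."""

    def __init__(self) -> None:
        self._last: dict[Key, str] = {}

    def observe(self, attacker_uuid: str, port: int, probe_type: str,
                new_hash: str) -> Optional[RotationEvent]:
        key = (attacker_uuid, port, probe_type)
        old_hash = self._last.get(key)
        self._last[key] = new_hash  # persist the latest value either way
        # Assumption: a first sighting has nothing to differ from, so no event.
        if old_hash is None or old_hash == new_hash:
            return None
        return RotationEvent(ROTATION_TOPIC, attacker_uuid, port, probe_type,
                             old_hash, new_hash)


def replay(probes: list[tuple[str, int, str, str]]) -> list[RotationEvent]:
    """Feed probe results in order and collect the rotation events."""
    tracker = RotationTracker()
    events = (tracker.observe(*p) for p in probes)
    return [e for e in events if e is not None]


# Constructed sample probe results (not real data).
SAMPLE_PROBES = [
    ("uuid-a", 443, "tls", "h1"),
    ("uuid-a", 443, "tls", "h1"),  # unchanged, no event
    ("uuid-a", 443, "tls", "h2"),  # rotation h1 -> h2
    ("uuid-a", 22, "ssh", "h2"),   # different triple, first sighting
    ("uuid-b", 443, "tls", "h9"),  # different attacker, first sighting
    ("uuid-a", 443, "tls", "h1"),  # rotation back, h2 -> h1
]
```

Because each event carries both hashes, a consumer can tell a rotation back to an earlier value (the last sample row) from a move to a new one without querying the store.
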
Service-Bus: TTP worker now publishes ttp.tagged + ttp.rule.fired
Flips the 'reserved (TTP worker)' annotations on ttp.tagged and
ttp.rule.fired.{technique_id} to actual publisher attribution
(decnet.ttp.worker), reflecting the E.3.14 worker bootstrap that
landed in DECNET. ttp.rule.suppressed stays reserved — v0 drops
sub-floor confidence at the repo layer and the bus event is
unwired pending E.3.14b.
Per-rule fan-out topics fired by FilesystemRuleStore (E.3.5);
DatabaseRuleStore (E.3.6) will publish the same topics. Land here in
the same logical change as decnet/bus/topics.py per the project's
wiki-checkout discipline.
Sibling of decnet@e395306 (E.1.2 of the TTP-tagging rollout). The
producers don't exist yet — these rows are reserved entries so
subscribers can wire patterns now and consume the moment publishers
land. PII discipline on email.received is captured inline so it
can't get lost in folklore.
Heartbeat extra.realism={llm_enabled, llm_backend, llm_model,
llm_breaker_state} feeds the dashboard's worker-panel LLM status
badge. Required by feedback_wiki_bus_signals.md any time the bus
contract changes.
Document the realism content engine, the orchestrator service collapse,
and every public surface change from the migration on dev.
Page-level changes:
- Realism.md (new) — operator walkthrough of the realism library:
ContentClass taxonomy, persona pools (topology vs global), diurnal
gating, edit-in-place, LLM enrichment with circuit breaker, and 3%
canary cultivation. Configuration table and CLI surface.
- Module-Reference-Core.md — new "decnet/realism/" section covering
taxonomy / planner / naming / bodies / personas / LLM backend /
prompts. Notes the env-var rename.
- Module-Reference-Workers.md — new "Orchestrator" section covering
the unified worker, action-kind weights, drivers (ActivityDriver
ABC, plant_file/read_file contract, _run_edit), and the email
delivery surface that stayed put (events / threads / scheduler).
- Service-Bus.md — fix orchestrator topic table: emailgen producer
attribution is gone (orchestrator owns email now), system.emailgen.*
topics removed.
- CLI-Reference.md — new "decnet orchestrate" and "decnet realism
import-personas" sections plus DECNET_REALISM_* / DECNET_CANARY_*
rows in the env summary.
- Environment-Variables.md — new "Realism content engine" and
"Canary worker" sections; starter .env.local entries appended.
- Systemd-Setup.md — bundled decnet-orchestrator.service template
with the realism env block; explicit note that decnet-emailgen
is gone post-migration.
- Design-Overview.md — Orchestrator + Canary rows added to the
microservice table; Realism cross-link in the Related Pages list.
- Roadmap-and-Known-Debt.md — moved orchestrator-fake-files and
emailgen-twin-worker entries to "Recently closed" with a pointer
to the migration history.
- Home.md, _Sidebar.md — Realism added to the user-docs nav.
docs(wiki): Identity-Resolution page + identity.* topics in Service-Bus
Documents the observation/identity/campaign three-level hierarchy, the
read-only API surface, the deferred clusterer worker, and how to test
the substrate. Companion to development/IDENTITY_RESOLUTION.md in the
main repo.
Service-Bus.md gains the three identity.* topic rows (reserved for the
future clusterer); sidebar links Identity-Resolution under Developer
docs alongside Campaign-Clustering.
Documents the host-local UNIX-socket pub/sub transport: architecture,
topic hierarchy, env vars, code examples (publish/subscribe +
get_app_bus for the API), at-most-once delivery semantics, the
live-topology-mutation worked example, testing helpers, and
troubleshooting. Linked from the user-docs section of the sidebar
between Systemd setup and Logging.