feat(engine): per-objective corroboration from agent behaviors (JEF-49) #24
Merged
Fill the deferred arms in `corroborates(behavior, attack)` so the agent's
own runtime behaviors corroborate a threat chain, keyed on the objective's
ATT&CK tactic:
- NetworkConnection{internet:true} -> EXFILTRATION (T1041)
- SecretRead -> CREDENTIAL_ACCESS (T1552)
- LibraryLoaded -> FOOTHOLD / Initial Access (T1190)
The Falco Alert arm still corroborates any objective (unchanged). FileRead
never reaches here. Shadow-gated per ADR-0014: this only sets
corroborated=true; actuation stays gated behind engine.enable (empty =
shadow). No default/enable config changed.
Adds direct unit tests for each mapping, a negative case (wrong-tactic
behavior + in-cluster connection do not corroborate), an alert-still-broad
regression guard, and an end-to-end check through `prove`.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01VtjoJttCvBY4dzCoE4f9vP
Summary

Fills the deferred arms in `corroborates(behavior, attack)` in `engine/src/engine/reason/proof.rs` so the agent's OWN runtime behaviors corroborate a threat chain (set `corroborated=true`), not only Falco `Alert`. Each behavior corroborates only the objective class whose ATT&CK tactic it evidences:

- `NetworkConnection { internet: true }` -> `Tactic::Exfiltration`
- `SecretRead { .. }` -> `Tactic::CredentialAccess`
- `LibraryLoaded { .. }` -> `Tactic::InitialAccess`
- (`internet: false`) corroborates nothing — only egress is exfil evidence.
- `Alert` still corroborates any objective (unchanged — no regression).
- `FileRead` never reaches here (the RuntimeAdapter refines it to `SecretRead` or drops it).

Matching is keyed on `attack.tactic` rather than the precise technique, because the tactic is the stable objective-class key the recognizers tag with.

Shadow-gated (ADR-0014)

These arms only set `corroborated=true`. Actuation stays gated behind `engine.enable` (empty = shadow) — they are inert for action until the shadow bake clears and an operator sets `enable`. No default/enable config is touched in this PR.

Tests

- `network_internet_corroborates_exfiltration`
- `secret_read_corroborates_credential_access`
- `library_load_corroborates_foothold`
- `behavior_does_not_corroborate_unrelated_objective` (negative: wrong-tactic behaviors + in-cluster connection)
- `alert_still_corroborates_any_objective` (regression guard)
- `secret_read_signal_corroborates_credential_chain_end_to_end` (full `prove` path)

`cargo build`, `cargo test -p protector` (114 passed, 0 failed), and `cargo clippy -p protector --all-targets -- -D warnings` all green; `cargo fmt` applied.

🤖 Generated with Claude Code
https://claude.ai/code/session_01VtjoJttCvBY4dzCoE4f9vP
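
The tactic-keyed matching and the shadow gate described in this PR, as an added sketch that is not the project's `proof.rs`. The type shapes, the `path`/`name` fields, the `evaluate` function and the modelling of `engine.enable` as a list of tactics are assumptions made for illustration.

```rust
// Added sketch: type shapes are assumptions, not the project's own code.
#[derive(Clone, Copy, PartialEq, Debug)]
pub enum Tactic { InitialAccess, CredentialAccess, Exfiltration }

pub enum Behavior {
    Alert,
    NetworkConnection { internet: bool },
    SecretRead { path: String },    // field is hypothetical
    LibraryLoaded { name: String }, // field is hypothetical
}

pub struct Attack { pub tactic: Tactic }

/// A behavior corroborates only the objective class whose tactic it evidences.
pub fn corroborates(behavior: &Behavior, attack: &Attack) -> bool {
    match (behavior, attack.tactic) {
        // The alert arm stays broad: it corroborates any objective.
        (Behavior::Alert, _) => true,
        // Only egress counts; an in-cluster connection falls through to false.
        (Behavior::NetworkConnection { internet: true }, Tactic::Exfiltration) => true,
        (Behavior::SecretRead { .. }, Tactic::CredentialAccess) => true,
        (Behavior::LibraryLoaded { .. }, Tactic::InitialAccess) => true,
        _ => false,
    }
}

pub struct Verdict { pub corroborated: bool, pub actuate: bool }

/// Shadow gate: `enable` models engine.enable (assumed shape); empty = shadow,
/// so a chain can be corroborated without any action being taken.
pub fn evaluate(behaviors: &[Behavior], attack: &Attack, enable: &[Tactic]) -> Verdict {
    let corroborated = behaviors.iter().any(|b| corroborates(b, attack));
    let actuate = corroborated && enable.contains(&attack.tactic);
    Verdict { corroborated, actuate }
}

fn main() {
    // Constructed sample: a credential-access chain with two observed behaviors.
    let chain = Attack { tactic: Tactic::CredentialAccess };
    let seen = vec![
        Behavior::NetworkConnection { internet: false },
        Behavior::SecretRead { path: "/constructed/token".into() },
    ];
    let shadow = evaluate(&seen, &chain, &[]);
    println!("corroborated={} actuate={}", shadow.corroborated, shadow.actuate);
}
```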