@exellix/graph-composer 2.0.0

package/examples/network-vuln-subnet-triage.v2.json

@@ -0,0 +1,389 @@
+{
+  "id": "network-vuln-subnet-triage.v2",
+  "name": "Network vulnerability triage — subnet",
+  "description": "Step 1 of Network vulnerability triage (v2). Runs on one subnet snapshot at a time. Produces: subnet reachability, zone classification, composition, blast radius profile. CVSS-based tier skips LLM for low severity on input.raw. Output written to x-scoped-data (inferences + decisions) with scopingMapId xmemory:scopemap:v1:subnet-triage-verdicts.",
+  "variables": {
+    "locale": "en"
+  },
+  "woroxContractTarget": {
+    "version": 1,
+    "referenceRole": "network-vuln-subnet-triage.v2",
+    "intent": "Declarative integration target (.docs/worox-graph-format.md — Platform contract vs runtime guarantee). Runtime ignores this object; close gaps in upstream + executor.",
+    "targets": {
+      "nestedAnswerInMongo": true,
+      "xmemoryThingWithEdge": true,
+      "linkedFieldProvenanceOnRead": true,
+      "preSynthesisBeforeMainLLM": true,
+      "persistSynthesisOnScopedDoc": true,
+      "opaqueRecordMitigations": ["mitreAttack"]
+    }
+  },
+  "nodes": [
+    {
+      "id": "sq-4",
+      "type": "task",
+      "skillKey": "scoped-data-reader",
+      "metadata": {
+        "scopingMapId": "xmemory:scopemap:v1:subnet-asset-inventory",
+        "entityIdPath": "input.subnetId"
+      },
+      "outputMapping": {
+        "path": "scoped.subnet.importance",
+        "mode": "replace"
+      }
+    },
+    {
+      "id": "sq-10",
+      "type": "task",
+      "skillKey": "scoped-data-reader",
+      "metadata": {
+        "scopingMapId": "xmemory:scopemap:v1:subnet-risk-summary",
+        "entityIdPath": "input.subnetId"
+      },
+      "outputMapping": {
+        "path": "scoped.subnet.priority",
+        "mode": "replace"
+      }
+    },
+    {
+      "id": "sq-12",
+      "type": "task",
+      "skillKey": "scoped-data-reader",
+      "metadata": {
+        "scopingMapId": "xmemory:scopemap:v1:topology-to-subnet-exposure",
+        "entityIdPath": "input.subnetId"
+      },
+      "outputMapping": {
+        "path": "scoped.topology.subnet",
+        "mode": "replace"
+      }
+    },
+    {
+      "id": "iq-7",
+      "type": "task",
+      "skillKey": "deterministic-rule",
+      "metadata": {
+        "rules": [
+          {
+            "id": "dmz-external-adjacency",
+            "label": "DMZ/portal subnet with external adjacency → critical-zone",
+            "condition": {
+              "any": [
+                {
+                  "all": [
+                    { "path": "scoped.topology.subnet.fields.zoneClass.value", "in": ["DMZ", "dmz", "portal"] },
+                    { "path": "scoped.topology.subnet.fields.outsideExposure.value", "in": ["EXTERNALLY_ADJACENT", "PUBLIC_EDGE"] }
+                  ]
+                }
+              ]
+            },
+            "output": {
+              "context_verdict": "critical-zone",
+              "context_tag": "CONFIRMED"
+            }
+          },
+          {
+            "id": "high-connectivity-internal",
+            "label": "Internal subnet with >50 routable peers → high-connectivity-zone",
+            "condition": {
+              "all": [
+                { "path": "scoped.topology.subnet.fields.zoneClass.value", "eq": "internal" },
+                { "path": "scoped.topology.subnet.fields.routablePeerSubnetCount.value", "gte": 50 }
+              ]
+            },
+            "output": {
+              "context_verdict": "high-connectivity-zone",
+              "context_tag": "CONFIRMED"
+            }
+          },
+          {
+            "id": "standard-internal-low-risk",
+            "label": "Internal subnet with low overall risk → standard-zone",
+            "condition": {
+              "all": [
+                { "path": "scoped.topology.subnet.fields.zoneClass.value", "eq": "internal" },
+                { "path": "scoped.subnet.priority.fields.overallRisk.value", "in": ["Low", "low"] }
+              ]
+            },
+            "output": {
+              "context_verdict": "standard-zone",
+              "context_tag": "CONFIRMED"
+            }
+          },
+          {
+            "id": "internal-mapped",
+            "label": "Internal subnet (topology mapped) → standard-zone inferred",
+            "condition": {
+              "all": [
+                { "path": "scoped.topology.subnet.answer_status", "eq": "answered" },
+                { "path": "scoped.topology.subnet.fields.zoneClass.value", "eq": "internal" }
+              ]
+            },
+            "output": {
+              "context_verdict": "standard-zone",
+              "context_tag": "INFERRED"
+            }
+          },
+          {
+            "id": "topology-not-mapped",
+            "label": "Topology not mapped → unknown-context",
+            "condition": {
+              "any": [
+                { "path": "scoped.topology.subnet.answer_status", "in": ["not_found", "empty"] }
+              ]
+            },
+            "output": {
+              "context_verdict": "unknown-context",
+              "context_tag": "UNKNOWN"
+            }
+          }
+        ],
+        "firstMatchWins": true,
+        "defaultOutput": {
+          "context_verdict": "unknown-context",
+          "context_tag": "UNKNOWN"
+        }
+      },
+      "outputMapping": {
+        "path": "inference.subnet_context",
+        "mode": "replace"
+      }
+    },
+    {
+      "id": "resolve-subnet-tier",
+      "type": "task",
+      "skillKey": "deterministic-rule",
+      "metadata": {
+        "rules": [
+          {
+            "id": "tier-low-cvss",
+            "label": "CVSS base score present and < 4 → low tier (skip subnet LLM)",
+            "condition": {
+              "all": [
+                { "path": "input.raw.cvssBaseScore", "exists": true },
+                { "path": "input.raw.cvssBaseScore", "lt": 4 }
+              ]
+            },
+            "output": { "severity_tier": "low" }
+          },
+          {
+            "id": "tier-medium-cvss",
+            "label": "CVSS 4–6.9 → medium tier (full LLM)",
+            "condition": {
+              "all": [
+                { "path": "input.raw.cvssBaseScore", "exists": true },
+                { "path": "input.raw.cvssBaseScore", "gte": 4 },
+                { "path": "input.raw.cvssBaseScore", "lte": 6.9 }
+              ]
+            },
+            "output": { "severity_tier": "medium" }
+          }
+        ],
+        "firstMatchWins": true,
+        "defaultOutput": { "severity_tier": "full" }
+      },
+      "outputMapping": {
+        "path": "triage",
+        "mode": "replace",
+        "map": {
+          "severity_tier": "parsed.output.severity_tier",
+          "tier_rule_id": "parsed.rule_id"
+        }
+      }
+    },
+    {
+      "id": "iq-subnet-priority",
+      "type": "task",
+      "skillKey": "professional-answer",
+      "metadata": {
+        "aiTaskProfile": {
+          "preStrategyKey": "subnet-context-pre-v1",
+          "postStrategyKey": "subnet-answer-post-v1",
+          "webScoping": { "enabled": false },
+          "inputSynthesis": { "enabled": false }
+        },
+        "narrix": {
+          "datasetId": "network.subnets",
+          "layer": "subnet"
+        },
+        "outputConstraints": {
+          "format": "structured",
+          "requiredFields": ["priority_verdict", "priority_tag", "reasoning", "unknowns", "assumptions"],
+          "allowedValues": {
+            "priority_verdict": ["immediate_attention", "planned_review", "monitor", "acceptable"],
+            "priority_tag": ["CONFIRMED", "INFERRED", "ASSUMED"]
+          }
+        }
+      },
+      "taskVariable": {
+        "question": "You are acting as a professional security analyst. Operating assumptions: (1) Scope is this subnet only unless the record says otherwise. (2) Prefer instrumented and scoped-data signals; label gaps UNKNOWN. (3) Consider exposure, composition, and risk labels together. (4) When MITRE ATT&CK tactics/techniques appear on the record, reason about them; do not invent TTP IDs. (5) Web evidence is off for this node unless the deployment overrides it — treat claims as supplementary if enabled upstream. (6) Do not false-downgrade when KEV/active-exploitation signals exist on linked vulnerability context. Given the subnet's zone classification, external exposure, composition (asset types and count), recommended actions, and current risk label — what is the triage priority for this subnet and what should happen next?"
+      },
+      "inputs": {
+        "record": {
+          "type": "executionMemoryPath",
+          "path": "input.raw"
+        }
+      },
+      "outputMapping": {
+        "path": "inference.subnet_priority",
+        "mode": "replace",
+        "map": {
+          "answer": "output.parsed.answer",
+          "meta": "output.parsed.meta"
+        }
+      }
+    },
+    {
+      "id": "iq-subnet-priority-low",
+      "type": "task",
+      "skillKey": "deterministic-rule",
+      "metadata": {
+        "rules": [
+          {
+            "id": "subnet-priority-low-synth",
+            "label": "Low severity tier — deterministic subnet priority (no LLM)",
+            "condition": { "path": "input.raw", "exists": true },
+            "output": {
+              "priority_verdict": "monitor",
+              "priority_tag": "INFERRED",
+              "reasoning": "Low-severity call-budget path: subnet priority set to monitor without LLM (CVSS base score < 4 when present). Re-run as medium/full tier if severity context changes.",
+              "unknowns": [],
+              "assumptions": ["Assumes CVSS base score on input.raw reflects the driving vulnerability context for this subnet-level run."]
+            }
+          }
+        ],
+        "firstMatchWins": true,
+        "defaultOutput": {
+          "priority_verdict": "monitor",
+          "priority_tag": "INFERRED",
+          "reasoning": "Low-severity synthetic default.",
+          "unknowns": [],
+          "assumptions": []
+        }
+      },
+      "outputMapping": {
+        "path": "inference.subnet_priority",
+        "mode": "replace",
+        "map": {
+          "answer": "parsed.output"
+        }
+      }
+    },
+    {
+      "id": "assemble-subnet-payload",
+      "type": "task",
+      "skillKey": "scoped-answer-assembler",
+      "metadata": {
+        "mergeInferencePaths": [
+          "inference.subnet_context.output",
+          "inference.subnet_priority.answer"
+        ],
+        "mergeDecisionPaths": []
+      },
+      "outputMapping": {
+        "path": "scopedAnswer.subnet",
+        "mode": "replace",
+        "map": {
+          "inferences": "parsed.inferences",
+          "decisions": "parsed.decisions"
+        }
+      }
+    },
+    {
+      "id": "write-subnet-verdict",
+      "type": "task",
+      "skillKey": "scoped-answer-writer",
+      "metadata": {
+        "scopingMapId": "xmemory:scopemap:v1:subnet-triage-verdicts",
+        "entityIdPath": "input.subnetId",
+        "staticEntityType": "subnet",
+        "questionTitle": "Subnet triage: scoped inferences and decisions",
+        "payloadPath": "scopedAnswer.subnet",
+        "woroxContractTarget": {
+          "writer": {
+            "mongoUpsert": true,
+            "thingUpsert": true,
+            "thingType": "triage-scoped-answer",
+            "entityEdge": "has-triage-scoped-answer"
+          }
+        }
+      },
+      "outputMapping": {
+        "path": "scopedAnswer.write_result",
+        "mode": "replace"
+      }
+    },
+    {
+      "id": "finalize-subnet",
+      "type": "finalizer",
+      "finalizerType": "aggregate",
+      "inputs": {},
+      "config": {
+        "strategy": "report-schema",
+        "collect_tags": true,
+        "sections": {
+          "subnet_context": {
+            "path": "inference.subnet_context.output",
+            "title": "Subnet zone and context"
+          },
+          "subnet_priority": {
+            "path": "inference.subnet_priority.answer",
+            "title": "Subnet triage priority",
+            "optional": true
+          },
+          "topology": {
+            "path": "scoped.topology.subnet.fields",
+            "title": "Topology data",
+            "optional": true
+          },
+          "composition": {
+            "path": "scoped.subnet.importance.fields",
+            "title": "Asset composition",
+            "optional": true
+          },
+          "severity_tier": {
+            "path": "triage.severity_tier",
+            "title": "Call-budget severity tier",
+            "optional": true
+          },
+          "write_result": {
+            "path": "scopedAnswer.write_result",
+            "title": "Verdict write status",
+            "optional": true
+          }
+        },
+        "meta": {
+          "graph": "network-vuln-subnet-triage.v2",
+          "schemaVersion": "v2"
+        }
+      }
+    }
+  ],
+  "edges": [
+    { "from": "sq-4", "to": "iq-7" },
+    { "from": "sq-10", "to": "iq-7" },
+    { "from": "sq-12", "to": "iq-7" },
+    { "from": "iq-7", "to": "resolve-subnet-tier" },
+    {
+      "from": "resolve-subnet-tier",
+      "to": "iq-subnet-priority",
+      "when": {
+        "any": [
+          { "path": "executionMemory.triage.severity_tier", "eq": "full" },
+          { "path": "executionMemory.triage.severity_tier", "eq": "medium" }
+        ]
+      }
+    },
+    {
+      "from": "resolve-subnet-tier",
+      "to": "iq-subnet-priority-low",
+      "when": { "path": "executionMemory.triage.severity_tier", "eq": "low" }
+    },
+    { "from": "iq-subnet-priority", "to": "assemble-subnet-payload" },
+    { "from": "iq-subnet-priority-low", "to": "assemble-subnet-payload" },
+    { "from": "iq-7", "to": "assemble-subnet-payload" },
+    { "from": "sq-12", "to": "assemble-subnet-payload" },
+    { "from": "assemble-subnet-payload", "to": "write-subnet-verdict" },
+    { "from": "write-subnet-verdict", "to": "finalize-subnet" }
+  ]
+}