cyvest 4.4.0__py3-none-any.whl → 5.1.0__py3-none-any.whl

cyvest/investigation.py

@@ -14,18 +14,19 @@ from typing import TYPE_CHECKING, Any, Literal
 
 from logurich import logger
 
+from cyvest import keys
 from cyvest.level_score_rules import recalculate_level_for_score
 from cyvest.levels import Level, normalize_level
 from cyvest.model import (
     AuditEvent,
     Check,
-    Container,
     Enrichment,
     InvestigationWhitelist,
     Observable,
     ObservableLink,
     ObservableType,
     Relationship,
+    Tag,
     Taxonomy,
     ThreatIntel,
 )
@@ -63,7 +64,7 @@ class Investigation:
             "fields": {"context", "data"},
             "dict_fields": {"data"},
         },
-        "container": {
+        "tag": {
             "fields": {"description"},
             "dict_fields": set(),
         },
@@ -104,7 +105,7 @@ class Investigation:
         self._checks: dict[str, Check] = {}
         self._threat_intels: dict[str, ThreatIntel] = {}
         self._enrichments: dict[str, Enrichment] = {}
-        self._containers: dict[str, Container] = {}
+        self._tags: dict[str, Tag] = {}
 
         # Internal components
         normalized_score_mode_obs = ScoreMode.normalize(score_mode_obs)
@@ -172,12 +173,12 @@ class Investigation:
         # Fallback if no INVESTIGATION_STARTED event (shouldn't happen)
         return datetime.now(timezone.utc)
 
-    def _add_threat_intel_to_observable(self, observable: Observable, ti: ThreatIntel) -> None:
+    def _link_threat_intel_to_observable(self, observable: Observable, ti: ThreatIntel) -> None:
         if any(existing.key == ti.key for existing in observable.threat_intels):
             return
         observable.threat_intels.append(ti)
 
-    def _add_relationship_internal(
+    def _create_relationship(
         self,
         source_obs: Observable,
         target_key: str,
@@ -190,7 +191,7 @@ class Investigation:
         if rel_tuple not in existing_rels:
             source_obs.relationships.append(rel)
 
-    def _add_check_observable_link(self, check: Check, link: ObservableLink) -> bool:
+    def _link_check_to_observable(self, check: Check, link: ObservableLink) -> bool:
         existing: dict[tuple[str, PropagationMode], int] = {}
         for idx, existing_link in enumerate(check.observable_links):
             existing[(existing_link.observable_key, existing_link.propagation_mode)] = idx
@@ -201,15 +202,12 @@ class Investigation:
         check.observable_links.append(link)
         return True
 
-    def _container_add_check(self, container: Container, check: Check) -> None:
-        if any(existing.key == check.key for existing in container.checks):
+    def _link_check_to_tag(self, tag: Tag, check: Check) -> None:
+        if any(existing.key == check.key for existing in tag.checks):
             return
-        container.checks.append(check)
+        tag.checks.append(check)
 
-    def _container_add_sub_container(self, parent: Container, child: Container) -> None:
-        parent.sub_containers[child.key] = child
-
-    def _infer_object_type(self, obj: Any) -> str | None:
+    def _get_object_type(self, obj: Any) -> str | None:
         if isinstance(obj, Observable):
             return "observable"
         if isinstance(obj, Check):
@@ -218,10 +216,28 @@ class Investigation:
             return "threat_intel"
         if isinstance(obj, Enrichment):
             return "enrichment"
-        if isinstance(obj, Container):
-            return "container"
+        if isinstance(obj, Tag):
+            return "tag"
         return None
 
+    @staticmethod
+    def _normalize_taxonomies(value: Any) -> list[Taxonomy]:
+        if value is None:
+            return []
+        if not isinstance(value, list):
+            raise TypeError("taxonomies must be a list of taxonomy objects.")
+        taxonomies = [Taxonomy.model_validate(item) for item in value]
+        seen: set[str] = set()
+        duplicates: set[str] = set()
+        for taxonomy in taxonomies:
+            if taxonomy.name in seen:
+                duplicates.add(taxonomy.name)
+            seen.add(taxonomy.name)
+        if duplicates:
+            dupes = ", ".join(sorted(duplicates))
+            raise ValueError(f"Duplicate taxonomy name(s): {dupes}")
+        return taxonomies
+
     def apply_score_change(
         self,
         obj: Any,
@@ -260,7 +276,7 @@ class Investigation:
 
         self._record_event(
             event_type=event_type,
-            object_type=self._infer_object_type(obj),
+            object_type=self._get_object_type(obj),
             object_key=getattr(obj, "key", None),
             reason=reason,
             details=details,
@@ -284,7 +300,7 @@ class Investigation:
         obj.level = new_level
         self._record_event(
             event_type=event_type,
-            object_type=self._infer_object_type(obj),
+            object_type=self._get_object_type(obj),
             object_key=getattr(obj, "key", None),
             reason=reason,
             details={
@@ -295,16 +311,16 @@ class Investigation:
         )
         return True
 
-    def _sync_check_links_for_observable(self, observable_key: str) -> None:
+    def _update_observable_check_links(self, observable_key: str) -> None:
         obs = self._observables.get(observable_key)
         if not obs:
             return
         check_keys = self._score_engine.get_check_links_for_observable(observable_key)
         obs._check_links = check_keys
 
-    def _refresh_check_links(self) -> None:
+    def _rebuild_all_check_links(self) -> None:
         for observable_key in self._observables:
-            self._sync_check_links_for_observable(observable_key)
+            self._update_observable_check_links(observable_key)
 
     def get_audit_log(self) -> list[AuditEvent]:
         """Return a deep copy of the audit log."""
@@ -342,8 +358,6 @@ class Investigation:
             details={"old_name": old_name, "new_name": name},
         )
 
-    # Private merge methods
-
     def _merge_observable(self, existing: Observable, incoming: Observable) -> tuple[Observable, list]:
         """
         Merge an incoming observable into an existing observable.
@@ -352,7 +366,7 @@ class Investigation:
         - Update score (take maximum)
         - Update level (take maximum)
         - Update extra (merge dicts)
-        - Concatenate comments
+        - Overwrite comment (if incoming is non-empty)
         - Merge threat intels
         - Merge relationships (defer if target missing)
         - Preserve provenance metadata
@@ -383,12 +397,9 @@ class Investigation:
         elif incoming.extra:
             existing.extra = dict(incoming.extra)
 
-        # Concatenate comments
+        # Overwrite comment if incoming is non-empty
         if incoming.comment:
-            if existing.comment:
-                existing.comment += "\n\n" + incoming.comment
-            else:
-                existing.comment = incoming.comment
+            existing.comment = incoming.comment
 
         # Merge whitelisted status (if either is whitelisted, result is whitelisted)
         existing.whitelisted = existing.whitelisted or incoming.whitelisted
@@ -400,7 +411,7 @@ class Investigation:
         existing_ti_keys = {ti.key for ti in existing.threat_intels}
         for ti in incoming.threat_intels:
             if ti.key not in existing_ti_keys:
-                self._add_threat_intel_to_observable(existing, ti)
+                self._link_threat_intel_to_observable(existing, ti)
                 existing_ti_keys.add(ti.key)
 
         # Merge relationships (defer if target not yet available)
@@ -408,7 +419,7 @@ class Investigation:
         for rel in incoming.relationships:
             if rel.target_key in self._observables:
                 # Target exists - add relationship immediately
-                self._add_relationship_internal(existing, rel.target_key, rel.relationship_type, rel.direction)
+                self._create_relationship(existing, rel.target_key, rel.relationship_type, rel.direction)
             else:
                 # Target doesn't exist yet - defer for Pass 2 of merge_investigation()
                 deferred_relationships.append((existing.key, rel))
@@ -423,7 +434,7 @@ class Investigation:
         - Update score (take maximum)
         - Update level (take maximum)
         - Update extra (merge dicts)
-        - Concatenate comments
+        - Overwrite comment (if incoming is non-empty)
         - Merge observable links (tuple-based deduplication, provenance-preserving)
 
         Args:
@@ -453,12 +464,9 @@ class Investigation:
         # Update extra (merge dictionaries)
         existing.extra.update(incoming.extra)
 
-        # Concatenate comments
+        # Overwrite comment if incoming is non-empty
         if incoming.comment:
-            if existing.comment:
-                existing.comment += "\n\n" + incoming.comment
-            else:
-                existing.comment = incoming.comment
+            existing.comment = incoming.comment
 
         existing_by_tuple: dict[tuple[str, PropagationMode], int] = {}
         for idx, existing_link in enumerate(existing.observable_links):
@@ -561,20 +569,19 @@ class Investigation:
 
         return existing
 
-    def _merge_container(self, existing: Container, incoming: Container) -> Container:
+    def _merge_tag(self, existing: Tag, incoming: Tag) -> Tag:
         """
-        Merge an incoming container into an existing container.
+        Merge an incoming tag into an existing tag.
 
         Strategy:
         - Merge checks (dict-based lookup for efficiency)
-        - Merge sub-containers recursively
 
         Args:
-            existing: The existing container
-            incoming: The incoming container to merge
+            existing: The existing tag
+            incoming: The incoming tag to merge
 
         Returns:
-            The merged container (existing is modified in place)
+            The merged tag (existing is modified in place)
         """
         # Update description if incoming has one
         if incoming.description:
@@ -589,20 +596,80 @@ class Investigation:
                 self._merge_check(existing_checks_dict[incoming_check.key], incoming_check)
             else:
                 # Add new check
-                self._container_add_check(existing, incoming_check)
-
-        # Merge sub-containers recursively
-        for sub_key, incoming_sub in incoming.sub_containers.items():
-            if sub_key in existing.sub_containers:
-                # Merge existing sub-container
-                self._merge_container(existing.sub_containers[sub_key], incoming_sub)
-            else:
-                # Add new sub-container
-                self._container_add_sub_container(existing, incoming_sub)
+                self._link_check_to_tag(existing, incoming_check)
 
         return existing
 
-    # Public add methods with merge-on-create
+    def _clone_for_merge(
+        self, other: Investigation
+    ) -> tuple[
+        dict[str, Observable],
+        dict[str, ThreatIntel],
+        dict[str, Check],
+        dict[str, Enrichment],
+        dict[str, Tag],
+    ]:
+        """Clone incoming models while preserving shared object references."""
+        incoming_threat_intels = {key: ti.model_copy(deep=True) for key, ti in other._threat_intels.items()}
+        incoming_checks = {key: check.model_copy(deep=True) for key, check in other._checks.items()}
+        incoming_enrichments = {key: enrichment.model_copy(deep=True) for key, enrichment in other._enrichments.items()}
+
+        orphan_threat_intels: dict[str, ThreatIntel] = {}
+
+        def _copy_threat_intel(ti: ThreatIntel) -> ThreatIntel:
+            if ti.key in incoming_threat_intels:
+                return incoming_threat_intels[ti.key]
+            existing = orphan_threat_intels.get(ti.key)
+            if existing:
+                return existing
+            copied = ti.model_copy(deep=True)
+            orphan_threat_intels[ti.key] = copied
+            return copied
+
+        incoming_observables: dict[str, Observable] = {}
+        for obs in other._observables.values():
+            copied_obs = obs.model_copy(deep=True)
+            if obs.threat_intels:
+                copied_obs.threat_intels = [_copy_threat_intel(ti) for ti in obs.threat_intels]
+            incoming_observables[obs.key] = copied_obs
+
+        orphan_checks: dict[str, Check] = {}
+
+        def _copy_check(check: Check) -> Check:
+            if check.key in incoming_checks:
+                return incoming_checks[check.key]
+            existing = orphan_checks.get(check.key)
+            if existing:
+                return existing
+            copied = check.model_copy(deep=True)
+            orphan_checks[check.key] = copied
+            return copied
+
+        incoming_tags: dict[str, Tag] = {}
+
+        def _copy_tag(tag: Tag) -> Tag:
+            existing = incoming_tags.get(tag.key)
+            if existing:
+                return existing
+            copied = Tag(
+                name=tag.name,
+                description=tag.description,
+                checks=[_copy_check(check) for check in tag.checks],
+                key=tag.key,
+            )
+            incoming_tags[tag.key] = copied
+            return copied
+
+        for tag in other._tags.values():
+            _copy_tag(tag)
+
+        return (
+            incoming_observables,
+            incoming_threat_intels,
+            incoming_checks,
+            incoming_enrichments,
+            incoming_tags,
+        )
 
     def add_observable(self, obs: Observable) -> tuple[Observable, list]:
         """
@@ -623,7 +690,7 @@ class Investigation:
         self._observables[obs.key] = obs
         self._score_engine.register_observable(obs)
         self._stats.register_observable(obs)
-        self._sync_check_links_for_observable(obs.key)
+        self._update_observable_check_links(obs.key)
         self._record_event(
             event_type="OBSERVABLE_CREATED",
             object_type="observable",
@@ -646,7 +713,7 @@ class Investigation:
             self._score_engine.rebuild_link_index()
             self._score_engine.recalculate_all()
             for link in r.observable_links:
-                self._sync_check_links_for_observable(link.observable_key)
+                self._update_observable_check_links(link.observable_key)
             return r
 
         if not getattr(check, "origin_investigation_id", None):
@@ -657,7 +724,7 @@ class Investigation:
         self._score_engine.register_check(check)
         self._stats.register_check(check)
         for link in check.observable_links:
-            self._sync_check_links_for_observable(link.observable_key)
+            self._update_observable_check_links(link.observable_key)
         self._record_event(
             event_type="CHECK_CREATED",
             object_type="check",
@@ -698,7 +765,7 @@ class Investigation:
         self._stats.register_threat_intel(ti)
 
         # Add to observable
-        self._add_threat_intel_to_observable(observable, ti)
+        self._link_threat_intel_to_observable(observable, ti)
 
         # Propagate score
         self._score_engine.propagate_threat_intel_to_observable(ti, observable)
@@ -787,32 +854,51 @@ class Investigation:
         )
         return enrichment
 
-    def add_container(self, container: Container) -> Container:
+    def add_tag(self, tag: Tag) -> Tag:
         """
-        Add or merge container.
+        Add or merge a tag, automatically creating ancestor tags.
+
+        When adding a tag with a hierarchical name (using ":" delimiter),
+        ancestor tags are automatically created if they don't exist.
+        For example, adding "header:auth:dkim" will auto-create
+        "header" and "header:auth" tags.
 
         Args:
-            container: Container to add or merge
+            tag: Tag to add or merge
 
         Returns:
-            The resulting container (either new or merged)
+            The resulting tag (either new or merged)
         """
-        if container.key in self._containers:
-            r = self._merge_container(self._containers[container.key], container)
+        # Auto-create ancestor tags
+        ancestor_names = keys.get_tag_ancestors(tag.name)
+        for ancestor_name in ancestor_names:
+            ancestor_key = keys.generate_tag_key(ancestor_name)
+            if ancestor_key not in self._tags:
+                ancestor_tag = Tag(name=ancestor_name)
+                self._tags[ancestor_key] = ancestor_tag
+                self._stats.register_tag(ancestor_tag)
+                self._record_event(
+                    event_type="TAG_CREATED",
+                    object_type="tag",
+                    object_key=ancestor_key,
+                    details={"auto_created": True, "descendant": tag.name},
+                )
+
+        # Add or merge the tag itself
+        if tag.key in self._tags:
+            r = self._merge_tag(self._tags[tag.key], tag)
             self._score_engine.recalculate_all()
             return r
 
-        # Register new container
-        self._containers[container.key] = container
-        self._stats.register_container(container)
+        # Register new tag
+        self._tags[tag.key] = tag
+        self._stats.register_tag(tag)
         self._record_event(
-            event_type="CONTAINER_CREATED",
-            object_type="container",
-            object_key=container.key,
+            event_type="TAG_CREATED",
+            object_type="tag",
+            object_key=tag.key,
         )
-        return container
-
-    # Relationship and linking methods
+        return tag
 
     def add_relationship(
         self,
@@ -868,7 +954,7 @@ class Investigation:
             raise KeyError(f"observable '{target_key}' not found in investigation.")
 
         # Add relationship using internal method
-        self._add_relationship_internal(source_obs, target_key, relationship_type, direction)
+        self._create_relationship(source_obs, target_key, relationship_type, direction)
 
         self._record_event(
             event_type="RELATIONSHIP_CREATED",
@@ -920,10 +1006,10 @@ class Investigation:
                 observable_key=observable_key,
                 propagation_mode=propagation_mode,
             )
-            created = self._add_check_observable_link(check, link)
+            created = self._link_check_to_observable(check, link)
             if created:
                 self._score_engine.register_check_observable_link(check_key=check.key, observable_key=observable_key)
-                self._sync_check_links_for_observable(observable_key)
+                self._update_observable_check_links(observable_key)
                 self._record_event(
                     event_type="CHECK_LINKED_TO_OBSERVABLE",
                     object_type="check",
@@ -943,85 +1029,133 @@ class Investigation:
 
         return check
 
-    def add_check_to_container(self, container_key: str, check_key: str) -> Container:
+    def add_check_to_tag(self, tag_key: str, check_key: str) -> Tag:
         """
-        Add a check to a container.
+        Add a check to a tag.
 
         Args:
-            container_key: Key of the container
+            tag_key: Key of the tag
             check_key: Key of the check
 
         Returns:
-            The container
+            The tag
 
         Raises:
-            KeyError: If the container or check does not exist
+            KeyError: If the tag or check does not exist
         """
-        container = self._containers.get(container_key)
+        tag = self._tags.get(tag_key)
         check = self._checks.get(check_key)
 
-        if container is None:
-            raise KeyError(f"container '{container_key}' not found in investigation.")
+        if tag is None:
+            raise KeyError(f"tag '{tag_key}' not found in investigation.")
         if check is None:
             raise KeyError(f"check '{check_key}' not found in investigation.")
 
-        if container and check:
-            self._container_add_check(container, check)
+        if tag and check:
+            self._link_check_to_tag(tag, check)
             self._record_event(
-                event_type="CONTAINER_CHECK_ADDED",
-                object_type="container",
-                object_key=container.key,
+                event_type="TAG_CHECK_ADDED",
+                object_type="tag",
+                object_key=tag.key,
                 details={"check_key": check.key},
             )
 
-        return container
+        return tag
+
+    def get_root(self) -> Observable:
+        """Get the root observable."""
+        return self._root_observable
+
+    def get_observable(self, key: str) -> Observable | None:
+        """Get observable by full key string."""
+        return self._observables.get(key)
+
+    def get_check(self, key: str) -> Check | None:
+        """Get check by full key string."""
+        return self._checks.get(key)
+
+    def get_tag(self, key: str) -> Tag | None:
+        """Get a tag by key."""
+        return self._tags.get(key)
 
-    def add_sub_container(self, parent_key: str, child_key: str) -> Container:
+    def get_tag_children(self, tag_name: str) -> list[Tag]:
         """
-        Add a sub-container to a container.
+        Get direct child tags of a tag.
 
         Args:
-            parent_key: Key of the parent container
-            child_key: Key of the child container
+            tag_name: Name of the parent tag
 
         Returns:
-            The parent container
+            List of direct child Tag objects
+        """
+        return [t for t in self._tags.values() if keys.is_tag_child_of(t.name, tag_name)]
 
-        Raises:
-            KeyError: If the parent or child container does not exist
+    def get_tag_descendants(self, tag_name: str) -> list[Tag]:
         """
-        parent = self._containers.get(parent_key)
-        child = self._containers.get(child_key)
+        Get all descendant tags of a tag.
 
-        if parent is None:
-            raise KeyError(f"container '{parent_key}' not found in investigation.")
-        if child is None:
-            raise KeyError(f"container '{child_key}' not found in investigation.")
+        Args:
+            tag_name: Name of the ancestor tag
 
-        if parent and child:
-            self._container_add_sub_container(parent, child)
-            self._record_event(
-                event_type="CONTAINER_SUBCONTAINER_ADDED",
-                object_type="container",
-                object_key=parent.key,
-                details={"child_container_key": child.key},
-            )
+        Returns:
+            List of all descendant Tag objects
+        """
+        return [t for t in self._tags.values() if keys.is_tag_descendant_of(t.name, tag_name)]
 
-        return parent
+    def get_tag_ancestors(self, tag_name: str) -> list[Tag]:
+        """
+        Get all ancestor tags of a tag.
 
-    # Query methods
+        Args:
+            tag_name: Name of the descendant tag
 
-    def get_observable(self, key: str) -> Observable | None:
-        """Get observable by full key string."""
-        return self._observables.get(key)
+        Returns:
+            List of ancestor Tag objects (in order from root to immediate parent)
+        """
+        ancestor_names = keys.get_tag_ancestors(tag_name)
+        result = []
+        for name in ancestor_names:
+            tag_key = keys.generate_tag_key(name)
+            if tag_key in self._tags:
+                result.append(self._tags[tag_key])
+        return result
+
+    def get_tag_aggregated_score(self, tag_name: str) -> Decimal:
+        """
+        Get aggregated score for a tag including all descendants.
 
-    def get_check(self, key: str) -> Check | None:
-        """Get check by full key string."""
-        return self._checks.get(key)
+        Args:
+            tag_name: Name of the tag
+
+        Returns:
+            Total score from direct checks and all descendant tag checks
+        """
+        tag_key = keys.generate_tag_key(tag_name)
+        tag = self._tags.get(tag_key)
+        if not tag:
+            return Decimal("0")
+
+        total = tag.get_direct_score()
+
+        # Add scores from direct children only (they will recursively add their children)
+        for child in self.get_tag_children(tag_name):
+            total += self.get_tag_aggregated_score(child.name)
+
+        return total
+
+    def get_tag_aggregated_level(self, tag_name: str) -> Level:
+        """
+        Get aggregated level for a tag including all descendants.
+
+        Args:
+            tag_name: Name of the tag
+
+        Returns:
+            Level based on aggregated score
+        """
+        from cyvest.levels import get_level_from_score
 
-    def get_container(self, key: str) -> Container | None:
-        """Get a container by key."""
-        return self._containers.get(key)
+        return get_level_from_score(self.get_tag_aggregated_score(tag_name))
 
     def get_enrichment(self, key: str) -> Enrichment | None:
         """Get an enrichment by key."""
@@ -1031,31 +1165,9 @@ class Investigation:
         """Get a threat intel by key."""
         return self._threat_intels.get(key)
 
-    @staticmethod
-    def _normalize_taxonomies(value: Any) -> list[Taxonomy]:
-        if value is None:
-            return []
-        if not isinstance(value, list):
-            raise TypeError("taxonomies must be a list of taxonomy objects.")
-        taxonomies = [Taxonomy.model_validate(item) for item in value]
-        seen: set[str] = set()
-        duplicates: set[str] = set()
-        for taxonomy in taxonomies:
-            if taxonomy.name in seen:
-                duplicates.add(taxonomy.name)
-            seen.add(taxonomy.name)
-        if duplicates:
-            dupes = ", ".join(sorted(duplicates))
-            raise ValueError(f"Duplicate taxonomy name(s): {dupes}")
-        return taxonomies
-
-    def get_root(self) -> Observable:
-        """Get the root observable."""
-        return self._root_observable
-
     def update_model_metadata(
         self,
-        model_type: Literal["observable", "check", "threat_intel", "enrichment", "container"],
+        model_type: Literal["observable", "check", "threat_intel", "enrichment", "tag"],
         key: str,
         updates: dict[str, Any],
         *,
@@ -1083,7 +1195,7 @@ class Investigation:
             "check": self._checks,
             "threat_intel": self._threat_intels,
             "enrichment": self._enrichments,
-            "container": self._containers,
+            "tag": self._tags,
         }
         store = store_lookup[model_type]
         target = store.get(key)
@@ -1152,11 +1264,9 @@ class Investigation:
         """Get all enrichments."""
         return self._enrichments.copy()
 
-    def get_all_containers(self) -> dict[str, Container]:
-        """Get all containers."""
-        return self._containers.copy()
-
-    # Scoring and statistics
+    def get_all_tags(self) -> dict[str, Tag]:
+        """Get all tags."""
+        return self._tags.copy()
 
     def get_global_score(self) -> Decimal:
         """Get the global investigation score."""
@@ -1313,7 +1423,7 @@ class Investigation:
 
             # Link the best starting node to root
             if best_node:
-                self._add_relationship_internal(self._root_observable, best_node, RelationshipType.RELATED_TO)
+                self._create_relationship(self._root_observable, best_node, RelationshipType.RELATED_TO)
                 self._record_event(
                     event_type="RELATIONSHIP_CREATED",
                     object_type="observable",
@@ -1327,8 +1437,6 @@ class Investigation:
                 )
         self._score_engine.recalculate_all()
 
-    # Investigation merging
-
     def merge_investigation(self, other: Investigation) -> None:
         """
         Merge another investigation into this one.
@@ -1397,11 +1505,10 @@ class Investigation:
                 "data": deepcopy(enrichment.data),
             }
 
-        def _snapshot_container(container: Container) -> dict[str, Any]:
+        def _snapshot_tag(tag: Tag) -> dict[str, Any]:
             return {
-                "description": container.description,
-                "checks": sorted(check.key for check in container.checks),
-                "sub_containers": sorted(container.sub_containers.keys()),
+                "description": tag.description,
+                "checks": sorted(check.key for check in tag.checks),
             }
 
         merge_summary: list[dict[str, Any]] = []
@@ -1411,7 +1518,7 @@ class Investigation:
             incoming_threat_intels,
             incoming_checks,
             incoming_enrichments,
-            incoming_containers,
+            incoming_tags,
         ) = self._clone_for_merge(other)
 
         # PASS 1: Merge observables and collect deferred relationships
@@ -1448,7 +1555,7 @@ class Investigation:
             source_obs = self._observables.get(source_key)
             if source_obs and rel.target_key in self._observables:
                 # Both source and target exist - add relationship
-                self._add_relationship_internal(source_obs, rel.target_key, rel.relationship_type, rel.direction)
+                self._create_relationship(source_obs, rel.target_key, rel.relationship_type, rel.direction)
             else:
                 # Genuine error - target still doesn't exist after Pass 2
                 logger.critical(
@@ -1524,13 +1631,13 @@ class Investigation:
                 }
             )
 
-        # Merge containers
-        for container in incoming_containers.values():
-            existing_container = self._containers.get(container.key)
-            before = _snapshot_container(existing_container) if existing_container else None
-            self.add_container(container)
-            if existing_container:
-                after = _snapshot_container(existing_container)
+        # Merge tags
+        for tag in incoming_tags.values():
+            existing_tag = self._tags.get(tag.key)
+            before = _snapshot_tag(existing_tag) if existing_tag else None
+            self.add_tag(tag)
+            if existing_tag:
+                after = _snapshot_tag(existing_tag)
                 changed_fields = _diff_fields(before, after) if before else []
                 action = "merged" if changed_fields else "skipped"
             else:
@@ -1538,8 +1645,8 @@ class Investigation:
                 action = "created"
             merge_summary.append(
                 {
-                    "object_type": "container",
-                    "object_key": container.key,
+                    "object_type": "tag",
+                    "object_key": tag.key,
                     "action": action,
                     "changed_fields": changed_fields,
                 }
@@ -1551,7 +1658,7 @@ class Investigation:
 
         # Rebuild link index after merges
         self._score_engine.rebuild_link_index()
-        self._refresh_check_links()
+        self._rebuild_all_check_links()
 
         # Final score recalculation
         self._score_engine.recalculate_all()
@@ -1568,77 +1675,3 @@ class Investigation:
                 "object_changes": merge_summary,
             },
         )
-
-    def _clone_for_merge(
-        self, other: Investigation
-    ) -> tuple[
-        dict[str, Observable],
-        dict[str, ThreatIntel],
-        dict[str, Check],
-        dict[str, Enrichment],
-        dict[str, Container],
-    ]:
-        """Clone incoming models while preserving shared object references."""
-        incoming_threat_intels = {key: ti.model_copy(deep=True) for key, ti in other._threat_intels.items()}
-        incoming_checks = {key: check.model_copy(deep=True) for key, check in other._checks.items()}
-        incoming_enrichments = {key: enrichment.model_copy(deep=True) for key, enrichment in other._enrichments.items()}
-
-        orphan_threat_intels: dict[str, ThreatIntel] = {}
-
-        def _copy_threat_intel(ti: ThreatIntel) -> ThreatIntel:
-            if ti.key in incoming_threat_intels:
-                return incoming_threat_intels[ti.key]
-            existing = orphan_threat_intels.get(ti.key)
-            if existing:
-                return existing
-            copied = ti.model_copy(deep=True)
-            orphan_threat_intels[ti.key] = copied
-            return copied
-
-        incoming_observables: dict[str, Observable] = {}
-        for obs in other._observables.values():
-            copied_obs = obs.model_copy(deep=True)
-            if obs.threat_intels:
-                copied_obs.threat_intels = [_copy_threat_intel(ti) for ti in obs.threat_intels]
-            incoming_observables[obs.key] = copied_obs
-
-        orphan_checks: dict[str, Check] = {}
-
-        def _copy_check(check: Check) -> Check:
-            if check.key in incoming_checks:
-                return incoming_checks[check.key]
-            existing = orphan_checks.get(check.key)
-            if existing:
-                return existing
-            copied = check.model_copy(deep=True)
-            orphan_checks[check.key] = copied
-            return copied
-
-        incoming_containers: dict[str, Container] = {}
-
-        def _copy_container(container: Container) -> Container:
-            existing = incoming_containers.get(container.key)
-            if existing:
-                return existing
-            copied = Container(
-                path=container.path,
-                description=container.description,
-                checks=[_copy_check(check) for check in container.checks],
-                sub_containers={},
-                key=container.key,
-            )
-            incoming_containers[container.key] = copied
-            for sub_key, sub in container.sub_containers.items():
-                copied.sub_containers[sub_key] = _copy_container(sub)
-            return copied
-
-        for container in other._containers.values():
-            _copy_container(container)
-
-        return (
-            incoming_observables,
-            incoming_threat_intels,
-            incoming_checks,
-            incoming_enrichments,
-            incoming_containers,
-        )