cyvest 4.4.0__py3-none-any.whl → 5.1.0__py3-none-any.whl

cyvest/io_rich.py

@@ -50,8 +50,8 @@ def _sort_key_by_score(item: Any) -> tuple[Decimal, str]:
     except (TypeError, ValueError, InvalidOperation):
         decimal_score = Decimal(0)
 
-    item_id = getattr(item, "check_id", "")
-    return (-decimal_score, item_id)
+    item_name = getattr(item, "check_name", "")
+    return (-decimal_score, item_name)
 
 
 def _get_direction_symbol(rel: Relationship, reversed_edge: bool) -> str:
@@ -373,59 +373,14 @@ def display_summary(
     table.add_column("Score", justify="right")
     table.add_column("Level", justify="center")
 
-    # Checks section
-    rule = Rule("[bold magenta]CHECKS[/bold magenta]")
-    table.add_row(rule, "-", "-")
-
-    # Organize checks by scope
-    checks_by_scope: dict[str, list[Any]] = {}
-    for check in cv.check_get_all().values():
-        if check.level in resolved_excluded_levels:
-            continue
-        if check.scope not in checks_by_scope:
-            checks_by_scope[check.scope] = []
-        checks_by_scope[check.scope].append(check)
-
-    for scope_name, checks in checks_by_scope.items():
-        scope_rule = Align(f"[bold magenta]{scope_name}[/bold magenta]", align="left")
-        table.add_row(scope_rule, "-", "-")
-        checks = sorted(checks, key=_sort_key_by_score)
-        for check in checks:
-            color_level = get_color_level(check.level)
-            color_score = get_color_score(check.score)
-            name = f"  {check.check_id}"
-            score = f"[{color_score}]{check.score_display}[/{color_score}]"
-            level = f"[{color_level}]{check.level.name}[/{color_level}]"
-            table.add_row(name, score, level)
-
-    # Containers section (if any)
-    if cv.container_get_all():
-        table.add_section()
-        rule = Rule("[bold magenta]CONTAINERS[/bold magenta]")
-        table.add_row(rule, "-", "-")
-
-        for container in cv.container_get_all().values():
-            agg_score = container.get_aggregated_score()
-            agg_level = container.get_aggregated_level()
-            color_level = get_color_level(agg_level)
-            color_score = get_color_score(agg_score)
-
-            name = f"  {container.path}"
-            score = f"[{color_score}]{agg_score:.2f}[/{color_score}]"
-            level = f"[{color_level}]{agg_level.name}[/{color_level}]"
-            table.add_row(name, score, level)
-
     # Checks by level section
-    table.add_section()
-    rule = Rule("[bold magenta]BY LEVEL[/bold magenta]")
+    rule = Rule(f"[bold magenta]CHECKS[/bold magenta]: {len(cv.check_get_all())} checks")
     table.add_row(rule, "-", "-")
 
-    for level_enum in [Level.MALICIOUS, Level.SUSPICIOUS, Level.NOTABLE, Level.SAFE, Level.INFO, Level.TRUSTED]:
+    for level_enum in sorted(Level, reverse=True):
         if level_enum in resolved_excluded_levels:
             continue
-        checks = [
-            c for c in cv.check_get_all().values() if c.level == level_enum and c.level not in resolved_excluded_levels
-        ]
+        checks = [c for c in cv.check_get_all().values() if c.level == level_enum]
         checks = sorted(checks, key=_sort_key_by_score)
         if checks:
             color_level = get_color_level(level_enum)
@@ -437,11 +392,28 @@ def display_summary(
 
             for check in checks:
                 color_score = get_color_score(check.score)
-                name = f"  {check.check_id}"
+                name = f"  {check.check_name}"
                 score = f"[{color_score}]{check.score_display}[/{color_score}]"
                 level = f"[{color_level}]{check.level.name}[/{color_level}]"
                 table.add_row(name, score, level)
 
+    # Tags section (if any)
+    if cv.tag_get_all():
+        table.add_section()
+        rule = Rule(f"[bold magenta]TAGS[/bold magenta]: {len(cv.tag_get_all())} tags")
+        table.add_row(rule, "-", "-")
+
+        for tag in cv.tag_get_all().values():
+            agg_score = tag.get_aggregated_score()
+            agg_level = tag.get_aggregated_level()
+            color_level = get_color_level(agg_level)
+            color_score = get_color_score(agg_score)
+
+            name = f"  {tag.name}"
+            score = f"[{color_score}]{agg_score:.2f}[/{color_score}]"
+            level = f"[{color_level}]{agg_level.name}[/{color_level}]"
+            table.add_row(name, score, level)
+
     # Enrichments section (if any)
     if cv.enrichment_get_all():
         table.add_section()
@@ -558,11 +530,11 @@ def display_statistics(cv: Cyvest, rich_print: Callable[[Any], None]) -> None:
     # Check statistics table
     rich_print("")
     check_table = Table(title="Check Statistics")
-    check_table.add_column("Scope", style="cyan")
+    check_table.add_column("Level", style="cyan")
     check_table.add_column("Count", justify="right")
 
-    for scope, count in stats.checks_by_scope.items():
-        check_table.add_row(scope, str(count))
+    for level, count in stats.checks_by_level.items():
+        check_table.add_row(level, str(count))
 
     rich_print(check_table)
 
@@ -577,3 +549,118 @@ def display_statistics(cv: Cyvest, rich_print: Callable[[Any], None]) -> None:
             ti_table.add_row(source, str(count))
 
         rich_print(ti_table)
+
+
+def _format_level_score(
+    level: Level | None,
+    score: Decimal | None,
+    score_rule: str | None = None,
+) -> str:
+    """Format level and score for display."""
+    if level is None and score is None and not score_rule:
+        return "[dim]-[/dim]"
+
+    parts: list[str] = []
+    if level:
+        color = get_color_level(level)
+        parts.append(f"[{color}]{level.name}[/{color}]")
+
+    if score_rule:
+        parts.append(score_rule)
+    elif score is not None:
+        color = get_color_score(score)
+        parts.append(f"[{color}]{_format_score_decimal(score)}[/{color}]")
+
+    return " ".join(parts) if parts else "[dim]-[/dim]"
+
+
+def display_diff(
+    diffs: list,
+    rich_print: Callable[[Any], None],
+    title: str = "Diff",
+) -> None:
+    """
+    Display investigation diff in a rich table with tree structure.
+
+    Args:
+        diffs: List of DiffItem objects representing differences
+        rich_print: A rich renderable handler called with renderables for output
+        title: Title for the diff table
+    """
+    # Import here to avoid circular dependency
+    from cyvest.compare import DiffStatus
+
+    # Count diffs by status
+    added = sum(1 for d in diffs if d.status == DiffStatus.ADDED)
+    removed = sum(1 for d in diffs if d.status == DiffStatus.REMOVED)
+    mismatch = sum(1 for d in diffs if d.status == DiffStatus.MISMATCH)
+
+    # Build caption with combined legend and counts
+    caption = (
+        f"[green]+ {added}[/green] added | [red]- {removed}[/red] removed | [yellow]\u2717 {mismatch}[/yellow] mismatch"
+    )
+
+    table = Table(title=title, caption=caption)
+    table.add_column("Key")
+    table.add_column("Expected", justify="center")
+    table.add_column("Actual", justify="center")
+    table.add_column("Status", justify="center", width=8)
+
+    status_styles = {
+        DiffStatus.ADDED: "green",
+        DiffStatus.REMOVED: "red",
+        DiffStatus.MISMATCH: "yellow",
+    }
+
+    for idx, diff in enumerate(diffs):
+        # Add section separator between checks (except before first)
+        if idx > 0:
+            table.add_section()
+
+        status_style = status_styles.get(diff.status, "white")
+
+        # Check row (main row)
+        expected_str = _format_level_score(diff.expected_level, diff.expected_score, diff.expected_score_rule)
+        actual_str = _format_level_score(diff.actual_level, diff.actual_score)
+
+        table.add_row(
+            escape(diff.key),
+            expected_str,
+            actual_str,
+            f"[{status_style}]{diff.status.value}[/{status_style}]",
+        )
+
+        # Observable rows (indented with └──)
+        for obs_idx, obs in enumerate(diff.observable_diffs):
+            is_last_obs = obs_idx == len(diff.observable_diffs) - 1
+            obs_prefix = "└──" if is_last_obs else "├──"
+
+            obs_label = obs.observable_key
+            obs_expected = _format_level_score(obs.expected_level, obs.expected_score)
+            obs_actual = _format_level_score(obs.actual_level, obs.actual_score)
+
+            table.add_row(
+                f"{obs_prefix} [cyan]{escape(obs_label)}[/cyan]",
+                obs_expected,
+                obs_actual,
+                "",
+            )
+
+            # Threat intel rows (indented further with │   └── or     └──)
+            for ti_idx, ti in enumerate(obs.threat_intel_diffs):
+                is_last_ti = ti_idx == len(obs.threat_intel_diffs) - 1
+                # Use │ continuation if not last observable, else spaces
+                continuation = "│   " if not is_last_obs else "    "
+                ti_prefix = "└──" if is_last_ti else "├──"
+
+                ti_expected = _format_level_score(ti.expected_level, ti.expected_score)
+                ti_actual = _format_level_score(ti.actual_level, ti.actual_score)
+
+                table.add_row(
+                    f"{continuation}{ti_prefix} [magenta]{escape(ti.source)}[/magenta]",
+                    ti_expected,
+                    ti_actual,
+                    "",
+                )
+
+    rich_print(table)

cyvest/io_schema.py

@@ -26,7 +26,7 @@ def get_investigation_schema() -> dict[str, Any]:
     matches the actual `model_dump()` output structure.
 
     The returned schema automatically includes all referenced entity types
-    (Observable, Check, ThreatIntel, Enrichment, Container, InvestigationWhitelist)
+    (Observable, Check, ThreatIntel, Enrichment, Tag, InvestigationWhitelist)
     in the `$defs` section.
 
     Returns:

cyvest/io_serialization.py

@@ -12,7 +12,7 @@ from pathlib import Path
 from typing import TYPE_CHECKING, Any
 
 from cyvest.levels import Level, normalize_level
-from cyvest.model import AuditEvent, Check, Container, Enrichment, Observable, Relationship, ThreatIntel
+from cyvest.model import AuditEvent, Check, Enrichment, Observable, Relationship, Tag, ThreatIntel
 from cyvest.model_enums import ObservableType
 from cyvest.model_schema import InvestigationSchema
 from cyvest.score import ScoreMode
@@ -37,18 +37,14 @@ def serialize_investigation(inv: Investigation, *, include_audit_log: bool = Tru
     Returns:
         InvestigationSchema instance (use .model_dump() for dict)
     """
-    inv._refresh_check_links()
+    inv._rebuild_all_check_links()
     observables = dict(inv.get_all_observables())
     threat_intels = dict(inv.get_all_threat_intels())
     enrichments = dict(inv.get_all_enrichments())
-    containers = dict(inv.get_all_containers())
+    tags = dict(inv.get_all_tags())
 
-    # Build checks organized by scope (resolve proxies)
-    checks_by_scope: dict[str, list[Check]] = {}
-    for check in inv.get_all_checks().values():
-        if check.scope not in checks_by_scope:
-            checks_by_scope[check.scope] = []
-        checks_by_scope[check.scope].append(check)
+    # Get all checks
+    checks = dict(inv.get_all_checks())
 
     # Get root type
     root = inv.get_root()
@@ -64,10 +60,10 @@ def serialize_investigation(inv: Investigation, *, include_audit_log: bool = Tru
         whitelists=list(inv.get_whitelists()),
         audit_log=inv.get_audit_log() if include_audit_log else None,
         observables=observables,
-        checks=checks_by_scope,
+        checks=checks,
         threat_intels=threat_intels,
         enrichments=enrichments,
-        containers=containers,
+        tags=tags,
         stats=inv.get_statistics(),
         data_extraction={
             "root_type": root_type_value,
@@ -95,7 +91,7 @@ def save_investigation_json(inv: Investigation, filepath: str | Path, *, include
 
 def generate_markdown_report(
     inv: Investigation,
-    include_containers: bool = False,
+    include_tags: bool = False,
     include_enrichments: bool = False,
     include_observables: bool = True,
 ) -> str:
@@ -104,7 +100,7 @@ def generate_markdown_report(
 
     Args:
         inv: Investigation
-        include_containers: Include containers section in the report (default: False)
+        include_tags: Include tags section in the report (default: False)
         include_enrichments: Include enrichments section in the report (default: False)
         include_observables: Include observables section in the report (default: True)
 
@@ -150,19 +146,16 @@ def generate_markdown_report(
                 lines.append(f"  - Justification: {entry.justification}")
         lines.append("")
 
-    # Checks by Scope
-    lines.append("## Checks by Scope")
+    # Checks
+    lines.append("## Checks")
+    lines.append("")
+    for check in inv.get_all_checks().values():
+        if check.level != Level.NONE:
+            lines.append(f"- **{check.check_name}**: Score: {check.score_display}, Level: {check.level.name}")
+            lines.append(f"  - Description: {check.description}")
+            if check.comment:
+                lines.append(f"  - Comment: {check.comment}")
     lines.append("")
-    for scope, _count in inv.get_statistics().checks_by_scope.items():
-        lines.append(f"### {scope}")
-        lines.append("")
-        for check in inv.get_all_checks().values():
-            if check.scope == scope and check.level != Level.NONE:
-                lines.append(f"- **{check.check_id}**: Score: {check.score_display}, Level: {check.level.name}")
-                lines.append(f"  - Description: {check.description}")
-                if check.comment:
-                    lines.append(f"  - Comment: {check.comment}")
-        lines.append("")
 
     # Observables
     if include_observables and inv.get_all_observables():
@@ -205,17 +198,17 @@ def generate_markdown_report(
             lines.append(f"- **Data:** {json.dumps(enr.data, indent=2)}")
             lines.append("")
 
-    # Containers
-    if include_containers and inv.get_all_containers():
-        lines.append("## Containers")
+    # Tags
+    if include_tags and inv.get_all_tags():
+        lines.append("## Tags")
         lines.append("")
-        for ctr in inv.get_all_containers().values():
-            lines.append(f"### {ctr.path}")
-            lines.append(f"- **Description:** {ctr.description}")
-            lines.append(f"- **Aggregated Score:** {ctr.get_aggregated_score():.2f}")
-            lines.append(f"- **Aggregated Level:** {ctr.get_aggregated_level().name}")
-            lines.append(f"- **Checks:** {len(ctr.checks)}")
-            lines.append(f"- **Sub-containers:** {len(ctr.sub_containers)}")
+        for tag in inv.get_all_tags().values():
+            lines.append(f"### {tag.name}")
+            lines.append(f"- **Description:** {tag.description}")
+            lines.append(f"- **Direct Score:** {tag.get_direct_score():.2f}")
+            lines.append(f"- **Aggregated Score:** {inv.get_tag_aggregated_score(tag.name):.2f}")
+            lines.append(f"- **Aggregated Level:** {inv.get_tag_aggregated_level(tag.name).name}")
+            lines.append(f"- **Direct Checks:** {len(tag.checks)}")
             lines.append("")
 
     return "\n".join(lines)
@@ -224,7 +217,7 @@ def generate_markdown_report(
 def save_investigation_markdown(
     inv: Investigation,
     filepath: str | Path,
-    include_containers: bool = False,
+    include_tags: bool = False,
     include_enrichments: bool = False,
     include_observables: bool = True,
 ) -> None:
@@ -234,21 +227,21 @@ def save_investigation_markdown(
     Args:
         inv: Investigation to save
         filepath: Path to save the Markdown file
-        include_containers: Include containers section in the report (default: False)
+        include_tags: Include tags section in the report (default: False)
         include_enrichments: Include enrichments section in the report (default: False)
         include_observables: Include observables section in the report (default: True)
     """
-    markdown = generate_markdown_report(inv, include_containers, include_enrichments, include_observables)
+    markdown = generate_markdown_report(inv, include_tags, include_enrichments, include_observables)
     with open(filepath, "w", encoding="utf-8") as f:
         f.write(markdown)
 
 
-def load_investigation_json(filepath: str | Path) -> Cyvest:
+def load_investigation_dict(data: dict[str, Any]) -> Cyvest:
     """
-    Load an investigation from a JSON file into a Cyvest object.
+    Load an investigation from a dictionary (parsed JSON) into a Cyvest object.
 
     Args:
-        filepath: Path to the JSON file
+        data: Dictionary containing the serialized investigation data
 
     Returns:
         Reconstructed Cyvest investigation
@@ -256,9 +249,6 @@ def load_investigation_json(filepath: str | Path) -> Cyvest:
     from cyvest.cyvest import Cyvest
     from cyvest.investigation import Investigation
 
-    with open(filepath, encoding="utf-8") as handle:
-        data = json.load(handle)
-
     investigation_id = data.get("investigation_id")
     if not isinstance(investigation_id, str) or not investigation_id.strip():
         raise ValueError("Serialized investigation must include 'investigation_id'.")
@@ -380,35 +370,32 @@ def load_investigation_json(filepath: str | Path) -> Cyvest:
             cv._investigation.add_threat_intel(ti, observable)
 
     # Checks - leverage Pydantic model_validate
-    for scope_checks in data.get("checks", {}).values():
-        for check_info in scope_checks:
-            raw_links = check_info.get("observable_links", []) or []
-            normalized_links = []
-            for link in raw_links:
-                if isinstance(link, dict):
-                    normalized_links.append(
-                        {
-                            "observable_key": link.get("observable_key", ""),
-                            "propagation_mode": link.get("propagation_mode", "LOCAL_ONLY"),
-                        }
-                    )
-                else:
-                    normalized_links.append(link)
-            check_data = {
-                "check_id": check_info.get("check_id", ""),
-                "scope": check_info.get("scope", ""),
-                "description": check_info.get("description", ""),
-                "comment": check_info.get("comment", ""),
-                "extra": check_info.get("extra", {}),
-                "score": Decimal(str(check_info.get("score", 0))),
-                "level": check_info.get("level", "NONE"),
-                "origin_investigation_id": check_info.get("origin_investigation_id")
-                or cv._investigation.investigation_id,
-                "observable_links": normalized_links,
-                "key": check_info.get("key", ""),
-            }
-            check = Check.model_validate(check_data)
-            cv._investigation.add_check(check)
+    for check_info in data.get("checks", {}).values():
+        raw_links = check_info.get("observable_links", []) or []
+        normalized_links = []
+        for link in raw_links:
+            if isinstance(link, dict):
+                normalized_links.append(
+                    {
+                        "observable_key": link.get("observable_key", ""),
+                        "propagation_mode": link.get("propagation_mode", "LOCAL_ONLY"),
+                    }
+                )
+            else:
+                normalized_links.append(link)
+        check_data = {
+            "check_name": check_info.get("check_name", ""),
+            "description": check_info.get("description", ""),
+            "comment": check_info.get("comment", ""),
+            "extra": check_info.get("extra", {}),
+            "score": Decimal(str(check_info.get("score", 0))),
+            "level": check_info.get("level", "NONE"),
+            "origin_investigation_id": check_info.get("origin_investigation_id") or cv._investigation.investigation_id,
+            "observable_links": normalized_links,
+            "key": check_info.get("key", ""),
+        }
+        check = Check.model_validate(check_data)
+        cv._investigation.add_check(check)
 
     # Enrichments - leverage Pydantic model_validate
     for enr_info in data.get("enrichments", {}).values():
@@ -421,31 +408,27 @@ def load_investigation_json(filepath: str | Path) -> Cyvest:
         enrichment = Enrichment.model_validate(enr_data)
         cv._investigation.add_enrichment(enrichment)
 
-    # Containers
-    def build_container(container_info: dict[str, Any]) -> Container:
-        container_data = {
-            "path": container_info.get("path", ""),
-            "description": container_info.get("description", ""),
-            "key": container_info.get("key", ""),
+    # Tags
+    def build_tag(tag_info: dict[str, Any]) -> Tag:
+        tag_data = {
+            "name": tag_info.get("name", ""),
+            "description": tag_info.get("description", ""),
+            "key": tag_info.get("key", ""),
         }
-        container = Container.model_validate(container_data)
-        container = cv._investigation.add_container(container)
+        tag = Tag.model_validate(tag_data)
+        tag = cv._investigation.add_tag(tag)
 
-        for check_key in container_info.get("checks", []):
+        for check_key in tag_info.get("checks", []):
             check = cv._investigation.get_check(check_key)
             if check:
-                cv._investigation.add_check_to_container(container.key, check.key)
-
-        for sub_info in container_info.get("sub_containers", {}).values():
-            sub_container = build_container(sub_info)
-            cv._investigation.add_sub_container(container.key, sub_container.key)
+                cv._investigation.add_check_to_tag(tag.key, check.key)
 
-        return container
+        return tag
 
-    for container_info in data.get("containers", {}).values():
-        build_container(container_info)
+    for tag_info in data.get("tags", {}).values():
+        build_tag(tag_info)
 
-    cv._investigation._refresh_check_links()
+    cv._investigation._rebuild_all_check_links()
 
     audit_log = []
     for event_info in data.get("audit_log", []) or []:
@@ -457,3 +440,19 @@ def load_investigation_json(filepath: str | Path) -> Cyvest:
     cv._investigation._audit_enabled = True
 
     return cv
+
+
+def load_investigation_json(filepath: str | Path) -> Cyvest:
+    """
+    Load an investigation from a JSON file into a Cyvest object.
+
+    Args:
+        filepath: Path to the JSON file
+
+    Returns:
+        Reconstructed Cyvest investigation
+    """
+    with open(filepath, encoding="utf-8") as handle:
+        data = json.load(handle)
+
+    return load_investigation_dict(data)

cyvest/keys.py

@@ -56,22 +56,20 @@ def generate_observable_key(obs_type: str, value: str) -> str:
     return f"obs:{normalized_type}:{normalized_value}"
 
 
-def generate_check_key(check_id: str, scope: str) -> str:
+def generate_check_key(check_name: str) -> str:
     """
     Generate a unique key for a check.
 
-    Format: chk:{check_id}:{scope}
+    Format: chk:{check_name}
 
     Args:
-        check_id: Identifier of the check
-        scope: Scope of the check
+        check_name: Name of the check
 
     Returns:
         Unique check key
     """
-    normalized_id = _normalize_value(check_id)
-    normalized_scope = _normalize_value(scope)
-    return f"chk:{normalized_id}:{normalized_scope}"
+    normalized_name = _normalize_value(check_name)
+    return f"chk:{normalized_name}"
 
 
 def generate_threat_intel_key(source: str, observable_key: str) -> str:
@@ -111,22 +109,67 @@ def generate_enrichment_key(name: str, context: str = "") -> str:
     return f"enr:{normalized_name}"
 
 
-def generate_container_key(path: str) -> str:
+def generate_tag_key(name: str) -> str:
     """
-    Generate a unique key for a container.
+    Generate a unique key for a tag.
 
-    Format: ctr:{normalized_path}
+    Format: tag:{normalized_name}
 
     Args:
-        path: Path of the container (can use / or . as separator)
+        name: Name of the tag (uses : as hierarchy delimiter)
 
     Returns:
-        Unique container key
+        Unique tag key
     """
-    # Normalize path separators
-    normalized_path = path.replace("\\", "/").strip("/")
-    normalized_path = _normalize_value(normalized_path)
-    return f"ctr:{normalized_path}"
+    normalized_name = _normalize_value(name)
+    return f"tag:{normalized_name}"
+
+
+def get_tag_ancestors(name: str) -> list[str]:
+    """
+    Get all ancestor tag names from a hierarchical tag name.
+
+    Uses ":" as the hierarchy delimiter.
+
+    Args:
+        name: Tag name (e.g., "header:auth:dkim")
+
+    Returns:
+        List of ancestor names (e.g., ["header", "header:auth"])
+    """
+    parts = name.split(":")
+    return [":".join(parts[: i + 1]) for i in range(len(parts) - 1)]
+
+
+def is_tag_child_of(child_name: str, parent_name: str) -> bool:
+    """
+    Check if a tag is a direct child of another tag.
+
+    Args:
+        child_name: Potential child tag name
+        parent_name: Potential parent tag name
+
+    Returns:
+        True if child_name is a direct child of parent_name
+    """
+    if not child_name.startswith(parent_name + ":"):
+        return False
+    remaining = child_name[len(parent_name) + 1 :]
+    return ":" not in remaining
+
+
+def is_tag_descendant_of(descendant_name: str, ancestor_name: str) -> bool:
+    """
+    Check if a tag is a descendant (child, grandchild, etc.) of another tag.
+
+    Args:
+        descendant_name: Potential descendant tag name
+        ancestor_name: Potential ancestor tag name
+
+    Returns:
+        True if descendant_name is a descendant of ancestor_name
+    """
+    return descendant_name.startswith(ancestor_name + ":")
 
 
 def parse_key_type(key: str) -> str | None:
@@ -137,7 +180,7 @@ def parse_key_type(key: str) -> str | None:
         key: The key to parse
 
     Returns:
-        Type prefix (obs, chk, ti, enr, ctr) or None if invalid
+        Type prefix (obs, chk, ti, enr, tag) or None if invalid
     """
     if ":" in key:
         return key.split(":", 1)[0]
@@ -185,7 +228,7 @@ def validate_key(key: str, expected_type: str | None = None) -> bool:
         return False
 
     key_type = parse_key_type(key)
-    if key_type not in ("obs", "chk", "ti", "enr", "ctr"):
+    if key_type not in ("obs", "chk", "ti", "enr", "tag"):
         return False
 
     if expected_type and key_type != expected_type: