sigmaforge 0.1.0__py3-none-any.whl

sigmaforge/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

sigmaforge/backtest/runner.py

@@ -0,0 +1,21 @@
+from concurrent.futures import ProcessPoolExecutor
+
+from sigmaforge.ingest.chunker import chunk_lines
+from sigmaforge.records import MatchRecord
+
+
+def aggregate(shard_results: list[list[MatchRecord]]) -> set[MatchRecord]:
+    merged: set[MatchRecord] = set()
+    for s in shard_results:
+        merged.update(s)  # set union = order-independent, dedup across shard boundaries
+    return merged
+
+
+def backtest(items, shard_size, workers, shard_fn) -> set[MatchRecord]:
+    shards = list(chunk_lines(items, shard_size))
+    if workers == 1:
+        results = [shard_fn(s) for s in shards]
+    else:
+        with ProcessPoolExecutor(max_workers=workers) as ex:
+            results = list(ex.map(shard_fn, shards))
+    return aggregate(results)

sigmaforge/banner.py

@@ -0,0 +1,15 @@
+"""sigmaforge banner — uses the Shipwright design system."""
+
+from __future__ import annotations
+
+import sys
+
+from shipwright_kit.design.banner import make_banner
+
+from sigmaforge import __version__
+
+
+def show_banner(*, quiet: bool = False) -> None:
+    if quiet or not sys.stderr.isatty():
+        return
+    print(make_banner("sigmaforge", __version__, "Honest Sigma-rule backtest harness"), file=sys.stderr)

sigmaforge/config.py

@@ -0,0 +1,34 @@
+"""sigmaforge configuration: ~/.sigmaforge/config.yaml + env > defaults."""
+
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Optional
+
+import yaml
+from pydantic import BaseModel
+from shipwright_kit.config import app_dir, load_config
+
+_APP_DIR = app_dir("sigmaforge")
+
+
+class OutputConfig(BaseModel):
+    default_format: str = "rich"
+
+
+class AppConfig(BaseModel):
+    output: OutputConfig = OutputConfig()
+
+
+def _load_yaml(path: Path) -> dict:
+    with open(path) as f:
+        return yaml.safe_load(f) or {}
+
+
+def load(config_path: Optional[Path] = None) -> AppConfig:
+    """Resolve config: explicit > ~/.sigmaforge/config.yaml > ./config.yaml > defaults."""
+    return load_config(
+        [config_path, _APP_DIR / "config.yaml", Path("config.yaml")],
+        loader=_load_yaml,
+        validator=AppConfig.model_validate,
+    )

sigmaforge/crosscheck/chainsaw.py

@@ -0,0 +1,12 @@
+def compare_loaded_intersection(z_hits, c_hits, z_loaded, c_loaded) -> dict:
+    """A6 cross-engine integrity: compare Zircolite vs Chainsaw ONLY over rules BOTH engines
+    loaded. Rules only one engine loaded are a load artifact, reported separately — never as
+    detection disagreement. z_hits/c_hits: dict[rule -> set[event_id]]."""
+    both = z_loaded & c_loaded
+    agree = {r for r in both if z_hits.get(r, set()) == c_hits.get(r, set())}
+    return {
+        "compared_rules": both,
+        "agree": agree,
+        "disagree": both - agree,
+        "load_artifact_only": z_loaded ^ c_loaded,  # symmetric difference = load artifact
+    }

sigmaforge/detect.py

@@ -0,0 +1,42 @@
+"""Example parse boundary — classify an untrusted input string.
+
+Framework input-contract rule: external/garbage input never raises;
+unrecognized input returns "unknown". Replace with your real logic.
+"""
+
+from __future__ import annotations
+
+import re
+
+_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
+_HASH = re.compile(r"^[A-Fa-f0-9]{32,64}$")
+_DOMAIN = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?:\.[A-Za-z]{2,})+$")
+# File extensions that look like TLDs but are not valid domains for our purposes.
+_FILE_EXTS = re.compile(
+    r"\.(dll|exe|so|dylib|sys|bin|bat|cmd|sh|ps1"
+    r"|py|js|ts|rb|go|rs|c|cpp|h|java|class|jar|war"
+    r"|zip|tar|gz|bz2|xz|7z|rar"
+    r"|pdf|doc|docx|xls|xlsx|ppt|pptx"
+    r"|png|jpg|jpeg|gif|svg|ico|mp3|mp4|avi|mov|mkv"
+    r"|log|txt|csv|json|xml|yaml|yml|toml|ini|cfg|conf|env)$",
+    re.IGNORECASE,
+)
+
+
+def classify(value: object) -> str:
+    """Return a coarse type for value. Never raises; unknown -> "unknown"."""
+    if not isinstance(value, str):
+        return "unknown"
+    v = value.strip()
+    if not v:
+        return "unknown"
+    if _IPV4.match(v):
+        parts = v.split(".")
+        if all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
+            return "ipv4"
+        return "unknown"
+    if _HASH.match(v):
+        return "hash"
+    if _DOMAIN.match(v) and not _FILE_EXTS.search(v):
+        return "domain"
+    return "unknown"

sigmaforge/ingest/chunker.py

@@ -0,0 +1,22 @@
+from typing import Iterator, Sequence, TypeVar
+
+T = TypeVar("T")
+
+
+def chunk_lines(items: Sequence[T], shard_size: int) -> Iterator[list[T]]:
+    """Partition items into chunks of shard_size.
+
+    Args:
+        items: Sequence to partition
+        shard_size: Size of each chunk (must be >= 1)
+
+    Yields:
+        Lists of items, each of size shard_size (except possibly the last chunk)
+
+    Raises:
+        ValueError: If shard_size < 1
+    """
+    if shard_size < 1:
+        raise ValueError("shard_size must be >= 1")
+    for i in range(0, len(items), shard_size):
+        yield list(items[i : i + shard_size])

sigmaforge/ingest/ruleload.py

@@ -0,0 +1,16 @@
+def _is_stateful(rule: dict) -> bool:
+    if "correlation" in rule:
+        return True
+    cond = str(rule.get("detection", {}).get("condition", ""))
+    return any(tok in cond for tok in ("count(", "sum(", "avg(", "| near", "temporal"))
+
+
+def select_by_level(rules: list[dict], levels: tuple[str, ...]) -> list[dict]:
+    return [r for r in rules if str(r.get("level", "")).lower() in levels]
+
+
+def partition_rules(rules: list[dict], levels: tuple[str, ...] = ("high", "critical")) -> tuple[list[dict], list[dict]]:
+    in_scope = select_by_level(rules, levels)
+    loaded = [r for r in in_scope if not _is_stateful(r)]
+    excluded = [r for r in in_scope if _is_stateful(r)]
+    return loaded, excluded

sigmaforge/ingest/zircolite_runner.py

@@ -0,0 +1,92 @@
+import hashlib
+import json
+import subprocess
+import tempfile
+
+from sigmaforge.records import MatchRecord
+
+ZIRCOLITE = ["uv", "run", "python", "Zircolite/zircolite.py"]  # vendored 3.7.6
+
+
+def _stable_event_id(row: dict) -> str:
+    """Globally-unique event key (fix C). EventRecordID is a PER-EVTX-FILE counter, so using it
+    alone collapses record 42 of fileA with record 42 of fileB across a multi-file attack run and
+    silently deflates recall. Hash the whole flattened row instead: it carries Computer/UtcTime/
+    Image/CommandLine/... which differ across files even when EventRecordID repeats. Two genuinely
+    identical events still hash-collapse — that is correct dedup, not a collision bug.
+    (On real data each row also carries Zircolite's autoincrement `row_id`, globally unique
+    across a single multi-file run, so real events never over-split. NB: if `--parallel`
+    ingestion is ever enabled, `row_id` resets per chunk — uniqueness then rests on the
+    content fields, UtcTime/ProcessGuid/etc., which the whole-row hash already includes.)"""
+    canonical = json.dumps(row, sort_keys=True, default=str)
+    return hashlib.sha1(canonical.encode()).hexdigest()
+
+
+def parse_detections(
+    detections: list[dict],
+    corpus_label: str | None = None,
+    file_technique_map: dict[str, str] | None = None,
+    event_technique_out: dict[str, str] | None = None,
+) -> list[MatchRecord]:
+    """Parse Zircolite detections into MatchRecords.
+
+    FIX B: when ``file_technique_map`` (source-EVTX basename -> ATT&CK technique) and
+    ``event_technique_out`` are supplied, also populate ``event_technique_out`` mapping
+    each fired event's ``event_id`` -> its ground-truth technique. The technique is keyed
+    on the SAME identity the engine emits (``_stable_event_id``), so a fire and its
+    technique join correctly downstream. The source file is read from each match row's
+    ``OriginalLogfile`` (the EVTX basename, set by Zircolite's streaming flattener)."""
+    out: list[MatchRecord] = []
+    for d in detections:
+        for m in d.get("matches", []):
+            # benign COMISET rows carry the injected hash; native-EVTX rows do NOT -> derive a
+            # globally-unique key from the row (NOT bare EventRecordID, which collides across files).
+            eid = m.get("sigmaforge_eid") or _stable_event_id(m)
+            label = m.get("sigmaforge_label") or corpus_label or "benign"
+            out.append(MatchRecord(rule_id=d["title"], event_id=str(eid), event_label=label))
+            if file_technique_map is not None and event_technique_out is not None:
+                src = m.get("OriginalLogfile")
+                tech = file_technique_map.get(src) if src else None
+                if tech:
+                    event_technique_out[str(eid)] = tech
+    return out
+
+
+def run_shard(
+    events_path: str,
+    ruleset_glob: str,
+    mapping_path: str | None = None,
+    json_input: bool = True,
+    xml_input: bool = False,
+    corpus_label: str | None = None,
+    file_technique_map: dict[str, str] | None = None,
+    event_technique_out: dict[str, str] | None = None,
+) -> list[MatchRecord]:
+    """Run Zircolite over a shard and parse detections.
+
+    FIX B: pass ``file_technique_map`` + ``event_technique_out`` to also harvest the
+    per-event ground-truth technique (see ``parse_detections``).
+
+    FIX B3: ``xml_input=True`` ingests EVTX-converted-to-XML files (one wrapped
+    ``<Events>...</Events>`` document per file, Zircolite ``--xml-input``). Like the
+    native-EVTX path, each event's ``OriginalLogfile`` is set to the .xml basename,
+    so the same ``file_technique_map`` (basename -> (sub-)technique) recall join
+    applies. ``json_input`` and ``xml_input`` are mutually exclusive."""
+    if json_input and xml_input:
+        raise ValueError("json_input and xml_input are mutually exclusive")
+    out = tempfile.NamedTemporaryFile(suffix=".json", delete=False).name
+    cmd = [*ZIRCOLITE, "--events", events_path, "--ruleset", ruleset_glob, "--outfile", out]
+    if json_input:
+        cmd += ["--json-input"]
+    if xml_input:
+        cmd += ["--xml-input"]
+    if mapping_path:
+        cmd += ["--config", mapping_path]
+    subprocess.run(cmd, check=True, cwd="/Users/christianhuhn/PycharmProjects/ai_project1/sigmaforge")
+    with open(out) as fh:
+        return parse_detections(
+            json.load(fh),
+            corpus_label=corpus_label,
+            file_technique_map=file_technique_map,
+            event_technique_out=event_technique_out,
+        )

sigmaforge/main.py

@@ -0,0 +1,73 @@
+"""sigmaforge — CLI entry point."""
+
+from __future__ import annotations
+
+from rich.console import Console
+from shipwright_kit.cli import build_typer
+
+from sigmaforge import __version__
+from sigmaforge.detect import classify as classify_input
+
+app = build_typer("sigmaforge", "Honest Sigma-rule backtest harness", version=__version__)
+console = Console()
+
+
+@app.command()
+def classify(value: str) -> None:
+    """Classify an input string (example parse boundary)."""
+    console.print(classify_input(value))
+
+
+@app.command()
+def backtest(
+    rules: str,
+    attack: str,
+    benign: str,
+    out: str,
+    mapping: str = "data/mappings/comiset.yaml",
+    workers: int = 4,
+    min_events: int = 1000,
+    attack_events: int = 0,
+) -> None:
+    """Backtest Sigma rules: recall on the native-EVTX attack corpus, precision@COMISET on
+    the benign corpus. Writes the FP-tuning report to OUT. (Live end-to-end run; meaningful
+    precision numbers require the COMISET benign sample.)"""
+    import json
+    from pathlib import Path
+
+    import yaml
+
+    from sigmaforge.ingest.ruleload import partition_rules
+    from sigmaforge.ingest.zircolite_runner import run_shard
+    from sigmaforge.orchestrate import run_backtest
+
+    rule_docs = [
+        doc
+        for p in Path(rules).rglob("*.yml")
+        for doc in [yaml.safe_load(p.read_text())]
+        if isinstance(doc, dict) and doc.get("title")
+    ]
+    loaded, _excluded = partition_rules(rule_docs)
+    benign_events = [json.loads(line) for line in Path(benign).read_text().splitlines()]
+    attack_fires = set(run_shard(attack, rules, json_input=False, corpus_label="malicious"))
+    benign_fires = set(run_shard(benign, rules, mapping_path=mapping, json_input=True))
+    pc_fired = any(f.event_label == "malicious" for f in benign_fires)
+    _rows, _funnel, md = run_backtest(
+        loaded,
+        attack_fires,
+        benign_fires,
+        benign_events,
+        n_attack_events=attack_events,  # attack-corpus event count = recall denominator (provide via --attack-events)
+        positive_control_fired=pc_fired,
+        min_events=min_events,
+    )
+    Path(out).write_text(md)
+    console.print(f"report written: {out}")
+
+
+def main() -> None:
+    app()
+
+
+if __name__ == "__main__":
+    main()

sigmaforge/orchestrate.py

@@ -0,0 +1,147 @@
+"""Pure backtest orchestration (testable without live Zircolite).
+
+Two-source scoring (EVTX-recall coherence):
+- RECALL from the native-EVTX attack corpus (all-malicious). FIX B: PER-TECHNIQUE
+  recall — each rule is measured against only the attack events of its own ATT&CK
+  technique(s) (denom = events of that technique, not the whole corpus). A rule
+  with no technique tag, or whose technique has zero attack events, is
+  "unmeasured". When the per-technique inputs are not supplied the recall falls
+  back to the legacy POOLED denominator `tp_recall / n_attack_events`.
+- PRECISION/FP from the COMISET benign corpus via the label-aware, deduping `score_rule`
+  (A3: a malicious-labelled hit in the benign corpus is a TP, not an FP; MAJOR-5: dedupe
+  per (rule_id, event_id)).
+Precision flows ONLY through `emit_precision` (A2/A12) — no ungated raw precision is emitted.
+"""
+
+from sigmaforge.records import MatchRecord
+from sigmaforge.report.render import render_report
+from sigmaforge.runmanifest import run_hash
+from sigmaforge.score.acceptance import assert_one_source
+from sigmaforge.score.adapter import score_rule
+from sigmaforge.score.coverage import (
+    benign_events_evaluated_for_rule,
+    events_evaluated_for_rule,
+    selection_fields,
+)
+from sigmaforge.score.recall import UNMEASURED, per_technique_recall, rule_techniques
+from sigmaforge.score.scorer import emit_precision
+
+
+def run_backtest(
+    loaded_rules: list[dict],
+    attack_fires: set[MatchRecord],  # from EVTX attack corpus (recall)
+    benign_fires: set[MatchRecord],  # from COMISET benign corpus (precision)
+    benign_events: list[dict],  # COMISET events, carry sigmaforge_label (for labels + coverage)
+    n_attack_events: int,  # total attack-corpus events (legacy pooled recall denominator)
+    positive_control_fired: bool,
+    min_events: int,
+    source: str = "COMISET",
+    # FIX B (per-technique recall). All three must be supplied together to enable it;
+    # if any is None, recall falls back to the legacy pooled denominator.
+    event_technique: dict[str, str] | None = None,  # event_id -> ATT&CK (sub-)technique
+    technique_event_counts: dict[str, int] | None = None,  # technique -> total attack PC events
+) -> tuple[list[dict], dict, str]:
+    per_technique = event_technique is not None and technique_event_counts is not None
+    titles = {r["title"] for r in loaded_rules}
+    # benign-corpus label split (A3): malicious-labelled benign-corpus events are TP, not FP
+    n_ben_mal = sum(1 for e in benign_events if e.get("sigmaforge_label") == "malicious")
+    n_ben_ben = len(benign_events) - n_ben_mal
+
+    scores = []
+    recall_by_rule: dict[str, float | str] = {}
+    recall_meta_by_rule: dict[str, dict] = {}
+    benign_cov_by_rule: dict[str, int] = {}
+    for rule in loaded_rules:
+        rid = rule["title"]
+        fields = selection_fields(rule)
+        cov = events_evaluated_for_rule(benign_events, fields)
+        # BLOCKER-2: how many BENIGN-labelled events could have produced an FP at all
+        benign_cov_by_rule[rid] = benign_events_evaluated_for_rule(benign_events, fields)
+        # precision side: label-aware + dedupe via score_rule on the benign corpus
+        b = [f for f in benign_fires if f.rule_id == rid]
+        s = score_rule(rid, b, n_malicious=n_ben_mal, n_benign=n_ben_ben, events_evaluated=cov)
+        scores.append(s)
+        # recall side: unique malicious hits on the all-malicious attack corpus
+        fired_eids = {f.event_id for f in attack_fires if f.rule_id == rid and f.event_label == "malicious"}
+        if per_technique:
+            # FIX B: measure the rule against only the events of its own technique(s)
+            techs = rule_techniques(rule)
+            recall, numer, denom, measured = per_technique_recall(
+                rid, techs, fired_eids, event_technique, technique_event_counts
+            )
+            recall_by_rule[rid] = recall
+            recall_meta_by_rule[rid] = {
+                "techniques": sorted(techs),
+                "measured_techniques": measured,
+                "recall_numer": numer,
+                "recall_denom": denom,
+                "recall_measurable": recall != UNMEASURED,
+            }
+        else:
+            # legacy POOLED recall (fallback when per-technique inputs absent)
+            recall_by_rule[rid] = (len(fired_eids) / n_attack_events) if n_attack_events else 0.0
+            recall_meta_by_rule[rid] = {"recall_measurable": None}
+
+    precisions = emit_precision(scores, positive_control_fired, min_events)  # the ONLY precision path
+    rows = []
+    for s in scores:
+        # BLOCKER-2 flag: a measured precision with zero benign exemplars carries NO FP signal
+        # (fp=0 is true by construction — no benign-labelled event matched the selection).
+        no_benign_exemplars = benign_cov_by_rule[s.rule_id] == 0
+        meta = recall_meta_by_rule[s.rule_id]
+        rows.append(
+            {
+                "rule": s.rule_id,
+                "recall": recall_by_rule[s.rule_id],
+                f"precision@{source}": precisions[s.rule_id],
+                "tp": s.tp,
+                "fp": s.fp,
+                "events_evaluated": s.events_evaluated,
+                "benign_events_evaluated": benign_cov_by_rule[s.rule_id],
+                "no_benign_exemplars": no_benign_exemplars,
+                # FIX B per-technique recall provenance (present even in pooled mode, with
+                # recall_measurable=None so the report can tell the two modes apart)
+                "recall_techniques": meta.get("techniques", []),
+                "recall_measured_techniques": meta.get("measured_techniques", []),
+                "recall_numer": meta.get("recall_numer"),
+                "recall_denom": meta.get("recall_denom"),
+                "recall_measurable": meta.get("recall_measurable"),
+            }
+        )
+    funnel = {
+        "candidate": len(loaded_rules),
+        "loaded": len(loaded_rules),
+        "stateless": len(loaded_rules),
+        "fires": len({s.rule_id for s in scores if s.tp or s.fp}),
+        "survives_fp": len([s for s in scores if s.fp == 0 and s.tp]),
+    }
+    # FIX H acceptance gate (reconcile-not-relabel): with a ONE-source ruleset
+    # (engine compiled from exactly the loaded set), every engine fire must be a
+    # loaded rule and engine fires must equal scored fires on BOTH corpora. The
+    # old code merely asserted scores ⊆ titles (always true, since scores are
+    # built from loaded_rules) and silently dropped engine fires outside `titles`
+    # (the 767->2 benign-side gap). This now raises on any such discrepancy.
+    assert all(s.rule_id in titles for s in scores)
+    assert_one_source(titles, attack_fires, benign_fires)
+    # A11: worker-invariant reproducibility stamp over the aggregated fire set
+    rh = run_hash(attack_fires | benign_fires)
+    if per_technique:
+        measurable = sum(1 for r in rows if r["recall_measurable"])
+        recall_note = (
+            "recall is **per-technique, sub-technique-granular** — each rule is measured against "
+            "only the attack events of its own ATT&CK (sub-)technique(s), NOT pooled over the whole "
+            "corpus and NOT diluted by sibling sub-techniques. A rule tagged `T1059.001` is scored "
+            "against `T1059.001` events ONLY (its `T1059.003` siblings are excluded); a rule with a "
+            "bare parent tag `T1059` covers all `T1059.*` children. Rules with no technique tag, or "
+            "whose tags match zero attack events in this corpus, are `unmeasured` (not 0). "
+            f"Recall-measurable rules: {measurable}/{len(rows)}."
+        )
+    else:
+        recall_note = (
+            "recall is **pooled** (tp / whole-corpus). Per-technique recall (FIX B) is not enabled for this run."
+        )
+    return (
+        rows,
+        funnel,
+        render_report(rows, funnel, source=source, min_events=min_events, run_hash=rh, recall_note=recall_note),
+    )

sigmaforge/records.py

@@ -0,0 +1,18 @@
+from dataclasses import dataclass
+
+
+@dataclass(frozen=True)
+class MatchRecord:
+    rule_id: str
+    event_id: str
+    event_label: str  # "benign" | "malicious"
+
+
+@dataclass
+class RuleScore:
+    rule_id: str
+    tp: int = 0
+    fp: int = 0
+    tn: int = 0
+    fn: int = 0
+    events_evaluated: int = 0

sigmaforge/report/render.py

@@ -0,0 +1,87 @@
+def render_report(
+    rows: list[dict],
+    funnel: dict,
+    source: str = "COMISET",
+    min_events: int = 1000,
+    fp_tuning_threshold: int = 5,
+    run_hash: str | None = None,
+    corpus_note: str | None = None,
+    recall_note: str | None = None,
+) -> str:
+    """A10/A8: the deliverable. A human-readable FP-tuning report.
+    Leads with the corpus-scope + noisy-label caveat; precision labelled precision@SOURCE.
+    `corpus_note` MUST disclose the benign corpus composition when it is blended (A8 honesty).
+    `recall_note` (FIX B) discloses how recall is measured (per-technique vs pooled)."""
+    lines = [
+        f"# Sigmaforge backtest report ({source})",
+        "",
+        *([f"_run hash (worker-invariant): `{run_hash}`_", ""] if run_hash else []),
+        f"> Precision is **precision@{source}**, measured on the benign corpus described below "
+        f"— not a general/cross-environment false-positive rate. "
+        f"Labels are NOISY ground truth (rule-pattern attributions, e.g. OneDrive.exe tagged "
+        f"as an ATT&CK technique), so a measured FP may be a mislabel. Recall is measured on "
+        f"the labeled native-EVTX attack corpora over PROCESS-CREATION events only (the loaded "
+        f"ruleset is 100% process_creation). Precision floor: {min_events} evaluated events.",
+        *([f"> **Benign corpus composition:** {corpus_note}"] if corpus_note else []),
+        *([f"> **Recall method (FIX B):** {recall_note}"] if recall_note else []),
+        "",
+        "> **Precision tautology caveat (BLOCKER-2):** a rule showing precision = 1.0 with fp = 0 "
+        "is only trustworthy if benign-labelled events actually matched its selection. Rules whose "
+        "benign-corpus coverage held **zero benign exemplars** are flagged `no-benign-exemplars` "
+        "below: their fp = 0 is true *by construction*, so precision = 1.0 carries **no "
+        "false-positive signal** — it is not evidence of FP-resistance.",
+        "",
+        "## Funnel",
+    ]
+    for stage in ("candidate", "loaded", "stateless", "fires", "survives_fp"):
+        if stage in funnel:
+            lines.append(f"- {stage}: {funnel[stage]}")
+    lines += [
+        "",
+        "## Per-rule",
+        "",
+        "| rule | recall | precision@"
+        + source
+        + " | tp | fp | events_evaluated | benign_events_evaluated | precision_signal |",
+        "|---|---|---|---|---|---|---|---|",
+    ]
+    for r in rows:
+        prec = r.get(f"precision@{source}", "unmeasured")
+        # precision_signal: does the precision number carry any FP information?
+        if prec == "unmeasured":
+            signal = "n/a (unmeasured)"
+        elif r.get("no_benign_exemplars"):
+            signal = "NONE (no-benign-exemplars)"
+        else:
+            signal = "real"
+        lines.append(
+            f"| {r.get('rule')} | {r.get('recall')} | {prec} "
+            f"| {r.get('tp')} | {r.get('fp')} | {r.get('events_evaluated')} "
+            f"| {r.get('benign_events_evaluated', 'n/a')} | {signal} |"
+        )
+    # FP-tuning section: surface over-broad rules (the analyst-judgment deliverable)
+    noisy = [r for r in rows if isinstance(r.get("fp"), int) and r["fp"] >= fp_tuning_threshold]
+    lines += ["", "## FP-tuning candidates (over-broad on real traffic)"]
+    if noisy:
+        for r in sorted(noisy, key=lambda x: -x["fp"]):
+            lines.append(
+                f"- **{r.get('rule')}** catches the attack but fires {r['fp']}x on benign "
+                f"activity — candidate for tightening."
+            )
+    else:
+        lines.append("- none above threshold")
+
+    # BLOCKER-2: rules whose measured precision is tautological (no benign exemplars).
+    tautology = [r for r in rows if r.get("no_benign_exemplars") and isinstance(r.get(f"precision@{source}"), float)]
+    lines += ["", "## Precision tautologies (no benign exemplars — precision carries no FP signal)"]
+    if tautology:
+        for r in sorted(tautology, key=lambda x: str(x.get("rule"))):
+            lines.append(
+                f"- **{r.get('rule')}** reports precision@{source} = {r.get(f'precision@{source}')} "
+                f"with fp = {r.get('fp')}, but **0 benign-labelled events matched its selection** — "
+                f"fp = 0 is true by construction. No FP-resistance is demonstrated; precision is "
+                f"effectively unmeasured for FP purposes."
+            )
+    else:
+        lines.append("- none (every measured rule had at least one benign exemplar)")
+    return "\n".join(lines)

sigmaforge/runmanifest.py

@@ -0,0 +1,23 @@
+import hashlib
+import json
+
+
+def build_manifest(**kw) -> dict:
+    """Pin everything that determines a metric, for reproducibility (A4)."""
+    kw["level"] = list(kw.get("level", ()))
+    return dict(sorted(kw.items()))
+
+
+def run_hash(aggregated_matches, workers=None) -> str:
+    """A4/A11: a stable hash of the aggregated (rule_id, event_id) set.
+    `workers` is intentionally NOT hashed — the metric must be worker-count invariant."""
+    payload = sorted(f"{r[0]}|{r[1]}" for r in _as_pairs(aggregated_matches))
+    return hashlib.sha256(json.dumps(payload).encode()).hexdigest()
+
+
+def _as_pairs(matches):
+    for m in matches:
+        if isinstance(m, tuple):
+            yield m
+        else:  # MatchRecord
+            yield (m.rule_id, m.event_id)

sigmaforge/score/acceptance.py

@@ -0,0 +1,96 @@
+"""FIX H acceptance gate: reconcile-not-relabel.
+
+The gap-review failure was a TWO-SOURCE join by title: the engine fired
+Zircolite's bundled 2680-rule snapshot, the scorer kept only the ~609 loaded
+SigmaHQ titles, so engine fires whose title was outside the 609 set were
+SILENTLY dropped (benign_fires=767 -> funnel fires=2). FIX H compiles ONE
+ruleset from exactly the loaded set, so the engine can only fire loaded rules.
+
+This module asserts that invariant after a run, on EACH corpus:
+
+  1. NO TITLE-DROP: every engine-fired rule_id is in the loaded title set.
+     (If a fire's title is not loaded, the engine ran a DIFFERENT ruleset than
+     the one scored — a real two-source regression, not something to suppress.)
+  2. ENGINE == SCORED: the number of distinct (rule_id, event_id) fires the
+     engine produced equals the number the scorer actually counted. A gap here
+     means fires were dropped between firing and scoring.
+
+A failure is a real discrepancy to SURFACE (raise), never relabel.
+"""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+
+from sigmaforge.records import MatchRecord
+
+
+@dataclass(frozen=True)
+class GateResult:
+    corpus: str
+    engine_fires: int  # distinct (rule_id, event_id) from the engine
+    scored_fires: int  # distinct (rule_id, event_id) the scorer counted
+    dropped_titles: tuple[str, ...]  # fired rule_ids NOT in the loaded set
+    ok: bool
+
+    def reason(self) -> str:
+        if self.ok:
+            return f"{self.corpus}: engine==scored ({self.engine_fires}), no title-drop"
+        parts = []
+        if self.dropped_titles:
+            parts.append(
+                f"{len(self.dropped_titles)} fired rule(s) outside the loaded set "
+                f"(title-drop / two-source skew): {list(self.dropped_titles)[:5]}"
+                + ("…" if len(self.dropped_titles) > 5 else "")
+            )
+        if self.engine_fires != self.scored_fires:
+            parts.append(f"engine fires ({self.engine_fires}) != scored fires ({self.scored_fires})")
+        return f"{self.corpus}: " + "; ".join(parts)
+
+
+def check_corpus(
+    corpus: str,
+    engine_fires: set[MatchRecord] | list[MatchRecord],
+    loaded_titles: set[str],
+) -> GateResult:
+    """Compute the gate result for one corpus.
+
+    `scored_fires` mirrors what the scorer counts: distinct (rule_id, event_id)
+    whose rule_id is in `loaded_titles`. `engine_fires` is the raw distinct
+    (rule_id, event_id) the engine emitted. With a one-source ruleset these
+    must be equal AND no fired title may fall outside `loaded_titles`.
+    """
+    engine_pairs = {(f.rule_id, f.event_id) for f in engine_fires}
+    scored_pairs = {(rid, eid) for (rid, eid) in engine_pairs if rid in loaded_titles}
+    dropped = tuple(sorted({rid for (rid, _eid) in engine_pairs if rid not in loaded_titles}))
+    ok = (not dropped) and (len(engine_pairs) == len(scored_pairs))
+    return GateResult(
+        corpus=corpus,
+        engine_fires=len(engine_pairs),
+        scored_fires=len(scored_pairs),
+        dropped_titles=dropped,
+        ok=ok,
+    )
+
+
+def assert_one_source(
+    loaded_titles: set[str],
+    attack_fires: set[MatchRecord] | list[MatchRecord],
+    benign_fires: set[MatchRecord] | list[MatchRecord],
+) -> list[GateResult]:
+    """Run the gate on BOTH corpora; raise on any discrepancy.
+
+    The 767->2 gap was benign-side, so the benign corpus MUST be checked too.
+    Returns the per-corpus results on success; raises AssertionError otherwise.
+    """
+    results = [
+        check_corpus("attack", attack_fires, loaded_titles),
+        check_corpus("benign", benign_fires, loaded_titles),
+    ]
+    failures = [r for r in results if not r.ok]
+    if failures:
+        raise AssertionError(
+            "FIX H acceptance gate FAILED (engine ruleset and scored ruleset disagree):\n"
+            + "\n".join("  - " + r.reason() for r in failures)
+        )
+    return results

sigmaforge/score/adapter.py

@@ -0,0 +1,19 @@
+from sigmaforge.records import MatchRecord, RuleScore
+
+
+def score_rule(
+    rule_id: str,
+    fires: list[MatchRecord],
+    n_malicious: int,
+    n_benign: int,
+    events_evaluated: int,
+) -> RuleScore:
+    # Zircolite concatenates filtered_rows across a rule's sigma_queries, so the same
+    # event can appear multiple times in `matches`. Dedupe per (rule_id, event_id) BEFORE
+    # counting, or tp/fp inflate past n_malicious/n_benign and tn/fn go negative.
+    unique = {(f.rule_id, f.event_id): f for f in fires}.values()
+    tp = sum(1 for f in unique if f.event_label == "malicious")
+    fp = sum(1 for f in unique if f.event_label == "benign")
+    fn = max(0, n_malicious - tp)
+    tn = max(0, n_benign - fp)
+    return RuleScore(rule_id, tp=tp, fp=fp, tn=tn, fn=fn, events_evaluated=events_evaluated)

sigmaforge/score/coverage.py

@@ -0,0 +1,28 @@
+def events_evaluated_for_rule(events: list[dict], selection_fields: set[str]) -> int:
+    """A2 coverage counter: how many events actually carry ALL of a rule's selection fields
+    (present + non-empty). Distinguishes 'low FP' from 'rule never ran'."""
+    return sum(1 for e in events if all(e.get(f) not in (None, "") for f in selection_fields))
+
+
+def benign_events_evaluated_for_rule(events: list[dict], selection_fields: set[str]) -> int:
+    """BLOCKER-2 precision-tautology guard: coverage restricted to BENIGN-labelled events.
+
+    A rule whose precision is 1.0 with fp=0 carries NO false-positive signal if zero
+    benign-labelled events ever carried its selection fields — there was no benign exemplar
+    that *could* have produced an FP. This counts the benign exemplars a rule was actually
+    exposed to, so the report can flag tautological precision honestly."""
+    benign = (e for e in events if e.get("sigmaforge_label") != "malicious")
+    return sum(1 for e in benign if all(e.get(f) not in (None, "") for f in selection_fields))
+
+
+def selection_fields(rule: dict) -> set[str]:
+    """Extract the Sigma field names a rule's detection.selection* blocks reference.
+    Field names may carry Sigma modifiers (e.g. 'CommandLine|contains') -> strip at the pipe."""
+    fields: set[str] = set()
+    detection = rule.get("detection", {})
+    for key, block in detection.items():
+        if key == "condition" or not isinstance(block, dict):
+            continue
+        for field in block:
+            fields.add(str(field).split("|", 1)[0])
+    return fields

sigmaforge/score/gates.py

@@ -0,0 +1,21 @@
+from sigmaforge.records import RuleScore
+
+
+def precision_or_unmeasured(s: RuleScore, min_events: int):
+    """A12 floor + A2 coverage: precision only when enough events were actually evaluated."""
+    if s.events_evaluated < min_events:
+        return "unmeasured"
+    denom = s.tp + s.fp
+    return s.tp / denom if denom else "unmeasured"
+
+
+def positive_control_ok(rule_fired: bool) -> bool:
+    """A2: the pinned known-malicious control event MUST fire before any precision is trusted.
+    If it does not fire, the field mapping/logsource is broken -> precision is unmeasurable."""
+    return rule_fired
+
+
+def overfit_flag(fires_original: bool, fires_mutated: bool) -> bool:
+    """A2 overfit guard: a behavioural rule fires on both the original and the literal-IOC-mutated
+    twin; a literal-string (IOC) rule fires only on the original. True = overfit (literal-only)."""
+    return fires_original and not fires_mutated

sigmaforge/score/recall.py

@@ -0,0 +1,123 @@
+"""Per-technique recall (FIX B), sub-technique-granular (FIX B2).
+
+The pooled recall `tp / n_attack_events` divides every rule's hits by the WHOLE
+process-creation attack corpus. A single-technique rule can match at most the
+events of its own technique, so a corpus-wide denominator caps its recall near
+zero by construction (a recall-side tautology). FIX B measures each rule against
+only the attack events of the rule's own ATT&CK technique(s).
+
+FIX B2 — SUB-TECHNIQUE-GRANULAR scoping (no sibling dilution): technique IDs are
+kept at full sub-technique granularity on BOTH sides (a rule tagged
+``attack.t1059.001`` yields ``T1059.001``; the corpus event keeps ``T1059.001``).
+An attack event of technique X counts toward rule R's recall iff (ASYMMETRIC rule):
+
+  * X is EXACTLY one of R's (sub-)technique tags
+    (a T1059.001 rule ↔ T1059.001 events ONLY — NOT its T1059.003 siblings), OR
+  * R carries a BARE parent tag (T1059 with no sub-technique) and X is ANY child
+    of it (T1059.* or bare T1059) — a generic rule legitimately covers the whole
+    technique.
+
+A T1059.001 rule is therefore NEVER scored against T1059.003 events (the sibling
+dilution that inflated the denominator and deflated recall). A bare-T1059 rule IS
+scored against all T1059.* events. Then:
+
+    denom = | attack events matching R per the rule above |
+    numer = | unique such events R fired on |
+    recall = numer / denom
+
+A rule with no usable technique tag, or whose tags match ZERO attack events in
+the corpus, is "unmeasured" (the sentinel string ``"unmeasured"``), NOT 0 and NOT
+pooled — there is simply no matching event to measure it against in this corpus.
+
+Identity contract: ``event_technique`` keys on the SAME event identity the
+engine emits (``MatchRecord.event_id`` == ``_stable_event_id``), so a fire and
+its ground-truth technique join correctly.
+"""
+
+import re
+
+UNMEASURED = "unmeasured"
+
+# Keep declared tag granularity: attack.t1059.001 -> T1059.001; bare attack.t1059 -> T1059.
+_TECH_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)
+
+
+def rule_techniques(rule: dict) -> set[str]:
+    """ATT&CK technique IDs from a Sigma rule's tags, at the DECLARED granularity.
+
+    FIX B2: a rule tagged ``attack.t1059.001`` yields ``{"T1059.001"}`` (kept at
+    sub-technique granularity, NOT folded to T1059); a rule tagged bare
+    ``attack.t1059`` yields ``{"T1059"}``. Returns an empty set when no usable
+    technique tag is present.
+    """
+    out: set[str] = set()
+    for tag in rule.get("tags") or []:
+        m = _TECH_TAG.match(str(tag))
+        if m:
+            out.add(m.group(1).upper())
+    return out
+
+
+def _event_matches_rule(event_tech: str | None, techniques: set[str]) -> bool:
+    """ASYMMETRIC match (FIX B2): does an event of ``event_tech`` count for a rule
+    whose technique set is ``techniques``?
+
+    - exact (sub-)technique match: ``T1059.001`` event ↔ ``T1059.001`` rule tag, OR
+    - bare-parent rule covers all children: a rule tagged bare ``T1059`` matches
+      any ``T1059`` or ``T1059.*`` event.
+    A sub-technique rule (``T1059.001``) does NOT match a sibling (``T1059.003``)
+    nor the bare parent's other children.
+    """
+    if event_tech is None:
+        return False
+    if event_tech in techniques:
+        return True
+    parent = event_tech.split(".", 1)[0]
+    return parent in techniques  # bare-parent rule tag covers this child
+
+
+def _technique_event_count_for_rule(
+    techniques: set[str], technique_event_counts: dict[str, int]
+) -> tuple[int, list[str]]:
+    """denom + the corpus technique IDs that contribute to it, per the asymmetric rule.
+
+    A bare-parent tag (T1059) absorbs every corpus T1059 / T1059.* bucket; a
+    sub-technique tag (T1059.001) absorbs only the exact T1059.001 bucket.
+    """
+    contributing: dict[str, int] = {}
+    for corpus_tech, count in technique_event_counts.items():
+        if count > 0 and _event_matches_rule(corpus_tech, techniques):
+            contributing[corpus_tech] = count
+    denom = sum(contributing.values())
+    return denom, sorted(contributing)
+
+
+def per_technique_recall(
+    rule_id: str,
+    techniques: set[str],
+    fired_event_ids: set[str],
+    event_technique: dict[str, str],
+    technique_event_counts: dict[str, int],
+) -> tuple[float | str, int, int, list[str]]:
+    """Return (recall, numer, denom, measured_techniques).
+
+    - ``techniques``: the rule's (sub-)technique set (may be empty -> unmeasured).
+    - ``fired_event_ids``: unique attack event_ids the rule fired on.
+    - ``event_technique``: event_id -> technique (ground truth, sub-technique-granular).
+    - ``technique_event_counts``: technique -> total attack PC events of that technique.
+
+    recall is ``UNMEASURED`` when the rule has no technique tag OR no corpus
+    technique matches its tags per the asymmetric rule (denom == 0). Otherwise
+    numer/denom, where numer counts only fires that land on an event whose
+    technique matches the rule (a fire on an off-technique / sibling event does
+    NOT count toward this rule's recall).
+    """
+    if not techniques:
+        return UNMEASURED, 0, 0, []
+
+    denom, measured = _technique_event_count_for_rule(techniques, technique_event_counts)
+    if denom == 0:
+        return UNMEASURED, 0, 0, []
+
+    numer = sum(1 for eid in fired_event_ids if _event_matches_rule(event_technique.get(eid), techniques))
+    return numer / denom, numer, denom, measured

sigmaforge/score/scorer.py

@@ -0,0 +1,23 @@
+from shipwright_kit.eval import EvalResult
+
+from sigmaforge.records import RuleScore
+from sigmaforge.score.gates import positive_control_ok, precision_or_unmeasured
+
+
+def metrics(s: RuleScore) -> dict:
+    # A9: reuse the validated shipwright_kit.eval math; do not re-derive precision/recall/fpr.
+    r = EvalResult(tp=s.tp, fp=s.fp, tn=s.tn, fn=s.fn)
+    return {
+        "precision": r.precision,
+        "recall": r.recall,
+        "fpr": r.false_positive_rate,
+        "f1": r.f1,
+    }
+
+
+def emit_precision(scores: list[RuleScore], positive_control_fired: bool, min_events: int) -> dict:
+    """A2/A12: the ONLY sanctioned precision path. If the positive control did not fire (mapping
+    broken), NO rule gets a precision number. Otherwise each rule is floor-gated per coverage."""
+    if not positive_control_ok(positive_control_fired):
+        return {s.rule_id: "unmeasured" for s in scores}
+    return {s.rule_id: precision_or_unmeasured(s, min_events) for s in scores}

sigmaforge-0.1.0.dist-info/METADATA

@@ -0,0 +1,121 @@
+Metadata-Version: 2.4
+Name: sigmaforge
+Version: 0.1.0
+Summary: Honest Sigma-rule backtest harness
+Author-email: Christian Huhn <duathron@gmail.com>
+License-Expression: MIT
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: typer>=0.12.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: pydantic>=2.7.0
+Requires-Dist: shipwright-kit>=0.8.0
+Dynamic: license-file
+
+# sigmaforge
+
+**Honest Sigma-rule backtest harness.** Measures detection rules against real log
+corpora and reports two numbers per rule — **recall** (does it catch attacks of its
+ATT&CK sub-technique?) and **precision / false-positives** (does it fire on benign
+activity?) — with honesty gates that return `unmeasured` instead of a fake `0` or a
+tautological `1.0` when the data can't support a number.
+
+[![CI](https://github.com/duathron/sigmaforge/actions/workflows/ci.yml/badge.svg)](https://github.com/duathron/sigmaforge/actions/workflows/ci.yml)
+![python](https://img.shields.io/badge/python-3.11%2B-blue)
+![license](https://img.shields.io/badge/license-MIT-green)
+
+> [!NOTE]
+> **Learning / portfolio project, built by directing AI coding agents.** Christian
+> Huhn (photography → SOC career change) designed, reviewed, and gated the work; the
+> implementation was AI-pair-programmed. It is an honest measurement harness, not a
+> polished product — see *Status* below for exactly what works and what doesn't yet.
+
+## What problem it solves
+
+Every SOC ships dozens to hundreds of detection rules and rarely measures them.
+sigmaforge answers two questions with reproducible evidence:
+
+- **Which rules are noise generators?** (high false-positives on legitimate activity)
+- **Which rules catch nothing?** (zero recall against real attacks of their technique)
+
+Example finding from a real run: *Suspicious Windows Service Tampering* produced 66
+false-positives on a benign corpus — every one a Ninite / TeamViewer installer, not
+an attack.
+
+## How it actually works
+
+```mermaid
+flowchart LR
+    R[SigmaHQ rules] -->|partition high/critical| C[compile to one Zircolite ruleset]
+    C --> E[Zircolite engine]
+    A[(attack corpus<br/>sub-technique-labeled)] --> E
+    B[(benign corpus<br/>Nextron + OpTC)] --> E
+    E --> S[score: recall per technique<br/>+ precision/FP label-aware]
+    S --> G[honesty gates<br/>floor · positive-control · no-self-review]
+    G --> O[report.md + manifest]
+```
+
+The real pipeline is **script-driven** (`scripts/run6_backtest.py` is the current
+end-to-end path):
+
+```bash
+uv run python scripts/compile_loaded_ruleset.py   # rules -> one Zircolite ruleset
+uv run python scripts/run6_backtest.py            # backtest -> reports/run6.md
+```
+
+> [!WARNING]
+> The shipped CLI (`sigmaforge backtest`) is a **weaker, work-in-progress path** and
+> is not the way the real reports were produced. Use the scripts above. The CLI is
+> kept for the future one-command experience, not parity.
+
+## Status
+
+| Area | State |
+|------|-------|
+| Recall (per sub-technique, no sibling dilution) | **Working** — 338/609 rules measurable, 70 fire (run5) |
+| Precision / false-positives (label-aware, gated) | **Working** — 7/609 measurable on current benign corpus (run6) |
+| Honesty gates (floor, positive-control, no-self-review) | **Working** |
+| Reproducible manifest (run_hash, corpus SHAs, provenance) | **Working** |
+| One-command CLI (`sigmaforge backtest`) | **WIP** — weaker than the scripts |
+| Self-generated benign corpus | **Kit ready** (`scripts/selfgen/`), needs a Windows VM run |
+
+> [!IMPORTANT]
+> **The log corpora are not shipped.** They are large, separately licensed, and
+> gitignored. `pip install sigmaforge` installs the harness code, not the data — a
+> full end-to-end backtest needs the corpora and a local Zircolite checkout (also not
+> bundled). The package is useful as a library / reference; the runnable pipeline
+> needs the local setup documented in `scripts/`.
+
+## Install
+
+```bash
+pip install sigmaforge
+```
+
+Installs the harness package and the `sigmaforge` CLI. The detection engine
+([Zircolite](https://github.com/wagga40/Zircolite)) and the log corpora are obtained
+separately (see above).
+
+## Corpora used (all verified, portfolio-safe licenses)
+
+| Corpus | Role | License |
+|--------|------|---------|
+| [splunk/attack_data](https://github.com/splunk/attack_data) | recall (sub-technique-labeled attacks) | Apache-2.0 |
+| [DARPA OpTC](https://github.com/FiveDirections/OpTC-data) | precision (real enterprise benign week) | Public domain |
+| [NextronSystems/evtx-baseline](https://github.com/NextronSystems/evtx-baseline) | precision (goodware baseline) | Apache-2.0 |
+| Self-generated (`scripts/selfgen/`) | precision (targeted admin/LOLBin noise) | your own lab |
+
+## Development
+
+Built with the [Shipwright](https://github.com/duathron/shipwright) dev framework.
+
+```bash
+uv sync --dev
+uv run pytest        # 108 tests
+uv run ruff check .
+```
+
+## License
+
+MIT © Christian Huhn. Corpus data retains its upstream license (see table above).

sigmaforge-0.1.0.dist-info/RECORD

@@ -0,0 +1,31 @@
+sigmaforge/__init__.py,sha256=kUR5RAFc7HCeiqdlX36dZOHkUI5wI6V_43RpEcD8b-0,22
+sigmaforge/banner.py,sha256=esg3wB57cukVZ8guPCnG3KApopi4BXgyMgKRnx1DXpQ,413
+sigmaforge/config.py,sha256=6l67AKgYb2h7lb3CnwiTivw9HFi47V8EZdH1_lZDBZw,863
+sigmaforge/detect.py,sha256=D5diyPAXSQknxBVkenvOCyRgzAJ7J5D5EEYnZqFy60M,1401
+sigmaforge/main.py,sha256=lJ7smiZ-SCeNuJuTKPRHhwuZ_mrMNVsmOl7Lw5mOrEk,2263
+sigmaforge/orchestrate.py,sha256=Y93RmJMMVSt4bHMmEB4UkTxsYJZgDEE2Rnqo93E-UOw,7964
+sigmaforge/records.py,sha256=L0lWV1IYOYoexd1rWohrVwbQEdmOpSkwEEV85cua1Kk,302
+sigmaforge/runmanifest.py,sha256=omfAjgkHaVA_g45TJNb-BkpPiKDPyCJ4vGviRRjwlrE,759
+sigmaforge/backtest/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sigmaforge/backtest/runner.py,sha256=_dEkj8m-G67NMC7G7nE7trIs4Z30VyX8i7QJ3RaQvXM,741
+sigmaforge/crosscheck/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sigmaforge/crosscheck/chainsaw.py,sha256=VVzgnMbNLIURvqrWKMxRNwdJotDh91-19N7BTQskaIs,649
+sigmaforge/ingest/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sigmaforge/ingest/chunker.py,sha256=Pn82EGIqAJhMj29VWHcoY7-RlU7nGgqhTm65qOC0ny0,615
+sigmaforge/ingest/ruleload.py,sha256=3s6VB4ScbfZ-RYVJiTmWJf2ec-eSyG_06xd1EjBL8F4,706
+sigmaforge/ingest/zircolite_runner.py,sha256=eHP9ndwDZ-J4tNCmEjPEOqaA1w6UxzffDeSoZJ0pnUc,4526
+sigmaforge/report/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sigmaforge/report/render.py,sha256=5Z_0V4j4NTiit7UB757PO6NVH5GZJqLT12gG48I5_wg,4535
+sigmaforge/score/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+sigmaforge/score/acceptance.py,sha256=Ck9aA5C-_L8HfXoCVrOHu_Pj9_ePoIEf0JTbrINPPXM,3923
+sigmaforge/score/adapter.py,sha256=cvb6z0fMZTjxSk0pERuaySwB5j42JrOQL6R-E7iRA-g,811
+sigmaforge/score/coverage.py,sha256=WDi-sS6uoL6NHvLGs_8n6w5qe7R3uzUQmFrTYX0Gxt0,1576
+sigmaforge/score/gates.py,sha256=htzBavPzv5Bg0XJqJnYFSptnCGZv0sN1cehunWK9Rvw,924
+sigmaforge/score/recall.py,sha256=URqTfP6sYFce2SwNvR0KsO_IuNx7ploiDtSSBtq_Ao0,5427
+sigmaforge/score/scorer.py,sha256=vpDS04LOA8d9Hfsx5LxyEv15Gdl4DPchm-FYqLHLLT4,980
+sigmaforge-0.1.0.dist-info/licenses/LICENSE,sha256=BVf5pqest078hZ5byAbwbvGWuPUYGwdeNp7gnRaJebU,1071
+sigmaforge-0.1.0.dist-info/METADATA,sha256=YnsPfuCAO1bJ7-e4uHXjWhj9X1INjeMq3ac0Knu_O_M,5021
+sigmaforge-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+sigmaforge-0.1.0.dist-info/entry_points.txt,sha256=-mfqUFO_dOojOBqMCxSDn521tzCBKZZqNHItaHIqkME,52
+sigmaforge-0.1.0.dist-info/top_level.txt,sha256=6rhsK1MwVzIwuB9v78C9W4kNivGlm2Lh4W0FFH7gbJc,11
+sigmaforge-0.1.0.dist-info/RECORD,,

sigmaforge-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

sigmaforge-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+sigmaforge = sigmaforge.main:main

sigmaforge-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Christian Huhn
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

sigmaforge-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+sigmaforge