/** * Flywheel Manager -- automates the threat detection → rule generation → promotion cycle. * * Flow: * 1. Tier 4 (LLM) detects novel threat → auto-scaffold rule * 2. Rule enters shadow mode → ShadowEvaluator tracks FP rate * 3. FP < threshold after N evaluations → auto-promote to stable * 4. Promoted rule distributes to all users via Threat Cloud * * Machine speed, not human speed. No manual proposals or voting required. * * @module agent-threat-rules/flywheel */ import type { ATRRule, ATRMatch, AgentEvent } from './types.js'; import { type PromotionCandidate } from './shadow-evaluator.js'; export interface FlywheelConfig { /** Max FP rate for auto-promotion (default: 0.001 = 0.1%) */ readonly maxFPRate?: number; /** Minimum shadow evaluations before promotion (default: 1000) */ readonly minEvaluations?: number; /** Callback when a rule is auto-promoted */ readonly onPromote?: (rule: ATRRule, stats: PromotionCandidate['stats']) => void | Promise; /** Callback when a new shadow rule is generated */ readonly onShadowRule?: (rule: ATRRule) => void | Promise; } export declare class FlywheelManager { private readonly scaffolder; private readonly shadow; private readonly config; private readonly existingIds; constructor(config?: FlywheelConfig); /** * Called when Tier 4 (LLM semantic) detects a novel threat. * Auto-generates a shadow rule from the detection. */ onTier4Detection(match: ATRMatch, event: AgentEvent): Promise; /** * Called for every event -- runs shadow evaluation. * Returns shadow matches (for logging only, not verdict). */ evaluateShadow(event: AgentEvent): readonly ATRMatch[]; /** Record user feedback on a shadow match */ recordFeedback(ruleId: string, isTruePositive: boolean): void; /** * Check for rules ready to promote and execute promotion. * Call periodically (e.g., every 15 minutes). */ promoteReady(): Promise; /** Get shadow evaluator stats */ getShadowStats(): ReadonlyMap; /** Number of rules in shadow mode */ shadowRuleCount(): number; } //# sourceMappingURL=flywheel.d.ts.map