/**
 * ATR Rule Quality Contract — the single source of truth for what a rule's
 * maturity means, which detection lane it may fire in, and whether its
 * contract-level fields are valid.
 *
 * Every pipeline (the engine, the schema validators, rule producers, and the
 * promotion gate) imports from HERE instead of reimplementing its own notion of
 * "is this rule good / mature / allowed to block". Change the contract once and
 * every consumer stays consistent; a new pipeline inherits it by importing.
 *
 * This module is PURE (no engine / corpus / IO dependency) so it can be imported
 * everywhere without cycles. The precision/promotion GATES that need the engine +
 * corpus live in `./rule-gates.ts`.
 *
 * NOTE(review): this is a declaration file with a source-map trailer, so it is
 * presumably compiler output; contract changes belong in the implementation
 * source, not here. The types below are erased at compile time, so they only
 * constrain TypeScript callers. Values read from rule files or configuration at
 * runtime still need the runtime checks declared at the bottom of this file.
 *
 * @module agent-threat-rules/quality/rule-contract
 */

/**
 * Canonical maturity ladder. The ONLY allowed values; producers must emit one.
 * Declared as a readonly tuple so `Maturity` can be derived from it instead of
 * being maintained as a second list.
 */
export declare const MATURITIES: readonly ["draft", "experimental", "test", "stable", "deprecated"];
/** Union of the literal values in `MATURITIES`. */
export type Maturity = (typeof MATURITIES)[number];

/**
 * Detection lanes. enforce=auto-block, alert=analyst/correlation, hunt=advisory.
 * `enforce` is the lane with direct blocking impact, which is why `laneAllows`
 * documents it as the most restricted one.
 */
export declare const LANES: readonly ["enforce", "alert", "hunt"];
/**
 * Union of the literal values in `LANES`. Compile-time only: a lane name that
 * arrives as a runtime string (config, CLI, API) should be checked against
 * `LANES` before it is passed to `laneAllows`.
 */
export type Lane = (typeof LANES)[number];

/** Allowed values for a rule's `confirm` field (require a second-stage confirm). */
export declare const CONFIRM_METHODS: readonly ["embedding"];
/** Union of the literal values in `CONFIRM_METHODS` (currently only "embedding"). */
export type ConfirmMethod = (typeof CONFIRM_METHODS)[number];

/**
 * Detection methods for which `confirm: embedding` is meaningful — content-matching
 * methods whose hit can be re-checked against attack-content similarity. `trace` and
 * `behavioral` are intentionally EXCLUDED: their signal is structural/temporal, not
 * content, so an embedding content-similarity confirm does not apply.
 *
 * No type alias is derived from this tuple in this file; `validateContract`
 * accepts `detection.method` as a plain `string`.
 */
export declare const CONFIRM_COMPATIBLE_METHODS: readonly ["pattern", "signature", "semantic"];

/**
 * Normalize a possibly-missing/empty/odd maturity to the canonical set.
 * Safe-fail: anything unrecognized becomes 'experimental' (so a rule-authoring
 * typo is treated as not-production, never silently reaching the enforce lane).
 *
 * Caveat for rule authors and reviewers: the fallback is safe with respect to
 * false-positive blocking, but it also works in the other direction. Per the lane
 * table documented on `laneAllows`, 'experimental' is admitted only by `hunt`, so
 * a misspelled `stable` takes the rule out of enforce and alert with no error from
 * this function. Run `validateContract` at load time so that coverage loss is
 * reported instead of absorbed.
 *
 * @param m - Raw maturity value; typed `unknown` so unvalidated input can be passed.
 * @returns A member of `MATURITIES`.
 */
export declare function normalizeMaturity(m: unknown): Maturity;

/**
 * Lane gate: may a rule of this maturity fire in this lane?
 *   enforce -> stable only                  (lowest FP; the auto-block lane)
 *   alert   -> stable + test                (analyst / correlation lane)
 *   hunt    -> all (except deprecated)      (advisory / eval; default)
 * Self-contained: a `deprecated` maturity never fires in ANY lane (it is retired),
 * so a consumer that calls this without the engine's status-skip can't misroute it.
 *
 * NOTE(review): `maturity` is typed `unknown`, so it is presumably normalized
 * internally with the same fallback as `normalizeMaturity` — confirm in the
 * implementation. The declaration does not show what happens if `lane` is not a
 * member of `LANES` at runtime; treat that as undefined and validate the lane
 * before calling.
 *
 * @param maturity - Raw or canonical maturity value of the rule.
 * @param lane - Lane the caller wants the rule to fire in.
 * @returns Whether the rule may fire in `lane`.
 */
export declare function laneAllows(maturity: unknown, lane: Lane): boolean;

/**
 * Does a rule require embedding-confirmation before it may fire in enforce/alert?
 *
 * NOTE(review): `confirm` is typed `unknown` and the declaration does not show how
 * a value outside `CONFIRM_METHODS` is treated here. Do not rely on this function
 * to reject a malformed `confirm`; `validateContract` is the declared place where
 * a bad value is reported.
 *
 * @param rule - Object carrying the rule's optional `confirm` field.
 * @returns Whether a second-stage confirm is required.
 */
export declare function requiresConfirm(rule: { confirm?: unknown; }): boolean;

/**
 * Structural validation of the contract-level fields (maturity + confirm).
 * Returns a list of human-readable errors (empty = valid). Schema validators and
 * the loader call this so an invalid maturity (e.g. the legacy `needs-human-poc`)
 * or a bad `confirm` value can no longer pass silently.
 *
 * The result is an array, and an empty array is truthy in JavaScript: callers must
 * test `errors.length === 0`, not the array itself, or every rule looks invalid
 * (or, with the condition inverted, every rule looks valid).
 *
 * NOTE(review): `detection.method` is accepted here, presumably so `confirm` can be
 * checked against `CONFIRM_COMPATIBLE_METHODS` — confirm in the implementation.
 *
 * @param rule - Object carrying the optional `maturity`, `confirm` and
 *   `detection.method` fields of a rule.
 * @returns Human-readable error strings; an empty array means the fields are valid.
 */
export declare function validateContract(rule: {
    maturity?: unknown;
    confirm?: unknown;
    detection?: {
        method?: string;
    };
}): string[];
//# sourceMappingURL=rule-contract.d.ts.map