Mirror/intercept
1
0
Fork 0
mirror of https://github.com/smittix/intercept.git synced 2026-04-26 15:50:00 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
b628a5f751c626f336028df8f84adcb5a6338797
intercept/docs/PROFESSIONAL_OPS_MVP.md
Smittix b628a5f751 Add drone ops mode and retire DMR support
2026-02-20 17:02:16 +00:00

193 lines
11 KiB
Markdown
Raw Blame History

# Professional Ops + Drone Capability Matrix (MVP)
This plan enables full professional capability (passive, active testing, and evidence workflows) while keeping strict authorization, approvals, and auditability.
## 1) Capability Matrix (Feature Availability)
| Capability | Passive (Observe) | Active (Controlled Test) | Evidence / Audit | Reuse in Current Codebase | MVP Build Additions |
|---|---|---|---|---|---|
| Drone detection and classification | Detect likely drone entities from WiFi/BLE/RF metadata | Trigger controlled test sessions to validate detector quality | Store detections with source, confidence, and timestamps | `/wifi/v2/*`, `/api/bluetooth/*`, `/subghz/*`, `utils/tscm/detector.py` | New detector adapters in `utils/drone/` and aggregation API |
| Remote ID intelligence | Parse and display drone/operator identifiers and telemetry | Run controlled replay/simulation inputs for validation | Persist decoded records and parser provenance | `routes/wifi_v2.py`, `routes/bluetooth_v2.py`, `utils/event_pipeline.py` | `utils/drone/remote_id.py`, `/drone-ops/remote-id/*` endpoints |
| C2 and video link analysis | Identify likely C2/video channels and protocol patterns | Controlled injection/exercise mode for authorized ranges | Save link assessments and confidence history | `routes/listening_post.py`, `routes/subghz.py`, `static/js/components/signal-guess.js` | `utils/drone/link_analysis.py`, `/drone-ops/links/*` |
| Multi-agent geolocation | Estimate emitter/drone position from distributed observations | Active test mode to validate location solver error bounds | Capture estimate history with confidence ellipse | `routes/controller.py` location endpoints | `/drone-ops/geolocate/*` wrapper over controller location APIs |
| Operator/drone correlation | Correlate drone, operator, and nearby device candidates | Active proximity probes in controlled tests | Store correlation graph and confidence deltas | `/correlation`, `/analytics/target`, TSCM identity clustering | `utils/drone/correlation.py`, `/drone-ops/correlations/*` |
| Geofence and rules | Alert on zone breach and route/altitude anomalies | Zone-based active scenario testing | Immutable breach timeline and alert acknowledgements | `utils/geofence.py`, `/analytics/geofences`, `/alerts/*` | Drone-specific alert templates and rule presets |
| Incident command workflow | Build incident timeline from detections/alerts/tracks | Execute approved active tasks per playbook | Case package with linked artifacts and operator notes | TSCM cases and notes in `routes/tscm.py`, `utils/database.py` | Drone case types + incident board UI in Drone Ops mode |
| Replay and reporting | In-app replay of full incident event stream | Replay active test sessions for after-action review | Export signed package (JSONL + summary + hashes) | `/recordings/*`, Analytics replay UI, TSCM report generation | Evidence manifest + integrity hashing + chain-of-custody log |
| Active action controls | N/A | Full active actions available when armed/approved | Every action requires explicit reason and audit record | Existing active surfaces in `/wifi/deauth`, `/subghz/transmit` | Approval workflow (`two-person`) + command gate middleware |
| Access control and approvals | Role-based read access | Role + arming + approval enforced per action class | Full action audit trail with actor, approver, and case ID | `users.role` and session role in `app.py` | `utils/authz.py`, approval/audit tables, route decorators |
## 2) Architecture Mapping to Existing Routes/UI
## Backend routes to reuse directly
- Detection feeds:
- `routes/wifi_v2.py` (`/wifi/v2/stream`, `/wifi/v2/networks`, `/wifi/v2/clients`, `/wifi/v2/probes`)
- `routes/bluetooth_v2.py` (`/api/bluetooth/stream`, `/api/bluetooth/devices`)
- `routes/subghz.py` (`/subghz/stream`, receive/decode status)
- Correlation and analytics:
- `routes/correlation.py`
- `routes/analytics.py` (`/analytics/target`, `/analytics/patterns`, `/analytics/geofences`)
- Multi-agent geolocation:
- `routes/controller.py` (`/controller/api/location/estimate`, `/controller/api/location/observe`, `/controller/api/location/all`)
- Alerts and recording:
- `routes/alerts.py` and `utils/alerts.py`
- `routes/recordings.py` and `utils/recording.py`
- Shared pipeline in `utils/event_pipeline.py`
- Case and reporting substrate:
- `routes/tscm.py` (`/tscm/cases`, `/tscm/report/pdf`, playbooks)
- TSCM persistence in `utils/database.py`
## New backend module for MVP
- Add `routes/drone_ops.py` with URL prefix `/drone-ops`.
- Add `utils/drone/` package:
- `aggregator.py` (normalize events from WiFi/BLE/RF)
- `remote_id.py` (parsers + confidence attribution)
- `link_analysis.py` (C2/video heuristics)
- `geo.py` (adapter to controller location estimation)
- `policy.py` (arming, approval, role checks)
## Frontend integration points
- Navigation:
- `templates/partials/nav.html` add `droneops` entry (Intel group).
- Mode panel:
- `templates/partials/modes/droneops.html`
- `static/js/modes/droneops.js`
- `static/css/modes/droneops.css`
- Main mode loader wiring:
- `templates/index.html` for new panel include + script/css registration.
- Cross-mode widgets:
- Reuse `static/js/components/signal-cards.js`, `timeline-heatmap.js`, `activity-timeline.js`.
## 3) Proposed MVP API Surface (`/drone-ops`)
| Endpoint | Method | Purpose |
|---|---|---|
| `/drone-ops/status` | `GET` | Health, active session, arming state, policy snapshot |
| `/drone-ops/session/start` | `POST` | Start passive/active Drone Ops session with metadata |
| `/drone-ops/session/stop` | `POST` | Stop session and finalize summary |
| `/drone-ops/detections` | `GET` | Current detection list with filters |
| `/drone-ops/stream` | `GET` (SSE) | Unified live stream (detections, tracks, alerts, approvals) |
| `/drone-ops/remote-id/decode` | `POST` | Decode submitted frame payload (test and replay support) |
| `/drone-ops/tracks` | `GET` | Track list and selected track history |
| `/drone-ops/geolocate/estimate` | `POST` | Request geolocation estimate from distributed observations |
| `/drone-ops/correlations` | `GET` | Drone/operator/device correlation graph |
| `/drone-ops/incidents` | `POST` / `GET` | Create/list incidents |
| `/drone-ops/incidents/<id>` | `GET` / `PUT` | Incident detail and status updates |
| `/drone-ops/incidents/<id>/artifacts` | `POST` | Attach notes, detections, tracks, alerts, recordings |
| `/drone-ops/actions/arm` | `POST` | Arm active action plane with reason + case/incident ID |
| `/drone-ops/actions/request` | `POST` | Submit active action requiring approval policy |
| `/drone-ops/actions/approve/<id>` | `POST` | Secondary approval (if required) |
| `/drone-ops/actions/execute/<id>` | `POST` | Execute approved action via gated dispatcher |
## 4) Data Model Additions (SQLite, MVP)
Add to `utils/database.py`:
- `drone_sessions`
- `id`, `started_at`, `stopped_at`, `mode` (`passive`/`active`), `operator`, `metadata`
- `drone_detections`
- `id`, `session_id`, `first_seen`, `last_seen`, `source`, `identifier`, `confidence`, `payload_json`
- `drone_tracks`
- `id`, `detection_id`, `timestamp`, `lat`, `lon`, `altitude_m`, `speed_mps`, `heading_deg`, `quality`
- `drone_correlations`
- `id`, `drone_identifier`, `operator_identifier`, `method`, `confidence`, `evidence_json`, `created_at`
- `drone_incidents`
- `id`, `title`, `status`, `severity`, `opened_by`, `opened_at`, `closed_at`, `summary`
- `drone_incident_artifacts`
- `id`, `incident_id`, `artifact_type`, `artifact_ref`, `added_by`, `added_at`, `metadata`
- `action_requests`
- `id`, `incident_id`, `action_type`, `requested_by`, `requested_at`, `status`, `payload_json`
- `action_approvals`
- `id`, `request_id`, `approved_by`, `approved_at`, `decision`, `notes`
- `action_audit_log`
- `id`, `request_id`, `event_type`, `actor`, `timestamp`, `details_json`
- `evidence_manifests`
- `id`, `incident_id`, `created_at`, `hash_algo`, `manifest_json`, `signature`
Note: existing `recording_sessions` and `alert_events` remain the primary event substrate; drone tables link to those records for case assembly.
## 5) Authorization and Arming Model (All Features Available)
All features remain implemented and reachable in code. Execution path depends on policy state.
- Roles (extend `users.role` semantics):
- `viewer`: read-only
- `analyst`: passive + evidence operations
- `operator`: passive + active request submission
- `supervisor`: approval authority
- `admin`: full control + policy management
- Active command state machine:
- `DISARMED` (default): active commands denied
- `ARMED` (time-bound): request creation allowed with incident ID and reason
- `APPROVED`: dual-approval actions executable
- `EXECUTED`: immutable audit records written
- Enforcement:
- Add decorators in `utils/authz.py`:
- `@require_role(...)`
- `@require_armed`
- `@require_two_person_approval`
## 6) MVP Delivery Plan (6 Weeks)
## Phase 0 (Week 1): Scaffolding
- Add `routes/drone_ops.py` blueprint and register in `routes/__init__.py`.
- Add `utils/drone/` package with aggregator skeleton.
- Add Drone Ops UI placeholders (`droneops.html`, `droneops.js`, `droneops.css`) and nav wiring.
- Add DB migration/create statements for drone tables.
Exit criteria:
- Drone Ops mode loads, API health endpoint returns, empty-state UI renders.
## Phase 1 (Weeks 1-2): Passive Drone Ops
- Unified ingest from WiFi/BLE/SubGHz streams.
- Detection cards, live timeline, map tracks, geofence alert hooks.
- Remote ID decode endpoint and parser confidence model.
- Alert rule presets for drone intrusions.
Exit criteria:
- Passive session can detect/classify, map updates in real time, alerts generated.
## Phase 2 (Weeks 3-4): Correlation + Geolocation + Incident Workflow
- Correlation graph (drone/operator/nearby device candidates).
- Multi-agent geolocation adapter using controller location endpoints.
- Incident creation and artifact linking.
- Replay integration using existing recordings/events APIs.
Exit criteria:
- Operator can open incident, attach artifacts, replay key timeline, export preliminary report.
## Phase 3 (Weeks 5-6): Active Actions + Evidence Integrity
- Arming and approval workflows (`action_requests`, `action_approvals`).
- Active action dispatcher with role/policy checks.
- Evidence manifest export with hashes and chain-of-custody entries.
- Audit dashboards for who requested/approved/executed.
Exit criteria:
- Active commands require approvals, all operations are auditable and exportable.
## 7) Immediate Build Backlog (First Sprint)
1. Create `routes/drone_ops.py` with `status`, `session/start`, `session/stop`, `stream`.
2. Add drone tables in `utils/database.py` and lightweight DAO helpers.
3. Add mode shell UI files and wire mode into `templates/index.html` and `templates/partials/nav.html`.
4. Implement aggregator wiring to existing WiFi/BT/SubGHz feeds via `utils/event_pipeline.py`.
5. Add `actions/arm` endpoint with role + incident requirement and TTL-based disarm.
6. Add baseline tests:
- `tests/test_drone_ops_routes.py`
- `tests/test_drone_ops_policy.py`
- `tests/test_drone_ops_remote_id.py`
## 8) Risk Controls
- False attribution risk: every correlation/geolocation output carries confidence and evidence provenance.
- Policy bypass risk: active command execution path only through centralized dispatcher.
- Evidence integrity risk: hash all exported artifacts and include manifest references.
- Operational safety risk: require explicit incident linkage and arming expiration.
Reference in New Issue View Git Blame Copy Permalink