From afba077f6ffa027b4bf08d075ef0ec5a2d7575d7 Mon Sep 17 00:00:00 2001
From: m17hr1l <m17hr1l@wehackforyou.com>
Date: Sun, 17 May 2026 23:45:55 +0200
Subject: [PATCH] stage-4: ioc_extraction includes CVE-only cases

The ExampleBuilder guard checked urls/domains/ips/hashes but not cves, so
CISA KEV cases (CVE is their only observable) were silently dropped from the
ioc_extraction dataset. Now they produce CVE-extraction examples.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 src/psyc/lines/train.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/psyc/lines/train.py b/src/psyc/lines/train.py
index 1a534e0..0ebadd7 100644
--- a/src/psyc/lines/train.py
+++ b/src/psyc/lines/train.py
@@ -62,7 +62,7 @@ class DatasetReport(BaseModel):
 
 def _ex_ioc_extraction(case: Case) -> Optional[Example]:
     obs = case.observables
-    if not (obs.urls or obs.domains or obs.ips or obs.hashes):
+    if not (obs.urls or obs.domains or obs.ips or obs.hashes or obs.cves):
         return None
     threat = case.source_metadata.get("threat", "malware")
     tags = case.source_metadata.get("tags", "")