m17hr1l 3f18e5aa8e stage-2: full pipeline — Classifyline → Sealine → Routeline → Courier → Ledger + mock CERT
Adds the end-to-end demo chain. PyNaCl sealed boxes implement the dossier's Model A
authority public-key encryption; SQLAlchemy ledger records every submission and every
policy-blocked route. Cockpit gains /ledger and an enriched case detail (sealed-package
card, routes panel, per-case audit). Mock CERT FastAPI app on :8770 stands in for the
real authority endpoints. `psyc demo` runs the whole chain on a fresh URLhaus row.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-14 13:44:43 +02:00

psyc

Validate the signal, protect the evidence, route only what each destination is authorized to receive, and prove every external action through an immutable ledger.

Defensive cyber-threat-intelligence routing & evidence-sealing platform. Built as a 48h hackathon project on 2026-05-13. Active development.


Architecture

Sensors
→ Scoutline      fetch, parse, dedup, signal
→ Proofline      validate indicators, score confidence
→ Mapline        resolve victim, actor, jurisdiction, CERT route
→ Classifyline   severity, TLP, incident type, internal class
→ Sealine        authority-sealed evidence encryption
→ Routeline      pick destinations, build payloads, submit
→ Ledgerline     immutable audit, receipts, outcomes
→ Publishline    sanitized public intelligence after mitigation
→ Trainline      lawful intel → LoRA-ready training data
→ Cockpit        operator UI (FastAPI + Jinja)

Each -line is a stage in a small-worker mesh; each worker performs one narrow job and passes a normalized Case object to the next stage. Heavy models are reserved for judgment-heavy tasks. Humans approve everything sensitive before it leaves the platform.

Full architecture: docs/dossier.md — consolidated read of the original individual records (still in docs/archive/).


Quick start

python3 -m virtualenv .venv
.venv/bin/pip install -e .

.venv/bin/psyc init                       # create the sqlite db
.venv/bin/psyc fetch-urlhaus --limit 50   # ingest a URLhaus pass
.venv/bin/psyc serve --port 8767          # cockpit at http://127.0.0.1:8767
.venv/bin/psyc status                     # count of ingested cases

Code layout

src/psyc/
  models.py          # normalized Case object (Pydantic)
  db.py              # SQLAlchemy Core; cases + ledger tables
  result.py          # Ok / Err / Result[T, E]
  log.py             # structlog configuration
  cli.py             # flat Typer commands
  lines/             # one file per worker line
    scout.py         # Fetcher + Signalizer (URLhaus today)
  cockpit/           # FastAPI + Jinja operator UI
    app.py
    templates/
    static/

docs/
  dossier.md         # full architecture (consolidated)
  style.md           # 12-fold Python style guide
  archive/           # original architecture docs + logo variants

Style

All code follows docs/style.md: Optional[X] / List[X] from typing, Field(default_factory=...) for Pydantic mutables, Result[T, E] types for expected failures (raise reserved for true exceptions), class X(str, Enum) for closed string sets, structlog with area.action event names, SQLAlchemy Core (no ORM), flat Typer commands with hyphenated names. Ruff config in pyproject.toml enforces the bits a linter can check; UP006/UP007/UP035 are disabled so the typing-import rules stand.


Scope

Lawful, white-hat defensive operations only. psyc routes intelligence to victims, CERT/CSIRTs, sector ISACs, provider/registrar abuse desks, and trusted CTI communities. It will not:

  • amplify stolen data
  • expose victims prematurely
  • interact with criminal actors
  • distribute exploitation content
  • submit evidence that exceeds a destination's max TLP

The boundaries are defined in docs/dossier.md §5 Destination Minimization, §10 TLP Enforcement, and §16 Public Reporting Rules. The Ledger records every external submission and destructive action; sensitive evidence is encrypted to authorized recipients via Sealine before any routing decision.
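
An added sketch (not psyc's own code) of the max-TLP gate and the ledger row written for every submission and every policy-blocked route, as described above. The destination names, their TLP ceilings, the rank comparison and the SHA-256 hash chain used to make ledger tampering detectable are assumptions for illustration; the README states only that the ledger lives in SQLAlchemy tables.

```python
import hashlib
import json
from enum import Enum
from typing import Dict, List

class TLP(str, Enum):  # TLP 2.0 labels, least to most restrictive
    CLEAR = "TLP:CLEAR"
    GREEN = "TLP:GREEN"
    AMBER = "TLP:AMBER"
    AMBER_STRICT = "TLP:AMBER+STRICT"
    RED = "TLP:RED"

RANK: Dict[TLP, int] = {tlp: i for i, tlp in enumerate(TLP)}
GENESIS = "0" * 64

# Hypothetical destinations and ceilings (assumption, not psyc's routing table).
DEST_MAX_TLP: Dict[str, TLP] = {
    "national-cert": TLP.AMBER_STRICT,
    "registrar-abuse": TLP.GREEN,
    "public-feed": TLP.CLEAR,
}

def _digest(prev: str, body: dict) -> str:
    # Each row commits to its predecessor's hash and its own canonical JSON body.
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

def append_entry(ledger: List[dict], body: dict) -> None:
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "body": body, "hash": _digest(prev, body)})

def route(case_id: str, case_tlp: TLP, ledger: List[dict]) -> List[str]:
    """Return destinations allowed to receive the case; log every decision."""
    allowed: List[str] = []
    for dest, max_tlp in DEST_MAX_TLP.items():
        ok = RANK[case_tlp] <= RANK[max_tlp]
        outcome = "submitted" if ok else "policy_blocked"
        append_entry(ledger, {"case": case_id, "dest": dest,
                              "tlp": case_tlp.value, "outcome": outcome})
        if ok:
            allowed.append(dest)
    return allowed

def verify(ledger: List[dict]) -> bool:
    """Recompute the chain; any edited or reordered row breaks it."""
    prev = GENESIS
    for row in ledger:
        if row["prev"] != prev or row["hash"] != _digest(prev, row["body"]):
            return False
        prev = row["hash"]
    return True
```

A chain like this only detects changes to rows that are still present; noticing a truncated tail needs the latest hash stored somewhere outside the ledger.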


Status

Day 2 of a 48h build. Stage 1 shipped (Scoutline → DB → Cockpit list & detail). Stage 2 next: Classifyline → Sealine (PyNaCl sealed boxes) → Routeline → mock CERT destination → Ledgerline writes + /ledger cockpit page.

License

Unset for the hackathon. Choose before any external release.

Description
Information psyops platform