saas-dr: phase 3 detection packs scaffolding by dcoln25-writer · Pull Request #158 · writer/aperio

dcoln25-writer · 2026-06-17T07:11:04Z

Why

Phase 3 of the SaaS DR pivot is curated, versioned detection packs. Today the worker has 16 built-in rules in a flat catalog. Operators have no way to reason about coverage in bundles ("what does Aperio detect on Google Workspace for mailbox exfiltration?") and no way to pivot from a finding to MITRE ATT&CK context.

What

DetectionPack model in internal/ingestionworker/detection_packs.go with 6 initial packs (GitHub core, Slack core, Okta core, Google Workspace identity / mail / drive). Each pack carries a stable id, semver version, provider, and analyst-facing description.
RuleCatalogEntry extension: PackID, MitreTechniques, Intent, Tags. All 16 existing rules backfilled with MITRE ATT&CK mappings (e.g. T1078.004, T1098.003, T1556.006, T1530, T1114.003), attacker-intent statements, and canonical cross-provider tags from tags.go.
ListDetectionPacks Connect RPC with an optional provider filter, Go handler in internal/bootstrap/detection_packs.go, TS client wrapper, and fetchDetectionPacks on apps/web/lib/api.ts.
Tests pin pack registry shape (semver, unique ids, known providers), rule-to-pack linkage, MITRE technique id shape, canonical-tag membership, rules-in-pack ordering, and end-to-end proto hydration.

What is NOT in this PR (intentional)

The 3 new detections originally drafted (github.branch_protection_disabled, slack.external_user_added_to_private_channel, google_workspace.mass_drive_download) are deferred to saas-dr: phase 3 expansion - new detections with TS-parity fixtures #157 so they ship with full TS-parity fixtures and matrix entries.
Phase 2 nice-to-haves moved to saas-dr: AddFindingToSaasIncident / RemoveFindingFromSaasIncident RPCs #151 saas-dr: UpdateSaasIncident RPC for assignee, owner team, summary, severity #152 saas-dr: user-authored note timeline events on SaaS incidents #153 saas-dr: CancelSaasResponseAction to revoke a proposed action #154 saas-dr: SLA breach reactor and timeline event #155 saas-dr: dashboard widget surfacing SaaS incident counts and recent activity #156.
No UI changes yet; the catalog page consuming fetchDetectionPacks is the natural next step.

Validation

go test ./... green
npm run guardrails:migration green (156 tests)
npm run test:api green (156 tests)
node_modules/.bin/tsc -p tsconfig.json --noEmit green
npm run proto:check green
npm run db:validate green
npx next build apps/web green

Closes the scaffolding scope of Phase 3.
Follow-ups: saas-dr: phase 3 expansion - new detections with TS-parity fixtures #157 (new detections), saas-dr: AddFindingToSaasIncident / RemoveFindingFromSaasIncident RPCs #151-saas-dr: dashboard widget surfacing SaaS incident counts and recent activity #156 (Phase 2 nice-to-haves).

Introduces a versioned detection-pack model that groups built-in rules into curated bundles per provider, so operators can reason about Aperio's SaaS detection coverage in coherent chunks instead of a flat toggle list. - New DetectionPack type and registry in internal/ingestionworker with 6 initial packs across GitHub, Slack, Okta, and Google Workspace (identity, mail, drive). - RuleCatalogEntry extended with PackID, MitreTechniques, Intent, and Tags. All 16 existing rules backfilled with MITRE ATT&CK mappings, attacker-intent statements, and canonical cross-provider tags. - New ListDetectionPacks Connect RPC with provider filter, Go handler in internal/bootstrap, TypeScript client wrapper, and fetchDetectionPacks on apps/web/lib/api.ts. - Tests pin pack-registry shape (semver, unique ids, known providers), catalog-to-pack linkage, MITRE id shape, canonical-tag membership, rules-in-pack ordering, and proto hydration. New evaluators (github.branch_protection_disabled, slack.external_user_added_to_private_channel, google_workspace.mass_drive_download) are tracked separately in #157 and will ship with their TS-parity fixtures. Phase 2 nice-to-haves moved to follow-ups: #151 (link/unlink findings), #152 (UpdateSaasIncident), #153 (note timeline events), #154 (CancelSaasResponseAction), #155 (SLA breach reactor), #156 (dashboard incidents widget). Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

github-actions · 2026-06-17T07:11:42Z

Droid finished @dcoln25-writer's task —— View job

Solid scaffolding for the Phase 3 detection-pack model: the registry shape, MITRE backfill, proto/Connect wiring, and test coverage are all well-structured. Three minor issues to address: a dead-code nil-guard in the Connect handler that misrepresents the framework contract, a documentation-contract mismatch in RulesInPack (says "returns nil" but returns an empty slice), and pack descriptions that advertise threat coverage the current rule catalog does not yet provide.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

github-actions · 2026-06-17T07:53:54Z

Droid encountered an error —— View job

Droid is reviewing code and running a security check…

Pack descriptions are analyst-facing capability statements per the DetectionPack doc comment, so they cannot claim coverage that does not yet ship. Trim three packs to match only the rules backing them in this PR; the deferred detections in #157 will reintroduce the broader coverage language when they land. Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

github-actions · 2026-06-17T07:58:55Z

Droid finished @dcoln25-writer's task —— View job

The detection-pack scaffolding is well-structured: registry shape, MITRE backfill, proto/Connect wiring, and test coverage are all solid, and the latest commit correctly trimmed the drive, slack, and github pack descriptions that the prior review flagged. One description oversight remains: the aperio.google_workspace.mail.v1 pack still advertises "send-as" as an independent detection capability, but no standalone send-as rule exists -- only the combo rule fires when all three conditions are present simultaneously.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

github-actions · 2026-06-17T08:09:19Z

Droid finished @dcoln25-writer's task —— View job

The detection-pack scaffolding is well-structured overall: the registry shape, proto wiring, Connect handler, and TypeScript client are all correct, and all three previously flagged issues (nil guard, RulesInPack doc comment, and pack description over-claims) have been addressed. Two issues remain: a MITRE technique misassignment (T1556.003 -- Linux PAM -- used for a Google Workspace recovery-email rule) and four catalog Tags entries that under-report relative to the tags the same rules' evaluators actually emit at runtime, which will cause silent gaps in any tag-based catalog filtering once the UI is built.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

github-actions · 2026-06-17T08:25:06Z

Droid finished @dcoln25-writer's task —— View job

All issues from prior review rounds have been resolved: the nil guard dead code, RulesInPack doc comment contract, three pack description over-claims, the mail pack send-as false claim, the T1556.003 MITRE misassignment, and the risky_oauth_grant tag under-reporting are all fixed in HEAD. One new catalog-vs-evaluator tag mismatch was found: google_workspace.external_sharing_enabled declares only TagDataExternalShare in the catalog but the worker evaluator emits both TagDataExternalShare and TagPolicyWeakened, causing ListDetectionPacks to under-report this rule's tags. No security vulnerabilities were found in the new ListDetectionPacks RPC or related code paths.

factory-droid

Reviewed the detection-packs scaffolding. The implementation is well-structured and all new fields (PackID, MitreTechniques, Intent, Tags) are consistently populated. One blocking issue: detection_packs_test.go has two extra trailing blank lines that fail the gofmt CI check. Everything else — the proto definition, the Go handler, the connect-TS client, and the test coverage — looks correct.

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

github-actions · 2026-06-17T08:43:19Z

Droid finished @dcoln25-writer's task —— View job

The detection-pack scaffolding is well-structured and all issues from prior review rounds have been addressed. Three concrete evaluator-vs-catalog tag mismatches remain in the mail pack rules (email_forwarding_enabled, mailbox_delegation_granted, and forwarding_delegate_send_as_combo all emit additional tags at runtime that the catalog does not declare), and the MITRE technique assignment for github.public_repository_created is incorrect (T1213 is a Collection-phase read technique; T1567.001 correctly covers exfiltration to a code repository).

Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>

github-actions · 2026-06-17T19:02:21Z

Droid finished @dcoln25-writer's task —— View job

All issues raised in prior review rounds have been resolved at HEAD: the Connect handler nil-guard dead code, the RulesInPack doc-comment contract, all pack description over-claims, the T1556.003/T1213 MITRE misassignments, and every catalog-vs-evaluator tag mismatch are fixed. The detection-pack scaffolding, proto wiring, TypeScript client, and test coverage are all correct. No new issues found; no security vulnerabilities identified in the new ListDetectionPacks RPC.

github-actions · 2026-06-17T19:28:03Z

Droid finished @dcoln25-writer's task —— View job

LGTM — no issues found. All items raised in prior review rounds (nil-guard dead code, RulesInPack doc comment, pack description over-claims, T1556.003/T1213 MITRE misassignments, and catalog-vs-evaluator tag mismatches) are resolved at HEAD. The detection-pack scaffolding, proto/Connect wiring, TypeScript client, and test coverage are all correct, and no security vulnerabilities were identified in the new ListDetectionPacks RPC.

github-actions · 2026-06-17T22:47:40Z

Droid finished @dcoln25-writer's task —— View job

LGTM — no issues found. The detection-pack scaffolding, proto/Connect wiring, TypeScript client, and test coverage are all correct at HEAD. All issues from prior review rounds (nil-guard dead code, RulesInPack doc comment, pack description over-claims, T1556.003/T1213 MITRE misassignments, and catalog-vs-evaluator tag mismatches) remain resolved, and no new correctness or security vulnerabilities were identified in the new ListDetectionPacks RPC.