Foundation section: 1. Title 2. Problem 3. Solution 4. Abstraction Advantage 5. Core Architecture Building incrementally to avoid write failures. https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU
6. 159 Platform Connectors (categories, examples) 7. STIX 2.1 ORM (6 object types with examples) 8. Unified Interface Contract (8 core methods) https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU
9. Ingest Pipeline (14 readers × 12 mappers → workspace) 10. Export Pipeline (filters → transforms → delivery) 11. Scheduling & Job Orchestration (FeedScheduler, job types, guarantees) https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU
12. AI Agents (LLMClient, ResearchAgent, ParsingAgent, trust model) 13. Natural Language Queries (BuiltinParser, ClaudeParser) 14. Research Library (3-tier: personal, staging, library with TTL) 15. Automated Report Generation (daily, trends, yearly) 16. Data Lineage & Analyst Metrics (audit trail, 9 metric types) https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU
17. Search Sidecar (Solr 9.x indexing) 18. TAXII 2.1 Server (full protocol) 19. STIX Pattern Validator (2-tier) 20. Health Monitoring (drift detection) 21. Capability Reflection (runtime introspection) 22. Terminal UI (Textual, F1-F6 screens) 23. Web Dashboard (FastAPI, X-Api-Key) https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU
24. XSOAR Content Pack Generator (codegen, 7-step contribution) 25. Docker Containerization (core + optional profiles) 26. Multi-Tenant Workspace Isolation (namespace prefixing) 27. Database Migrations (Alembic, 3 migrations) 28. Plugin System (GNATPlugin ABC, HookBus, 14 events) 29. Policy Engine RBAC (4 roles, STIXObjectValidator, audit) https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU
…-37) 30. Workflow DAG Engine (PhishingTriage, IncidentResponse) 31. AI Intel Review Queue (PENDING → APPROVED → PROMOTED) 32. Phase 4 - Safety & Control (ExecutionContext, domain boundaries, hypothesis engine) 33. Security & CI (GitHub Actions, Ruff, mypy, pytest, Dependabot, Snyk) 34. Implementation Sequence (6-phase rollout, days 1-14+) 35. Deployment Architecture (single Azure VM + scale-out patterns) 36. All Roadmap Items Complete (v1.9.0 shipped) 37. Closing slide Final deck: 37 slides, better-organized with logical flow: - Foundation (1-5) - Data & Connectors (6-8) - Pipelines & Orchestration (9-11) - Analysis & Enrichment (12-16) - Operations & Visibility (17-21) - Dashboards & UX (22-23) - Advanced Features (24-29) - Workflows & Safety (30-32) - Rollout & Roadmap (33-36) - Closing (37) https://claude.ai/code/session_01FUJQyGdWpZSgYkW1Xb95gU
Pull request overview
Updates the GNAT Reveal.js presentation deck under docs/ to reflect an expanded, reorganized “live presentation” narrative and increased slide count.
Changes:
- Expands the deck from 33 to 37 slides and reorganizes content into labeled sections (foundation, pipelines, operations, advanced features, etc.).
- Rewrites/extends many slides with more detailed feature descriptions, examples, and CLI/API callouts.
- Tweaks styling/structure (e.g., removes `.slides` background rule and cleans up spacing/comments).
| <p style="font-size: 0.85em;"><strong>SourceReader</strong> (14 types) → <strong>RecordMapper</strong> (12 types) → <strong>Workspace</strong></p> | ||
| <ul style="font-size: 0.8em; margin-top: 1em;"> | ||
| <li><strong>Readers:</strong> PlainText, CSV, JSON, JSONL, STIX Bundle, TAXII, SQL, MISP, Syslog, RSS, Email, OpenIOC, Splunk, Elastic, Kafka</li> | ||
| <li><strong>Mappers:</strong> FlatIOC, STIXPassthrough, MISP, CEF, SQLRow, CSV, RSSEntry, Email, OpenIOC, Splunk, Elastic, NVD CVE, Telemetry</li> | ||
| <li><strong>Processing:</strong> Deduplication, confidence scoring, x_target_sectors normalization, TTL tracking</li> |
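Review bot: In the first line of this hunk the counts do not match the lists under it: "SourceReader (14 types)" sits above a Readers item that names 15 entries (PlainText through Kafka), and "RecordMapper (12 types)" sits above a Mappers item that names 13 (FlatIOC through Telemetry). Correct the two numbers or trim the lists so the slide makes a single claim, and consider stating each figure only once so the summary line and the list cannot drift apart again.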
The ingest pipeline summary says "SourceReader (14 types)" and "RecordMapper (12 types)", but the bullet lists include more items than those counts (e.g., Readers list includes Kafka, and Mappers list includes NVD CVE/Telemetry). Either adjust the counts or trim the lists so they match.
| <ul style="font-size: 0.8em; margin-top: 1em;"> | ||
| <li><strong>Baseline deployment (single VM):</strong> gnat-scheduler.service (FeedScheduler: ingest, export, AI research, curation, reports) · gnat-edl.service :8080 (EDLServer: independent, survives scheduler restart) · gnat-health.service :8090 (Health endpoint: GET /status → JSON, Azure Monitor/Grafana ping)</li> | ||
| <li><strong>Storage:</strong> ~/.gnat/config.ini · workspaces/ (SQLite or Postgres) · /var/reports/ (PDF/DOCX output)</li> | ||
| <li><strong>Scale-out patterns:</strong> 100+ feeds → AI jobs → Azure Container Instances. EDL SLA <5 min → dedicate B1s VM to gnat-edl. 10+ analysts → FlatFileStore → PostgreSQL (one config change). Multi-tenant → 1 workspace namespace per tenant, shared codebase.</li> |
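Review bot: The baseline-deployment item names two listening ports, gnat-edl.service :8080 and gnat-health.service :8090 with GET /status, but says nothing about which interface they bind to or whether requests are authenticated. Since this slide serves as the deployment reference, add a short clause stating the intended exposure of each service (for example loopback or private subnet only, or an API key requirement) so a reader does not assume the ports can simply be opened on the VM.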
The text `EDL SLA <5 min` contains a raw `<` inside an HTML text node, which will be parsed as the start of a tag and can break rendering of the rest of the list item. Escape it (e.g., `&lt;5`) so the slide renders consistently.
| <li><strong>Scale-out patterns:</strong> 100+ feeds → AI jobs → Azure Container Instances. EDL SLA <5 min → dedicate B1s VM to gnat-edl. 10+ analysts → FlatFileStore → PostgreSQL (one config change). Multi-tenant → 1 workspace namespace per tenant, shared codebase.</li> | |
| <li><strong>Scale-out patterns:</strong> 100+ feeds → AI jobs → Azure Container Instances. EDL SLA <5 min → dedicate B1s VM to gnat-edl. 10+ analysts → FlatFileStore → PostgreSQL (one config change). Multi-tenant → 1 workspace namespace per tenant, shared codebase.</li> |
| <li><code>get_object(stix_id)</code> — Fetch one object</li> | ||
| <li><code>list_objects(stix_type, limit, offset)</code> — Paginated results</li> | ||
| <li><code>upsert_object(stix_obj)</code> — Create or update</li> | ||
| <li><code>delete_object(stix_id)</code> — Soft or hard delete</li> |
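Review bot: On the delete_object line the description reads "Soft or hard delete", but the signature shown has no argument that selects between the two, so the slide leaves the default behaviour undefined. State which mode is the default and how a caller requests the other; on a contract slide this matters because a hard delete removes the object that a later audit or lineage lookup would refer to.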
This slide claims a uniform connector method signature, but the listed signatures don't match the actual connector contract (e.g., get_object/delete_object take stix_type + object_id, and list_objects uses filters/page/page_size). Since the slide is presenting this as an API contract, update the method names/parameters to match the codebase to avoid misleading users.
| <li><code>get_object(stix_id)</code> — Fetch one object</li> | |
| <li><code>list_objects(stix_type, limit, offset)</code> — Paginated results</li> | |
| <li><code>upsert_object(stix_obj)</code> — Create or update</li> | |
| <li><code>delete_object(stix_id)</code> — Soft or hard delete</li> | |
| <li><code>get_object(stix_type, object_id)</code> — Fetch one object</li> | |
| <li><code>list_objects(filters, page, page_size)</code> — Paginated results</li> | |
| <li><code>upsert_object(stix_obj)</code> — Create or update</li> | |
| <li><code>delete_object(stix_type, object_id)</code> — Soft or hard delete</li> |