adler-core 0.14.0

Core engine for the Adler OSINT username-search tool.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296

//! Normalized profile evidence collected from a positive result.
//!
//! The legacy `CheckOutcome::evidence` field records human-readable signal
//! matches such as `HTTP 200 (status_found)`. This module is the product
//! layer above that: typed profile facts that can later feed confidence,
//! identity clustering, timelines, and reports.

use serde::{Deserialize, Serialize};

use crate::escalation::TransportTier;

/// A normalized fact observed on a profile or profile-like endpoint.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct ProfileEvidence {
    /// What kind of profile fact this is.
    pub kind: ProfileEvidenceKind,
    /// Original extractor/enrichment field name, when one exists.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub field: Option<String>,
    /// Cleaned observed value.
    pub value: String,
    /// Where this fact came from.
    pub source: EvidenceSource,
}

/// Profile evidence categories that higher-level analysis can reason over.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum ProfileEvidenceKind {
    /// Exact username value confirmed by a site-authored detection signal.
    Username,
    /// A displayed human name.
    DisplayName,
    /// Profile biography or description text.
    Bio,
    /// Avatar or profile image URL.
    AvatarUrl,
    /// External website or social link.
    ExternalLink,
    /// Location-like profile field.
    Location,
    /// Account creation or joined date.
    JoinedDate,
    /// HTML/profile title.
    ProfileTitle,
    /// Meta/OpenGraph/Twitter description.
    MetaDescription,
    /// Field that does not yet map to a richer category.
    ExtractedField,
}

/// Source metadata attached to every normalized evidence item.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct EvidenceSource {
    /// Site name that produced the result.
    pub site: String,
    /// Concrete profile URL that was probed.
    pub url: String,
    /// Which Adler subsystem produced the fact.
    pub origin: EvidenceOrigin,
    /// Unix epoch milliseconds when Adler observed this fact. Missing on
    /// older persisted scans and on manually-built evidence.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub observed_at_ms: Option<u64>,
    /// Coarse, non-secret access context for the probe that produced this
    /// evidence. Deliberately excludes session names, proxy URLs, header
    /// values, and egress identifiers.
    #[serde(default, skip_serializing_if = "Option::is_none")]
    pub access_path: Option<EvidenceAccessPath>,
}

/// Non-secret access context for an evidence item.
#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
pub struct EvidenceAccessPath {
    /// Transport that produced the response.
    pub transport: TransportTier,
    /// Whether the result came from an automatic retry through a heavier
    /// transport.
    #[serde(default, skip_serializing_if = "is_false")]
    pub escalated: bool,
    /// Whether an operator-supplied authenticated session was applied.
    #[serde(default, skip_serializing_if = "is_false")]
    pub authenticated: bool,
    /// Reserved for future evidence types that record a missing session as
    /// evidence. Extracted profile evidence should normally leave this false.
    #[serde(default, skip_serializing_if = "is_false")]
    pub session_required: bool,
}

impl EvidenceAccessPath {
    /// Build a non-secret access summary from the live probe path.
    #[must_use]
    pub const fn new(transport: TransportTier, escalations: u8, authenticated: bool) -> Self {
        Self {
            transport,
            escalated: escalations > 0,
            authenticated,
            session_required: false,
        }
    }
}

/// Adler subsystem that produced an evidence item.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum EvidenceOrigin {
    /// Evidence came from a detection signal that matched the concrete probe.
    Signal,
    /// Evidence came from a registry extractor rule.
    Extractor,
}

impl ProfileEvidence {
    /// Build normalized evidence from a legacy enrichment field.
    #[must_use]
    pub fn from_enrichment(site: &str, url: &str, field: &str, value: &str) -> Self {
        Self::from_enrichment_with_source(site, url, field, value, None, None)
    }

    /// Build normalized evidence from a live enrichment field with optional
    /// observation/access metadata.
    #[must_use]
    pub fn from_enrichment_with_source(
        site: &str,
        url: &str,
        field: &str,
        value: &str,
        observed_at_ms: Option<u64>,
        access_path: Option<EvidenceAccessPath>,
    ) -> Self {
        Self {
            kind: ProfileEvidenceKind::from_field(field),
            field: Some(field.to_owned()),
            value: value.to_owned(),
            source: EvidenceSource {
                site: site.to_owned(),
                url: url.to_owned(),
                origin: EvidenceOrigin::Extractor,
                observed_at_ms,
                access_path,
            },
        }
    }

    /// Build exact username evidence from a signal that matched the concrete
    /// probed username.
    #[must_use]
    pub fn from_signal_username(
        site: &str,
        url: &str,
        username: &str,
        observed_at_ms: Option<u64>,
        access_path: Option<EvidenceAccessPath>,
    ) -> Self {
        Self {
            kind: ProfileEvidenceKind::Username,
            field: None,
            value: username.to_owned(),
            source: EvidenceSource {
                site: site.to_owned(),
                url: url.to_owned(),
                origin: EvidenceOrigin::Signal,
                observed_at_ms,
                access_path,
            },
        }
    }
}

impl ProfileEvidenceKind {
    /// Map a registry enrichment field name to a normalized evidence kind.
    #[must_use]
    pub fn from_field(field: &str) -> Self {
        match field {
            "name" | "display_name" | "fullname" | "full_name" => Self::DisplayName,
            "bio" | "description" => Self::Bio,
            "avatar" | "avatar_url" | "image" | "profile_image" => Self::AvatarUrl,
            "website" | "url" | "link" | "external_url" => Self::ExternalLink,
            "location" => Self::Location,
            "joined" | "created" | "created_at" | "join_date" => Self::JoinedDate,
            "title" => Self::ProfileTitle,
            "meta_description" | "og_description" => Self::MetaDescription,
            _ => Self::ExtractedField,
        }
    }
}

#[allow(clippy::trivially_copy_pass_by_ref)]
fn is_false(value: &bool) -> bool {
    !*value
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn maps_common_enrichment_fields_to_profile_evidence_kinds() {
        assert_eq!(
            ProfileEvidenceKind::from_field("name"),
            ProfileEvidenceKind::DisplayName
        );
        assert_eq!(
            ProfileEvidenceKind::from_field("avatar"),
            ProfileEvidenceKind::AvatarUrl
        );
        assert_eq!(
            ProfileEvidenceKind::from_field("website"),
            ProfileEvidenceKind::ExternalLink
        );
        assert_eq!(
            ProfileEvidenceKind::from_field("custom"),
            ProfileEvidenceKind::ExtractedField
        );
    }

    #[test]
    fn serializes_profile_evidence_as_snake_case_wire_data() {
        let ev =
            ProfileEvidence::from_enrichment("GitHub", "https://github.com/alice", "name", "Alice");
        let json = serde_json::to_value(&ev).unwrap();
        assert_eq!(json["kind"], "display_name");
        assert_eq!(json["field"], "name");
        assert_eq!(json["source"]["origin"], "extractor");
        assert!(json["source"].get("observed_at_ms").is_none());
        assert!(json["source"].get("access_path").is_none());
    }

    #[test]
    fn signal_username_evidence_serializes_as_signal_origin_without_field() {
        let ev = ProfileEvidence::from_signal_username(
            "GitLab",
            "https://gitlab.com/api/v4/users?username=alice",
            "alice",
            Some(123),
            Some(EvidenceAccessPath::new(TransportTier::Http, 0, false)),
        );

        let json = serde_json::to_value(&ev).unwrap();
        assert_eq!(json["kind"], "username");
        assert_eq!(json["value"], "alice");
        assert!(json.get("field").is_none());
        assert_eq!(json["source"]["origin"], "signal");
        assert_eq!(json["source"]["observed_at_ms"], 123);
        assert_eq!(json["source"]["access_path"]["transport"], "http");
    }

    #[test]
    fn old_profile_evidence_json_defaults_missing_source_metadata() {
        let raw = r#"{
            "kind": "display_name",
            "field": "name",
            "value": "Alice",
            "source": {
                "site": "GitHub",
                "url": "https://github.com/alice",
                "origin": "extractor"
            }
        }"#;

        let ev: ProfileEvidence = serde_json::from_str(raw).unwrap();

        assert_eq!(ev.source.site, "GitHub");
        assert_eq!(ev.source.observed_at_ms, None);
        assert_eq!(ev.source.access_path, None);
    }

    #[test]
    fn source_metadata_serializes_without_secret_names() {
        let ev = ProfileEvidence::from_enrichment_with_source(
            "GitHub",
            "https://github.com/alice",
            "name",
            "Alice",
            Some(1_800_000_000_000),
            Some(EvidenceAccessPath::new(TransportTier::Browser, 1, true)),
        );

        let json = serde_json::to_value(&ev).unwrap();

        assert_eq!(json["source"]["observed_at_ms"], 1_800_000_000_000_u64);
        assert_eq!(json["source"]["access_path"]["transport"], "browser");
        assert_eq!(json["source"]["access_path"]["escalated"], true);
        assert_eq!(json["source"]["access_path"]["authenticated"], true);
        assert!(
            json["source"]["access_path"]
                .get("session_required")
                .is_none()
        );

        let encoded = serde_json::to_string(&ev).unwrap();
        assert!(!encoded.contains("sessionid"));
        assert!(!encoded.contains("acct"));
        assert!(!encoded.contains("proxy"));
    }
}