parlov-elicit

Elicitation engine for parlov. Given a target endpoint and operator context, generates a plan of ProbeSpecs designed to trigger specific server-side differentials that reveal resource existence.

Overview

The engine codifies the elicitation playbook as 25 composable strategies across two detection vectors. Each strategy targets a different layer of the HTTP pipeline — content negotiation, conditional headers, cache validation, auth, payload validation, rate limiting — and produces probe definitions with Technique metadata that the binary feeds into its execution loops.

Usage

use parlov_elicit::{generate_plan, RiskLevel, ScanContext};
use http::HeaderMap;

let ctx = ScanContext {
    target: "https://api.example.com/users/{id}".to_string(),
    baseline_id: "1001".to_string(),
    probe_id: "9999".to_string(),
    headers: HeaderMap::new(),
    max_risk: RiskLevel::Safe,
    known_duplicate: None,
    state_field: None,
    alt_credential: None,
};

let plan = generate_plan(&ctx);
// plan contains ProbeSpec::Pair, ::Burst, and ::HeaderDiff items
// ready for dispatch by the binary's scan pipeline

Strategies

Status Code Diff (Vector::StatusCodeDiff)

Cache Probing (Vector::CacheProbing)

Design

• Pure computation — no I/O, no async. The binary owns the async boundary.
• Strategy as trait — adding a strategy is one file + one registry line.
• Two detection vectors — StatusCodeDiff (status code differentials) and CacheProbing (cache-conditional header responses). Strategies are organized by vector under existence/status_code_diff/ and existence/cache_probing/.
• Technique metadata — every ProbeSpec carries technique context (id, name, vector, normative strength) that flows through execution into analysis. Signal extraction is unconditional.
• ProbeSpec variants drive dispatch in the binary: Pair → adaptive loop, Burst → volume loop, HeaderDiff → single-request header comparison.
• RiskLevel uses Ord — generate_plan filters with risk() <= ctx.max_risk.