@startuml
left to right direction
skinparam backgroundColor #f8fafc
skinparam linetype ortho
skinparam shadowing false
skinparam roundCorner 12
skinparam defaultFontName Helvetica
skinparam nodesep 28
skinparam ranksep 36
skinparam rectangle {
BorderColor #334155
FontColor #0f172a
}
skinparam arrow {
Color #1e293b
Thickness 1.5
}
rectangle "Inputs" as inputs #dbeafe {
rectangle "STDIN\n(line or blob mode)" as stdin #eff6ff
rectangle "Folder files\n(line or blob mode)" as folder #eff6ff
}
rectangle "Decode + Extract" as decode #fef3c7 {
rectangle "Decode modes\nbase64 | string | hex" as modes #fffbeb
rectangle "Optional JSON extraction\n--input-json-key" as json_extract #fffbeb
}
rectangle "Tagging" as tagging #dcfce7 {
rectangle "PCRE2 named captures" as pcre #f0fdf4
rectangle "Tag array\n(tags[])" as tags #f0fdf4
}
rectangle "Similarity" as similarity #fee2e2 {
rectangle "TLSH hash\n(similarity_hash)" as hash #fff1f2
rectangle "Pairwise diff\n--tlsh-diff / --tlsh-distance" as diff #fff1f2
}
rectangle "Inference" as inference #ede9fe {
rectangle "Single-packet scoring\n-P / -A / -k" as packet #f5f3ff
rectangle "Neighbor confidence boost\n(cluster size from diff graph)" as boost #f5f3ff
}
rectangle "Outputs" as outputs #e0f2fe {
rectangle "STDOUT\nNDJSON per matched payload" as stdout #f0f9ff
rectangle "STDERR\nstats JSON (--stats)" as stderr_stats #f0f9ff
rectangle "STDERR\nprotocol hints (--protocol-hints)" as stderr_hints #f0f9ff
}
inputs --> decode
decode --> tagging
tagging --> similarity
similarity --> inference
tagging --> outputs
similarity --> outputs
inference --> outputs
@enduml
