Sprint 5: Analyzer Contract and First Plugin Conversion

[USTungsten]

Sprint 5 Goal

Turn plugins into formal analyzers with trust-aware metadata. Plugins currently emit thin Finding objects via a lifting layer. Sprint 5 converts them to emit ForensicFinding directly under a formal plugin contract.

Deliverables

• Analyzer contract (plugins emit ForensicFinding directly)
• Plugin manifest schema (plugin_id, version, category, required_streams, trust metadata)
• Plugin diagnostics model
• Trust-state representation (built-in-trusted, local-unsigned, community, blocked)
• Conversion of first built-in analyzers to new contract
• GUI plugin inventory basics (list, trust state, version, which ran)

Acceptance Criteria

• Plugins have formal metadata
• Findings record plugin version and trust state
• GUI shows plugin inventory and trust state
• Converted plugins emit evidence-backed ForensicFindings directly (no lifting layer needed)

Spec Reference

Sprint Plan doc §7, Plugin Trust and Tuning Spec §2–6

[USTungsten]

Sprint 5 complete. 448 tests passing (433 existing + 15 new).

Delivered:

• PluginManifest, PluginDiagnostics, PluginCategory, PluginTrustState, and AnalyzerPlugin protocol in contract.py
• All 11 plugins now have formal manifests with category, required/optional streams, trust state, and output finding types
• forensic_analyze() on Plugin base class — checks required streams, emits ForensicFinding directly (no lifting needed), returns PluginDiagnostics
• PLUGIN_REGISTRY, get_plugin_manifests(), get_plugin() in plugins __init__
• cases_api.py analyze route updated to use forensic contract; new GET /api/cases/{case_id}/plugins endpoint
• GUI Plugins tab with per-plugin cards: name, version, category badge, trust state badge, required streams, run status, findings count
• Backward compat preserved: old run()/analyze() methods untouched, lifting layer still available

[USTungsten]

Sprint 5 verified and gaps patched in commit 7fe45a5 (Sprint 6). Fixes: trust_state serialized into plugin_diagnostics.json, execution_status property added to PluginDiagnostics, _PLUGIN_STREAM_MAP updated for all 11 plugins. Sprint 5 can be closed.