| name | mitigation-decision |
| description | Use when choosing a minimal DDoS mitigation strategy between near-destination and near-source scrubbing from destination-node load only. |
| allowed-tools | Read, Grep, Glob, Edit, Write |
mitigation-decision
Use when
- You already have a judged DDoS alert and need one minimal mitigation decision.
- You only need to choose between
near-destination-scrubbing and near-source-scrubbing.
- The input includes one destination node, source nodes, and their current
load_ratio.
Do not use when
- You still need alert judgment or alert triage.
- You need traffic scheduling, weighted device selection, or multi-target coordination.
- You need command delivery, policy deployment, or post-mitigation validation.
Required input
Provide one JSON object with at least:
threshold
destination_node
nodes
Judgment input can be provided in either of these forms:
- legacy flat fields:
alert_id
target_ip
judged_attack_type
scale_band
- one embedded event object:
- one full
alert-judgment output object:
judgment
- or top-level
events
Optional judgment-side fields that the decision stage will consume when present:
judgment
confidence
automation.auto_handle_score
importance.importance_score
evidence.matched_flow_summary
evidence.artifact_refs
evidence.mixed_attack_hints
destination_node is the near-destination node identifier.
nodes should be a 4-node list in this prototype:
- 1 node with
role=destination
- 3 nodes with
role=source
Each node should include at least:
Optional per-node field:
When reading input JSON, resolve the path relative to the current working directory first.
Do not assume one fixed repository-absolute layout; prefer project-local relative paths and let the helper script fall back to project search when needed.
Helper script
Prefer the local helper script instead of making the decision manually.
scripts/decide_mitigation.py
Use it to:
- load one mitigation input JSON
- optionally load one separate
alert-judgment output JSON
- resolve one judgment event from embedded or external judgment input
- use judgment status and
auto_handle_score as the automation gate
- locate the destination node
- compare destination
load_ratio with threshold
- choose one fixed strategy
- emit one structured decision JSON
Example:
python .claude/skills/mitigation-decision/scripts/decide_mitigation.py \
--input-json mitigation-input.json \
--pretty
python .claude/skills/mitigation-decision/scripts/decide_mitigation.py \
--input-json mitigation-infra.json \
--judgment-json judgment-output.json \
--event-id some-event-id \
--pretty
Steps
- Load the input JSON.
- Resolve one judgment event from flat fields, an embedded event, or a full
alert-judgment output.
- Use
judgment and auto_handle_score to determine whether automatic execution is allowed, blocked, or should be sent to manual review.
- Find the node named by
destination_node.
- Read the destination node
load_ratio.
- If
load_ratio < threshold, choose near-destination-scrubbing and select only the destination node.
- Otherwise choose
near-source-scrubbing and select all nodes with role=source.
- Return the structured decision result together with the consumed judgment summary.
Output
Return:
{
"stage": "mitigation-decision",
"status": "completed",
"decision": {
"alert_id": "",
"event_id": "",
"target_ip": "",
"judgment": "credible | suspicious | unsupported",
"confidence": 0.0,
"judged_attack_type": "",
"scale_band": "",
"strategy": "near-destination-scrubbing | near-source-scrubbing",
"reason": "",
"selected_devices": [],
"threshold": 0.7,
"destination_load_ratio": 0.42,
"execution_mode": "auto_execute | manual_review_required | manual_review_recommended",
"judgment_gate": {
"status": "allowed | blocked | unknown",
"reason": "",
"source": "",
"auto_handle_score": 0.0,
"minimum_required_score": 0.6,
"importance_score": 0.0
},
"judgment_evidence": {
"matched_flow_summary": {},
"artifact_refs": {},
"mixed_attack_hints": []
}
}
}
Keep this stage minimal:
- do not optimize traffic distribution
- do not split traffic by source
- do not issue device commands
- do not make multi-target joint decisions