Cutters

Modular Remediation Strategies

Cutters are pluggable modules that execute specific remediation actions. Each cutter implements the Cutter interface and is registered in the global registry.

DockerCutter

Manages Docker containers on the target node.

Actions

Action	Description
`docker_pause_all`	Pause all running containers
`docker_stop_all`	Stop all running containers
`docker_kill_all`	Kill all running containers (SIGKILL)

Policy Example

strategies:
  - threshold: 0.70
    action: docker_pause_all
  - threshold: 0.85
    action: docker_stop_all

NetworkCutter

Executes arbitrary SSH commands for network isolation.

Actions

Action	Description
`ssh_isolate_network`	Run custom command via SSH

Policy Example

strategies:
  - threshold: 0.90
    action: ssh_isolate_network
    command: "systemctl stop wireguard@wg0"
    critical: true

Common Commands

# Stop WireGuard tunnel
command: "systemctl stop wireguard@wg0"

# Full network isolation
command: "wg-quick down wg0 && iptables -P INPUT DROP && iptables -P OUTPUT DROP"

# Kill specific service
command: "systemctl stop nginx"

VBoxCutter

Controls VirtualBox VMs for snapshot-based recovery.

Actions

Action	Description
`vbox_revert_snapshot`	Revert VM to named snapshot
`vbox_poweroff`	Power off VM immediately

Policy Example

strategies:
  - threshold: 0.95
    action: vbox_revert_snapshot
    snapshot_name: "LAST_ORDERED_STATE"
    critical: true

snapshot_name must match an existing VirtualBox snapshot. Use VBoxManage snapshot list to verify.

Cutter Interface

All cutters implement this Go interface:

type Cutter interface {
    Name() string
    CanHandle(action string) bool
    Execute(ctx context.Context, target string, params map[string]string) error
}

type CutResult struct {
    Target    string
    Action    string
    Success   bool
    Error     error
    LatencyMs int64
}

Cutter Registry

Cutters are registered at startup and selected based on action name:

func NewRegistry() *Registry {
    return &Registry{
        cutters: []Cutter{
            NewDockerCutter(),
            NewNetworkCutter(),
            NewVBoxCutter(),
        },
    }
}

func (r *Registry) FindCutter(action string) (Cutter, bool) {
    for _, c := range r.cutters {
        if c.CanHandle(action) {
            return c, true
        }
    }
    return nil, false
}

Action Summary

Action	Cutter	Severity
`docker_pause_all`	Docker	Low
`docker_stop_all`	Docker	Medium
`docker_kill_all`	Docker	High
`ssh_isolate_network`	Network	High
`vbox_revert_snapshot`	VBox	Critical
`vbox_poweroff`	VBox	Critical