v1.4.1 — Docs: TTP-focus framing fix
Docs-only patch
Clarifies that Purple Loop validates behavioral/TTP detections, not IOCs. MISP and CISA KEV are prioritization inputs to threat-intel-arbiter, which passes ATT&CK techniques — not hashes, IPs, or domains — to Purple Loop.
Changes:
- README: sharpen 'threats' → 'techniques' in Why this exists and two-repo sections
- README: add Design decisions / scope section (Pyramid of Pain rationale)
- DESIGN.md §10: arbiter passes techniques, Purple Loop validates behavioral detections
- docs/index.html: arbiter DATA says 'emits techniques (not IOCs)'
The code was always correct — these edits make the docs match reality.
What's Changed
- docs: clarify TTP-focus — MISP/KEV are prioritization inputs, not IOC feeds by @jayelbotvibe-web in #48
Full Changelog: v1.1.1...v1.4.1