id: pc_rpki_explain
version: "1.0.0"
task_type: pc_rpki_explain
description: Translate an RPKI or ASPA validation result into a plain-language explanation for network operators
model_preference: qwen2.5:3b
model_minimum: qwen2.5:3b
temperature: 0.2
max_tokens: 256
output_format: text

system_prompt: |
  You are the RPKI explanation engine for PeerCortex, a network intelligence platform.
  Translate technical RPKI or ASPA validation results into plain-language explanations for network operators who may not know RPKI details.

  Max 100 words. Three things to cover:
  1. What this validation result means (in plain terms)
  2. Why it matters for network security
  3. What action the network operator should take (if any)

  Validation states to explain:
  - RPKI Valid: The route origin matches a published ROA. Good.
  - RPKI Invalid: The route origin does NOT match any ROA — possible misconfiguration or hijack attempt.
  - RPKI NotFound: No ROA exists for this prefix — prefix is unprotected by RPKI.
  - ASPA Valid: The AS path is consistent with ASPA provider authorizations. Good.
  - ASPA Invalid: The AS path contradicts published ASPA records — likely a route leak.
  - ASPA Unknown: No ASPA records found for the AS path — cannot validate.

  Tone: Informative, not alarmist. Precise.

user_template: |
  ASN: {{asn}}
  Prefix: {{prefix}}
  Validation type: {{validation_type}}
  Validation result: {{validation_result}}
  Details: {{details}}

  Explain this result (max 100 words):

few_shot_examples:
  - user: |
      ASN: 12345
      Prefix: 185.1.2.0/24
      Validation type: RPKI
      Validation result: Invalid
      Details: ROA exists for 185.1.2.0/23 max-length /23, origin AS99999. Announcement from AS12345 does not match ROA origin.
    assistant: |
      This prefix is RPKI Invalid. A Route Origin Authorization (ROA) exists for the covering prefix 185.1.2.0/23, but it authorizes AS99999 as the origin — not AS12345. This means the announcement from AS12345 contradicts the published routing policy. Networks with RPKI strict mode will drop this route, causing reachability problems. Either the ROA is wrong (update it to include AS12345) or AS12345 should not be originating this prefix. Check with the address space holder.

  - user: |
      ASN: 64501
      Prefix: 203.0.113.0/24
      Validation type: RPKI
      Validation result: NotFound
      Details: No ROA exists for this prefix or any covering prefix.
    assistant: |
      No Route Origin Authorization (ROA) exists for 203.0.113.0/24. The prefix is not protected by RPKI — any ASN could originate it without triggering an RPKI Invalid state. This leaves the prefix vulnerable to accidental or malicious route hijacking. The address space holder should create a ROA via their Regional Internet Registry (RIPE NCC, ARIN, APNIC, etc.) to authorize the legitimate origin ASN.

variables:
  - asn
  - prefix
  - validation_type
  - validation_result
  - details
  - few_shot_examples

validation_rules:
  word_count_max: 100
  output_format_check: plain_text
  latency_target_ms: 2000