- CHANGELOG M4 Added: rewrote the frontend bullet to describe the actual
flat ATT&CK matrix that ships (full-bleed, 15-col grid with minmax(7rem,
1fr), name-only cells, ▸/▾ chevron). The original entry still described
the abandoned 3-column drill-down picker.
- New "Fixed (post-M4 code-review pass)" subsection enumerating the six
CR-driven fixes that landed in this branch (SSRF allowlist, advisory
lock, typed contract, N+1 elimination, version clearing, error scrub +
the test additions and e2e count pinning).
- DoD counts: 53 → 58 pytest, 34 e2e unchanged. testing-m4.md follows.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Spec-reviewer PASS pointed two factual nits:
- MitrePage helper text still referenced the old 3-column drill-down ("Pick
a tactic on the left, then a technique..."). Reworded for the flat matrix
with the ▸ glyph + hover-for-id idiom.
- testing-m4.md + CHANGELOG were stale at 51/12; the actual counts are 53/14
after the GET /mitre/matrix tests landed. Reconciled.
No code-path change, no e2e fallout — DoD remains 53 pytest + 34 Playwright.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Visual parity pass against attack.mitre.org/# per user feedback ("trop dense,
illisible, je veux la même représentation"):
- Layout switched from flex+fixed-width 224px columns to a CSS grid of
`repeat(N, minmax(0, 1fr))` so the 15 tactic columns share the container
width equally. No more horizontal scroll on a standard desktop.
- Cells now show NAME ONLY (matches mitre.org). The external_id (TA00xx /
T1xxx / T1xxx.xxx) is preserved in the chip selection bar at the top and
in the `title` hover tooltip on every cell — surfaces on demand, doesn't
consume cell real estate.
- Font: switched to `font-sans` (IBM Plex Sans) at `text-xs` (12px) across
cells, matching the mitre.org typography. Headers use the same family at
the same size with a 10px sub-line for the technique count.
- Chevron icons: ▸ (collapsed) / ▾ (expanded) — small, sub-technique count
rendered inline beside the chevron.
- Helper line below the matrix tells the user where the IDs went.
Spec §F2 + testing-m4.md walkthrough rewritten to lock the new sizing rules
in (font-xs, no external_id in cells, hover/chip for the ID, no horizontal
scroll). spec-reviewer will see the matching contract.
DoD: make e2e → 34 passed. Selectors (data-testid + aria-pressed) unchanged
so the existing M4 e2e test still walks the new layout end-to-end.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The hierarchical 3-column drill-down was hard to scan and forced a stateful
walk per tag. Replaced with a flat, columns-as-tactics matrix that mirrors
attack.mitre.org/# — every cell is a one-click select target, with inline
sub-technique expand via a `+N` chevron.
- New endpoint GET /api/v1/mitre/matrix returns the full grid (tactics →
techniques → sub-techniques nested) in a single ~55 KB response, so the
SPA renders the whole matrix without firing 15 parallel queries. Two
pytest tests added (nested structure + auth required).
- MitreTagPicker.tsx rewritten as a horizontal-scrolling matrix:
- Click a tactic header → select the tactic (cyan filled).
- Click a technique cell → select the technique (orange filled).
- Click the `+N` chevron → expand sub-techniques inline within the column.
- Click a sub-technique → select (purple filled).
- Single Filter field matches on external_id or name across all kinds.
- Selection chips at the top, clickable to remove.
- `aria-pressed` on every clickable cell for screen readers and Playwright.
- e2e test updated to walk the new flow (click cell → assert aria-pressed,
expand chevron, click sub, verify chip + JSON preview, filter to T1078).
- Spec §F2 + §F12 + todo.md M4 entry updated to make the matrix layout the
canonical UI for MITRE tagging (so future spec-reviewer passes accept it).
- testing-m4.md walkthrough rewritten for the flat picker.
DoD post-refactor: make test-api → 53 passed (was 51), make e2e → 34 passed.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
- backend/tests/test_mitre.py: 12 integration tests using a hand-crafted
minimal STIX bundle (no network in tests). Covers parser
(revoked/deprecated skip, sub-technique parent linkage), seed idempotence,
persisted settings, checksum mismatch path, all four read endpoints, perm
enforcement on /mitre/sync, ILIKE search.
- e2e/tests/m4-mitre.spec.ts: 6 Playwright tests against the live stack.
beforeAll calls POST /mitre/sync once (real bundle, ~50 MB, ~1.1 s) then
the suite validates tactics ≥14, T1003 has ≥5 sub-techniques, the picker
walks tactic→technique→subtechnique with chip multi-select, and non-admin
sees /mitre but no Sync card.
- tasks/testing-m4.md: manual + automated checklist, air-gapped operator
notes, volume-permission caveat for pre-existing root-owned volumes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
