backend/README.md

# Mimic — backend

Sprint 0 skeleton. Python 3.12+ / Flask / SQLAlchemy 2 / Alembic / Pydantic 2.

## Layout

```
backend/
├── src/mimic/
│   ├── app.py                # Flask app factory + SocketIO init
│   ├── config.py             # Pydantic Settings
│   ├── extensions.py         # db, migrate, socketio, login_manager
│   ├── db/
│   │   ├── models/           # SQLAlchemy 2 typed models
│   │   ├── repositories/     # data access per aggregate
│   │   └── migrations/       # Alembic
│   ├── schemas/              # Pydantic 2 DTOs
│   ├── api/                  # Flask blueprints (REST)
│   ├── ws/                   # Flask-SocketIO namespaces
│   ├── connectors/           # C2Connector ABC + payload mapping
│   ├── orchestrator/         # run state machine (stub in sprint 0)
│   ├── templating/           # Jinja2 sandbox + regex_extract
│   ├── audit/                # append-only writer + rotation
│   ├── reporting/            # WeasyPrint builder (stub in sprint 0)
│   ├── rbac/                 # group-based permission matrix (F11)
│   ├── importers/            # ATR + C2 journal (stub in sprint 0)
│   └── cli/                  # mimic-cli (click)
└── tests/
    ├── unit/                 # SQLite, pure logic
    └── integration/          # testcontainers Postgres
```

## Local dev

```bash
make install      # uv venv + pip install -e .[dev]
make db-up        # $(CONTAINER) compose up -d postgres  (auto-detect docker|podman)
make db-bootstrap # one-time: create the mimic_audit_writer role (see below)
make db-migrate   # alembic upgrade head
make run          # flask run (debug)
make test         # pytest unit
make test-int     # pytest integration (testcontainers)
make lint         # ruff + mypy strict
```

### Audit writer role (dev)

`mimic_audit_writer` is provisioned by the Ansible playbook in production
(decision D-010). For local development, create it manually after `make db-up`:

```bash
# Substitute "podman" for "docker" if your runtime is Podman.
$(command -v docker || command -v podman) exec -it mimic-postgres \
  psql -U mimic_app -d mimic \
  -c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'pick-a-dev-secret';"
```

Then expose the same secret in `MIMIC_DATABASE_AUDIT_URL` in your `.env`. The
Alembic migration grants the INSERT-only permission on `audit_log` against
this role; if it does not exist, the grant block is a no-op (idempotent).

## What sprint 0 ships

- Full §8 data model + Alembic initial migration (Postgres-specific constraints: audit_log write-only role, soc_session hash, c2_credential Fernet column).
- `C2Connector` ABC + dataclasses + `payload_type` enum + factory. **No real Mythic/Home implementation** (blocked on PR1/PR2).
- Jinja2 SandboxedEnvironment + `regex_extract` filter (re2).
- Local auth (bcrypt + Flask session) + group-based RBAC matching the F11 permission matrix.
- Flat CRUD on engagements / hosts / TTPs / scenarios.
- pytest baseline + testcontainers Postgres scaffolding.

## Out of sprint 0

Orchestrator, WebSocket cockpit, real connectors, report generation, audit rotation.
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`# Mimic — backend`

			`Sprint 0 skeleton. Python 3.12+ / Flask / SQLAlchemy 2 / Alembic / Pydantic 2.`

			`## Layout`

			```
			`backend/`
			`├── src/mimic/`
			`│ ├── app.py # Flask app factory + SocketIO init`
			`│ ├── config.py # Pydantic Settings`
			`│ ├── extensions.py # db, migrate, socketio, login_manager`
			`│ ├── db/`
			`│ │ ├── models/ # SQLAlchemy 2 typed models`
			`│ │ ├── repositories/ # data access per aggregate`
			`│ │ └── migrations/ # Alembic`
			`│ ├── schemas/ # Pydantic 2 DTOs`
			`│ ├── api/ # Flask blueprints (REST)`
			`│ ├── ws/ # Flask-SocketIO namespaces`
			`│ ├── connectors/ # C2Connector ABC + payload mapping`
			`│ ├── orchestrator/ # run state machine (stub in sprint 0)`
			`│ ├── templating/ # Jinja2 sandbox + regex_extract`
			`│ ├── audit/ # append-only writer + rotation`
			`│ ├── reporting/ # WeasyPrint builder (stub in sprint 0)`
			`│ ├── rbac/ # group-based permission matrix (F11)`
			`│ ├── importers/ # ATR + C2 journal (stub in sprint 0)`
			`│ └── cli/ # mimic-cli (click)`
			`└── tests/`
			`├── unit/ # SQLite, pure logic`
			`└── integration/ # testcontainers Postgres`
			```

			`## Local dev`

			```bash
			`make install # uv venv + pip install -e .[dev]`
chore(backend): rename docker-compose.yml -> compose.yml + podman notes Compose v2 canonical filename (compose.yml) is recognized by both docker compose and podman compose without preference. The previous docker-compose.yml worked but signalled a Docker-first stance, while target deployment is Podman 5.8+ rootless. - Rename backend/docker-compose.yml -> backend/compose.yml. - backend/README.md `make db-up` comment uses $(CONTAINER) to mirror the Makefile auto-detect (lines 14-16: docker \|\| podman). - backend/README.md audit-writer bootstrap snippet hints at podman fallback explicitly with `command -v` runtime sniff. - backend/compose.yml comment for audit-writer mentions both runtimes. No functional change. Makefile $(COMPOSE) target unchanged: Compose v2 discovers compose.yml first in its search order. 2026-05-22 19:41:38 +02:00			`make db-up # $(CONTAINER) compose up -d postgres (auto-detect docker\|podman)`
fix(backend): stop seeding the audit-writer role via postgres-init (MA1) Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql` hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted into the dev Postgres container; on prod boxes this risks lingering as the real credential. - The init script was removed in the previous commit alongside the dropped scripts dir. - `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d` directory; the audit-writer role provisioning is the Ansible playbook's responsibility (D-010). - `backend/README.md` documents the manual one-shot `CREATE ROLE` command for local dev with a placeholder password. Net effect: no `CHANGE_ME` credential reaches a container image / git history. The Alembic migration's `audit_log` grant block stays idempotent — it is a no-op when the role is absent. 2026-05-22 05:24:13 +02:00			`make db-bootstrap # one-time: create the mimic_audit_writer role (see below)`
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`make db-migrate # alembic upgrade head`
			`make run # flask run (debug)`
			`make test # pytest unit`
			`make test-int # pytest integration (testcontainers)`
			`make lint # ruff + mypy strict`
			```

fix(backend): stop seeding the audit-writer role via postgres-init (MA1) Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql` hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted into the dev Postgres container; on prod boxes this risks lingering as the real credential. - The init script was removed in the previous commit alongside the dropped scripts dir. - `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d` directory; the audit-writer role provisioning is the Ansible playbook's responsibility (D-010). - `backend/README.md` documents the manual one-shot `CREATE ROLE` command for local dev with a placeholder password. Net effect: no `CHANGE_ME` credential reaches a container image / git history. The Alembic migration's `audit_log` grant block stays idempotent — it is a no-op when the role is absent. 2026-05-22 05:24:13 +02:00			`### Audit writer role (dev)`

			`mimic_audit_writer` is provisioned by the Ansible playbook in production
			(decision D-010). For local development, create it manually after `make db-up`:

			```bash
chore(backend): rename docker-compose.yml -> compose.yml + podman notes Compose v2 canonical filename (compose.yml) is recognized by both docker compose and podman compose without preference. The previous docker-compose.yml worked but signalled a Docker-first stance, while target deployment is Podman 5.8+ rootless. - Rename backend/docker-compose.yml -> backend/compose.yml. - backend/README.md `make db-up` comment uses $(CONTAINER) to mirror the Makefile auto-detect (lines 14-16: docker \|\| podman). - backend/README.md audit-writer bootstrap snippet hints at podman fallback explicitly with `command -v` runtime sniff. - backend/compose.yml comment for audit-writer mentions both runtimes. No functional change. Makefile $(COMPOSE) target unchanged: Compose v2 discovers compose.yml first in its search order. 2026-05-22 19:41:38 +02:00			`# Substitute "podman" for "docker" if your runtime is Podman.`
			`$(command -v docker \|\| command -v podman) exec -it mimic-postgres \`
			`psql -U mimic_app -d mimic \`
fix(backend): stop seeding the audit-writer role via postgres-init (MA1) Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql` hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted into the dev Postgres container; on prod boxes this risks lingering as the real credential. - The init script was removed in the previous commit alongside the dropped scripts dir. - `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d` directory; the audit-writer role provisioning is the Ansible playbook's responsibility (D-010). - `backend/README.md` documents the manual one-shot `CREATE ROLE` command for local dev with a placeholder password. Net effect: no `CHANGE_ME` credential reaches a container image / git history. The Alembic migration's `audit_log` grant block stays idempotent — it is a no-op when the role is absent. 2026-05-22 05:24:13 +02:00			`-c "CREATE ROLE mimic_audit_writer LOGIN PASSWORD 'pick-a-dev-secret';"`
			```

			Then expose the same secret in `MIMIC_DATABASE_AUDIT_URL` in your `.env`. The
			Alembic migration grants the INSERT-only permission on `audit_log` against
			`this role; if it does not exist, the grant block is a no-op (idempotent).`

chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`## What sprint 0 ships`

			`- Full §8 data model + Alembic initial migration (Postgres-specific constraints: audit_log write-only role, soc_session hash, c2_credential Fernet column).`
			- `C2Connector` ABC + dataclasses + `payload_type` enum + factory. No real Mythic/Home implementation (blocked on PR1/PR2).
			- Jinja2 SandboxedEnvironment + `regex_extract` filter (re2).
			`- Local auth (bcrypt + Flask session) + group-based RBAC matching the F11 permission matrix.`
			`- Flat CRUD on engagements / hosts / TTPs / scenarios.`
			`- pytest baseline + testcontainers Postgres scaffolding.`

			`## Out of sprint 0`

			`Orchestrator, WebSocket cockpit, real connectors, report generation, audit rotation.`