backend/pyproject.toml

[build-system]
requires = ["hatchling>=1.24"]
build-backend = "hatchling.build"

[project]
name = "mimic"
version = "0.1.0a0"
description = "Mimic — internal BAS platform (sprint 0 skeleton)"
readme = "README.md"
requires-python = ">=3.12"
license = { text = "Proprietary" }
authors = [{ name = "RT" }]

dependencies = [
    "flask>=3.0,<4.0",
    "flask-socketio>=5.3,<6.0",
    "flask-login>=0.6.3,<1.0",
    "flask-migrate>=4.0,<5.0",
    "sqlalchemy>=2.0,<3.0",
    "alembic>=1.13,<2.0",
    "psycopg[binary]>=3.1,<4.0",
    "pydantic>=2.6,<3.0",
    "pydantic-settings>=2.2,<3.0",
    "python-json-logger>=2.0,<3.0",
    "structlog>=24.1,<25.0",
    "bcrypt>=4.1,<5.0",
    "cryptography>=42.0,<43.0",
    "jinja2>=3.1,<4.0",
    "google-re2>=1.1,<2.0",
    "click>=8.1,<9.0",
    "gevent>=24.2,<25.0",
    "gevent-websocket>=0.10,<1.0",
    "gunicorn>=22.0,<24.0",
    "httpx>=0.27,<1.0",
    "weasyprint>=61.0,<62.0",
    "authlib>=1.3,<2.0",
    "pyyaml>=6.0,<7.0",
]

[project.optional-dependencies]
dev = [
    "pytest>=8.0,<9.0",
    "pytest-cov>=5.0,<6.0",
    "pytest-flask>=1.3,<2.0",
    "pytest-mock>=3.12,<4.0",
    "testcontainers[postgres]>=4.4,<5.0",
    "ruff>=0.4,<1.0",
    "mypy>=1.10,<2.0",
    "types-pyyaml>=6.0,<7.0",
    "freezegun>=1.5,<2.0",
]

[project.scripts]
mimic-cli = "mimic.cli:cli"

[tool.hatch.build.targets.wheel]
packages = ["src/mimic"]

[tool.hatch.build.targets.sdist]
include = ["src/mimic", "README.md", "pyproject.toml"]

# -- Ruff -------------------------------------------------------------------

[tool.ruff]
line-length = 100
target-version = "py312"
src = ["src", "tests"]

[tool.ruff.lint]
select = [
    "E", "F", "W",      # pycodestyle / pyflakes
    "I",                # isort
    "B",                # bugbear
    "UP",               # pyupgrade
    "N",                # pep8-naming
    "S",                # flake8-bandit (security)
    "C4",               # comprehensions
    "DTZ",              # datetime tz
    "PIE",
    "PT",               # pytest
    "RET",
    "SIM",
    "TID",
    "PL",
    "RUF",
]
ignore = [
    "PLR0913",          # too many args (Flask handlers + DI)
    "S101",             # assert in tests
]

[tool.ruff.lint.per-file-ignores]
"tests/**" = ["S101", "S105", "S106", "PLR2004"]
"src/mimic/db/migrations/**" = ["E501", "N999"]

[tool.ruff.lint.isort]
known-first-party = ["mimic"]

# -- Mypy -------------------------------------------------------------------

[tool.mypy]
python_version = "3.12"
strict = true
warn_unreachable = true
warn_unused_ignores = true
show_error_codes = true
plugins = ["pydantic.mypy"]
exclude = ["src/mimic/db/migrations/versions/"]

[[tool.mypy.overrides]]
module = [
    "weasyprint.*",
    "google.re2.*",
    "re2",
    "flask_socketio.*",
    "flask_migrate.*",
    "flask_login.*",
    "pythonjsonlogger.*",
    "gevent.*",
    "testcontainers.*",
    "authlib.*",
]
ignore_missing_imports = true

# -- Pytest -----------------------------------------------------------------

[tool.pytest.ini_options]
testpaths = ["tests"]
addopts = "-ra --strict-markers --strict-config"
markers = [
    "integration: requires testcontainers Postgres",
    "slow: long-running tests",
]
filterwarnings = ["error"]

[tool.coverage.run]
branch = true
source = ["src/mimic"]
omit = ["src/mimic/db/migrations/*"]

[tool.coverage.report]
fail_under = 70
show_missing = true
skip_covered = false
exclude_lines = [
    "pragma: no cover",
    "raise NotImplementedError",
    "if TYPE_CHECKING:",
    "\\.\\.\\.",
]
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`[build-system]`
			`requires = ["hatchling>=1.24"]`
			`build-backend = "hatchling.build"`

			`[project]`
			`name = "mimic"`
			`version = "0.1.0a0"`
			`description = "Mimic — internal BAS platform (sprint 0 skeleton)"`
			`readme = "README.md"`
			`requires-python = ">=3.12"`
			`license = { text = "Proprietary" }`
			`authors = [{ name = "RT" }]`

			`dependencies = [`
			`"flask>=3.0,<4.0",`
			`"flask-socketio>=5.3,<6.0",`
			`"flask-login>=0.6.3,<1.0",`
			`"flask-migrate>=4.0,<5.0",`
			`"sqlalchemy>=2.0,<3.0",`
			`"alembic>=1.13,<2.0",`
			`"psycopg[binary]>=3.1,<4.0",`
			`"pydantic>=2.6,<3.0",`
			`"pydantic-settings>=2.2,<3.0",`
			`"python-json-logger>=2.0,<3.0",`
			`"structlog>=24.1,<25.0",`
			`"bcrypt>=4.1,<5.0",`
			`"cryptography>=42.0,<43.0",`
			`"jinja2>=3.1,<4.0",`
			`"google-re2>=1.1,<2.0",`
			`"click>=8.1,<9.0",`
			`"gevent>=24.2,<25.0",`
			`"gevent-websocket>=0.10,<1.0",`
fix(backend): make google-re2 a hard dependency, drop re fallback (B1) Code-review BLOCKER B1. Reaffirms D-011: a `re` stdlib fallback defeats the OPSEC-safe-regex guarantee because hostile C2 output can trigger catastrophic backtracking. The `[:1MB]` slice cap does not mitigate that — re-evaluating a malicious pattern over 1 MB of attacker-controlled text is still a worker freeze. - `mimic.templating.filters` now imports `re2` unconditionally and raises `RuntimeError` at module load if the binding is absent. No `re` import, no `_HAS_RE2` branch, no `_FALLBACK_MAX_INPUT`. - `pyproject.toml` already pinned `google-re2 >= 1.1, < 2.0`; this commit hardens the import path to actually enforce it. - New test `test_re2_is_required` asserts the binding is wired in. 2026-05-22 05:23:47 +02:00			`"gunicorn>=22.0,<24.0",`
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`"httpx>=0.27,<1.0",`
			`"weasyprint>=61.0,<62.0",`
			`"authlib>=1.3,<2.0",`
			`"pyyaml>=6.0,<7.0",`
			`]`

			`[project.optional-dependencies]`
			`dev = [`
			`"pytest>=8.0,<9.0",`
			`"pytest-cov>=5.0,<6.0",`
			`"pytest-flask>=1.3,<2.0",`
			`"pytest-mock>=3.12,<4.0",`
			`"testcontainers[postgres]>=4.4,<5.0",`
			`"ruff>=0.4,<1.0",`
			`"mypy>=1.10,<2.0",`
			`"types-pyyaml>=6.0,<7.0",`
			`"freezegun>=1.5,<2.0",`
			`]`

			`[project.scripts]`
			`mimic-cli = "mimic.cli:cli"`

			`[tool.hatch.build.targets.wheel]`
			`packages = ["src/mimic"]`

			`[tool.hatch.build.targets.sdist]`
			`include = ["src/mimic", "README.md", "pyproject.toml"]`

			`# -- Ruff -------------------------------------------------------------------`

			`[tool.ruff]`
			`line-length = 100`
			`target-version = "py312"`
			`src = ["src", "tests"]`

			`[tool.ruff.lint]`
			`select = [`
			`"E", "F", "W", # pycodestyle / pyflakes`
			`"I", # isort`
			`"B", # bugbear`
			`"UP", # pyupgrade`
			`"N", # pep8-naming`
			`"S", # flake8-bandit (security)`
			`"C4", # comprehensions`
			`"DTZ", # datetime tz`
			`"PIE",`
			`"PT", # pytest`
			`"RET",`
			`"SIM",`
			`"TID",`
			`"PL",`
			`"RUF",`
			`]`
			`ignore = [`
			`"PLR0913", # too many args (Flask handlers + DI)`
			`"S101", # assert in tests`
			`]`

			`[tool.ruff.lint.per-file-ignores]`
			`"tests/**" = ["S101", "S105", "S106", "PLR2004"]`
			`"src/mimic/db/migrations/**" = ["E501", "N999"]`

			`[tool.ruff.lint.isort]`
			`known-first-party = ["mimic"]`

			`# -- Mypy -------------------------------------------------------------------`

			`[tool.mypy]`
			`python_version = "3.12"`
			`strict = true`
			`warn_unreachable = true`
			`warn_unused_ignores = true`
			`show_error_codes = true`
			`plugins = ["pydantic.mypy"]`
			`exclude = ["src/mimic/db/migrations/versions/"]`

			`[[tool.mypy.overrides]]`
			`module = [`
			`"weasyprint.*",`
			`"google.re2.*",`
			`"re2",`
			`"flask_socketio.*",`
			`"flask_migrate.*",`
chore(backend): mypy strict clean + ruff format pass Pre-merge sanity per devops checklist (ruff format --check, mypy --strict). Type fixes: - ORM models: `Mapped[dict]` → `Mapped[dict[str, Any]]` (audit, scenario, run, report, ttp, detection.artifact_files_json). Equivalent on Pydantic DTOs (TtpBase.params_schema_json, ScenarioStepBase.params_override_json). - Rename `TtpRead.current_version` → `TtpRead.version` to mirror the ORM column (which itself was renamed in D-009 cleanup). - Flask blueprints: add `-> ResponseReturnValue` to every view, plus typed UUID params on `_validate_step_consistency`. - `templating/filters.py`: rewrite the conditional re2 import so mypy can narrow the union (`ModuleType \| None`); the runtime branch on `_re2 is not None` removes the unused-ignore that was triggered by warn_unused_ignores. - `pyproject.toml`: add `flask_login.` and `pythonjsonlogger.` to the `[[tool.mypy.overrides]]` `ignore_missing_imports` list (both ship without typed marker). - Misc: drop stale `# type: ignore` comments (`app.py:36`, `rbac/decorators.py:35`) flagged by `warn_unused_ignores`. Keep `logging.JsonFormatter` ignore because the symbol exists at runtime but is not re-exported through the typed surface. Formatting: - `ruff format` applied (15 files normalized; line-length unchanged at 100). Verification on this commit: - `ruff check` → All checks passed. - `ruff format --check` → 68 files already formatted. - `mypy --strict src` → Success: no issues found in 54 source files. - `pytest tests/unit` → 49 passed. 2026-05-22 05:10:51 +02:00			`"flask_login.*",`
			`"pythonjsonlogger.*",`
chore(backend): bootstrap Python 3.12+ project skeleton (B0.1) - pyproject.toml with ruff + mypy strict + pytest + coverage >=70% - Makefile with Docker/Podman auto-detect - Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user) - docker-compose.yml for Postgres dev DB - alembic.ini wired to src/mimic/db/migrations - scripts/postgres-init/00-roles.sql seeds the audit writer role - .env.example documents every MIMIC_* var (no secrets committed) 2026-05-21 20:32:29 +02:00			`"gevent.*",`
			`"testcontainers.*",`
			`"authlib.*",`
			`]`
			`ignore_missing_imports = true`

			`# -- Pytest -----------------------------------------------------------------`

			`[tool.pytest.ini_options]`
			`testpaths = ["tests"]`
			`addopts = "-ra --strict-markers --strict-config"`
			`markers = [`
			`"integration: requires testcontainers Postgres",`
			`"slow: long-running tests",`
			`]`
			`filterwarnings = ["error"]`

			`[tool.coverage.run]`
			`branch = true`
			`source = ["src/mimic"]`
			`omit = ["src/mimic/db/migrations/*"]`

			`[tool.coverage.report]`
			`fail_under = 70`
			`show_missing = true`
			`skip_covered = false`
			`exclude_lines = [`
			`"pragma: no cover",`
			`"raise NotImplementedError",`
			`"if TYPE_CHECKING:",`
			`"\\.\\.\\.",`
			`]`