chore: bootstrap repo skeleton with sprint 0 plan

- .gitignore (Python, Node, RT/maldev hygiene, secrets)
- README.md (project framing, stack, conventions, status)
- CHANGELOG.md (team kickoff decisions Q1/Q2/Q3, T2/T3/T4, auth strategy)
- tasks/spec-decisions.md (D-001..D-007 arbitrations on top of frozen spec)
- tasks/todo.md (sprint 0 backlog: B0.* / F0.* / S0.* / R0.*)
- tasks/lessons.md (empty, populated as work progresses)
- backend/ frontend/ docs/ scaffolding

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

tasks/spec-decisions.md

@@ -0,0 +1,58 @@
+# Spec decisions log
+
+This file tracks implementation arbitrations *on top* of the frozen spec
+(`Projects/Mimic — Spec.md` in the RT-SecondBrain vault).
+
+Format: one entry per decision, newest first.
+
+---
+
+## 2026-05-21 — Team kickoff decisions
+
+### D-001 — SOC collaboration hypothesis
+**Context.** Devils-advocate flagged the sociological assumption that SOC analysts
+will cote in the live cockpit.
+**Decision.** Hypothesis accepted as-is. No paper PoC. Risk owned by lead RT.
+
+### D-002 — Mimic deployment location
+**Context.** Spec §6 NF-network did not pin where Mimic is physically deployed.
+**Decision.** Mimic runs on RT infrastructure. SOC client connects through the
+existing RT reverse proxy (Caddy, out of Mimic scope). Mimic → Mythic / Home C2
+through outbound VPN. RT R&D (TTP library, stealthy variants) never sits on
+client premises.
+
+### D-003 — Authentication strategy
+**Context.** Spec mentions OIDC Keycloak but lab onboarding cost is high.
+**Decision.** v1 ships **local auth** (username/password, bcrypt, Flask server-side
+sessions). v2 adds Keycloak OIDC. The RBAC model is **group-based from day one**,
+so OIDC will map claims to existing groups without touching application code.
+SOC sessions remain a distinct mechanism (`soc_session.token_opaque` bcrypt hash,
+clear token out-of-band).
+
+### D-004 — C2 credential storage (T2)
+**Context.** Engagement.config_json (encrypted JSON column) vs dedicated table.
+**Decision.** Dedicated table `c2_credential (id, engagement_id, c2_type,
+config_json_fernet, version, created_at, retired_at)`. Active row per engagement =
+`retired_at IS NULL`, highest version. Rotation = insert + retire previous.
+Fernet key in env, never in DB.
+
+### D-005 — Cleanup template variable sources (T3)
+**Context.** Jinja `{{outputs.X}}` source ambiguity.
+**Decision.** Two accessors:
+- `{{outputs.text}}` → `run_step.output_text` (stdout/UTF-8 text).
+- `{{outputs.blob("<key>")}}` → reads from `output_blob_ref`, hard cap **10 MB**
+  (consistent with F8 evidence limit), UTF-8 decoding with latin-1 fallback,
+  silent refusal + log entry if the blob is non-decodable.
+`regex_extract` always operates on the resulting string.
+
+### D-006 — SOC session token storage (T4)
+**Context.** `soc_session.token_opaque` storage form.
+**Decision.** bcrypt hash. Clear token generated server-side at session creation,
+returned **once** in the API response, delivered out-of-band to the SOC analyst.
+Never re-displayable.
+
+### D-007 — Reverse proxy scope
+**Context.** Mimic exposure to internet for SOC client access.
+**Decision.** Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT
+infrastructure. Mimic ships an HTTP listener on localhost only; the deployment
+playbook wires it behind the existing proxy.