chore: bootstrap repo skeleton with sprint 0 plan

- .gitignore (Python, Node, RT/maldev hygiene, secrets) - README.md (project framing, stack, conventions, status) - CHANGELOG.md (team kickoff decisions Q1/Q2/Q3, T2/T3/T4, auth strategy) - tasks/spec-decisions.md (D-001..D-007 arbitrations on top of frozen spec) - tasks/todo.md (sprint 0 backlog: B0.* / F0.* / S0.* / R0.*) - tasks/lessons.md (empty, populated as work progresses) - backend/ frontend/ docs/ scaffolding Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 20:10:47 +02:00
parent 030a018970
commit 047583eb9c
9 changed files with 263 additions and 0 deletions
--- a/tasks/todo.md
+++ b/tasks/todo.md
@@ -0,0 +1,52 @@
+# Sprint 0 — Mimic
+
+Repo skeleton + foundational modules. Nothing that depends on PR1/PR2/PR3.
+
+## Backend (`backend`)
+
+- [ ] B0.1 — `backend/` Python project: `pyproject.toml` (ruff, mypy strict, pytest, coverage),
+      `Makefile`, `Dockerfile`, `docker-compose.yml` for Postgres dev DB.
+- [ ] B0.2 — Alembic init + complete initial migration covering the §8 schema (incl. `ttp_version`,
+      `c2_credential`, `user`, `group`, `user_group`, `permission`, `group_permission`,
+      `soc_session`, audit_log with write-only Postgres role).
+- [ ] B0.3 — SQLAlchemy 2 typed mapped classes for every table + repositories scaffold.
+- [ ] B0.4 — `C2Connector` ABC + dataclasses (`Payload`, `TaskHandle`, `TaskResult`) + enum
+      `payload_type` + factory keyed on `c2_type`. **No real implementation.**
+- [ ] B0.5 — Jinja2 SandboxedEnvironment + `regex_extract` filter via `google-re2` +
+      `{{outputs.text}}` and `{{outputs.blob(key)}}` accessors with 10 MB cap.
+- [ ] B0.6 — Local auth (login/password bcrypt + Flask server-side sessions) + RBAC
+      group-based decorators + F11 permission matrix declared in code.
+- [ ] B0.7 — Flat CRUD endpoints (engagements, hosts, TTPs, scenarios) — no orchestration,
+      no WebSocket, no reporting yet.
+- [ ] B0.8 — pytest baseline: unit (SQLite) + integration scaffold (testcontainers Postgres).
+
+## Frontend (`ux-frontend`)
+
+- [ ] F0.1 — `frontend/` Vite + React + TypeScript strict + Tailwind 4 + TanStack Query 5,
+      eslint strict + prettier, Playwright skeleton.
+- [ ] F0.2 — Design system provisional: semantic tokens in `theme.css` (status colors, RT accent,
+      data mono / UI sans), dark-first palette, placeholder logo.
+- [ ] F0.3 — Wireframes (via `frontend-design` skill) on mock data:
+      Login + engagement selection, Live cockpit, Scenario composer,
+      Report + MITRE matrix, TTP library + import.
+- [ ] F0.4 — Routing skeleton + role-aware layout shell (no real auth wired yet).
+
+## Spec / Docs (`spec-analyst`)
+
+- [ ] S0.1 — Cross-check the data model in B0.2 against §8 of the spec; report deltas before merge.
+- [ ] S0.2 — Cross-check the RBAC matrix in B0.6 against F11; report deltas before merge.
+- [ ] S0.3 — Maintain `tasks/spec-decisions.md` as new arbitrations land.
+- [ ] S0.4 — Open `docs/architecture.md` once backend layout is committed.
+
+## Review (`code-reviewer`)
+
+- [ ] R0.1 — Review each PR per the published charter; block on security/OPSEC violations.
+- [ ] R0.2 — Verify mypy strict and ruff clean before approving any backend PR.
+- [ ] R0.3 — Verify TS strict, no `useEffect(fetch)`, exhaustive deps before approving any frontend PR.
+
+## Conventions
+
+- Branches: `feature/<scope>`, `fix/<scope>`, `docs/<scope>`, `chore/<scope>`. Long-lived: `main`.
+- Commits: Conventional Commits (`feat:`, `fix:`, `chore:`, `docs:`, `test:`, `refactor:`).
+- PRs: each branch → review (`code-reviewer`) → team-lead merges.
+- No direct push to `main`.