docs: update CHANGELOG + tasks for the backend skeleton sprint 0
- CHANGELOG.md: detail every B0.1..B0.8 deliverable + spec deltas D-008 (ttp_version coexists), D-009 (audit hash chain v1), D-010 (no type_annotation_map on declarative base). - tasks/todo.md: tick every B0.x item. - tasks/spec-decisions.md: log D-008, D-009, D-010 alongside the pre-existing D-001..D-007.
This commit is contained in:
knacky
36
CHANGELOG.md
36
CHANGELOG.md
@@ -24,3 +24,39 @@ Versioning starts at `0.1.0` when sprint 0 lands.
|
||||
|
||||
Repo skeleton, data model, `C2Connector` ABC, Jinja2 sandbox, local auth + RBAC, flat CRUD,
|
||||
UX wireframes (mock data). No real connector, no reporting until PR1/PR2/PR3 land.
|
||||
|
||||
#### Backend skeleton (`feature/backend-skeleton`)
|
||||
|
||||
- `backend/` Python 3.12+ project: `pyproject.toml` (ruff, mypy strict, pytest, coverage 70 %),
|
||||
`Makefile` (Docker/Podman auto-detect), multi-stage `Dockerfile`, `docker-compose.yml` for
|
||||
Postgres dev DB, `.env.example`.
|
||||
- Full §8 data model in SQLAlchemy 2 typed mapped classes: `engagement`, `c2_credential`,
|
||||
`host`, `user`, `group`, `group_permission`, `user_group`, `engagement_member`, `ttp`,
|
||||
`ttp_version`, `scenario`, `scenario_step`, `run`, `run_step`, `run_step_cleanup`,
|
||||
`detection`, `evidence`, `report`, `soc_session`, `audit_log`.
|
||||
- Alembic baseline migration `202605210001_initial_schema`: every table + enum + index +
|
||||
idempotent `audit_log` grants for the write-only Postgres role.
|
||||
- `C2Connector` ABC + `Payload` / `TaskHandle` / `TaskResult` / `TaskStatus` dataclasses +
|
||||
`PayloadType` enum + `ConnectorFactory` keyed on `c2_type`. Mythic payload map populated;
|
||||
Home stays empty until PR2.
|
||||
- Jinja2 `SandboxedEnvironment` + `regex_extract` filter (google-re2 with `re` fallback) +
|
||||
`{{ outputs.text }}` / `{{ outputs.blob() }}` accessors (10 MB cap, UTF-8 → latin-1).
|
||||
- Group-based RBAC: `Permission` + `GroupName` + `GROUP_PERMISSIONS` mirror the F11 matrix;
|
||||
`@require_perm` decorator + `AuthUser` Flask-Login wrapper that resolves the permission set
|
||||
from the user's groups.
|
||||
- bcrypt password helpers + SOC opaque token (256-bit url-safe, bcrypt-hashed at rest, plain
|
||||
returned once).
|
||||
- Hash-chained append-only audit writer (sprint 0 fills `prev_hash` / `row_hash` at insert;
|
||||
verifier shipped in v2).
|
||||
- Flat CRUD blueprints: engagements / hosts / TTPs / scenarios + scenario steps. F3 invariant
|
||||
enforced (host.c2_type must match scenario.c2_type at compose time).
|
||||
- `mimic-cli` (click): `user create`, `db dump`, `db restore`.
|
||||
- pytest baseline: **38 unit tests passing**, integration scaffold ready for testcontainers
|
||||
Postgres (`/healthz` smoke included).
|
||||
|
||||
#### Spec deltas applied in this sprint
|
||||
|
||||
- **D-008** `ttp_version` table re-introduced alongside `run.snapshot_json` (overrides H32).
|
||||
- **D-009** `audit_log` hash chain (`prev_hash` / `row_hash`) shipped v1.
|
||||
- **D-010** UUID columns use SQLAlchemy 2 native `Uuid` mapping; no `type_annotation_map` on
|
||||
the declarative base (Flask-SQLAlchemy incompatibility).
|
||||
|
||||
Reference in New Issue
Block a user