diff --git a/CHANGELOG.md b/CHANGELOG.md index 8aeb479..4d3dcef 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -28,7 +28,7 @@ UX wireframes (mock data). No real connector, no reporting until PR1/PR2/PR3 lan #### Backend skeleton (`feature/backend-skeleton`) - `backend/` Python 3.12+ project: `pyproject.toml` (ruff, mypy strict, pytest, coverage 70 %), - `Makefile` (Docker/Podman auto-detect), multi-stage `Dockerfile`, `docker-compose.yml` for + `Makefile` (Docker/Podman auto-detect), multi-stage `Dockerfile`, `compose.yml` for Postgres dev DB, `.env.example`. - Full §8 data model in SQLAlchemy 2 typed mapped classes: `engagement`, `c2_credential`, `host`, `user`, `group`, `permission`, `group_permission`, `user_group`, diff --git a/docs/architecture.md b/docs/architecture.md index 7d2c451..c834d35 100644 --- a/docs/architecture.md +++ b/docs/architecture.md @@ -25,7 +25,7 @@ mimic/ Deployment artifacts (Ansible playbook, prod compose) live outside the repo in the RT infra repo (D-010). Mimic ships only Dockerfiles and a dev -`docker-compose.yml`. +`compose.yml`. ## Backend module tree diff --git a/tasks/todo.md b/tasks/todo.md index fc0fa13..0d44247 100644 --- a/tasks/todo.md +++ b/tasks/todo.md @@ -6,7 +6,7 @@ Repo skeleton + foundational modules. Nothing that depends on PR1/PR2/PR3. - [x] B0.1 — `backend/` Python 3.12+ project: `pyproject.toml` (ruff, mypy strict, pytest, coverage 70 %), `Makefile` (Docker/Podman auto), multi-stage `Dockerfile`, - `docker-compose.yml` for Postgres dev DB, `.env.example`. + `compose.yml` for Postgres dev DB, `.env.example`. - [x] B0.2 — Alembic baseline migration `202605210001_initial_schema` creates every table, enum, index, and the idempotent grants for the audit write-only Postgres role. **No `ttp_version` table** (D-009). Groups `rt_operator`, `rt_lead`, `soc_analyst` seeded 
@@ -111,6 +111,34 @@ Tracked from code-review verdict on `feature/backend-skeleton` @ 12d131c: - [ ] R0.2 — Verify mypy strict and ruff clean before approving any backend PR. - [ ] R0.3 — Verify TS strict, no `useEffect(fetch)`, exhaustive deps before approving any frontend PR. +## CI follow-ups (sprint 1+) (`devops`) + +Raised by `code-reviewer` during review of `chore/podman-and-ci` (M2-M3 + N1-N6). +None blocking, all deferred to sprint 1+. + +- [ ] M2 — `backend/Makefile` `$(COMPOSE)` detection: invert legacy `docker-compose` v1 + probe, prefer the Compose v2 plugin (`$(CONTAINER) compose`) first. +- [ ] M3 — `.gitea/workflows/ci.yml` backend job: chain `apt-get update && apt-get install` + in one `RUN`-style step and drop `rm -rf /var/lib/apt/lists/*` (no-op in an + ephemeral CI container). +- [ ] N1 — Smoke workflow `cat /etc/os-release | head -3` → use `head -3 /etc/os-release` + (moot once smoke.yml is removed; track here in case smoke is reintroduced). +- [ ] N2 — `.gitea/workflows/ci.yml` `pull_request:` trigger: restrict to `branches: [main]` + to avoid double-running on PR retargets. +- [ ] N3 — Anticipate single-runner serialization: jobs will queue. Plan a second + runner (different host or `capacity: >1`) before scaling sprint 2+ workload. +- [ ] N4 — Add top-level `concurrency: { group: ${{ github.ref }}, cancel-in-progress: true }` + to cancel superseded PR runs. +- [ ] N5 — CI uses `MIMIC_DATABASE_AUDIT_URL == MIMIC_DATABASE_URL` (same role). + Acceptable for unit tests; integration tests covering the audit write-only + role must provision a separate `mimic_audit_writer` role in the Postgres + service before they can run. +- [ ] N6 — Cache pip + npm via `actions/cache@v4` (verify Gitea Actions fork support + before adoption; fallback to manual cache volume on the runner if unsupported). +- [ ] FERNET-KEY — Provision `FERNET_KEY_TEST` Gitea repo secret before sprint 1 + wires `c2_credential.config_fernet` (D-004). 
`config.py:32` accepts an empty + default at boot but `Fernet(b"")` raises `ValueError` at first use. + ## Conventions - Branches: `feature/`, `fix/`, `docs/`, `chore/`. Long-lived: `main`.
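Review bot: the CHANGELOG hunk rewrites the existing backend-skeleton entry so that it now reads `compose.yml` instead of recording the rename as its own entry, and this patch touches only the three Markdown files, with no rename of the compose file itself visible. If the file was renamed in a separate commit, add a one-line changelog entry for the rename so the history of the skeleton PR stays accurate; if it has not been renamed yet, the docs and the todo list now point at a file that does not exist.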
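Review bot: in the `tasks/todo.md` B0.1 hunk, `compose.yml` now sits next to a `Makefile` with Docker/Podman auto-detect, while M2 further down states that `$(COMPOSE)` detection still probes legacy `docker-compose` v1 first. Confirm that whichever binary `$(COMPOSE)` resolves to picks up `compose.yml` by default, or pass `-f compose.yml` explicitly in the Makefile compose targets, so the rename does not silently break `make` on a host where the v1 probe wins.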
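Review bot: in the CI follow-ups hunk, N4's top-level `concurrency: { group: ${{ github.ref }}, cancel-in-progress: true }` would also cancel an in-flight run on a push to `main`, not only the superseded PR runs the item intends; include the workflow name in the group and make `cancel-in-progress` conditional on the event being a pull request (verify Gitea Actions honours an expression there, as N6 already asks for `actions/cache@v4`), or attach the block only to the PR trigger, so a `main` build is never cancelled by the next push. Two smaller points: the section header says none of these items are blocking and all are deferred to sprint 1+, yet FERNET-KEY must be provisioned before sprint 1 wires `c2_credential.config_fernet`, so it is really a prerequisite and should be flagged as such; and since `config.py:32` accepts an empty default while `Fernet(b"")` only raises `ValueError` at first use, consider validating the key at boot so a missing `FERNET_KEY_TEST` fails at container start instead of at the first use.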