feat(backend): add §8 data model + Alembic baseline (B0.2, B0.3)

- SQLAlchemy 2 typed mapped classes for every spec §8 aggregate: engagement, c2_credential, host, user, group, group_permission, user_group, engagement_member, ttp, ttp_version, scenario, scenario_step, run, run_step, run_step_cleanup, detection, evidence, report, soc_session, audit_log. - Shared mixins: UuidPkMixin (PG_UUID(as_uuid=True)) + TimestampsMixin. - StrEnum types covering every spec enum (C2Type, PayloadType, UserType, EngagementStatus, HostStatus, TtpSource, RunStatus, RunStepStatus, CleanupStatus, DetectionLevel, DetectionSource, EvidenceStatus). - Alembic baseline migration 202605210001_initial_schema: creates every table, enum, index, and idempotent grants for the audit_log write-only Postgres role (mimic_audit_writer). - Audit log carries prev_hash / row_hash from v1 (D-009). - ttp_version table coexists with run.snapshot_json (D-008, overrides H32).
2026-05-21 20:32:45 +02:00
parent 72a0e857a4
commit df8e4d8ef1
23 changed files with 1833 additions and 0 deletions
--- a/backend/src/mimic/db/models/soc_session.py
+++ b/backend/src/mimic/db/models/soc_session.py
@@ -0,0 +1,48 @@
+"""SOC analyst sessions (bcrypt-hashed opaque tokens).
+
+Decision D-006: bcrypt hash stored; the clear token is generated server-side at
+session creation, returned **once** in the API response and delivered out-of-band.
+Never re-displayable.
+"""
+
+from __future__ import annotations
+
+from datetime import datetime
+from typing import TYPE_CHECKING
+from uuid import UUID
+
+from sqlalchemy import DateTime, ForeignKey, String
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+
+from mimic.db.base import Base, TimestampsMixin, UuidPkMixin
+
+if TYPE_CHECKING:
+    from mimic.db.models.engagement import Engagement
+    from mimic.db.models.user import User
+
+
+class SocSession(UuidPkMixin, TimestampsMixin, Base):
+    __tablename__ = "soc_session"
+
+    user_id: Mapped[UUID] = mapped_column(
+        ForeignKey("user.id", ondelete="CASCADE"),
+        nullable=False,
+    )
+    engagement_id: Mapped[UUID] = mapped_column(
+        ForeignKey("engagement.id", ondelete="CASCADE"),
+        nullable=False,
+    )
+    token_hash: Mapped[str] = mapped_column(String(255), nullable=False, unique=True)
+    # bcrypt hash. Plain token returned once at creation.
+
+    expires_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), nullable=False
+    )
+    revoked_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
+
+    last_ip: Mapped[str | None] = mapped_column(String(64))
+    last_user_agent: Mapped[str | None] = mapped_column(String(512))
+    last_used_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True))
+
+    user: Mapped[User] = relationship(back_populates="soc_sessions")
+    engagement: Mapped[Engagement] = relationship()