Unit (`tests/unit/test_user_schemas.py`):
- 4 tests on `UserCreate` (happy path, password min length, email
validation, invalid type).
- 2 tests on `UserUpdate` (all-optional, password validation when set).
- 3 tests on `EngagementMemberCreate` (default `"member"`, explicit role,
max-length 40).
- 4 tests on `PageQuery` (defaults, offset arithmetic, page_size cap,
page lower bound).
Integration (`tests/integration/test_user_mgmt_e2e.py`, marked
`integration`):
- The critical MA6-in-practice flow: rt_lead creates rt_operator, assigns
to engagement A, the operator signs in, lists engagements and sees only
A, `GET /engagements/B` returns 404 (anti-leak), `GET /engagements/B/members`
returns 404 too, `/engagements/A/members` is reachable, `GET /users` is
forbidden for the operator.
- `USER_MANAGE` gate: anonymous → 401, operator session → 403,
lead session → 200.
- 409 `email_taken` on duplicate `POST /users`.
- `/audit/log` is lead-only, paginates with `page_size`, filters by
`?action=`.
- Disabling a user blocks subsequent logins (same uniform
`invalid_credentials` envelope as for bad passwords — no enumeration
leak of "this account was disabled").
74 unit tests pass (61 sprint 1 + 13 sprint 2); integration tests run on
the testcontainers Postgres fixture in CI.
Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead
already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead
gets the new permission automatically, rt_operator and soc_analyst get 403.
Alembic migration `202605230001_add_user_manage_permission`:
- inserts the `user.manage` row into `permission`,
- inserts the `(rt_lead, user.manage)` link into `group_permission`,
- exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests.
The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised
to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New
migrations register themselves there without editing the historical one.
Verbatim wording from spec-analyst is recorded as D-015 in
`tasks/spec-decisions.md` (separate commit).
Unit:
- test_auth_schemas: LoginRequest validation (min/max bounds, extra-fields
policy) + serialize_current_user round-trip (RT lead permission set,
RT operator subset, display_name None pass-through).
Integration (testcontainers Postgres, marked `integration`):
- test_login_then_create_and_list_engagement: full sprint-1 user journey —
/me → 401, POST /login → 200, /me → 200, POST /engagements → 201,
GET /engagements lists the new row, POST /logout → 204, /me → 401.
- test_login_rejects_bad_credentials: wrong password AND unknown user
return the exact same 401 invalid_credentials envelope (no enumeration
leak).
- test_logout_without_session_returns_401: /logout on anonymous returns
the uniform not_authenticated envelope.
Unit total: 61 passed in 0.50s. Integration tests skip locally when
testcontainers is absent.
Code-review MAJOR MA3. The initial Alembic migration imported the live
`mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` /
`group_permission` rows. That breaks the Alembic invariant "a migration
produces the same schema regardless of when you replay it": a future tweak
to the runtime matrix would silently change the seeded baseline on a fresh
DB.
Two changes:
1. The migration now carries an *inline frozen snapshot* of the F11 matrix
(`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`).
The seed reads from these tuples/dicts only. If the canonical matrix
evolves, the next migration is responsible for the delta.
2. A new unit test `test_migration_seed_matches_current_matrix` enforces
that the frozen seed equals the runtime `Permission` enum and
`GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to
write a new migration instead of editing the existing one.
Also: docstring no longer mentions `ttp_version` (M8 follow-up).
Code-review MAJOR MA2. The previous `store_blob(root, data: bytes)` signature
forced the entire payload into RAM before the 10 MB cap was checked — a
hostile-large output blob could OOM the worker before the limit even fired.
New signature: `store_blob(root, stream, *, max_bytes=10_485_760)`. The
implementation:
- reads from `stream` in 64 KB chunks;
- updates the sha256 + writes to `<root>/.tmp-<pid>-<rand>.gz` incrementally;
- raises `BlobTooLarge(max_bytes)` as soon as the running total crosses the
cap, then unlinks the partial temp file via `contextlib.suppress`;
- atomic-renames the temp file to the CAS path `<aa>/<bb>/<sha256>.gz` once
the stream finishes;
- sets `0o750` on the directory and `0o640` on the file with explicit
`os.chmod` (does not rely on the process umask).
Updated unit tests cover: BlobTooLarge enforcement (with temp-file cleanup),
multi-chunk happy path (1.5 MB payload exercising the 64 KB loop), and
`max_bytes <= 0` validation.
Code-review BLOCKER B1. Reaffirms D-011: a `re` stdlib fallback defeats the
OPSEC-safe-regex guarantee because hostile C2 output can trigger catastrophic
backtracking. The `[:1MB]` slice cap does not mitigate that — re-evaluating
a malicious pattern over 1 MB of attacker-controlled text is still a worker
freeze.
- `mimic.templating.filters` now imports `re2` unconditionally and raises
`RuntimeError` at module load if the binding is absent. No `re` import,
no `_HAS_RE2` branch, no `_FALLBACK_MAX_INPUT`.
- `pyproject.toml` already pinned `google-re2 >= 1.1, < 2.0`; this commit
hardens the import path to actually enforce it.
- New test `test_re2_is_required` asserts the binding is wired in.
D-011 — `regex_extract(text, pattern, *, group=1, name=None)`:
- engine google-re2 (linear-time, ReDoS-safe), `re` fallback with 1 MB cap.
- first match only.
- no match → raises Jinja2 `TemplateError` (no silent default — cleanup
templates must fail loud when source string drifts).
- default capture is group 1 with fallback to group(0) when the pattern has
no groups; named groups via `name="<name>"`.
D-012 — `outputs.blob()`:
- reads the gzip-compressed CAS file from `MIMIC_BLOB_ROOT`.
- 10 MB cap is applied **after** decompression.
- decode UTF-8 with latin-1 fallback; never raises (missing / corrupt /
non-gzip blobs return empty string, logged at WARNING).
Unit tests rewritten to cover both the new fail-loud regex contract and
the gzip read path. 49 unit tests pass; ruff clean.
