Unit:
- test_auth_schemas: LoginRequest validation (min/max bounds, extra-fields
policy) + serialize_current_user round-trip (RT lead permission set,
RT operator subset, display_name None pass-through).
Integration (testcontainers Postgres, marked `integration`):
- test_login_then_create_and_list_engagement: full sprint-1 user journey —
/me → 401, POST /login → 200, /me → 200, POST /engagements → 201,
GET /engagements lists the new row, POST /logout → 204, /me → 401.
- test_login_rejects_bad_credentials: wrong password AND unknown user
return the exact same 401 invalid_credentials envelope (no enumeration
leak).
- test_logout_without_session_returns_401: /logout on anonymous returns
the uniform not_authenticated envelope.
Unit total: 61 passed in 0.50s. Integration tests skip locally when
testcontainers is absent.
Code-review MAJOR MA3. The initial Alembic migration imported the live
`mimic.rbac.matrix.GROUP_PERMISSIONS` to seed the `permission` / `group` /
`group_permission` rows. That breaks the Alembic invariant "a migration
produces the same schema regardless of when you replay it": a future tweak
to the runtime matrix would silently change the seeded baseline on a fresh
DB.
Two changes:
1. The migration now carries an *inline frozen snapshot* of the F11 matrix
(`_PERMISSIONS_FROZEN`, `_GROUP_PERMISSIONS_FROZEN`, `_GROUP_DESCRIPTIONS`).
The seed reads from these tuples/dicts only. If the canonical matrix
evolves, the next migration is responsible for the delta.
2. A new unit test `test_migration_seed_matches_current_matrix` enforces
that the frozen seed equals the runtime `Permission` enum and
`GROUP_PERMISSIONS` mapping. Drift now fails CI loudly with a hint to
write a new migration instead of editing the existing one.
Also: docstring no longer mentions `ttp_version` (M8 follow-up).
Code-review MAJOR MA2. The previous `store_blob(root, data: bytes)` signature
forced the entire payload into RAM before the 10 MB cap was checked — a
hostile-large output blob could OOM the worker before the limit even fired.
New signature: `store_blob(root, stream, *, max_bytes=10_485_760)`. The
implementation:
- reads from `stream` in 64 KB chunks;
- updates the sha256 + writes to `<root>/.tmp-<pid>-<rand>.gz` incrementally;
- raises `BlobTooLarge(max_bytes)` as soon as the running total crosses the
cap, then unlinks the partial temp file via `contextlib.suppress`;
- atomic-renames the temp file to the CAS path `<aa>/<bb>/<sha256>.gz` once
the stream finishes;
- sets `0o750` on the directory and `0o640` on the file with explicit
`os.chmod` (does not rely on the process umask).
Updated unit tests cover: BlobTooLarge enforcement (with temp-file cleanup),
multi-chunk happy path (1.5 MB payload exercising the 64 KB loop), and
`max_bytes <= 0` validation.
Code-review BLOCKER B1. Reaffirms D-011: a `re` stdlib fallback defeats the
OPSEC-safe-regex guarantee because hostile C2 output can trigger catastrophic
backtracking. The `[:1MB]` slice cap does not mitigate that — re-evaluating
a malicious pattern over 1 MB of attacker-controlled text is still a worker
freeze.
- `mimic.templating.filters` now imports `re2` unconditionally and raises
`RuntimeError` at module load if the binding is absent. No `re` import,
no `_HAS_RE2` branch, no `_FALLBACK_MAX_INPUT`.
- `pyproject.toml` already pinned `google-re2 >= 1.1, < 2.0`; this commit
hardens the import path to actually enforce it.
- New test `test_re2_is_required` asserts the binding is wired in.
D-011 — `regex_extract(text, pattern, *, group=1, name=None)`:
- engine google-re2 (linear-time, ReDoS-safe), `re` fallback with 1 MB cap.
- first match only.
- no match → raises Jinja2 `TemplateError` (no silent default — cleanup
templates must fail loud when source string drifts).
- default capture is group 1 with fallback to group(0) when the pattern has
no groups; named groups via `name="<name>"`.
D-012 — `outputs.blob()`:
- reads the gzip-compressed CAS file from `MIMIC_BLOB_ROOT`.
- 10 MB cap is applied **after** decompression.
- decode UTF-8 with latin-1 fallback; never raises (missing / corrupt /
non-gzip blobs return empty string, logged at WARNING).
Unit tests rewritten to cover both the new fail-loud regex contract and
the gzip read path. 49 unit tests pass; ruff clean.
