Code-review MAJOR MA2. The previous `store_blob(root, data: bytes)` signature
forced the entire payload into RAM before the 10 MB cap was checked — a
hostile-large output blob could OOM the worker before the limit even fired.
New signature: `store_blob(root, stream, *, max_bytes=10_485_760)`. The
implementation:
- reads from `stream` in 64 KB chunks;
- updates the sha256 + writes to `<root>/.tmp-<pid>-<rand>.gz` incrementally;
- raises `BlobTooLarge(max_bytes)` as soon as the running total crosses the
cap, then unlinks the partial temp file via `contextlib.suppress`;
- atomic-renames the temp file to the CAS path `<aa>/<bb>/<sha256>.gz` once
the stream finishes;
- sets `0o750` on the directory and `0o640` on the file with explicit
`os.chmod` (does not rely on the process umask).
Updated unit tests cover: BlobTooLarge enforcement (with temp-file cleanup),
multi-chunk happy path (1.5 MB payload exercising the 64 KB loop), and
`max_bytes <= 0` validation.
Code-review MAJOR MA1. The previous `scripts/postgres-init/00-roles.sql`
hardcoded a `CHANGE_ME` password for `mimic_audit_writer` and was bind-mounted
into the dev Postgres container; on prod boxes this risks lingering as the
real credential.
- The init script was removed in the previous commit alongside the dropped
scripts dir.
- `docker-compose.yml` no longer mounts a `docker-entrypoint-initdb.d`
directory; the audit-writer role provisioning is the Ansible playbook's
responsibility (D-010).
- `backend/README.md` documents the manual one-shot `CREATE ROLE` command
for local dev with a placeholder password.
Net effect: no `CHANGE_ME` credential reaches a container image / git history.
The Alembic migration's `audit_log` grant block stays idempotent — it is a
no-op when the role is absent.
Code-review BLOCKER B1. Reaffirms D-011: a `re` stdlib fallback defeats the
OPSEC-safe-regex guarantee because hostile C2 output can trigger catastrophic
backtracking. The `[:1MB]` slice cap does not mitigate that — re-evaluating
a malicious pattern over 1 MB of attacker-controlled text is still a worker
freeze.
- `mimic.templating.filters` now imports `re2` unconditionally and raises
`RuntimeError` at module load if the binding is absent. No `re` import,
no `_HAS_RE2` branch, no `_FALLBACK_MAX_INPUT`.
- `pyproject.toml` already pinned `google-re2 >= 1.1, < 2.0`; this commit
hardens the import path to actually enforce it.
- New test `test_re2_is_required` asserts the binding is wired in.
Pre-merge sanity per devops checklist (ruff format --check, mypy --strict).
Type fixes:
- ORM models: `Mapped[dict]` → `Mapped[dict[str, Any]]` (audit, scenario, run,
report, ttp, detection.artifact_files_json). Equivalent on Pydantic DTOs
(TtpBase.params_schema_json, ScenarioStepBase.params_override_json).
- Rename `TtpRead.current_version` → `TtpRead.version` to mirror the ORM
column (which itself was renamed in D-009 cleanup).
- Flask blueprints: add `-> ResponseReturnValue` to every view, plus typed
UUID params on `_validate_step_consistency`.
- `templating/filters.py`: rewrite the conditional re2 import so mypy can
narrow the union (`ModuleType | None`); the runtime branch on `_re2 is not
None` removes the unused-ignore that was triggered by warn_unused_ignores.
- `pyproject.toml`: add `flask_login.*` and `pythonjsonlogger.*` to the
`[[tool.mypy.overrides]]` `ignore_missing_imports` list (both ship without
typed marker).
- Misc: drop stale `# type: ignore` comments (`app.py:36`,
`rbac/decorators.py:35`) flagged by `warn_unused_ignores`. Keep
`logging.JsonFormatter` ignore because the symbol exists at runtime but is
not re-exported through the typed surface.
Formatting:
- `ruff format` applied (15 files normalized; line-length unchanged at 100).
Verification on this commit:
- `ruff check` → All checks passed.
- `ruff format --check` → 68 files already formatted.
- `mypy --strict src` → Success: no issues found in 54 source files.
- `pytest tests/unit` → 49 passed.
D-011 — `regex_extract(text, pattern, *, group=1, name=None)`:
- engine google-re2 (linear-time, ReDoS-safe), `re` fallback with 1 MB cap.
- first match only.
- no match → raises Jinja2 `TemplateError` (no silent default — cleanup
templates must fail loud when source string drifts).
- default capture is group 1 with fallback to group(0) when the pattern has
no groups; named groups via `name="<name>"`.
D-012 — `outputs.blob()`:
- reads the gzip-compressed CAS file from `MIMIC_BLOB_ROOT`.
- 10 MB cap is applied **after** decompression.
- decode UTF-8 with latin-1 fallback; never raises (missing / corrupt /
non-gzip blobs return empty string, logged at WARNING).
Unit tests rewritten to cover both the new fail-loud regex contract and
the gzip read path. 49 unit tests pass; ruff clean.
D-009 reaffirms spec H32: no `ttp_version` table. Replayability lives solely
on `run.snapshot_json`. The previous initial migration introduced a separate
`ttp_version` aggregate by mistake — removed here.
D-008 requires the bootstrap to seed exactly the three F11 groups
(`rt_operator`, `rt_lead`, `soc_analyst`) with exactly the F11 permission
matrix. The migration now:
- inserts every `Permission` enum value into the `permission` table,
- inserts the three groups with deterministic uuid5(NAMESPACE_DNS, ...) ids,
- inserts the matching `group_permission` rows from GROUP_PERMISSIONS.
Also renames `ttp.current_version` to `ttp.version` (matches §8 spec column
name; the value remains informational per H32 / D-009).
- Flask app factory wires SQLAlchemy / Migrate / Login / SocketIO and
registers every blueprint. /healthz smoke endpoint included.
- Pydantic 2 DTOs (request/response) for engagement / host / TTP /
scenario aggregates with from_attributes=True conversion.
- Flat CRUD blueprints under /api/v1/:
* engagements (list / create / get / put / delete-as-archive)
* hosts (engagement-scoped CRUD)
* library/ttps (CRUD; promote requires the lead-only TTP_PROMOTE)
* scenarios + steps (F3 invariant enforced: host.c2_type must match
scenario.c2_type at compose time, 400 otherwise).
- @require_perm guards every endpoint per the F11 matrix.
- audit/ writer is hash-chained from v1 (SHA-256 of canonical record
plus previous hash). The SQL-level write-only role enforcement ships
in the deploy playbook (idempotent grants run at migration time).
- mimic-cli (click): user create (seeds RT operator/lead with group
membership), db dump / db restore (manual pg_dump/pg_restore, R-O1).
No orchestrator, no WebSocket, no report generation — those land after
PR1/PR2/PR3.
- Permission enum + GroupName enum + GROUP_PERMISSIONS mapping mirror
the F11 matrix in code (verifiable against the spec table in tests).
- @require_perm decorator: 401 on anonymous, 403 on missing permission,
passes through otherwise. Pure-function user_has() for unit-testing.
- AuthUser (Flask-Login wrapper) resolves the permission set from a
User's groups; load_user is the Flask-Login user_loader.
- bcrypt password hashing helpers (12 rounds by default, configurable).
- SOC opaque token (D-006): secrets.token_urlsafe(32), bcrypt-hashed at
rest, plain value returned once at creation and never re-displayable.
- Group-based RBAC from day one (D-003) — Keycloak OIDC in v2 maps onto
the same group model.
- CleanupRenderer wraps jinja2.sandbox.SandboxedEnvironment with
StrictUndefined (no autoescape — shell context, not HTML).
- Custom filter regex_extract(text, pattern, group=1, default='') uses
google-re2 for linear-time matching (ReDoS-safe) and falls back to
re with a 1 MB input cap when re2 is absent.
- StepOutputs exposes {{ outputs.text }} and {{ outputs.blob('name') }}.
blob() decodes UTF-8 with latin-1 fallback, hard-capped at 10 MB
(consistent with F8 evidence limit, D-005).
- render_cleanup() is the module-level convenience wrapper.
- abstract C2Connector with authenticate / list_hosts / execute_task /
get_task_result / cancel_task / execute_cleanup; stream_task_output
optional v1 (NotImplementedError).
- Payload / TaskHandle / TaskResult / TaskStatus frozen dataclasses.
- UnsupportedPayloadType raised when no native command maps to the
chosen (c2_type, payload_type) pair.
- Mythic payload_type → native command map populated (spec §7 table).
- HOME map left empty until PR2 is closed.
- ConnectorFactory: register_connector decorator + build(c2_type) that
instantiates + authenticates via an injected config resolver.
No real Mythic / Home implementations land in this sprint.
- pyproject.toml with ruff + mypy strict + pytest + coverage >=70%
- Makefile with Docker/Podman auto-detect
- Multi-stage Dockerfile (python:3.12-slim-bookworm, non-root user)
- docker-compose.yml for Postgres dev DB
- alembic.ini wired to src/mimic/db/migrations
- scripts/postgres-init/00-roles.sql seeds the audit writer role
- .env.example documents every MIMIC_* var (no secrets committed)
D-011 freezes the regex_extract Jinja filter signature
`regex_extract(text, pattern, *, group=1, name=None)`, google-re2 engine,
raise on no-match — unblocks backend B0.5 templating sandbox.
D-012 splits storage in two pools: `blobs/` (CAS sha256 + gzip) for C2
binary outputs and `evidence/` (flat per engagement) for user uploads,
10 MB per-blob cap, no global quota v1.
Q-001 and Q-002 removed from open-questions.md (resolved).
Q-003/Q-004/Q-005 marked `deferred` with explicit re-open conditions.
Captures the four grey areas team-lead flagged in the sprint 0 brief
(regex_extract semantics, output_blob_ref storage, /hosts/sync merge
behaviour, payload_type↔home-C2 mapping) plus stale-host policy.
No decisions taken: each entry lists options, a recommended default
if no decision is reached, and a "becomes blocking when…" trigger.
Resolved questions will move to spec-decisions.md as D-NNN entries.
D-008 frames the group-based RBAC layout as an OIDC-prep mechanism that must
seed exactly the three F11 spec roles and their canonical permission matrix.
Custom groups remain out of v1 scope.
D-009 reaffirms H32: replayability lives only on run.snapshot_json. The
ttp_version table listed in B0.2 must be dropped from the initial migration.
