# Sprint 0 — Mimic

Repo skeleton + foundational modules. Nothing that depends on PR1/PR2/PR3.

## Backend (`backend`) — done in `feature/backend-skeleton`

- [x] B0.1 — `backend/` Python 3.12+ project: `pyproject.toml` (ruff, mypy strict, pytest,
      coverage 70 %), `Makefile` (Docker/Podman auto), multi-stage `Dockerfile`,
      `docker-compose.yml` for Postgres dev DB, `.env.example`.
- [x] B0.2 — Alembic baseline migration `202605210001_initial_schema` creates every table,
      enum, index, and the idempotent grants for the audit write-only Postgres role. **No
      `ttp_version` table** (D-009). Groups `rt_operator`, `rt_lead`, `soc_analyst` seeded
      with the exact F11 permission matrix (D-008).
- [x] B0.3 — SQLAlchemy 2 typed mapped classes for every spec §8 aggregate (engagement,
      host, user/group RBAC, ttp, scenario/scenario_step, run/run_step/cleanup, detection,
      evidence, report, soc_session, c2_credential, audit_log).
- [x] B0.4 — `C2Connector` ABC + dataclasses + `payload_type` enum + factory keyed on
      `c2_type`. Mythic payload map populated; Home stays empty until PR2.
- [x] B0.5 — Jinja2 SandboxedEnvironment, `regex_extract` filter (google-re2 with `re`
      fallback) per D-011 semantics (fail-loud no-match), `{{ outputs.text }}` /
      `{{ outputs.blob() }}` accessors with 10 MB cap.
- [x] B0.6 — bcrypt password helpers + SOC opaque token (256-bit url-safe, bcrypt-hashed) +
      group-based RBAC matrix matching F11 + `@require_perm` decorator.
- [x] B0.7 — Flat CRUD blueprints for engagements / hosts / TTPs / scenarios (incl. step
      composition with F3 invariant `host.c2_type == scenario.c2_type`).
- [x] B0.8 — pytest baseline: unit tests passing, integration scaffold ready
      (testcontainers Postgres + `/healthz` smoke).

## Frontend (`ux-frontend`)

- [ ] F0.1 — `frontend/` Vite + React + TypeScript strict + Tailwind 4 + TanStack Query 5,
      eslint strict + prettier, Playwright skeleton.
- [ ] F0.2 — Design system provisional: semantic tokens in `theme.css` (status colors, RT accent,
      data mono / UI sans), dark-first palette, placeholder logo.
- [ ] F0.3 — Wireframes (via `frontend-design` skill) on mock data:
      Login + engagement selection, Live cockpit, Scenario composer,
      Report + MITRE matrix, TTP library + import.
- [ ] F0.4 — Routing skeleton + role-aware layout shell (no real auth wired yet).

## Spec / Docs (`spec-analyst`)

- [ ] S0.1 — Cross-check the data model in B0.2 against §8 of the spec; report deltas before merge.
- [ ] S0.2 — Cross-check the RBAC matrix in B0.6 against F11; report deltas before merge.
- [ ] S0.3 — Maintain `tasks/spec-decisions.md` as new arbitrations land.
- [ ] S0.4 — Open `docs/architecture.md` once backend layout is committed.

## Review (`code-reviewer`)

- [ ] R0.1 — Review each PR per the published charter; block on security/OPSEC violations.
- [ ] R0.2 — Verify mypy strict and ruff clean before approving any backend PR.
- [ ] R0.3 — Verify TS strict, no `useEffect(fetch)`, exhaustive deps before approving any frontend PR.

## Conventions

- Branches: `feature/<scope>`, `fix/<scope>`, `docs/<scope>`, `chore/<scope>`. Long-lived: `main`.
- Commits: Conventional Commits (`feat:`, `fix:`, `chore:`, `docs:`, `test:`, `refactor:`).
- PRs: each branch → review (`code-reviewer`) → team-lead merges.
- No direct push to `main`.