# Changelog

All notable changes to Mimic. Format inspired by [Keep a Changelog](https://keepachangelog.com).
Versioning starts at `0.1.0` when sprint 0 lands.

## [Unreleased]

### Team decisions (2026-05-21)

- **Q1** — SOC client collaboration in the live cockpit is assumed valid (no PoC sheet).
- **Q2** — Mimic is deployed on RT infrastructure (not at client). SOC client connects over
  the internet through the existing RT reverse proxy (out of Mimic scope).
- **Q3** — Project framed as "improve the existing shared sheet workflow", not "rebuild Caldera".
- **T2** — C2 credentials stored in a dedicated `c2_credential` table with version + retirement
  (Fernet-encrypted `config_json`). Active row per engagement = `retired_at IS NULL`, max version.
- **T3** — Jinja templating exposes two accessors: `{{outputs.text}}` (stdout) and
  `{{outputs.blob("key")}}` (binary, 10 MB cap, UTF-8 with latin-1 fallback).
- **T4** — `soc_session.token_opaque` stores a bcrypt hash; the clear token is delivered
  out-of-band and never re-displayable.
- **Auth** — v1: local user/password (bcrypt + Flask session). v2: Keycloak OIDC mapping
  onto the same group model. RBAC is group-based from day one.

### Sprint 0 in progress

Repo skeleton, data model, `C2Connector` ABC, Jinja2 sandbox, local auth + RBAC, flat CRUD,
UX wireframes (mock data). No real connector, no reporting until PR1/PR2/PR3 land.