# Sprint 0 — Mimic

Repo skeleton + foundational modules. Nothing that depends on PR1/PR2/PR3.

## Backend (`backend`) — done in `feature/backend-skeleton`

- [x] B0.1 — `backend/` Python 3.12+ project: `pyproject.toml` (ruff, mypy strict, pytest,
      coverage 70 %), `Makefile` (Docker/Podman auto), multi-stage `Dockerfile`,
      `docker-compose.yml` for Postgres dev DB, `.env.example`.
- [x] B0.2 — Alembic baseline migration `202605210001_initial_schema` creates every table,
      enum, index, and the idempotent grants for the audit write-only Postgres role. **No
      `ttp_version` table** (D-009). Groups `rt_operator`, `rt_lead`, `soc_analyst` seeded
      with the exact F11 permission matrix (D-008).
- [x] B0.3 — SQLAlchemy 2 typed mapped classes for every spec §8 aggregate (engagement,
      host, user/group RBAC, ttp, scenario/scenario_step, run/run_step/cleanup, detection,
      evidence, report, soc_session, c2_credential, audit_log).
- [x] B0.4 — `C2Connector` ABC + dataclasses + `payload_type` enum + factory keyed on
      `c2_type`. Mythic payload map populated; Home stays empty until PR2.
- [x] B0.5 — Jinja2 SandboxedEnvironment, `regex_extract` filter (`google-re2` hard
      dependency per D-011, raises `RuntimeError` at boot if absent — no `re` fallback),
      fail-loud no-match, `{{ outputs.text }}` / `{{ outputs.blob() }}` accessors
      reading gzip-compressed blobs with 10 MB cap.
- [x] B0.6 — bcrypt password helpers + SOC opaque token (256-bit url-safe, bcrypt-hashed) +
      group-based RBAC matrix matching F11 + `@require_perm` decorator.
- [x] B0.7 — Flat CRUD blueprints for engagements / hosts / TTPs / scenarios (incl. step
      composition with F3 invariant `host.c2_type == scenario.c2_type`).
- [x] B0.8 — pytest baseline: unit tests passing, integration scaffold ready
      (testcontainers Postgres + `/healthz` smoke).

## Backend follow-ups (sprint 1+)

Tracked from code-review verdict on `feature/backend-skeleton` @ 12d131c:

### MINOR (8) — to schedule

- **M1** — Replace `parse_uuid` integer-ish lookup with `werkzeug` UUID converter on
  the routes (`<uuid:eid>`) to avoid the 404 on malformed strings being hidden by
  the 400 path.
- **M2** — Add OpenAPI generation (Pydantic 2 + `flask-pydantic-openapi` or hand-rolled).
- **M3** — Wire `flask-limiter` for `/auth/local/login` (NF-network).
- **M4** — Replace string-based `Engagement.status` setter with a typed transition method.
- **M5** — Introduce per-engagement read view that pre-joins `engagement_member` for
  RT operator dashboards (current per-request join is fine for v1 traffic, but
  re-evaluate at scale).
- **M6** — `mimic-cli user create` does not handle the SOC user-type (intended, but
  document and gate explicitly with a clean error message).
- **M7** — Add a `mimic-cli` `engagement add-member <uid> --role rt_operator` shortcut so
  the F11 scoping in MA6 is reachable from the CLI without manual SQL.
- **M8** — _(fixed in MA1 follow-up commit)_ Initial migration docstring no longer
  references `ttp_version`.

### NIT (6) — opportunistic

- **N1** — Sort imports inside `mimic.db.models.__init__` alphabetically for diff
  stability.
- **N2** — Extract the `_engagement_or_404` duplicated body into a shared helper.
- **N3** — Replace the inline `Permission.TTP_PROMOTE not in perms` check in `ttps.py`
  with a second `@require_perm`-style decorator.
- **N4** — _(fixed)_ `gunicorn` added to `pyproject.toml` dependencies.
- **N5** — Replace bare `getattr(current_user, "groups", frozenset())` accesses by a
  thin `current_groups()` helper.
- **N6** — `tests/integration/conftest.py` uses `db.create_all()` instead of running
  Alembic. Marked with a TODO; switch over once the F11 seed must be exercised in
  integration. Plan: convert to `alembic upgrade head` once the audit role
  bootstrap lives in the playbook (D-010).

## Frontend (`ux-frontend`)

- [x] F0.1 — `frontend/` Vite + React + TypeScript strict + Tailwind 4 + TanStack Query 5,
      eslint strict + prettier, Playwright skeleton.
- [x] F0.2 — Design system provisional: semantic tokens in `theme.css` (status colors, RT accent,
      data mono / UI sans), dark-first palette, placeholder logo.
- [x] F0.3 — Wireframes (via `frontend-design` skill) on mock data:
      Login + engagement selection, Live cockpit, Scenario composer,
      Report + MITRE matrix, TTP library + import.
- [x] F0.4 — Routing skeleton + role-aware layout shell (no real auth wired yet).
- [x] F0.5 — Push `feature/frontend-skeleton`, open PR for code-reviewer.
- [x] F0.6 — Polish M1-M3 from code-review (single SessionProvider, typo, fallback removal).

### Frontend follow-ups (sprint 1+, non-blocking, from review NITs)

- [ ] N1 — Tighten `readMockSession` payload validation when real auth wires up
      (currently checks only `role`; should validate the full `SessionUser` shape).
- [ ] N2 — Replace the UI-side recomposition of the `MIMIC-RUN:` marker in the
      cockpit's "Resolved command" panel with `resolvedCommandText` returned by
      the backend (`run_step_cleanup.resolved_command_text` for cleanup, equivalent
      field for steps when exposed).
- [ ] N3 — Wire `StatusRail.linkState` to the real WebSocket connection state once
      Flask-SocketIO is reachable (currently hardcoded `'up'`).
- [x] N4 — Unify `router.tsx` and any future router helpers under `src/routing/`
      (single naming, no split between root file and folder). _Addressed in F0.6:
      `src/routing/Root.tsx` introduced; `router.tsx` left at top level as the
      app-level entry that other code imports — split kept minimal._
- [ ] N5 — Actually import Recharts somewhere (likely the MITRE matrix or a latency
      chart) since it's declared in README + package.json but not yet used.
- [ ] N6 — When vendoring IBM Plex woff2 into `public/fonts/`, add
      `public/fonts/LICENSE.txt` (OFL-1.1) for license compliance.
- [ ] N7 — Add `frontend/.env.example` exposing `VITE_API_BASE_URL` and
      `VITE_WS_URL` once the backend publishes endpoints.

## Spec / Docs (`spec-analyst`)

- [ ] S0.1 — Cross-check the data model in B0.2 against §8 of the spec; report deltas before merge.
- [ ] S0.2 — Cross-check the RBAC matrix in B0.6 against F11; report deltas before merge.
- [ ] S0.3 — Maintain `tasks/spec-decisions.md` as new arbitrations land.
- [ ] S0.4 — Open `docs/architecture.md` once backend layout is committed.

## Review (`code-reviewer`)

- [ ] R0.1 — Review each PR per the published charter; block on security/OPSEC violations.
- [ ] R0.2 — Verify mypy strict and ruff clean before approving any backend PR.
- [ ] R0.3 — Verify TS strict, no `useEffect(fetch)`, exhaustive deps before approving any frontend PR.

## Conventions

- Branches: `feature/<scope>`, `fix/<scope>`, `docs/<scope>`, `chore/<scope>`. Long-lived: `main`.
- Commits: Conventional Commits (`feat:`, `fix:`, `chore:`, `docs:`, `test:`, `refactor:`).
- PRs: each branch → review (`code-reviewer`) → team-lead merges.
- No direct push to `main`.