140a34b81e
Backend pushed the authoritative contract in docs/api.md and tightened the error envelope via a global HTTPException handler (dd5c508). This commit folds the frontend onto that contract — every drift flagged by the code-reviewer MAJOR is closed. Types (src/types/api.ts) - User: `id` → `user_id`; `display_name` is `string | null`; add `permissions: string[]` and `groups: string[]`; drop `engagement_id` and `engagement_name` (not part of CurrentUser). - Engagement: drop `name`, `client_name` is non-null `string`; status enum aligned to `draft | active | closed | archived`; `c2_type` is non-null `C2Type`; drop `created_at` (not in EngagementRead v1). - EngagementCreate body: `client_name` required, plus optional `description`, `c2_type`, `start_date`, `end_date`. No `name`. - Replace ApiError + ApiValidationError with a single uniform envelope: `{ error: string, message: string, details?: PydanticErrorItem[] }`, matching the new HTTPException handler. PydanticErrorItem is the per-field shape on 422 (`{ loc, msg, type }`). Fetch client (src/lib/api.ts) - `bodyAsApiError` now recognizes the uniform envelope by shape (error+message strings). Anything else returns null so callers fall back to a generic message — keeps us robust if the backend ever emits a non-JSON response. Engagements API (src/screens/engagements/engagementsApi.ts) - Drop the `{ items: [] }` envelope tolerance — backend serves a bare `Engagement[]`. - Hit `/engagements/` with trailing slash explicitly; backend now sets `strict_slashes=False` but staying consistent with docs/api.md. EngagementsPage - Status tone map switched to the new enum (`draft → pending`, `closed → soc`). - Drop "Name" column. `client_name` is the primary identifier; the description column replaces the now-meaningless name field. - `c2_type` is non-null, so no nullable rendering path. EngagementCreateDialog - Drop `name` field. New required field is `client_name`; add a `c2_type` select (default `mythic`); brief textarea stays optional. - `mapValidationErrors` now reads `body.details[*].loc` (last segment matches the form field) — direct alignment with the backend's new shape afterdd5c508. - 401 still surfaces "Session expirée"; 403 gains a dedicated message; other errors fall back to a capitalized backend `message` when available, then to a generic French string. Sidebar - Display fallback: `user.display_name ?? user.username` (now nullable). - Drop the `ENG · {engagement_name}` line; show `user.username` (the email) as the secondary identity instead. LoginPage - Field label "Username" → "Email or username" so RT users with email accounts find the field semantically obvious (per docs/api.md note on the username/email mapping). Tests (Vitest, 14 cases, all green) - Refreshed fixtures to the new shapes (no more `name`, no `created_at`, status `draft`, envelopes carry `error`+`message`). - New 422 test exercises the `details[*].loc` mapping shape. - New 401 test on the dialog covers the top-of-form alert path.
Mimic
Internal BAS (Breach & Attack Simulation) platform for the Red Team. Replays TTPs from engagement journals or an internal ATT&CK library against client infrastructure through VPN/relay, in white-glove coordination with the SOC.
Output: a coverage report mapped to MITRE ATT&CK — measurable, reproducible, archived.
Status
ready-with-prereqs — spec frozen on 2026-05-19, 23 review patches integrated.
Code start blocked on:
- PR1 — Mythic API documentation + pinned version (lead RT)
- PR2 — Internal C2 interface spec + journal export example (internal C2 team)
- PR3 — RT graphic charter for the PDF report (lead RT)
While PR1/PR2/PR3 are open, sprint 0 focuses on the unblocked skeleton.
Spec
The authoritative spec lives in the RT-SecondBrain vault:
Projects/Mimic — Spec.md. Do not duplicate it here.
In-repo documentation:
CHANGELOG.md— chronological log of features, decisions, rollbacks.tasks/spec-decisions.md— implementation arbitrations on top of the spec.tasks/todo.md— current sprint backlog.
Stack (frozen)
- Backend Python 3.12 / Flask / Flask-SocketIO / SQLAlchemy 2 / Pydantic 2 / Alembic / WeasyPrint / pytest + testcontainers / ruff / mypy strict
- Frontend TypeScript / React 18+ / Vite / Tailwind 4 / TanStack Query 5 / Recharts / Playwright
- Storage Postgres (prod) / SQLite (pure-logic unit tests) / testcontainers Postgres (audit log, RBAC, write-only role — incl. unit tests of Postgres-specific behavior, per H38)
- Deploy Docker images + Ansible deployment playbook (per D-010). Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT infrastructure, out of Mimic scope (D-007).
Layout
mimic/
├── backend/ # Flask app, connectors, orchestrator, reporting, CLI
├── frontend/ # Vite + React app
├── docs/ # Architecture notes, ADRs, deployment
└── tasks/ # Sprint backlog, decisions, lessons
Conventions
- Branches:
feature/<scope>,fix/<scope>,docs/<scope>,chore/<scope>. Long-lived:main. - Commits: Conventional Commits (
feat:,fix:,chore:,docs:,test:,refactor:). - PRs: each branch → review (
code-reviewer) → team-lead merges. No direct push tomain.
Build & run
make targets land at the end of sprint 0. For now the repo is skeleton-only.
Licensing
Internal — proprietary, RT use only. Do not redistribute.