knacky/mimic-big
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
05f60cde6d55b51ff942028e01cd9278b9e4d083
mimic-big/CHANGELOG.md
knacky 4ecf4b0b0e chore: tighten gitignore, align README stack, formalize D-010 (Ansible) 
- .gitignore: add Keycloak/Mythic/Fernet secret patterns (pfx, p12, token, kdbx,
  credentials.json, secrets.json, service-account*.json), MSVC artifacts
  (lib, exp, idb, ilk, tlog), dedup dist/build/ between Python and Node blocks.
- README.md: align Storage line on H38 (testcontainers Postgres for Postgres-
  specific behavior, incl. unit tests of audit log / RBAC / write-only role).
- README.md: align Deploy line on D-007/D-010 — Docker + Ansible playbook,
  reverse proxy explicitly out-of-Mimic.
- README.md: add proprietary internal use notice.
- CHANGELOG.md: convert markdown link to inline URL (no dangling reference).
- tasks/spec-decisions.md: add D-010 (Ansible for deployment playbook).

Addresses code-reviewer M1/M2/M3 + N2/N3/N4/N6 on commit 047583e.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-21 20:16:40 +02:00

27 lines
1.4 KiB
Markdown
Raw Blame History

# Changelog
All notable changes to Mimic. Format inspired by Keep a Changelog (https://keepachangelog.com).
Versioning starts at `0.1.0` when sprint 0 lands.
## [Unreleased]
### Team decisions (2026-05-21)
- **Q1** — SOC client collaboration in the live cockpit is assumed valid (no PoC sheet).
- **Q2** — Mimic is deployed on RT infrastructure (not at client). SOC client connects over
the internet through the existing RT reverse proxy (out of Mimic scope).
- **Q3** — Project framed as "improve the existing shared sheet workflow", not "rebuild Caldera".
- **T2** — C2 credentials stored in a dedicated `c2_credential` table with version + retirement
(Fernet-encrypted `config_json`). Active row per engagement = `retired_at IS NULL`, max version.
- **T3** — Jinja templating exposes two accessors: `{{outputs.text}}` (stdout) and
`{{outputs.blob("key")}}` (binary, 10 MB cap, UTF-8 with latin-1 fallback).
- **T4** — `soc_session.token_opaque` stores a bcrypt hash; the clear token is delivered
out-of-band and never re-displayable.
- **Auth** — v1: local user/password (bcrypt + Flask session). v2: Keycloak OIDC mapping
onto the same group model. RBAC is group-based from day one.
### Sprint 0 in progress
Repo skeleton, data model, `C2Connector` ABC, Jinja2 sandbox, local auth + RBAC, flat CRUD,
UX wireframes (mock data). No real connector, no reporting until PR1/PR2/PR3 land.
Reference in New Issue View Git Blame Copy Permalink