3a3e3ff0ec
Three follow-ups on the flat CRUD blueprints triggered by code-review + spec-analyst (MA4, MA5, MA6). **MA4 — `created_by_id`** — engagements, TTPs and scenarios now record the creator from `current_user.id` instead of leaving the FK NULL. The new `api._helpers.current_user_id()` exposes the UUID safely (returns None when the request is unauthenticated, e.g. during /healthz). **MA5 — Audit log integration** — `api._helpers.audit_write(...)` wraps the hash-chained `AuditWriter` and is called after every successful commit in the 4 blueprints (engagement / host / ttp / scenario incl. step), recording the actor, action, resource type/id, IP, user agent, and small metadata (field list, names, engagement scope). F13 "Toute mutation tracée" now holds end-to-end. **MA6 — RT operator scope on engagements** — F11 limits RT operators to "engagements assignés". The previous implementation let them list / read every engagement and every nested resource. Fix: `is_rt_lead()` short- circuits the check for RT leads; otherwise a membership probe against `engagement_member` runs on every list/read and on `_engagement_or_404` in `hosts.py` and `scenarios.py`. Listings now `JOIN engagement_member` and filter by `current_user.id`. `audit_write` casts `db.session` (a `scoped_session` proxy) to the unwrapped `sqlalchemy.orm.Session` that `AuditWriter` expects; the two are interchangeable at runtime. The promotion-perm check on TTPs no longer needs a lazy `flask_login` import since the decorator scope already brings `current_user` in.
Mimic
Internal BAS (Breach & Attack Simulation) platform for the Red Team. Replays TTPs from engagement journals or an internal ATT&CK library against client infrastructure through VPN/relay, in white-glove coordination with the SOC.
Output: a coverage report mapped to MITRE ATT&CK — measurable, reproducible, archived.
Status
ready-with-prereqs — spec frozen on 2026-05-19, 23 review patches integrated.
Code start blocked on:
- PR1 — Mythic API documentation + pinned version (lead RT)
- PR2 — Internal C2 interface spec + journal export example (internal C2 team)
- PR3 — RT graphic charter for the PDF report (lead RT)
While PR1/PR2/PR3 are open, sprint 0 focuses on the unblocked skeleton.
Spec
The authoritative spec lives in the RT-SecondBrain vault:
Projects/Mimic — Spec.md. Do not duplicate it here.
In-repo documentation:
CHANGELOG.md— chronological log of features, decisions, rollbacks.tasks/spec-decisions.md— implementation arbitrations on top of the spec.tasks/todo.md— current sprint backlog.
Stack (frozen)
- Backend Python 3.12 / Flask / Flask-SocketIO / SQLAlchemy 2 / Pydantic 2 / Alembic / WeasyPrint / pytest + testcontainers / ruff / mypy strict
- Frontend TypeScript / React 18+ / Vite / Tailwind 4 / TanStack Query 5 / Recharts / Playwright
- Storage Postgres (prod) / SQLite (pure-logic unit tests) / testcontainers Postgres (audit log, RBAC, write-only role — incl. unit tests of Postgres-specific behavior, per H38)
- Deploy Docker images + Ansible deployment playbook (per D-010). Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT infrastructure, out of Mimic scope (D-007).
Layout
mimic/
├── backend/ # Flask app, connectors, orchestrator, reporting, CLI
├── frontend/ # Vite + React app
├── docs/ # Architecture notes, ADRs, deployment
└── tasks/ # Sprint backlog, decisions, lessons
Conventions
- Branches:
feature/<scope>,fix/<scope>,docs/<scope>,chore/<scope>. Long-lived:main. - Commits: Conventional Commits (
feat:,fix:,chore:,docs:,test:,refactor:). - PRs: each branch → review (
code-reviewer) → team-lead merges. No direct push tomain.
Build & run
make targets land at the end of sprint 0. For now the repo is skeleton-only.
Licensing
Internal — proprietary, RT use only. Do not redistribute.