6aa0078fd3
Foundations for the sprint 1 backend wiring. No UI behavior change beyond the loading state in AppShell, but everything below the wire is now real: - vite.config.ts adds `server.proxy['/api']` → http://localhost:5000 (overridable via VITE_DEV_API_TARGET). In prod Caddy routes /api → backend on the same origin, so the same `/api/v1/...` paths work without changes. - src/types/api.ts hand-rolled against the backend Pydantic schemas. User / Engagement / EngagementCreate / Login / ApiError / ApiValidationError. Should be regenerated from OpenAPI once backend exposes it. - src/lib/api.ts: thin fetch wrapper. Always credentials:'include' so the HttpOnly session cookie travels. 4xx/5xx normalize into ApiClientError with typed `body` (ApiError | ApiValidationError | null). No retry loop — that's TanStack Query's policy. - src/session/sessionApi.ts: 1:1 functions for /auth/me, /auth/login, /auth/logout. fetchMe maps 401 → null so "unauthenticated" is data, not an error. - src/session/useSession.ts: now a TanStack Query hook against SESSION_QUERY_KEY (`['session']`). Returns { user, isLoading, isError, signOut, isSigningOut }. Cookie is the source of truth, server is the resolver, query is the cache. - Drop sessionStorage mock layer entirely: src/mocks/session.ts, src/session/SessionContext.{tsx,context.ts}, src/routing/Root.tsx all removed. No more provider tree — QueryClientProvider in App.tsx is the only global state container. - AppShell renders a "resolving session" state during /auth/me's first flight so users with a valid cookie don't see a /login flash on direct navigation to a protected URL. - StatusRail gains an optional `sessionState="resolving"` slot used by the loading shell. - Sidebar's Sign-out wires POST /auth/logout, invalidates the session cache, and always navigates to /login regardless of the call outcome (a failed logout still expires the local cache so users aren't stuck on a broken cookie). - types/roles.ts loses SessionUser (replaced by api.ts User which is the authoritative shape).
Mimic
Internal BAS (Breach & Attack Simulation) platform for the Red Team. Replays TTPs from engagement journals or an internal ATT&CK library against client infrastructure through VPN/relay, in white-glove coordination with the SOC.
Output: a coverage report mapped to MITRE ATT&CK — measurable, reproducible, archived.
Status
ready-with-prereqs — spec frozen on 2026-05-19, 23 review patches integrated.
Code start blocked on:
- PR1 — Mythic API documentation + pinned version (lead RT)
- PR2 — Internal C2 interface spec + journal export example (internal C2 team)
- PR3 — RT graphic charter for the PDF report (lead RT)
While PR1/PR2/PR3 are open, sprint 0 focuses on the unblocked skeleton.
Spec
The authoritative spec lives in the RT-SecondBrain vault:
Projects/Mimic — Spec.md. Do not duplicate it here.
In-repo documentation:
CHANGELOG.md— chronological log of features, decisions, rollbacks.tasks/spec-decisions.md— implementation arbitrations on top of the spec.tasks/todo.md— current sprint backlog.
Stack (frozen)
- Backend Python 3.12 / Flask / Flask-SocketIO / SQLAlchemy 2 / Pydantic 2 / Alembic / WeasyPrint / pytest + testcontainers / ruff / mypy strict
- Frontend TypeScript / React 18+ / Vite / Tailwind 4 / TanStack Query 5 / Recharts / Playwright
- Storage Postgres (prod) / SQLite (pure-logic unit tests) / testcontainers Postgres (audit log, RBAC, write-only role — incl. unit tests of Postgres-specific behavior, per H38)
- Deploy Docker images + Ansible deployment playbook (per D-010). Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT infrastructure, out of Mimic scope (D-007).
Layout
mimic/
├── backend/ # Flask app, connectors, orchestrator, reporting, CLI
├── frontend/ # Vite + React app
├── docs/ # Architecture notes, ADRs, deployment
└── tasks/ # Sprint backlog, decisions, lessons
Conventions
- Branches:
feature/<scope>,fix/<scope>,docs/<scope>,chore/<scope>. Long-lived:main. - Commits: Conventional Commits (
feat:,fix:,chore:,docs:,test:,refactor:). - PRs: each branch → review (
code-reviewer) → team-lead merges. No direct push tomain.
Build & run
make targets land at the end of sprint 0. For now the repo is skeleton-only.
Licensing
Internal — proprietary, RT use only. Do not redistribute.