2ead16114d
D-011 freezes the regex_extract Jinja filter signature `regex_extract(text, pattern, *, group=1, name=None)`, google-re2 engine, raise on no-match — unblocks backend B0.5 templating sandbox. D-012 splits storage in two pools: `blobs/` (CAS sha256 + gzip) for C2 binary outputs and `evidence/` (flat per engagement) for user uploads, 10 MB per-blob cap, no global quota v1. Q-001 and Q-002 removed from open-questions.md (resolved). Q-003/Q-004/Q-005 marked `deferred` with explicit re-open conditions.
3.5 KiB
3.5 KiB
Open spec questions
Structured questions raised in flight by the team. Each entry is a candidate for
team-lead escalation before code touches the area. Resolved questions move
to spec-decisions.md (with a D-NNN id) and are deleted from here.
Format:
- Q-NNN — one-line title
- Where it bites: the F* or §-anchor in the spec
- What is silent: the precise gap
- Options: numbered alternatives with tradeoffs
- Recommended default if no decision: the safest path forward
- Status:
open/deferred — re-open when …/ resolved entries are moved tospec-decisions.md
Q-003 — /engagements/:id/hosts/sync merge semantics
- Status: deferred — re-open when F4 sync endpoint lands (post-sprint-0, needs PR1 closed).
- Where it bites: F4 + §9 endpoint
/engagements/:id/hosts/sync. - What is silent:
- Merge vs replace: do hosts that disappear from C2 get deleted, marked
status = "stale", or kept untouched? - What if a manually-added host conflicts (same hostname, different
c2_session_id)? - Source of truth: the C2 session ID, the hostname, the IP, a tuple?
- Cascading effect: a
hostreferenced byscenario_step.host_iddeleted mid-engagement breaks the scenario silently.
- Merge vs replace: do hosts that disappear from C2 get deleted, marked
- Options:
- Merge + mark stale: insert new, update changed, mark missing as
status = "stale"(never delete). Conflicts: manual entry wins, C2-synced entry is appended with a suffix and an audit_log entry. - Replace: delete all sync-sourced rows, reinsert from C2. Manual entries kept untouched. Simple but loses history.
- Merge by tuple
(hostname, c2_session_id)with status tracking, conflicts always raise and require manual resolution UI.
- Merge + mark stale: insert new, update changed, mark missing as
- Recommended default if no decision: option 1. Stale > deleted: a deleted
host breaks
scenario_step.host_idand the audit trail. Conflict policy: manual wins, C2 entry suffixed and audit-logged.
Q-004 — payload_type → C2 home command mapping (depends on PR2)
- Status: deferred — re-open with PR2 (internal C2 interface spec).
- Where it bites: §7 enum
payload_type, right column "C2 maison" is fully TBD; F2 import journal C2 home parser; B0.4C2Connectorfactory. - What is silent: entirety of the C2 home mapping table, plus the exact
return semantics of
HomeConnector.execute_task / get_task_result / cancel_task / execute_cleanup(PR2). - Options: no in-flight options — this is owned by PR2.
- Recommended default if no decision: keep
HomeConnectoras a stub that raisesNotImplementedError(per B0.4: "no real implementation"). Block any attempt to shipHomeConnectorv1 logic until PR2 is closed.
Q-005 — Stale-host policy after engagement archival
- Status: deferred — re-open with the F12 archival CLI.
- Where it bites: §8
host.status, engagement lifecycle, F12. - What is silent: when an engagement is archived, what happens to its hosts? Detach session, freeze status, leave as-is?
- Options:
- Set
host.status = "archived"cascading fromengagement.status. - Keep status untouched, rely on
engagement.statusupstream.
- Set
- Recommended default if no decision: option 2 — engagement state is the single source of truth, hosts inherit by JOIN.
Resolved (moved to spec-decisions.md)
- Q-001 → D-011 —
regex_extractJinja2 filter semantics. - Q-002 → D-012 —
output_blob_refstorage layout.