knacky/mimic-big
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
40 Commits 2 Branches 1 Tag
a8c5400f974b3af136cdf2c296945e5c239e128a
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
knacky a8c5400f97
Some checks failed
ci / backend (lint + typecheck + unit tests) (push) Failing after 0s
Details
ci / frontend (lint + typecheck + build + unit tests) (push) Failing after 0s
Details
docs: add production deployment guide 
Operational runbook for rolling Mimic to RT infrastructure. Scope is
the application repo only; the Ansible playbook (D-010) and Caddy
reverse proxy (D-007) are referenced as out-of-scope dependencies.

Sections:

- Host prerequisites (Podman 5, rootless, linger, PostgreSQL 16 reach).
- Filesystem layout: blobs + evidence pools at 0750 under the deploy
  user (D-012), log directory, Quadlet directory.
- Environment variables: split into "required in prod" (MIMIC_SECRET_KEY,
  MIMIC_FERNET_KEY, MIMIC_DATABASE_URL, MIMIC_DATABASE_AUDIT_URL,
  MIMIC_ENV) and "required with safe defaults" (cookie flags, log
  format, CORS origins, blob/evidence roots). Explicit note that the
  two database DSNs must point to two different Postgres roles to
  preserve the audit append-only contract (NF-AUDIT, code-reviewer N5).
- Secrets management: dedicated section addressing PR3 code-reviewer M2.
  File-based generation under ~/secrets with 0700 perms, systemd
  EnvironmentFile or future MIMIC_*_FILE indirection, vault back-up,
  Fernet key rotation requires re-encryption pass.
- Container images: pin policy `:X.Y.Z` (cross-references F-D1), exposed
  ports per layer (backend 5000 as uid 1001, frontend 8080 as uid 101).
- PostgreSQL setup: bootstrap of mimic_audit_writer role with the SQL
  the Ansible playbook runs, plus the fail-loud rationale if the role
  is missing. Alembic upgrade head invocation.
- Quadlet units: backend example with PublishPort 127.0.0.1:5000 (the
  external surface is Caddy, not the backend), EnvironmentFile,
  blob+evidence bind-mounts with `:Z` SELinux relabel.
- Smoke validation: three curl checks (Caddy-fronted /healthz, direct
  backend /healthz, audit DSN presence) with explicit "do not announce
  the release" gate on failure.
- Upgrade procedure: 5-step rolling restart anchored on Quadlet image
  tag edits + alembic upgrade as part of the entrypoint.
- Rollback procedure: image-only (additive schema) vs schema-affecting,
  with alembic downgrade against an explicit revision.
- Open items: explicit pointers to FERNET-KEY, F-D1, F-D2, F-D3
  trackers in tasks/todo.md so future operators see them.

No other file touched; no application code changed.
2026-05-23 03:15:46 +02:00
.gitea/workflows
chore(ci): drop transient smoke workflow now that runner is validated
2026-05-22 19:49:26 +02:00
backend
chore(backend): rename docker-compose.yml -> compose.yml + podman notes
2026-05-22 19:41:38 +02:00
docs
docs: add production deployment guide
2026-05-23 03:15:46 +02:00
frontend
chore(frontend): add multi-stage Dockerfile + nginx SPA config
2026-05-22 19:59:09 +02:00
tasks
docs: archive Podman runner setup runbook + track F-D1..F-D5
2026-05-23 03:08:03 +02:00
.gitignore
chore: tighten gitignore, align README stack, formalize D-010 (Ansible)
2026-05-21 20:16:40 +02:00
CHANGELOG.md
docs: align doc references with compose.yml rename (code-reviewer M1)
2026-05-22 19:49:16 +02:00
README.md
chore: tighten gitignore, align README stack, formalize D-010 (Ansible)
2026-05-21 20:16:40 +02:00

README.md

Mimic

Internal BAS (Breach & Attack Simulation) platform for the Red Team. Replays TTPs from engagement journals or an internal ATT&CK library against client infrastructure through VPN/relay, in white-glove coordination with the SOC.

Output: a coverage report mapped to MITRE ATT&CK — measurable, reproducible, archived.

Status

ready-with-prereqs — spec frozen on 2026-05-19, 23 review patches integrated. Code start blocked on:

  • PR1 — Mythic API documentation + pinned version (lead RT)
  • PR2 — Internal C2 interface spec + journal export example (internal C2 team)
  • PR3 — RT graphic charter for the PDF report (lead RT)

While PR1/PR2/PR3 are open, sprint 0 focuses on the unblocked skeleton.

Spec

The authoritative spec lives in the RT-SecondBrain vault: Projects/Mimic — Spec.md. Do not duplicate it here.

In-repo documentation:

  • CHANGELOG.md — chronological log of features, decisions, rollbacks.
  • tasks/spec-decisions.md — implementation arbitrations on top of the spec.
  • tasks/todo.md — current sprint backlog.

Stack (frozen)

  • Backend Python 3.12 / Flask / Flask-SocketIO / SQLAlchemy 2 / Pydantic 2 / Alembic / WeasyPrint / pytest + testcontainers / ruff / mypy strict
  • Frontend TypeScript / React 18+ / Vite / Tailwind 4 / TanStack Query 5 / Recharts / Playwright
  • Storage Postgres (prod) / SQLite (pure-logic unit tests) / testcontainers Postgres (audit log, RBAC, write-only role — incl. unit tests of Postgres-specific behavior, per H38)
  • Deploy Docker images + Ansible deployment playbook (per D-010). Reverse proxy (Caddy + TLS + IP allowlist) handled by existing RT infrastructure, out of Mimic scope (D-007).

Layout

mimic/
├── backend/    # Flask app, connectors, orchestrator, reporting, CLI
├── frontend/   # Vite + React app
├── docs/       # Architecture notes, ADRs, deployment
└── tasks/      # Sprint backlog, decisions, lessons

Conventions

  • Branches: feature/<scope>, fix/<scope>, docs/<scope>, chore/<scope>. Long-lived: main.
  • Commits: Conventional Commits (feat:, fix:, chore:, docs:, test:, refactor:).
  • PRs: each branch → review (code-reviewer) → team-lead merges. No direct push to main.

Build & run

make targets land at the end of sprint 0. For now the repo is skeleton-only.

Licensing

Internal — proprietary, RT use only. Do not redistribute.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 565 KiB
Languages
Python 53.4%
TypeScript 39.4%
CSS 4.6%
Dockerfile 1%
Makefile 0.8%
Other 0.8%