knacky/mimic-big
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e77ca906d49b95454802788f44b2e48eb2f7a6fe
mimic-big/tasks/todo.md
knacky e77ca906d4 docs(backend): track sprint-0 follow-ups + flag integration migration gap 
- `tasks/todo.md`: B0.5 description updated (re2 hard dep, no fallback);
  add a "Backend follow-ups (sprint 1+)" section with M1-M7 + N1-N6 from
  the code-review verdict.
- `CHANGELOG.md`: backend skeleton bullets refreshed (no re fallback,
  streaming blob store, audit + scope on CRUD, 56 unit tests); new
  "Code-review remediation" subsection lists B1 / MA1-MA6 / N4 / N6 / M8
  with one-line rationale each.
- `tests/integration/conftest.py`: leave `db.create_all()` in place but
  add an inline TODO (N6) pointing at the Alembic switchover that will
  exercise the F11 seed + audit-log role grants in CI.
2026-05-22 05:25:04 +02:00

5.4 KiB
Raw Blame History

Sprint 0 — Mimic

Repo skeleton + foundational modules. Nothing that depends on PR1/PR2/PR3.

Backend (backend) — done in feature/backend-skeleton

  • B0.1 — backend/ Python 3.12+ project: pyproject.toml (ruff, mypy strict, pytest, coverage 70 %), Makefile (Docker/Podman auto), multi-stage Dockerfile, docker-compose.yml for Postgres dev DB, .env.example.
  • B0.2 — Alembic baseline migration 202605210001_initial_schema creates every table, enum, index, and the idempotent grants for the audit write-only Postgres role. No ttp_version table (D-009). Groups rt_operator, rt_lead, soc_analyst seeded with the exact F11 permission matrix (D-008).
  • B0.3 — SQLAlchemy 2 typed mapped classes for every spec §8 aggregate (engagement, host, user/group RBAC, ttp, scenario/scenario_step, run/run_step/cleanup, detection, evidence, report, soc_session, c2_credential, audit_log).
  • B0.4 — C2Connector ABC + dataclasses + payload_type enum + factory keyed on c2_type. Mythic payload map populated; Home stays empty until PR2.
  • B0.5 — Jinja2 SandboxedEnvironment, regex_extract filter (google-re2 hard dependency per D-011, raises RuntimeError at boot if absent — no re fallback), fail-loud no-match, {{ outputs.text }} / {{ outputs.blob() }} accessors reading gzip-compressed blobs with 10 MB cap.
  • B0.6 — bcrypt password helpers + SOC opaque token (256-bit url-safe, bcrypt-hashed) + group-based RBAC matrix matching F11 + @require_perm decorator.
  • B0.7 — Flat CRUD blueprints for engagements / hosts / TTPs / scenarios (incl. step composition with F3 invariant host.c2_type == scenario.c2_type).
  • B0.8 — pytest baseline: unit tests passing, integration scaffold ready (testcontainers Postgres + /healthz smoke).

Backend follow-ups (sprint 1+)

Tracked from code-review verdict on feature/backend-skeleton @ 12d131c:

MINOR (8) — to schedule

  • M1 — Replace parse_uuid integer-ish lookup with werkzeug UUID converter on the routes (<uuid:eid>) to avoid the 404 on malformed strings being hidden by the 400 path.
  • M2 — Add OpenAPI generation (Pydantic 2 + flask-pydantic-openapi or hand-rolled).
  • M3 — Wire flask-limiter for /auth/local/login (NF-network).
  • M4 — Replace string-based Engagement.status setter with a typed transition method.
  • M5 — Introduce per-engagement read view that pre-joins engagement_member for RT operator dashboards (current per-request join is fine for v1 traffic, but re-evaluate at scale).
  • M6mimic-cli user create does not handle the SOC user-type (intended, but document and gate explicitly with a clean error message).
  • M7 — Add a mimic-cli engagement add-member <uid> --role rt_operator shortcut so the F11 scoping in MA6 is reachable from the CLI without manual SQL.
  • M8(fixed in MA1 follow-up commit) Initial migration docstring no longer references ttp_version.

NIT (6) — opportunistic

  • N1 — Sort imports inside mimic.db.models.__init__ alphabetically for diff stability.
  • N2 — Extract the _engagement_or_404 duplicated body into a shared helper.
  • N3 — Replace the inline Permission.TTP_PROMOTE not in perms check in ttps.py with a second @require_perm-style decorator.
  • N4(fixed) gunicorn added to pyproject.toml dependencies.
  • N5 — Replace bare getattr(current_user, "groups", frozenset()) accesses by a thin current_groups() helper.
  • N6tests/integration/conftest.py uses db.create_all() instead of running Alembic. Marked with a TODO; switch over once the F11 seed must be exercised in integration. Plan: convert to alembic upgrade head once the audit role bootstrap lives in the playbook (D-010).

Frontend (ux-frontend)

  • F0.1 — frontend/ Vite + React + TypeScript strict + Tailwind 4 + TanStack Query 5, eslint strict + prettier, Playwright skeleton.
  • F0.2 — Design system provisional: semantic tokens in theme.css (status colors, RT accent, data mono / UI sans), dark-first palette, placeholder logo.
  • F0.3 — Wireframes (via frontend-design skill) on mock data: Login + engagement selection, Live cockpit, Scenario composer, Report + MITRE matrix, TTP library + import.
  • F0.4 — Routing skeleton + role-aware layout shell (no real auth wired yet).

Spec / Docs (spec-analyst)

  • S0.1 — Cross-check the data model in B0.2 against §8 of the spec; report deltas before merge.
  • S0.2 — Cross-check the RBAC matrix in B0.6 against F11; report deltas before merge.
  • S0.3 — Maintain tasks/spec-decisions.md as new arbitrations land.
  • S0.4 — Open docs/architecture.md once backend layout is committed.

Review (code-reviewer)

  • R0.1 — Review each PR per the published charter; block on security/OPSEC violations.
  • R0.2 — Verify mypy strict and ruff clean before approving any backend PR.
  • R0.3 — Verify TS strict, no useEffect(fetch), exhaustive deps before approving any frontend PR.

Conventions

  • Branches: feature/<scope>, fix/<scope>, docs/<scope>, chore/<scope>. Long-lived: main.
  • Commits: Conventional Commits (feat:, fix:, chore:, docs:, test:, refactor:).
  • PRs: each branch → review (code-reviewer) → team-lead merges.
  • No direct push to main.
Reference in New Issue View Git Blame Copy Permalink