feat: sprint 1 — auth + CRUD engagements

Ship the first feature end-to-end on the UI: users log in with JWT, admins manage user accounts, and any authenticated user (per RBAC) can create, list, view, edit, and delete engagements. Backend (Flask + SQLAlchemy + SQLite, 63 pytest) - User / Engagement models, Alembic 0001 initial schema - argon2 password hashing, JWT bearer (60-min TTL), @login_required and @role_required decorators - 13 API endpoints under /api/*, including last-admin protection on DELETE/PATCH user and JSON 404 on unknown /api/* paths - `flask create-admin` CLI with duplicate / short-password handling Frontend (React + Vite + Tailwind + TanStack Query, 20 vitest) - Inter font bundled locally (no CDN), DESIGN.md tokens in Tailwind - LoginPage / EngagementsList / EngagementForm / EngagementDetail / UsersAdmin pages with role-aware UI - Layout, ProtectedRoute, StatusBadge, FormField, LoadingState, ErrorState, EmptyState, Toast + provider - Axios client: Bearer interceptor, 401 → purge + /login + "Session expirée" toast, 403 → "Accès refusé" toast (declarative <Navigate> for already-authed users, Fragment-keyed admin user rows) Deployment - Single multistage Dockerfile (node:20-alpine → python:3.12-slim) - docker/entrypoint.sh runs `flask db upgrade` before `flask run` - Makefile: build/start/stop/restart/update/logs/create-admin/ update-mitre/test-{backend,frontend,e2e}/clean - .env.example documenting MIMIC_JWT_SECRET / MIMIC_DB_PATH / MIMIC_PORT - SQLite at /data/mimic.sqlite on named volume mimic-data Acceptance suite (Playwright, 36 tests, all 27 ACs) - e2e/ scaffold with playwright.config + auth/api fixtures - One spec per user story (us1-bootstrap through us6-deployment) - Portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL (docker or podman) Docs - README.md with quick-start and architecture overview - CHANGELOG.md updated with Sprint 1 deliverables - pyrightconfig.json so the Python LSP sees backend/.venv and resolves the `backend.app.*` absolute imports Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 09:37:53 +02:00
parent be266d4879
commit 5104f7c429
95 changed files with 13801 additions and 5 deletions
--- a/frontend/src/pages/EngagementsListPage.tsx
+++ b/frontend/src/pages/EngagementsListPage.tsx
@@ -0,0 +1,126 @@
+import { Link } from 'react-router-dom';
+import { extractApiError } from '@/api/client';
+import type { Engagement } from '@/api/types';
+import { useDeleteEngagement, useEngagementsList } from '@/hooks/useEngagements';
+import { useAuth } from '@/hooks/useAuth';
+import { useToast } from '@/hooks/useToast';
+import { LoadingState } from '@/components/LoadingState';
+import { ErrorState } from '@/components/ErrorState';
+import { EmptyState } from '@/components/EmptyState';
+import { StatusBadge } from '@/components/StatusBadge';
+
+function formatDate(value: string | null): string {
+  if (!value) return '—';
+  return value;
+}
+
+export function EngagementsListPage(): JSX.Element {
+  const { data, isLoading, isError, error, refetch } = useEngagementsList();
+  const { canEditEngagements } = useAuth();
+  const { push } = useToast();
+  const deleteMutation = useDeleteEngagement();
+
+  const onDelete = async (eng: Engagement) => {
+    if (!window.confirm(`Delete engagement "${eng.name}"? This cannot be undone.`)) return;
+    try {
+      await deleteMutation.mutateAsync(eng.id);
+      push('Engagement supprimé', 'success');
+    } catch (err) {
+      push(extractApiError(err, 'Suppression impossible'), 'error');
+    }
+  };
+
+  return (
+    <div className="flex flex-col gap-xl">
+      <header className="flex items-end justify-between gap-md">
+        <div>
+          <h1 className="text-[44px] font-medium leading-none">Engagements</h1>
+          <p className="text-charcoal text-[16px] mt-sm">
+            Red team missions and their lifecycle status.
+          </p>
+        </div>
+        {canEditEngagements ? (
+          <Link to="/engagements/new" className="btn-primary">
+            New engagement
+          </Link>
+        ) : null}
+      </header>
+
+      {isLoading ? <LoadingState label="Loading engagements…" /> : null}
+
+      {isError ? (
+        <ErrorState message={extractApiError(error, 'Could not load engagements')} onRetry={() => refetch()} />
+      ) : null}
+
+      {!isLoading && !isError && data && data.length === 0 ? (
+        <EmptyState
+          title="No engagements yet"
+          description="Create your first engagement to start tracking red team missions."
+          action={
+            canEditEngagements ? (
+              <Link to="/engagements/new" className="btn-primary">
+                Create engagement
+              </Link>
+            ) : undefined
+          }
+        />
+      ) : null}
+
+      {!isLoading && !isError && data && data.length > 0 ? (
+        <div className="card-product overflow-hidden p-0">
+          <table className="w-full text-left">
+            <thead className="bg-cloud border-b border-hairline">
+              <tr className="text-[12px] uppercase tracking-[0.5px] text-graphite">
+                <th className="px-xl py-md">Name</th>
+                <th className="px-xl py-md">Status</th>
+                <th className="px-xl py-md">Start</th>
+                <th className="px-xl py-md">End</th>
+                <th className="px-xl py-md">Created by</th>
+                <th className="px-xl py-md text-right">Actions</th>
+              </tr>
+            </thead>
+            <tbody>
+              {data.map((eng) => (
+                <tr key={eng.id} className="border-b border-hairline last:border-0">
+                  <td className="px-xl py-md">
+                    <Link to={`/engagements/${eng.id}`} className="text-ink font-medium hover:underline">
+                      {eng.name}
+                    </Link>
+                  </td>
+                  <td className="px-xl py-md">
+                    <StatusBadge status={eng.status} />
+                  </td>
+                  <td className="px-xl py-md text-charcoal">{formatDate(eng.start_date)}</td>
+                  <td className="px-xl py-md text-charcoal">{formatDate(eng.end_date)}</td>
+                  <td className="px-xl py-md text-charcoal">{eng.created_by.username}</td>
+                  <td className="px-xl py-md text-right">
+                    <div className="inline-flex gap-sm">
+                      <Link to={`/engagements/${eng.id}`} className="btn-text-link">
+                        View
+                      </Link>
+                      {canEditEngagements ? (
+                        <>
+                          <Link to={`/engagements/${eng.id}/edit`} className="btn-text-link">
+                            Edit
+                          </Link>
+                          <button
+                            type="button"
+                            className="btn-text-link text-bloom-deep"
+                            onClick={() => onDelete(eng)}
+                            disabled={deleteMutation.isPending}
+                          >
+                            Delete
+                          </button>
+                        </>
+                      ) : null}
+                    </div>
+                  </td>
+                </tr>
+              ))}
+            </tbody>
+          </table>
+        </div>
+      ) : null}
+    </div>
+  );
+}