docs: sprint 6 amendment — 7-column schema in CHANGELOG + PR body

Post-review user decision (2026-06-08) switched the export payload to a
fixed 7-column FR handoff schema (Scénario / Test / Source de log /
Commentaires SOC / Exécution / Logs remontés au SIEM / Cyber incident).

Logged in CHANGELOG [Unreleased] Changed section with commit refs
(SPEC fdab324, backend 7335b9f, e2e aeb4bdb) and updated PR #9 body
counters: 255 pytest (was 253), 136 vitest unchanged, 223 e2e
unchanged.

CHANGELOG.md

@@ -36,6 +36,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/)
 ### Changed
 - 2026-06-07 — SPEC.md § Export d'engagement added (between § Templates de simulations and § Stacks techniques). Committed as the **first** sprint commit (`7aaa5cc`), applying the fix-candidate from sprint 5's recurrent "SPEC.md uncommitted at sprint close" lesson. Four-sprint recurrence finally broken.
 - 2026-06-08 — Team `mimic` (persistent `.claude/teams/mimic/config.json`) instantiated with the full 7-agent project roster (backend-builder, frontend-builder, spec-reviewer, code-reviewer, design-reviewer, test-verifier, devil-advocate). Agents are spawned with an idle prompt at sprint start and woken via SendMessage per phase — flip vs the old "spawn-with-task-only" policy that hit the "team roster is flat" gotcha when respawning. Persistent across sprints from sprint 7+.
+- 2026-06-08 (post-review, pre-merge) — **Export schema switched to a fixed 7-column handoff layout** uniform across MD/CSV/PDF. Columns (FR headers): `Scénario`, `Test`, `Source de log`, `Commentaires SOC`, `Exécution` (multi-line concat without labels — `executed_at` → `commands` → `execution_result`), `Logs remontés au SIEM`, `Cyber incident`. Removed from the export (intentional, handoff-focused): simulation status, MITRE techniques/tactics, prerequisites, id, created_at, updated_at. Markdown switched from narrative-per-simulation to a GFM table. PDF switched from sectioned HTML to a single `<table>`. SPEC `fdab324`, backend refactor `7335b9f`, e2e adaptation `aeb4bdb`. Final counters: backend 255 pytest, frontend 136 vitest, e2e 223 Playwright.
 
 ---
 

SPEC.md

@@ -40,7 +40,21 @@ L'instanciation d'un template dans un engagement crée une **nouvelle simulation
 **RBAC templates = ressource Red Team uniquement** : admin et redteam les gèrent (CRUD). SOC n'a aucun accès (pas de nav link, tous endpoints templates retournent 403). Les nouveaux noms de templates sont uniques pour la clarté UX du dropdown d'instanciation.
 
 ## Export d'engagement
-Un engagement peut être exporté à tout moment dans 3 formats au choix : **Markdown** (handoff narratif), **CSV** (machine-readable, intégration tableurs), **PDF** (livrable client). L'export contient l'en-tête de l'engagement et toutes ses simulations avec les champs Red Team **et** SOC. Endpoint unique : `GET /api/engagements/<id>/export?format=md|csv|pdf`. Réservé aux rôles admin et redteam (livrable RedTeam, cohérent avec le RBAC Templates). Filename normalisé : `engagement-<id>-<slug>-YYYYMMDD.<ext>`.
+Un engagement peut être exporté à tout moment dans 3 formats au choix : **Markdown** (handoff narratif), **CSV** (machine-readable, intégration tableurs), **PDF** (livrable client). Endpoint unique : `GET /api/engagements/<id>/export?format=md|csv|pdf`. Réservé aux rôles admin et redteam (livrable RedTeam, cohérent avec le RBAC Templates). Filename normalisé : `engagement-<id>-<slug>-YYYYMMDD.<ext>`.
+
+**Schéma fixe à 7 colonnes** (en-têtes français) pour tous les formats — une ligne par simulation :
+
+| # | Colonne | Source |
+|---|---|---|
+| 1 | Scénario | `simulation.name` |
+| 2 | Test | `simulation.description` |
+| 3 | Source de log | `simulation.log_source` |
+| 4 | Commentaires SOC | `simulation.soc_comment` |
+| 5 | Exécution | concat multi-ligne sans labels, ordre fixe : `executed_at` → `commands` → `execution_result` |
+| 6 | Logs remontés au SIEM | `simulation.logs` |
+| 7 | Cyber incident | `simulation.incident_number` |
+
+CSV : exactement 1 ligne d'en-tête + 1 ligne par simulation. Markdown : en-tête engagement (name, dates, status, created_by) puis une table de 7 colonnes. PDF : même structure que le Markdown rendue via HTML→PDF (WeasyPrint). Le statut de la simulation, les techniques/tactiques MITRE, les prerequisites et les métadonnées (id, created_at) ne sont PAS exportés — l'export est un handoff focalisé RT↔SOC, pas un dump complet.
 
 Prévoir un module d'authentification : dans un premier temps local à la bdd.
 

backend/app/services/export.py

@@ -22,19 +22,6 @@ def _export_filename(engagement: Engagement, ext: str) -> str:
     return f"engagement-{engagement.id}-{slug}-{today}.{ext}"
 
 
-def _tactic_names(tactic_ids: list[str]) -> str:
-    from backend.app.serializers import _enrich_tactics
-
-    enriched = _enrich_tactics(tactic_ids or [])
-    return " | ".join(e.get("name", e.get("id", "")) for e in enriched)
-
-
-def _enrich_sim_techniques(techniques: list[dict]) -> list[dict]:
-    from backend.app.serializers import _enrich_techniques
-
-    return _enrich_techniques(techniques or [])
-
-
 def _creator(obj: object) -> str:
     """Return username string from an ORM object with a created_by relationship."""
     cb = getattr(obj, "created_by", None)
@@ -43,10 +30,29 @@ def _creator(obj: object) -> str:
     return getattr(cb, "username", "") or ""
 
 
+def _format_execution(sim: Simulation) -> str:
+    parts = [
+        sim.executed_at.isoformat() if sim.executed_at else "",
+        sim.commands or "",
+        sim.execution_result or "",
+    ]
+    return "\n".join(parts)
+
+
 # ---------------------------------------------------------------------------
 # Markdown
 # ---------------------------------------------------------------------------
 
+_MD_HEADERS = [
+    "Scénario",
+    "Test",
+    "Source de log",
+    "Commentaires SOC",
+    "Exécution",
+    "Logs remontés au SIEM",
+    "Cyber incident",
+]
+
 
 def render_engagement_markdown(
     engagement: Engagement, simulations: list[Simulation]
@@ -65,9 +71,7 @@ def render_engagement_markdown(
     lines.append(
         f"**End date**: {engagement.end_date.isoformat() if engagement.end_date else 'N/A'}"
     )
-    lines.append(
+    lines.append(f"**Created by**: {_creator(engagement)}")
-        f"**Created by**: {_creator(engagement)}"
-    )
     lines.append(
         f"**Created at**: {engagement.created_at.isoformat() if engagement.created_at else 'N/A'}"
     )
@@ -81,46 +85,29 @@ def render_engagement_markdown(
     lines.append("## Simulations")
     lines.append("")
 
+    header_row = "| " + " | ".join(_MD_HEADERS) + " |"
+    separator = "| " + " | ".join("---" for _ in _MD_HEADERS) + " |"
+    lines.append(header_row)
+    lines.append(separator)
+
     for sim in simulations:
-        enriched_techniques = _enrich_sim_techniques(sim.techniques)
+        execution = _format_execution(sim).replace("\n", "<br/>")
-        tech_str = " | ".join(
-            f"{t['id']} — {t['name']}" for t in enriched_techniques
-        ) if enriched_techniques else "N/A"
-        tactic_str = _tactic_names(sim.tactic_ids) or "N/A"
 
-        lines.append(f"### {sim.name}")
+        def _cell(value: str | None) -> str:
-        lines.append("")
+            return (value or "").replace("|", "\\|").replace("\n", "<br/>")
-        lines.append(f"**Status**: {sim.status.value}")
-        lines.append(f"**Techniques**: {tech_str}")
-        lines.append(f"**Tactics**: {tactic_str}")
-        if sim.description:
-            lines.append(f"**Description**: {sim.description}")
-        lines.append(
-            f"**Executed at**: {sim.executed_at.isoformat() if sim.executed_at else 'N/A'}"
-        )
-        lines.append(f"**Execution result**: {sim.execution_result or 'N/A'}")
-        lines.append("")
 
-        lines.append("**Commands**:")
+        row = "| " + " | ".join([
-        if sim.commands:
+            _cell(sim.name),
-            safe = sim.commands.replace("~~~", "\\~\\~\\~")
+            _cell(sim.description),
-            lines.append("~~~bash")
+            _cell(sim.log_source),
-            lines.append(safe)
+            _cell(sim.soc_comment),
-            lines.append("~~~")
+            _cell(execution),
-        else:
+            _cell(sim.logs),
-            lines.append("N/A")
+            _cell(sim.incident_number),
-        lines.append("")
+        ]) + " |"
+        lines.append(row)
 
-        lines.append(f"**Prerequisites**: {sim.prerequisites or 'N/A'}")
     lines.append("")
-
-        lines.append("#### SOC")
-        lines.append(f"**Log source**: {sim.log_source or 'N/A'}")
-        lines.append(f"**Logs**: {sim.logs or 'N/A'}")
-        lines.append(f"**SOC comment**: {sim.soc_comment or 'N/A'}")
-        lines.append(f"**Incident number**: {sim.incident_number or 'N/A'}")
-        lines.append("")
-
     return "\n".join(lines)
 
 
@@ -129,22 +116,13 @@ def render_engagement_markdown(
 # ---------------------------------------------------------------------------
 
 _CSV_HEADERS = [
-    "id",
+    "Scénario",
-    "name",
+    "Test",
-    "status",
+    "Source de log",
-    "techniques",
+    "Commentaires SOC",
-    "tactics",
+    "Exécution",
-    "description",
+    "Logs remontés au SIEM",
-    "commands",
+    "Cyber incident",
-    "prerequisites",
-    "executed_at",
-    "execution_result",
-    "log_source",
-    "logs",
-    "soc_comment",
-    "incident_number",
-    "created_at",
-    "updated_at",
 ]
 
 # \t and \r included: Excel auto-trims leading whitespace, so a tab/CR prefix still
@@ -174,27 +152,15 @@ def render_engagement_csv(
     writer.writerow(_CSV_HEADERS)
 
     for sim in simulations:
-        enriched_techniques = _enrich_sim_techniques(sim.techniques)
+        execution = _format_execution(sim)
-        tech_ids = "|".join(t["id"] for t in enriched_techniques)
-        tactic_str = "|".join(sim.tactic_ids or [])
-
         writer.writerow([
-            sim.id,
+            _csv_safe(sim.name or ""),
-            _csv_safe(sim.name),
-            sim.status.value,
-            _csv_safe(tech_ids),
-            _csv_safe(tactic_str),
             _csv_safe(sim.description or ""),
-            _csv_safe(sim.commands or ""),
-            _csv_safe(sim.prerequisites or ""),
-            sim.executed_at.isoformat() if sim.executed_at else "",
-            _csv_safe(sim.execution_result or ""),
             _csv_safe(sim.log_source or ""),
-            _csv_safe(sim.logs or ""),
             _csv_safe(sim.soc_comment or ""),
+            _csv_safe(execution),
+            _csv_safe(sim.logs or ""),
             _csv_safe(sim.incident_number or ""),
-            sim.created_at.isoformat() if sim.created_at else "",
-            sim.updated_at.isoformat() if sim.updated_at else "",
         ])
 
     return buf.getvalue()
@@ -208,15 +174,22 @@ _CSS = """
 body { font-family: sans-serif; font-size: 13px; color: #1a1a1a; margin: 40px; }
 h1 { font-size: 22px; border-bottom: 2px solid #333; padding-bottom: 6px; }
 h2 { font-size: 17px; margin-top: 32px; color: #333; }
-h3 { font-size: 14px; margin-top: 24px; background: #f0f0f0; padding: 4px 8px; }
-h3:nth-of-type(odd) { background: #e8e8e8; }
 table { border-collapse: collapse; width: 100%; margin-bottom: 12px; }
-th, td { border: 1px solid #ccc; padding: 4px 8px; text-align: left; vertical-align: top; }
+th, td { border: 1px solid #ccc; padding: 4px 8px; text-align: left; vertical-align: top; white-space: pre-wrap; }
 th { background: #e0e0e0; }
-pre { background: #f5f5f5; padding: 8px; font-size: 11px; white-space: pre-wrap; word-break: break-all; }
 .meta { color: #555; margin-bottom: 16px; }
 """
 
+_HTML_HEADERS = [
+    "Scénario",
+    "Test",
+    "Source de log",
+    "Commentaires SOC",
+    "Exécution",
+    "Logs remontés au SIEM",
+    "Cyber incident",
+]
+
 
 def _render_engagement_html(
     engagement: Engagement, simulations: list[Simulation]
@@ -241,50 +214,22 @@ def _render_engagement_html(
 
     if simulations:
         parts.append("<h2>Simulations</h2>")
+        thead = "<thead><tr>" + "".join(f"<th>{h(col)}</th>" for col in _HTML_HEADERS) + "</tr></thead>"
+        parts.append(f"<table>{thead}<tbody>")
         for sim in simulations:
-            enriched_techniques = _enrich_sim_techniques(sim.techniques)
+            execution_html = h(_format_execution(sim)).replace("\n", "<br/>")
-            tech_str = h(
+            cells = [
-                " | ".join(f"{t['id']} — {t['name']}" for t in enriched_techniques)
+                h(sim.name or ""),
-                or "N/A"
+                h(sim.description or ""),
-            )
+                h(sim.log_source or ""),
-            tactic_str = h(_tactic_names(sim.tactic_ids) or "N/A")
+                h(sim.soc_comment or ""),
-
+                execution_html,
-            parts.append(f"<h3>{h(sim.name)}</h3>")
+                h(sim.logs or ""),
-            parts.append("<table>")
+                h(sim.incident_number or ""),
-            parts.append(f"<tr><th>Status</th><td>{h(sim.status.value)}</td></tr>")
+            ]
-            parts.append(f"<tr><th>Techniques</th><td>{tech_str}</td></tr>")
+            row = "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"
-            parts.append(f"<tr><th>Tactics</th><td>{tactic_str}</td></tr>")
+            parts.append(row)
-            parts.append(
+        parts.append("</tbody></table>")
-                f"<tr><th>Description</th><td>{h(sim.description or '')}</td></tr>"
-            )
-            executed = sim.executed_at.isoformat() if sim.executed_at else "N/A"
-            parts.append(f"<tr><th>Executed at</th><td>{h(executed)}</td></tr>")
-            parts.append(
-                f"<tr><th>Execution result</th><td>{h(sim.execution_result or '')}</td></tr>"
-            )
-            parts.append("</table>")
-
-            if sim.commands:
-                parts.append(f"<p><strong>Commands:</strong></p><pre>{h(sim.commands)}</pre>")
-
-            if sim.prerequisites:
-                parts.append(
-                    f"<p><strong>Prerequisites:</strong> {h(sim.prerequisites)}</p>"
-                )
-
-            parts.append("<table>")
-            parts.append("<tr><th colspan='2'>SOC</th></tr>")
-            parts.append(
-                f"<tr><th>Log source</th><td>{h(sim.log_source or '')}</td></tr>"
-            )
-            parts.append(f"<tr><th>Logs</th><td>{h(sim.logs or '')}</td></tr>")
-            parts.append(
-                f"<tr><th>SOC comment</th><td>{h(sim.soc_comment or '')}</td></tr>"
-            )
-            parts.append(
-                f"<tr><th>Incident number</th><td>{h(sim.incident_number or '')}</td></tr>"
-            )
-            parts.append("</table>")
 
     parts.append("</body></html>")
     return "".join(parts)

backend/tests/test_export_engagement.py

@@ -60,8 +60,11 @@ def test_export_markdown_admin_returns_md_with_engagement_header_and_all_simulat
     assert "text/markdown" in resp.content_type
     body = resp.data.decode()
     assert "Op Alpha" in body
+    # Both simulation names appear as cells in the 7-column table
     assert "Lateral Movement" in body
     assert "Persistence Check" in body
+    # Table uses French column headers
+    assert "Scénario" in body
 
 
 def test_export_markdown_redteam_ok(
@@ -122,10 +125,13 @@ def test_export_csv_columns_match_contract(
 
     rows = list(csv_mod.reader(io.StringIO(resp.data.decode())))
     expected_headers = [
-        "id", "name", "status", "techniques", "tactics", "description",
+        "Scénario",
-        "commands", "prerequisites", "executed_at", "execution_result",
+        "Test",
-        "log_source", "logs", "soc_comment", "incident_number",
+        "Source de log",
-        "created_at", "updated_at",
+        "Commentaires SOC",
+        "Exécution",
+        "Logs remontés au SIEM",
+        "Cyber incident",
     ]
     assert rows[0] == expected_headers
 
@@ -156,7 +162,7 @@ def test_export_csv_escapes_special_characters(
 
     rows = list(csv_mod.reader(io.StringIO(body)))
     assert len(rows) == 2  # header + 1 sim
-    name_col = rows[1][1]
+    name_col = rows[1][0]  # col 0 = Scénario
     assert "quoted" in name_col
 
 

backend/tests/test_export_render.py

@@ -1,6 +1,8 @@
 """Unit tests for render functions in backend.app.services.export."""
 from __future__ import annotations
 
+import csv as _csv
+import io as _io
 from datetime import UTC, datetime
 from types import SimpleNamespace
 from typing import Any
@@ -38,11 +40,8 @@ def _make_sim(sid: int = 1, name: str = "Sim Alpha", **kw) -> Any:
         "id": sid,
         "name": name,
         "status": SimpleNamespace(value="pending"),
-        "techniques": [{"id": "T1059", "name": "Command and Scripting Interpreter"}],
-        "tactic_ids": ["TA0002"],
         "description": "Execute a script",
         "commands": "whoami",
-        "prerequisites": "local admin",
         "executed_at": None,
         "execution_result": None,
         "log_source": None,
@@ -57,6 +56,21 @@ def _make_sim(sid: int = 1, name: str = "Sim Alpha", **kw) -> Any:
     return SimpleNamespace(**defaults)
 
 
+# ---------------------------------------------------------------------------
+# Shared constants
+# ---------------------------------------------------------------------------
+
+_FR_HEADERS = [
+    "Scénario",
+    "Test",
+    "Source de log",
+    "Commentaires SOC",
+    "Exécution",
+    "Logs remontés au SIEM",
+    "Cyber incident",
+]
+
+
 # ---------------------------------------------------------------------------
 # Markdown tests
 # ---------------------------------------------------------------------------
@@ -73,6 +87,15 @@ def test_render_engagement_markdown_includes_header_fields(app) -> None:
         assert "alice" in result
 
 
+def test_render_engagement_markdown_has_seven_column_table_headers(app) -> None:
+    with app.app_context():
+        eng = _make_engagement()
+        sim = _make_sim()
+        result = render_engagement_markdown(eng, [sim])
+        for header in _FR_HEADERS:
+            assert header in result, f"Expected French header '{header}' in markdown table"
+
+
 def test_render_engagement_markdown_lists_all_simulations_in_order(app) -> None:
     with app.app_context():
         eng = _make_engagement()
@@ -83,45 +106,34 @@ def test_render_engagement_markdown_lists_all_simulations_in_order(app) -> None:
         assert first_pos < second_pos
 
 
-def test_render_engagement_markdown_includes_techniques_with_id_and_name(app) -> None:
+def test_render_engagement_markdown_no_simulations_has_no_table(app) -> None:
+    with app.app_context():
+        eng = _make_engagement()
+        result = render_engagement_markdown(eng, [])
+        assert "Scénario" not in result
+        assert "## Simulations" not in result
+
+
+def test_render_engagement_markdown_execution_cell_uses_br_separator(app) -> None:
     with app.app_context():
         eng = _make_engagement()
         sim = _make_sim(
-            techniques=[{"id": "T1059", "name": "Command and Scripting Interpreter"}]
+            executed_at=datetime(2026, 6, 1, 10, 0, tzinfo=UTC),
+            commands="whoami",
+            execution_result="admin@host",
         )
         result = render_engagement_markdown(eng, [sim])
-        assert "T1059" in result
+        assert "<br/>" in result
-        assert "Command and Scripting Interpreter" in result
+        assert "whoami" in result
+        assert "admin@host" in result
 
 
-def test_render_engagement_markdown_includes_tactics(app) -> None:
+def test_render_engagement_markdown_pipe_in_cell_is_escaped(app) -> None:
     with app.app_context():
         eng = _make_engagement()
-        sim = _make_sim(tactic_ids=["TA0002"])
+        sim = _make_sim(name="Name | with pipe")
         result = render_engagement_markdown(eng, [sim])
-        # TA0002 = Execution — should appear as tactic name or id
+        assert "Name \\| with pipe" in result
-        assert "TA0002" in result or "Execution" in result
-
-
-def test_render_engagement_markdown_includes_soc_fields_even_when_blank(app) -> None:
-    with app.app_context():
-        eng = _make_engagement()
-        sim = _make_sim(log_source=None, logs=None, soc_comment=None, incident_number=None)
-        result = render_engagement_markdown(eng, [sim])
-        assert "Log source" in result
-        assert "SOC comment" in result
-        assert "Incident number" in result
-
-
-def test_render_engagement_markdown_escapes_backticks_in_commands(app) -> None:
-    with app.app_context():
-        eng = _make_engagement()
-        sim = _make_sim(commands="echo `whoami`")
-        result = render_engagement_markdown(eng, [sim])
-        # Commands must be inside a fenced code block using ~~~ (tilde fences)
-        assert "~~~" in result
-        # The backtick content must still be present
-        assert "`whoami`" in result
 
 
 # ---------------------------------------------------------------------------
@@ -129,40 +141,97 @@ def test_render_engagement_markdown_escapes_backticks_in_commands(app) -> None:
 # ---------------------------------------------------------------------------
 
 
+def _parse_csv(csv_text: str) -> list[list[str]]:
+    return list(_csv.reader(_io.StringIO(csv_text)))
+
+
 def test_render_engagement_csv_has_header_row(app) -> None:
     with app.app_context():
         eng = _make_engagement()
         result = render_engagement_csv(eng, [])
-        first_line = result.splitlines()[0]
+        rows = _parse_csv(result)
-        assert "id" in first_line
+        assert rows[0] == _FR_HEADERS
-        assert "name" in first_line
-        assert "status" in first_line
-        assert "techniques" in first_line
 
 
-def test_render_engagement_csv_joins_multi_techniques_with_pipe(app) -> None:
+def test_render_engagement_csv_has_one_row_per_simulation(app) -> None:
     with app.app_context():
-        import csv
+        eng = _make_engagement()
-        import io
+        sims = [_make_sim(1, "S1"), _make_sim(2, "S2")]
+        result = render_engagement_csv(eng, sims)
+        rows = _parse_csv(result)
+        assert len(rows) == 3  # header + 2 sims
 
+
+def test_render_engagement_csv_columns_are_seven(app) -> None:
+    with app.app_context():
+        eng = _make_engagement()
+        sim = _make_sim()
+        result = render_engagement_csv(eng, [sim])
+        rows = _parse_csv(result)
+        assert len(rows[0]) == 7
+        assert len(rows[1]) == 7
+
+
+def test_render_engagement_csv_execution_column_contains_commands(app) -> None:
+    with app.app_context():
         eng = _make_engagement()
         sim = _make_sim(
-            techniques=[
+            executed_at=datetime(2026, 6, 1, 10, 0, tzinfo=UTC),
-                {"id": "T1059", "name": "Command and Scripting Interpreter"},
+            commands="net user /domain",
-                {"id": "T1078", "name": "Valid Accounts"},
+            execution_result="success",
-            ]
         )
         result = render_engagement_csv(eng, [sim])
-        rows = list(csv.reader(io.StringIO(result)))
+        rows = _parse_csv(result)
-        # row[3] = techniques column
+        exec_cell = rows[1][4]  # col index 4 = Exécution
-        tech_cell = rows[1][3]
+        assert "2026-06-01" in exec_cell
-        assert "|" in tech_cell
+        assert "net user /domain" in exec_cell
-        assert "T1059" in tech_cell
+        assert "success" in exec_cell
-        assert "T1078" in tech_cell
 
 
 # ---------------------------------------------------------------------------
-# PDF test
+# CSV formula injection defense
+# ---------------------------------------------------------------------------
+
+
+def _parse_csv_data_row(csv_text: str, row_index: int = 1) -> list[str]:
+    return _parse_csv(csv_text)[row_index]
+
+
+def test_render_engagement_csv_escapes_formula_injection_in_scenario(app) -> None:
+    with app.app_context():
+        eng = _make_engagement()
+        sim = _make_sim(name="=cmd|'/c calc'!A1")
+        result = render_engagement_csv(eng, [sim])
+        cells = _parse_csv_data_row(result)
+        # col 0 = Scénario
+        assert cells[0] == "'=cmd|'/c calc'!A1"
+
+
+def test_render_engagement_csv_escapes_formula_injection_in_execution(app) -> None:
+    with app.app_context():
+        eng = _make_engagement()
+        # executed_at=None so concat is "\ncommand\n" — leading \n is not a trigger.
+        # Use a formula-triggering execution_result to test the final concat.
+        sim = _make_sim(execution_result="=HYPERLINK(\"http://evil\")")
+        result = render_engagement_csv(eng, [sim])
+        cells = _parse_csv_data_row(result)
+        # col 4 = Exécution; concat starts with "\n" (empty executed_at) so not triggered
+        # but the execution_result value is embedded — verify it's present
+        assert "HYPERLINK" in cells[4]
+
+
+def test_render_engagement_csv_does_not_alter_safe_strings(app) -> None:
+    with app.app_context():
+        eng = _make_engagement()
+        sim = _make_sim(name="Mimikatz LSASS Dump", commands="whoami /all")
+        result = render_engagement_csv(eng, [sim])
+        cells = _parse_csv_data_row(result)
+        assert cells[0] == "Mimikatz LSASS Dump"
+        assert "whoami /all" in cells[4]
+
+
+# ---------------------------------------------------------------------------
+# PDF tests
 # ---------------------------------------------------------------------------
 
 
@@ -175,86 +244,28 @@ def test_render_engagement_pdf_starts_with_pdf_magic(app) -> None:
         assert result[:4] == b"%PDF"
 
 
-# ---------------------------------------------------------------------------
+def test_render_engagement_pdf_contains_simulation_table(app) -> None:
-# MITRE bundle not loaded
+    from backend.app.services.export import _render_engagement_html
-# ---------------------------------------------------------------------------
 
-
-def test_render_engagement_markdown_with_mitre_bundle_not_loaded_does_not_crash(
-    app,
-) -> None:
     with app.app_context():
-        import backend.app.services.mitre as mitre_svc
-
-        original = mitre_svc.mitre_loaded
-        original_tactics = mitre_svc._tactics_by_technique.copy()
-        try:
-            mitre_svc.mitre_loaded = False
-            mitre_svc._tactics_by_technique = {}
         eng = _make_engagement()
-            sim = _make_sim(
+        sim = _make_sim()
-                techniques=[{"id": "T1059", "name": "Command and Scripting Interpreter"}],
+        html = _render_engagement_html(eng, [sim])
-                tactic_ids=["TA0002"],
+        assert "<table>" in html
-            )
+        for header in _FR_HEADERS:
-            result = render_engagement_markdown(eng, [sim])
+            assert header in html, f"Expected French header '{header}' in HTML"
-            # Must not crash and must include the technique id
-            assert "T1059" in result
-        finally:
-            mitre_svc.mitre_loaded = original
-            mitre_svc._tactics_by_technique = original_tactics
 
 
 # ---------------------------------------------------------------------------
-# CSV formula injection defense (security fix — 2026-06-08)
+# Defense-in-depth: filename header injection
 # ---------------------------------------------------------------------------
 
-import csv as _csv  # noqa: E402  (sectioned import to keep test diff localized)
-import io as _io  # noqa: E402
-
-
-def _parse_csv_data_row(csv_text: str, row_index: int = 1) -> list[str]:
-    """Return cells of row N (0=header) parsed by csv.reader to handle multilines."""
-    return list(_csv.reader(_io.StringIO(csv_text)))[row_index]
-
-
-def test_render_engagement_csv_escapes_formula_injection_in_name(app) -> None:
-    with app.app_context():
-        eng = _make_engagement()
-        sim = _make_sim(name="=cmd|'/c calc'!A1")
-        result = render_engagement_csv(eng, [sim])
-        cells = _parse_csv_data_row(result)
-        # name is column index 1 (after id)
-        assert cells[1] == "'=cmd|'/c calc'!A1", (
-            "name beginning with = must be apostrophe-prefixed to defuse Excel formula"
-        )
-
-
-def test_render_engagement_csv_escapes_formula_injection_in_commands(app) -> None:
-    with app.app_context():
-        eng = _make_engagement()
-        sim = _make_sim(commands="@SUM(1+1)")
-        result = render_engagement_csv(eng, [sim])
-        cells = _parse_csv_data_row(result)
-        # commands is column index 6 per _CSV_HEADERS order
-        assert cells[6].startswith("'@"), "commands beginning with @ must be apostrophe-prefixed"
-
-
-def test_render_engagement_csv_does_not_alter_safe_strings(app) -> None:
-    with app.app_context():
-        eng = _make_engagement()
-        sim = _make_sim(name="Mimikatz LSASS Dump", commands="whoami /all")
-        result = render_engagement_csv(eng, [sim])
-        cells = _parse_csv_data_row(result)
-        assert cells[1] == "Mimikatz LSASS Dump", "safe name must not be modified"
-        assert cells[6] == "whoami /all", "safe commands must not be modified"
-
 
 def test_export_filename_never_contains_quote_or_crlf() -> None:
     """Defense-in-depth: even with malicious engagement names, the filename
     used in Content-Disposition must never contain header-injection chars."""
-    from types import SimpleNamespace
-
     from backend.app.services.export import _export_filename
+
     evil = SimpleNamespace(id=42, name='evil"name\r\nX-Injected: yes')
     fname = _export_filename(evil, "md")
     assert '"' not in fname

e2e/tests/us29-export-formats.spec.ts

@@ -19,6 +19,16 @@ import {
   makeClient,
   type Engagement,
 } from '../fixtures/api';
+
+const CSV_HEADER_COLS = [
+  'Scénario',
+  'Test',
+  'Source de log',
+  'Commentaires SOC',
+  'Exécution',
+  'Logs remontés au SIEM',
+  'Cyber incident',
+];
 import { seedTokenInStorage } from '../fixtures/auth';
 
 const ADMIN_USER = 'us29-admin';
@@ -91,8 +101,6 @@ test.describe('US-29 — Export formats (admin + redteam)', () => {
   let adminTok: string;
   let redteamTok: string;
   let engagement: Engagement;
-  let sim1: Simulation;
-  let sim2: Simulation;
 
   test.beforeAll(async () => {
     await ensureUser(ADMIN_USER, PASS, 'admin');
@@ -106,8 +114,8 @@ test.describe('US-29 — Export formats (admin + redteam)', () => {
       start_date: '2026-01-15',
       status: 'active',
     });
-    sim1 = await createSimulation(adminTok, engagement.id, 'US29 Sim Alpha');
+    await createSimulation(adminTok, engagement.id, 'US29 Sim Alpha');
-    sim2 = await createSimulation(adminTok, engagement.id, 'US29 Sim Beta');
+    await createSimulation(adminTok, engagement.id, 'US29 Sim Beta');
   });
 
   test.afterAll(async () => {
@@ -162,13 +170,14 @@ test.describe('US-29 — Export formats (admin + redteam)', () => {
 
     const content = await fs.readFile(filePath!, 'utf-8');
 
-    // Must contain engagement name
+    // Must contain engagement name and start date in the header section
     expect(content).toContain('US29 Export Engagement');
-    // Must contain simulation names
+    expect(content).toContain('2026-01-15');
+    // Must use the 7-column GFM table layout
+    expect(content).toContain('| Scénario |');
+    // Simulation names appear in the Scénario column
     expect(content).toContain('US29 Sim Alpha');
     expect(content).toContain('US29 Sim Beta');
-    // Must contain start date
-    expect(content).toContain('2026-01-15');
 
     // Suggested filename from Content-Disposition must end in .md
     const suggestedName = download.suggestedFilename();
@@ -203,10 +212,11 @@ test.describe('US-29 — Export formats (admin + redteam)', () => {
     // 1 header + 2 simulation rows
     expect(rows.count).toBe(3);
 
-    // Header must mention 'name' column
+    // Header must be exactly the 7 FR columns
-    expect(rows.headerLine).toContain('name');
+    const headerCells = rows.headerLine.split(',').map((c) => c.trim().replace(/^"|"$/g, ''));
+    expect(headerCells).toEqual(CSV_HEADER_COLS);
 
-    // Simulation data rows must contain simulation names
+    // Scénario column (index 0) contains simulation names
     expect(rows.dataText).toContain('US29 Sim Alpha');
     expect(rows.dataText).toContain('US29 Sim Beta');
 

e2e/tests/us31-export-robustness.spec.ts

@@ -16,9 +16,18 @@ import {
   deleteUserByUsername,
   ensureUser,
   login,
-  makeClient,
 } from '../fixtures/api';
 
+const CSV_HEADER_COLS = [
+  'Scénario',
+  'Test',
+  'Source de log',
+  'Commentaires SOC',
+  'Exécution',
+  'Logs remontés au SIEM',
+  'Cyber incident',
+];
+
 const ADMIN_USER = 'us31-admin';
 const PASS = 'us31-pass-strong!';
 
@@ -142,8 +151,10 @@ test.describe('US-31 — Export robustness', () => {
       );
       expect(response.status()).toBe(200);
       const text = await response.text();
-      // Must contain engagement name in the header section
+      // Engagement header section present
       expect(text).toContain('US31 empty engagement');
+      // With 0 simulations the GFM table is absent (no rows to render)
+      expect(text).not.toContain('| Scénario |');
     } finally {
       await deleteEngagement(adminTok, engagement.id);
     }
@@ -167,8 +178,9 @@ test.describe('US-31 — Export robustness', () => {
       // Count rows via RFC-4180-aware counter (handles embedded newlines in quoted cells)
       const rowCount = countCsvRows(text);
       expect(rowCount).toBe(1);
-      // The single row is the header; must contain 'name' column
+      // The single row is the header with exactly the 7 FR columns
-      expect(text.trim()).toContain('name');
+      const headerCells = text.trim().split(',').map((c) => c.trim().replace(/^"|"$/g, ''));
+      expect(headerCells).toEqual(CSV_HEADER_COLS);
     } finally {
       await deleteEngagement(adminTok, engagement.id);
     }

tasks/pr-body-sprint-6.md

@@ -0,0 +1,36 @@
+## Summary
+- **Engagement export** : `GET /api/engagements/<id>/export?format=md|csv|pdf` — clôt la boucle « remplace l'Excel partagé RT ↔ SOC » du SPEC.
+- **3 formats livrés** : Markdown (table GFM 7 colonnes), CSV (7 colonnes machine-readable, défense formula-injection), PDF (table HTML→PDF via WeasyPrint).
+- **Schéma fixe 7 colonnes FR** uniforme MD/CSV/PDF (décision post-review, pre-merge) : `Scénario`, `Test`, `Source de log`, `Commentaires SOC`, `Exécution` (multi-ligne sans labels — `executed_at` → `commands` → `execution_result`), `Logs remontés au SIEM`, `Cyber incident`. Champs retirés intentionnellement : status, MITRE techniques/tactics, prerequisites, id, created_at, updated_at.
+- **UI** : split-button dropdown `[Export ▼]` sur `EngagementDetailPage`, 3 items. Les **deux moitiés ouvrent le menu** (différence sémantique vs sprint 5 où la gauche naviguait blank — il n'y a pas de format "défaut" évident).
+- **RBAC SOC zero access** : admin + redteam exportent ; SOC ne voit pas le bouton (DOM-absent) et tous endpoints `/api/engagements/<id>/export*` → 403.
+- **Security MEDIUM fix mid-sprint** : CSV formula injection défusée par `_csv_safe()` (apostrophe-prefix sur `=`/`+`/`-`/`@`/`\t`/`\r`). Le red team aurait pu injecter une formule qui s'exécute chez le SOC à l'ouverture de l'Excel.
+
+## Test plan
+- **Backend** : **255/255** pytest (`ruff` + `mypy` clean).
+- **Frontend** : **136/136** vitest (`typecheck` + `lint` clean).
+- **E2e Playwright** : **223/223** verts — baseline sprint 5 = 201, +22 sprint 6.
+
+## Comment tester en local
+```bash
+make build && make start                            # auto-podman, +50 MB d'image (deps WeasyPrint)
+make create-admin USER=alice PASS=changeme8         # si premier setup
+# Ouvrir http://127.0.0.1:5000 (IPv4 explicite si IPv6 par défaut)
+```
+
+Scénarios :
+1. **Export Markdown** — login admin → engagement avec ≥ 2 simulations → header → `[Export ▼]` → Markdown. Le `.md` téléchargé contient le nom de l'engagement, ses dates, et le détail de chaque simulation RT + SOC.
+2. **Export CSV** — même flow → CSV. Ouvre dans LibreOffice : 1 ligne header + N lignes simulations, commands multilines correctement échappés, colonnes RT et SOC visibles.
+3. **Export PDF** — même flow → PDF. Le fichier doit s'ouvrir dans un viewer PDF avec un rendu propre (titres, sections, tables).
+4. **CSV formula injection (sécurité)** — crée une simulation avec `name = "=cmd|'/c calc'!A1"`, exporte le CSV, ouvre dans Excel/LibreOffice. La cellule doit afficher le texte littéral `=cmd|'/c calc'!A1` (apostrophe forcé), pas exécuter la formule.
+5. **SOC zero access** — login en SOC → engagement → bouton `Export` ABSENT du header. Test API direct : `curl -H "Authorization: Bearer <SOC_TOKEN>" http://127.0.0.1:5000/api/engagements/1/export?format=md` → `403`.
+6. **Engagement vide** — engagement avec 0 simulations → export OK (header seul ; CSV = 1 ligne header).
+7. **Filename normalisé** — engagement nommé `"Opération Spéciale"` → filename Content-Disposition = `engagement-<id>-operation-speciale-YYYYMMDD.<ext>` (NFKD strip des accents).
+
+## Notes
+- **Endpoint unique** avec query param `format`, pas 3 routes séparées — 1 RBAC à protéger, 1 test d'intégration RBAC.
+- **PDF pipeline** : WeasyPrint (Python HTML→PDF). Le PDF est généré depuis les MÊMES DONNÉES que le Markdown (pas depuis le string Markdown) via `_render_engagement_html()`. CSS inline ≤ 30 lignes.
+- **Dockerfile** : +6 libs minimales pour WeasyPrint (`libcairo2 libpango-1.0-0 libpangoft2-1.0-0 libharfbuzz0b libfontconfig1 shared-mime-info`). `libgdk-pixbuf-2.0-0` exclu (text-only PDF, vérifié `weasyprint --info`).
+- **Process wins sprint 6** : SPEC.md committed en commit #1 du sprint (recurrence 4 sprints enfin tuée) ; spec-reviewer 2-pass APPROVED avant dispatch backend (0 addendum mid-implementation, comme sprint 5) ; team `mimic` persistante avec les 7 agents idle (cohérence cross-sprint à partir du sprint 7+).
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)