knacky/mimic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2a7d27bf02826f45766179308c7ed0d64305c73c
mimic/CHANGELOG.md
Knacky b3124ba4dd fix(make): auto-detect docker/podman so Makefile works on either engine 
- Makefile: introduce CONTAINER_CMD ?= $(shell command -v docker || echo podman),
  replace all 12 hardcoded `docker` invocations with $(CONTAINER_CMD). User can
  override with `make <target> CONTAINER_CMD=podman` or env export.
- e2e/tests/us1-bootstrap-admin.spec.ts: AC-1.4 regex updated to match the new
  variable form `$(CONTAINER_CMD) exec … flask create-admin` (was hardcoded
  `docker exec`). RUNTIME default also auto-detects (same logic as Makefile)
  so the test exec'es the right engine without a MIMIC_CONTAINER_CMD export.
- e2e/tests/us6-deployment.spec.ts: same RUNTIME auto-detect so the make-dry-run
  regex assertions on lines 75 + 77 match what the Makefile actually emits on
  a podman-only host.
- README + CHANGELOG document the new behavior.

Fixes the user-reported issue: "Le makefile ne fonctionne pas sur ma machine
qui n'a que podman."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-26 12:20:29 +02:00

8.6 KiB
Raw Blame History

Changelog

All notable changes to Mimic are tracked here.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[Unreleased]

Added — Sprint 2 (Simulations + MITRE ATT&CK)

Backend (Flask + SQLAlchemy, 131 pytest passing)

  • Simulation model with redteam-side (name, mitre_technique_id, mitre_technique_name, description, commands, prerequisites, executed_at, execution_result) and SOC-side (log_source, logs, soc_comment, incident_number) fields, plus status enum (pending / in_progress / review_required / done), FK to Engagement (cascade delete) and User (creator).
  • Alembic migration 0002_add_simulations.py.
  • 7 new endpoints: GET/POST /api/engagements/<eid>/simulations, GET/PATCH/DELETE /api/simulations/<sid>, POST /api/simulations/<sid>/transition, GET /api/mitre/techniques?q=.
  • simulation_workflow service: field-level RBAC (SOC blocked when status ∈ {pending, in_progress}; SOC rejected if payload contains a redteam field), state machine (only forward transitions, validated by role), and auto-transition pending → in_progress when admin/redteam saves any non-empty redteam field.
  • mitre service: STIX 2.1 Enterprise bundle loaded at boot, indexed by T-id + name + tactic. Ranked search (exact-id > prefix-id > substring-name), max 20 results. Includes sub-techniques (T1059.001). Boot-safe: missing/corrupt bundle logs a warning and the endpoint returns 503 instead of crashing the app.
  • make update-mitre is now a real target — fetches the upstream STIX bundle and restarts the container if running. Bundle is committed at backend/data/mitre/enterprise-attack.json (~46 MB) so make build stays self-contained.
  • Upfront validation of executed_at (no partial mutation on parse failure).

Frontend (React + TanStack Query, 63 vitest passing)

  • SimulationList component rendered inside EngagementDetailPage (replaces the Sprint 1 placeholder). Columns: name, MITRE id, status badge, executed_at. Row click → SPA navigation via useNavigate (no full reload).
  • SimulationFormPage (/engagements/:eid/simulations/new and /engagements/:eid/simulations/:sid/edit): single role-aware page with two cards ("Red Team" / "SOC"). Redteam/admin can edit all fields; SOC sees the redteam card as read-only and the SOC card disabled (with an explanatory banner) until status reaches review_required. Footer surfaces context-appropriate transition buttons ("Marquer en revue" / "Clôturer") and a confirmation modal for delete.
  • MitreTechniquePicker: debounced (200 ms) autocomplete input with keyboard navigation (↑↓ / Enter / Escape), listbox accessibility, and an inline 503 error path. Selection populates both mitre_technique_id and mitre_technique_name. A hasHydratedFromProps ref prevents the input from being wiped mid-stroke when the parent emits onChange(null, null).
  • SimulationStatusBadge: 4 variants mapped to DESIGN.md tokens (bg-fog, bg-primary-soft, bg-bloom-coral, bg-storm-deep). Sibling of the existing StatusBadge rather than a forked generic — the two badges share visual scaffolding but their enums diverge.
  • ConfirmDialog: generic modal used by the delete flow.
  • TanStack Query hooks: useEngagementSimulations, useSimulation, useCreateSimulation, useUpdateSimulation, useDeleteSimulation, useTransitionSimulation, useMitreSearch. Mutations invalidate both the simulation detail key and the engagement-scoped list key.

Acceptance tests (Playwright, 68 specs)

  • 6 new spec files (one per user story US-7 → US-12), 32 tests, all green.
  • us4-engagements.spec.ts AC-4.9 assertion refreshed: the Sprint 1 placeholder text was correctly replaced by the new SimulationList (the test now asserts the new heading + "Nouvelle simulation" link).
  • 5 pre-existing failures in us1-bootstrap-admin.spec.ts and us6-deployment.spec.ts remain — they hard-code docker in the test body and fail in dev environments that only have podman. The fixtures already support MIMIC_CONTAINER_CMD; the test bodies don't yet. Out of scope for Sprint 2 — to be picked up later.

Changed

  • 2026-05-26 — make update-mitre upgraded from no-op placeholder to a real curl + optional container restart (Sprint 1 marker resolved).
  • 2026-05-26 — EngagementDetailPage no longer renders the "Simulations à venir au Sprint 2" placeholder; it embeds <SimulationList> instead.
  • 2026-05-26 — Makefile now auto-detects the container engine (CONTAINER_CMD ?= docker || podman) instead of hard-coding docker. Override with make <target> CONTAINER_CMD=podman or export CONTAINER_CMD=…. The matching e2e tests (us1, us6) were updated to mirror the same detection so they pass on podman-only machines without an explicit MIMIC_CONTAINER_CMD export.

[Sprint 1] — Auth + CRUD Engagement (merged 2026-05-26)

Added

Backend (Flask + SQLAlchemy + SQLite, 63 pytest passing)

  • User model with admin / redteam / soc enum, argon2 password hashing.
  • Engagement model with planned / active / closed status, FK to creator user.
  • JWT Bearer auth (PyJWT, HS256, 60-min TTL), @login_required and @role_required(*roles) decorators.
  • 13 API endpoints: /api/auth/{login,logout,me}, /api/users CRUD (admin-only with last-admin protection), /api/engagements CRUD (RBAC per role), /api/health.
  • Alembic migration applied at container boot by docker/entrypoint.sh.
  • flask create-admin CLI with duplicate-username and short-password validation.
  • Engagement serializer returns created_by={id, username} (not bare User object).
  • SPA fallback returns JSON 404 for unknown /api/* paths (no HTML leakage).

Frontend (React + Vite + TailwindCSS + TanStack Query, 20 vitest passing)

  • Inter font bundled locally via @fontsource-variable/inter (no CDN at runtime).
  • Tailwind config maps the DESIGN.md token system (palette, typography, spacing, radii).
  • Pages: LoginPage, EngagementsListPage, EngagementFormPage (new+edit), EngagementDetailPage (Sprint 2 placeholder), UsersAdminPage.
  • Components: Layout, ProtectedRoute (auth + role gate), StatusBadge, FormField, LoadingState/ErrorState/EmptyState, Toast + provider.
  • Axios client with Bearer interceptor; 401 → token purge + redirect /login + "Session expirée" toast (AC-2.6); 403 → "Accès refusé" toast (AC-3.7).
  • TanStack Query hooks: useAuth, useEngagements, useUsers, useToast.

Deployment

  • Single-container docker/Dockerfile (multistage: node:20-alpinepython:3.12-slim).
  • docker/entrypoint.sh running flask db upgrade && flask run.
  • Makefile with build, start, stop, restart, update, logs, create-admin, update-mitre (no-op placeholder for Sprint 2), test-backend, test-frontend, test-e2e, clean.
  • .env.example documenting MIMIC_JWT_SECRET, MIMIC_DB_PATH, MIMIC_PORT.
  • SQLite persisted at /data/mimic.sqlite, volume mimic-data survives make restart.

Acceptance tests (Playwright, 36 specs, all 27 ACs covered)

  • e2e/ scaffold: playwright.config.ts, fixtures/{auth,api}.ts, 6 spec files (one per user story).
  • Suite is portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL env vars (works with docker or podman).

Docs

  • README.md with quick-start, architecture overview, project layout, make target reference, and dev workflow.
  • pyrightconfig.json at repo root pointing the Python LSP to backend/.venv and adding the worktree root to extraPaths for absolute imports.

Changed

  • 2026-05-26 — admin role widened in SPEC.md § Décisions techniques. The initial draft restricted admin to user-management only; after the Sprint 1 plan review surfaced the operational pain (admin would need a second redteam account just to manage engagements), the user decided to make admin a super-user that cumulates redteam rights on engagements/simulations.

Removed

  • none

[Sprint 0] — Bootstrap (merged 2026-05-26)

Added

  • Initial SPEC.md covering project scope, simulation model, workflow, stack, and agent team.
  • Technical decisions section in SPEC.md: 3-role auth (admin/redteam/soc), JWT Bearer, single-container Flask+React, local MITRE STIX bundle, minimal Engagement model, admin bootstrap via Makefile target.
  • Sub-agent definitions under .claude/agents/ for backend-builder, frontend-builder, spec-reviewer (project override of the built-in, covers plan-vs-spec and code-vs-spec), code-reviewer, test-verifier, devil-advocate.
  • Project tracking scaffold: tasks/todo.md, tasks/lessons.md, CHANGELOG.md, .gitignore.
Reference in New Issue View Git Blame Copy Permalink