Files

Knacky 5104f7c429 feat: sprint 1 — auth + CRUD engagements

Ship the first feature end-to-end on the UI: users log in with JWT,
admins manage user accounts, and any authenticated user (per RBAC)
can create, list, view, edit, and delete engagements.

Backend (Flask + SQLAlchemy + SQLite, 63 pytest)
- User / Engagement models, Alembic 0001 initial schema
- argon2 password hashing, JWT bearer (60-min TTL), @login_required
  and @role_required decorators
- 13 API endpoints under /api/*, including last-admin protection on
  DELETE/PATCH user and JSON 404 on unknown /api/* paths
- `flask create-admin` CLI with duplicate / short-password handling

Frontend (React + Vite + Tailwind + TanStack Query, 20 vitest)
- Inter font bundled locally (no CDN), DESIGN.md tokens in Tailwind
- LoginPage / EngagementsList / EngagementForm / EngagementDetail /
  UsersAdmin pages with role-aware UI
- Layout, ProtectedRoute, StatusBadge, FormField, LoadingState,
  ErrorState, EmptyState, Toast + provider
- Axios client: Bearer interceptor, 401 → purge + /login + "Session
  expirée" toast, 403 → "Accès refusé" toast (declarative <Navigate>
  for already-authed users, Fragment-keyed admin user rows)

Deployment
- Single multistage Dockerfile (node:20-alpine → python:3.12-slim)
- docker/entrypoint.sh runs `flask db upgrade` before `flask run`
- Makefile: build/start/stop/restart/update/logs/create-admin/
  update-mitre/test-{backend,frontend,e2e}/clean
- .env.example documenting MIMIC_JWT_SECRET / MIMIC_DB_PATH / MIMIC_PORT
- SQLite at /data/mimic.sqlite on named volume mimic-data

Acceptance suite (Playwright, 36 tests, all 27 ACs)
- e2e/ scaffold with playwright.config + auth/api fixtures
- One spec per user story (us1-bootstrap through us6-deployment)
- Portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL (docker or podman)

Docs
- README.md with quick-start and architecture overview
- CHANGELOG.md updated with Sprint 1 deliverables
- pyrightconfig.json so the Python LSP sees backend/.venv and
  resolves the `backend.app.*` absolute imports

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-26 09:37:53 +02:00

4.0 KiB

Raw Blame History

Changelog

All notable changes to Mimic are tracked here.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[Unreleased]

Added — Sprint 1 (Auth + CRUD Engagement)

Backend (Flask + SQLAlchemy + SQLite, 63 pytest passing)

User model with admin / redteam / soc enum, argon2 password hashing.
Engagement model with planned / active / closed status, FK to creator user.
JWT Bearer auth (PyJWT, HS256, 60-min TTL), @login_required and @role_required(*roles) decorators.
13 API endpoints: /api/auth/{login,logout,me}, /api/users CRUD (admin-only with last-admin protection), /api/engagements CRUD (RBAC per role), /api/health.
Alembic migration applied at container boot by docker/entrypoint.sh.
flask create-admin CLI with duplicate-username and short-password validation.
Engagement serializer returns created_by={id, username} (not bare User object).
SPA fallback returns JSON 404 for unknown /api/* paths (no HTML leakage).

Frontend (React + Vite + TailwindCSS + TanStack Query, 20 vitest passing)

Inter font bundled locally via @fontsource-variable/inter (no CDN at runtime).
Tailwind config maps the DESIGN.md token system (palette, typography, spacing, radii).
Pages: LoginPage, EngagementsListPage, EngagementFormPage (new+edit), EngagementDetailPage (Sprint 2 placeholder), UsersAdminPage.
Components: Layout, ProtectedRoute (auth + role gate), StatusBadge, FormField, LoadingState/ErrorState/EmptyState, Toast + provider.
Axios client with Bearer interceptor; 401 → token purge + redirect /login + "Session expirée" toast (AC-2.6); 403 → "Accès refusé" toast (AC-3.7).
TanStack Query hooks: useAuth, useEngagements, useUsers, useToast.

Deployment

Single-container docker/Dockerfile (multistage: node:20-alpine → python:3.12-slim).
docker/entrypoint.sh running flask db upgrade && flask run.
Makefile with build, start, stop, restart, update, logs, create-admin, update-mitre (no-op placeholder for Sprint 2), test-backend, test-frontend, test-e2e, clean.
.env.example documenting MIMIC_JWT_SECRET, MIMIC_DB_PATH, MIMIC_PORT.
SQLite persisted at /data/mimic.sqlite, volume mimic-data survives make restart.

Acceptance tests (Playwright, 36 specs, all 27 ACs covered)

e2e/ scaffold: playwright.config.ts, fixtures/{auth,api}.ts, 6 spec files (one per user story).
Suite is portable via MIMIC_CONTAINER_CMD / MIMIC_BASE_URL env vars (works with docker or podman).

Docs

README.md with quick-start, architecture overview, project layout, make target reference, and dev workflow.
pyrightconfig.json at repo root pointing the Python LSP to backend/.venv and adding the worktree root to extraPaths for absolute imports.

Changed

2026-05-26 — admin role widened in SPEC.md § Décisions techniques. The initial draft restricted admin to user-management only; after the Sprint 1 plan review surfaced the operational pain (admin would need a second redteam account just to manage engagements), the user decided to make admin a super-user that cumulates redteam rights on engagements/simulations.

Removed

none

[Sprint 0] — Bootstrap (merged 2026-05-26)

Added

Initial SPEC.md covering project scope, simulation model, workflow, stack, and agent team.
Technical decisions section in SPEC.md: 3-role auth (admin/redteam/soc), JWT Bearer, single-container Flask+React, local MITRE STIX bundle, minimal Engagement model, admin bootstrap via Makefile target.
Sub-agent definitions under .claude/agents/ for backend-builder, frontend-builder, spec-reviewer (project override of the built-in, covers plan-vs-spec and code-vs-spec), code-reviewer, test-verifier, devil-advocate.
Project tracking scaffold: tasks/todo.md, tasks/lessons.md, CHANGELOG.md, .gitignore.

4.0 KiB Raw Blame History