merge: testing → main (reconcile 2-week divergence)

decnet/web/router/attackers/api_get_attacker_mail.py

@@ -0,0 +1,37 @@
+from typing import Any
+
+from fastapi import APIRouter, Depends, HTTPException
+
+from decnet.telemetry import traced as _traced
+from decnet.web.dependencies import require_admin, repo
+
+router = APIRouter()
+
+
+@router.get(
+    "/attackers/{uuid}/mail",
+    tags=["Attacker Profiles"],
+    responses={
+        401: {"description": "Could not validate credentials"},
+        403: {"description": "Admin access required"},
+        404: {"description": "Attacker not found"},
+    },
+)
+@_traced("api.get_attacker_mail")
+async def get_attacker_mail(
+    uuid: str,
+    admin: dict = Depends(require_admin),
+) -> dict[str, Any]:
+    """List stored messages this attacker relayed via the SMTP honeypots.
+
+    Each entry is a ``message_stored`` log row — headers + attachment
+    manifest live in ``fields``; the raw .eml bytes are fetched via
+    ``/artifacts/{decky}/{stored_as}?service=smtp`` (also admin-gated).
+    Admin-only because message bodies are attacker-controlled content
+    and may include phishing kits / malware droppers.
+    """
+    attacker = await repo.get_attacker_by_uuid(uuid)
+    if not attacker:
+        raise HTTPException(status_code=404, detail="Attacker not found")
+    rows = await repo.get_attacker_stored_mail(uuid)
+    return {"total": len(rows), "data": rows}