anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: anti:4197441c010a91c6708c16560f8349a363a67590
Branches Tags
anti:main anti:dev anti:testing anti:tomerge/main
anti:v0.2 anti:v0.1.0
..
compare: anti:testing
Branches Tags
anti:dev anti:testing anti:main anti:tomerge/main
anti:v0.2 anti:v0.1.0

7 Commits
4197441c01 ... testing

Author SHA1 Message Date
DECNET CI
e8d97281f7 ci: auto-merge dev → testing [skip ci] 2026-04-20 20:39:35 +00:00
anti
8a2876fe86 fix(api): document missing HTTP status codes on router endpoints
All checks were successful
CI / Lint (ruff) (push) Successful in 16s
Details
CI / SAST (bandit) (push) Successful in 18s
Details
CI / Dependency audit (pip-audit) (push) Successful in 26s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m41s
Details
CI / Test (Live) (3.11) (push) Successful in 1m6s
Details
CI / Test (Fuzz) (3.11) (push) Successful in 1h9m14s
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
CI / Merge dev → testing (push) Successful in 12s
Details
CI / Prepare Merge to Main (push) Has been skipped
Details 
Schemathesis was failing CI on routes that returned status codes not
declared in their OpenAPI responses= dicts. Adds the missing codes
across swarm_updates, swarm_mgmt, swarm, fleet and attackers routers.

Also adds 400 to every POST/PUT/PATCH that accepts a JSON body —
Starlette returns 400 on malformed/non-UTF8 bodies before FastAPI's
422 validation runs, which schemathesis fuzzing trips every time.

No handler logic changed.
 2026-04-20 15:25:02 -04:00
anti
3e8e4c9e1c fix(ci): run less harsh tests on CI, let local runners run harder ones 2026-04-20 14:07:34 -04:00
anti
64bc6fcb1d chores(pyproj): modified some values 2026-04-20 13:22:49 -04:00
anti
af9d59d3ee fixed(api): documentation 2026-04-20 13:20:42 -04:00
DECNET CI
8ad3350d51 ci: auto-merge dev → testing [skip ci] 2026-04-13 05:55:46 +00:00
DECNET CI
ac4e5e1570 ci: auto-merge dev → testing
All checks were successful
CI / Lint (ruff) (push) Successful in 11s
Details
CI / Test (pytest) (3.11) (push) Successful in 1m9s
Details
CI / Test (pytest) (3.12) (push) Successful in 1m14s
Details
CI / SAST (bandit) (push) Successful in 12s
Details
CI / Dependency audit (pip-audit) (push) Successful in 21s
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Open PR to main (push) Successful in 6s
Details
PR Gate / Lint (ruff) (pull_request) Successful in 11s
Details
PR Gate / Test (pytest) (3.11) (pull_request) Successful in 1m13s
Details
PR Gate / Test (pytest) (3.12) (pull_request) Successful in 1m12s
Details
PR Gate / SAST (bandit) (pull_request) Successful in 13s
Details
PR Gate / Dependency audit (pip-audit) (pull_request) Successful in 21s
Details
2026-04-12 07:53:07 +00:00
18 changed files with 107 additions and 62 deletions
Expand all files Collapse all files

2
.gitea/workflows/ci.yml
View File

@@ -105,6 +105,8 @@ jobs:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
- run: pip install -e .[dev] - run: pip install -e .[dev]
- run: pytest -m fuzz - run: pytest -m fuzz
env:
SCHEMATHESIS_CONFIG: schemathesis.ci.toml
merge-to-testing: merge-to-testing:
name: Merge dev → testing name: Merge dev → testing

58
CLAUDE.md
View File

@@ -1,58 +0,0 @@
# CLAUDE.md
This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
## Commands
```bash
# Install (dev)
pip install -e .
# List registered service plugins
decnet services
# Dry-run (generates compose, no containers)
decnet deploy --mode unihost --deckies 3 --randomize-services --dry-run
# Full deploy (requires root for MACVLAN)
sudo decnet deploy --mode unihost --deckies 5 --interface eth0 --randomize-services
sudo decnet deploy --mode unihost --deckies 3 --services ssh,smb --log-target 192.168.1.5:5140
# Status / teardown
decnet status
sudo decnet teardown --all
sudo decnet teardown --id decky-01
```
## Project Overview
DECNET is a honeypot/deception network framework. It deploys fake machines (called **deckies**) with realistic services (RDP, SMB, SSH, FTP, etc.) to lure and profile attackers. All attacker interactions are aggregated to an isolated logging network (ELK stack / SIEM).
## Deployment Models
**UNIHOST** — one real host spins up _n_ deckies via a container orchestrator. Simpler, single-machine deployment.
**SWARM (MULTIHOST)**_n_ real hosts each running deckies. Orchestrated via Ansible/sshpass or similar tooling.
## Core Technology Choices
- **Containers**: Docker Compose is the starting point but other orchestration frameworks should be evaluated if they serve the project better. `debian:bookworm-slim` is the default base image; mixing in Ubuntu, CentOS, or other distros is encouraged to make the decoy network look heterogeneous.
- **Networking**: Deckies need to appear as real machines on the LAN (own MACs/IPs). MACVLAN and IPVLAN are candidates; the right driver depends on the host environment. WSL has known limitations — bare metal or a VM is preferred for testing.
- **Log pipeline**: Logstash → ELK stack → SIEM (isolated network, not reachable from decoy network)
## Architecture Constraints
- The decoy network must be reachable from the outside (attacker-facing).
- The logging/aggregation network must be isolated from the decoy network.
- A publicly accessible real server acts as the bridge between the two networks.
- Deckies should differ in exposed services and OS fingerprints to appear as a heterogeneous network.
- **IMPORTANT**: The system now strictly enforces dependency injection for storage. Do not import `SQLiteRepository` directly in new features; instead, use `get_repository()` from the factory or the FastAPI `get_repo` dependency.
## Development and testing
- For every new feature, pytests must me made.
- Pytest is the main testing framework in use.
- NEVER pass broken code to the user.
- Broken means: not running, not passing 100% tests, etc.
- After tests pass with 100%, always git commit your changes.
- NEVER add "Co-Authored-By" or any Claude attribution lines to git commit messages.

3
decnet/web/router/__init__.py
View File

@@ -30,8 +30,11 @@ api_router = APIRouter(
# require_* Depends or by the global auth middleware). Document 401/403 # require_* Depends or by the global auth middleware). Document 401/403
# here so the OpenAPI schema reflects reality for contract tests. # here so the OpenAPI schema reflects reality for contract tests.
responses={ responses={
400: {"description": "Malformed request body"},
401: {"description": "Missing or invalid credentials"}, 401: {"description": "Missing or invalid credentials"},
403: {"description": "Authenticated but not authorized"}, 403: {"description": "Authenticated but not authorized"},
404: {"description": "Referenced resource does not exist"},
409: {"description": "Conflict with existing resource"},
}, },
) )

1
decnet/web/router/attackers/api_get_attacker_commands.py
View File

@@ -15,6 +15,7 @@ router = APIRouter()
401: {"description": "Could not validate credentials"}, 401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"}, 403: {"description": "Insufficient permissions"},
404: {"description": "Attacker not found"}, 404: {"description": "Attacker not found"},
422: {"description": "Query parameter validation error (limit/offset out of range or invalid)"},
}, },
) )
@_traced("api.get_attacker_commands") @_traced("api.get_attacker_commands")

3
decnet/web/router/fleet/api_deploy_deckies.py
View File

@@ -26,7 +26,8 @@ router = APIRouter()
403: {"description": "Insufficient permissions"}, 403: {"description": "Insufficient permissions"},
409: {"description": "Configuration conflict (e.g. invalid IP allocation or network mismatch)"}, 409: {"description": "Configuration conflict (e.g. invalid IP allocation or network mismatch)"},
422: {"description": "Invalid INI config or schema validation error"}, 422: {"description": "Invalid INI config or schema validation error"},
500: {"description": "Deployment failed"} 500: {"description": "Deployment failed"},
502: {"description": "Partial swarm deploy failure — one or more worker hosts returned an error"},
} }
) )
@_traced("api.deploy_deckies") @_traced("api.deploy_deckies")

7
decnet/web/router/fleet/api_mutate_decky.py
View File

@@ -11,7 +11,12 @@ router = APIRouter()
@router.post( @router.post(
"/deckies/{decky_name}/mutate", "/deckies/{decky_name}/mutate",
tags=["Fleet Management"], tags=["Fleet Management"],
responses={401: {"description": "Could not validate credentials"}, 403: {"description": "Insufficient permissions"}, 404: {"description": "Decky not found"}} responses={
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "Decky not found"},
422: {"description": "Path parameter validation error (decky_name must match ^[a-z0-9\\-]{1,64}$)"},
}
) )
@_traced("api.mutate_decky") @_traced("api.mutate_decky")
async def api_mutate_decky( async def api_mutate_decky(

6
decnet/web/router/swarm/api_enroll_host.py
View File

@@ -29,7 +29,11 @@ router = APIRouter()
response_model=SwarmEnrolledBundle, response_model=SwarmEnrolledBundle,
status_code=status.HTTP_201_CREATED, status_code=status.HTTP_201_CREATED,
tags=["Swarm Hosts"], tags=["Swarm Hosts"],
responses={409: {"description": "A worker with this name is already enrolled"}}, responses={
400: {"description": "Bad Request (malformed JSON body)"},
409: {"description": "A worker with this name is already enrolled"},
422: {"description": "Request body validation error"},
},
) )
async def api_enroll_host( async def api_enroll_host(
req: SwarmEnrollRequest, req: SwarmEnrollRequest,

2
decnet/web/router/swarm/api_heartbeat.py
View File

@@ -101,8 +101,10 @@ async def _verify_peer_matches_host(
status_code=204, status_code=204,
tags=["Swarm Health"], tags=["Swarm Health"],
responses={ responses={
400: {"description": "Bad Request (malformed JSON body)"},
403: {"description": "Peer cert missing, or its fingerprint does not match the host's pinned cert"}, 403: {"description": "Peer cert missing, or its fingerprint does not match the host's pinned cert"},
404: {"description": "host_uuid is not enrolled"}, 404: {"description": "host_uuid is not enrolled"},
422: {"description": "Request body validation error"},
}, },
) )
async def heartbeat( async def heartbeat(

6
decnet/web/router/swarm/api_teardown_swarm.py
View File

@@ -25,7 +25,11 @@ router = APIRouter()
"/teardown", "/teardown",
response_model=SwarmDeployResponse, response_model=SwarmDeployResponse,
tags=["Swarm Deployments"], tags=["Swarm Deployments"],
responses={404: {"description": "A targeted host does not exist"}}, responses={
400: {"description": "Bad Request (malformed JSON body)"},
404: {"description": "A targeted host does not exist"},
422: {"description": "Request body validation error"},
},
) )
async def api_teardown_swarm( async def api_teardown_swarm(
req: SwarmTeardownRequest, req: SwarmTeardownRequest,

6
decnet/web/router/swarm_mgmt/api_decommission_host.py
View File

@@ -24,6 +24,12 @@ router = APIRouter()
"/hosts/{uuid}", "/hosts/{uuid}",
status_code=status.HTTP_204_NO_CONTENT, status_code=status.HTTP_204_NO_CONTENT,
tags=["Swarm Management"], tags=["Swarm Management"],
responses={
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "Host not found"},
422: {"description": "Path parameter validation error"},
},
) )
async def decommission_host( async def decommission_host(
uuid: str, uuid: str,

7
decnet/web/router/swarm_mgmt/api_enroll_bundle.py
View File

@@ -322,6 +322,13 @@ def _render_bootstrap(
response_model=EnrollBundleResponse, response_model=EnrollBundleResponse,
status_code=status.HTTP_201_CREATED, status_code=status.HTTP_201_CREATED,
tags=["Swarm Management"], tags=["Swarm Management"],
responses={
400: {"description": "Bad Request (malformed JSON body)"},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
409: {"description": "A worker with this name is already enrolled"},
422: {"description": "Request body validation error"},
},
) )
async def create_enroll_bundle( async def create_enroll_bundle(
req: EnrollBundleRequest, req: EnrollBundleRequest,

7
decnet/web/router/swarm_mgmt/api_teardown_host.py
View File

@@ -115,6 +115,13 @@ async def _run_teardown(
response_model=TeardownHostResponse, response_model=TeardownHostResponse,
status_code=status.HTTP_202_ACCEPTED, status_code=status.HTTP_202_ACCEPTED,
tags=["Swarm Management"], tags=["Swarm Management"],
responses={
400: {"description": "Bad Request (malformed JSON body)"},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "Host not found"},
422: {"description": "Request body or path parameter validation error"},
},
) )
async def teardown_host( async def teardown_host(
uuid: str, uuid: str,

4
decnet/web/router/swarm_updates/api_list_host_releases.py
View File

@@ -64,6 +64,10 @@ async def _probe_host(host: dict[str, Any]) -> HostReleaseInfo:
"/hosts", "/hosts",
response_model=HostReleasesResponse, response_model=HostReleasesResponse,
tags=["Swarm Updates"], tags=["Swarm Updates"],
responses={
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
},
) )
async def api_list_host_releases( async def api_list_host_releases(
admin: dict = Depends(require_admin), admin: dict = Depends(require_admin),

7
decnet/web/router/swarm_updates/api_push_update.py
View File

@@ -128,6 +128,13 @@ def _is_expected_connection_drop(exc: BaseException) -> bool:
"/push", "/push",
response_model=PushUpdateResponse, response_model=PushUpdateResponse,
tags=["Swarm Updates"], tags=["Swarm Updates"],
responses={
400: {"description": "Bad Request (malformed JSON body or conflicting host_uuids/all flags)"},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "No matching target hosts or no updater-capable hosts enrolled"},
422: {"description": "Request body validation error"},
},
) )
async def api_push_update( async def api_push_update(
req: PushUpdateRequest, req: PushUpdateRequest,

7
decnet/web/router/swarm_updates/api_push_update_self.py
View File

@@ -68,6 +68,13 @@ async def _push_self_one(host: dict[str, Any], tarball: bytes, sha: str) -> Push
"/push-self", "/push-self",
response_model=PushUpdateResponse, response_model=PushUpdateResponse,
tags=["Swarm Updates"], tags=["Swarm Updates"],
responses={
400: {"description": "Bad Request (malformed JSON body or conflicting host_uuids/all flags)"},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "No matching target hosts or no updater-capable hosts enrolled"},
422: {"description": "Request body validation error"},
},
) )
async def api_push_update_self( async def api_push_update_self(
req: PushUpdateRequest, req: PushUpdateRequest,

7
decnet/web/router/swarm_updates/api_rollback_host.py
View File

@@ -23,6 +23,13 @@ router = APIRouter()
"/rollback", "/rollback",
response_model=RollbackResponse, response_model=RollbackResponse,
tags=["Swarm Updates"], tags=["Swarm Updates"],
responses={
400: {"description": "Bad Request (malformed JSON body or host has no updater bundle)"},
401: {"description": "Could not validate credentials"},
403: {"description": "Insufficient permissions"},
404: {"description": "Unknown host, or no previous release slot on the worker"},
422: {"description": "Request body validation error"},
},
) )
async def api_rollback_host( async def api_rollback_host(
req: RollbackRequest, req: RollbackRequest,

1
pyproject.toml
View File

@@ -76,6 +76,7 @@ decnet = "decnet.cli:app"
[tool.pytest.ini_options] [tool.pytest.ini_options]
asyncio_mode = "auto" asyncio_mode = "auto"
asyncio_debug = "true" asyncio_debug = "true"
asyncio_default_fixture_loop_scope = "module"
addopts = "-m 'not fuzz and not live and not stress and not bench and not docker' -v -q -x -n logical --dist loadscope" addopts = "-m 'not fuzz and not live and not stress and not bench and not docker' -v -q -x -n logical --dist loadscope"
markers = [ markers = [
"fuzz: hypothesis-based fuzz tests (slow, run with -m fuzz or -m '' for all)", "fuzz: hypothesis-based fuzz tests (slow, run with -m fuzz or -m '' for all)",

35
schemathesis.ci.toml Normal file
View File

@@ -0,0 +1,35 @@
# schemathesis.ci.toml
[[project]]
title = "DECNET API"
continue-on-failure = true
request-timeout = 10.0
workers = "auto"
[generation]
mode = "all"
max-examples = 50 # 10x less than local
no-shrink = true # skip shrinking in CI, saves time
allow-x00 = true
unique-inputs = true
[phases.examples]
enabled = true
fill-missing = true
[phases.coverage]
enabled = true
[phases.fuzzing]
enabled = true
[phases.stateful]
enabled = true
max-steps = 5 # 4x less than local
[checks]
status_code_conformance.enabled = true
content_type_conformance.enabled = true
response_schema_conformance.enabled = true
negative_data_rejection.enabled = true
ignored_auth.enabled = true
max_response_time = 5.0 # more lenient than local 2s