anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Compare commits

base: anti:fc99375c62ef5687078541d7a7541eabfa26772e
Branches Tags
anti:main anti:dev anti:testing anti:tomerge/main
anti:v0.2 anti:v0.1.0
..
compare: anti:dev
Branches Tags
anti:dev anti:testing anti:main anti:tomerge/main
anti:v0.2 anti:v0.1.0

352 Commits
fc99375c62 ... dev

Author SHA1 Message Date
anti
201d246c07 fix(ci): fix indentation on ci.yaml
Some checks failed
CI / Lint (ruff) (push) Successful in 14s
Details
CI / SAST (bandit) (push) Successful in 15s
Details
CI / Test (Standard) (3.11) (push) Has been cancelled
Details
CI / Test (Live) (3.11) (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
CI / Dependency audit (pip-audit) (push) Has been cancelled
Details
2026-04-20 16:46:30 -04:00
anti
47cd200e1d feat(mazenet): repo methods for topology/LAN/decky/edge/status events 
Adds topology CRUD to BaseRepository (NotImplementedError defaults) and
implements them in SQLModelRepository: create/get/list/delete topologies,
add/update/list LANs and TopologyDeckies, add/list edges, plus an atomic
update_topology_status that appends a TopologyStatusEvent in the same
transaction.  Cascade delete sweeps children before the topology row.

Covered by tests/topology/test_repo.py (roundtrip, per-topology name
uniqueness, status event log, cascade delete, status filter) and an
extension to tests/test_base_repo.py for the NotImplementedError surface.
 2026-04-20 16:43:49 -04:00
anti
096a35b24a feat(mazenet): add topology schema to models.py 
Introduces five new SQLModel tables for MazeNET (nested deception
topologies): Topology, LAN, TopologyDecky, TopologyEdge, and
TopologyStatusEvent.  DeckyShard is intentionally not touched —
TopologyDecky is a purpose-built sibling for MazeNET's lifecycle
(topology-scoped UUIDs, per-topology name uniqueness).

Part of MazeNET v1 (nested self-container network-of-networks).
 2026-04-20 16:40:10 -04:00
anti
8a2876fe86 fix(api): document missing HTTP status codes on router endpoints
All checks were successful
CI / Lint (ruff) (push) Successful in 16s
Details
CI / SAST (bandit) (push) Successful in 18s
Details
CI / Dependency audit (pip-audit) (push) Successful in 26s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m41s
Details
CI / Test (Live) (3.11) (push) Successful in 1m6s
Details
CI / Test (Fuzz) (3.11) (push) Successful in 1h9m14s
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
CI / Merge dev → testing (push) Successful in 12s
Details
CI / Prepare Merge to Main (push) Has been skipped
Details 
Schemathesis was failing CI on routes that returned status codes not
declared in their OpenAPI responses= dicts. Adds the missing codes
across swarm_updates, swarm_mgmt, swarm, fleet and attackers routers.

Also adds 400 to every POST/PUT/PATCH that accepts a JSON body —
Starlette returns 400 on malformed/non-UTF8 bodies before FastAPI's
422 validation runs, which schemathesis fuzzing trips every time.

No handler logic changed.
 2026-04-20 15:25:02 -04:00
anti
3e8e4c9e1c fix(ci): run less harsh tests on CI, let local runners run harder ones 2026-04-20 14:07:34 -04:00
anti
64bc6fcb1d chores(pyproj): modified some values 2026-04-20 13:22:49 -04:00
anti
af9d59d3ee fixed(api): documentation 2026-04-20 13:20:42 -04:00
anti
4197441c01 fix(ci): skip live service isolation
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 15s
Details
CI / Dependency audit (pip-audit) (push) Successful in 22s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m47s
Details
CI / Test (Live) (3.11) (push) Successful in 1m7s
Details
CI / Test (Fuzz) (3.11) (push) Failing after 45m40s
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-20 13:14:48 -04:00
anti
1b70d6db87 fix(ci): added skipif on mysql absence
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 15s
Details
CI / Dependency audit (pip-audit) (push) Successful in 24s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m51s
Details
CI / Test (Live) (3.11) (push) Failing after 1m2s
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-20 13:07:31 -04:00
anti
038596776a feat(ci): added live mysql service on test-live
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 15s
Details
CI / Dependency audit (pip-audit) (push) Successful in 23s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m49s
Details
CI / Test (Live) (3.11) (push) Failing after 1m1s
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-20 12:54:03 -04:00
anti
692ac35ee4 modification(versions): drop 3.12 tests and support only 3.11
Some checks failed
CI / Lint (ruff) (push) Successful in 17s
Details
CI / SAST (bandit) (push) Successful in 19s
Details
CI / Dependency audit (pip-audit) (push) Successful in 26s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m58s
Details
CI / Test (Live) (3.11) (push) Failing after 58s
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-20 12:43:03 -04:00
anti
f064690452 fixed(tests): jwt_lazy
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 15s
Details
CI / Dependency audit (pip-audit) (push) Successful in 23s
Details
CI / Test (Standard) (3.11) (push) Successful in 5m6s
Details
CI / Test (Standard) (3.12) (push) Failing after 3h14m38s
Details
CI / Test (Live) (3.11) (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
2026-04-20 02:26:54 -04:00
anti
dd82cd3f39 fixed(tests): mode_gating
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 15s
Details
CI / Dependency audit (pip-audit) (push) Successful in 23s
Details
CI / Test (Standard) (3.11) (push) Failing after 5m0s
Details
CI / Test (Live) (3.11) (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
CI / Test (Standard) (3.12) (push) Has been cancelled
Details
2026-04-20 02:18:11 -04:00
anti
ff3e376726 modified(actions): modified actions to bypass bandit on decnet/templates
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 16s
Details
CI / Dependency audit (pip-audit) (push) Successful in 31s
Details
CI / Test (Standard) (3.11) (push) Failing after 4m52s
Details
CI / Test (Live) (3.11) (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
CI / Test (Standard) (3.12) (push) Has been cancelled
Details
2026-04-20 02:05:36 -04:00
anti
47f2ca8d5f added(tests): schemathesis contract fuzzing at the agent and swarmctl level
Some checks failed
CI / Lint (ruff) (push) Successful in 17s
Details
CI / SAST (bandit) (push) Failing after 19s
Details
CI / Dependency audit (pip-audit) (push) Failing after 38s
Details
CI / Test (Standard) (3.11) (push) Has been skipped
Details
CI / Test (Standard) (3.12) (push) Has been skipped
Details
CI / Test (Live) (3.11) (push) Has been skipped
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-20 01:27:39 -04:00
anti
da3e675f86 fix(tests): fixed locust fixtures and rampups, since >100 generally isn't very well managed 2026-04-20 01:26:56 -04:00
anti
2febd921bc fix(models): added lenght validation to the common name, which per RFC 5280 must be max =< 64 2026-04-20 01:26:07 -04:00
anti
12b5c25cd7 fix(agent-routes): added undocumented responses 2026-04-20 01:24:05 -04:00
anti
5b70a34c94 fix(routes): added undocumented responses 2026-04-20 01:23:07 -04:00
anti
4abfac1a98 fix: monkeypatch test db URL 2026-04-20 00:03:12 -04:00
anti
9eca33938d chore: deleted swp file 2026-04-19 23:51:59 -04:00
anti
195580c74d test: fix templates paths, CLI gating, and stress-suite harness 
- tests/**: update templates/ → decnet/templates/ paths after module move
- tests/mysql_spinup.sh: use root:root and asyncmy driver
- tests/test_auto_spawn.py: patch decnet.cli.utils._pid_dir (package split)
- tests/test_cli.py: set DECNET_MODE=master in api-command tests
- tests/stress/conftest.py: run locust out-of-process via its CLI + CSV
  stats shim to avoid urllib3 RecursionError from late gevent monkey-patch;
  raise uvicorn startup timeout to 60s, accept 401 from auth-gated health,
  strip inherited DECNET_* env, surface stderr on 0-request runs
- tests/stress/test_stress.py: loosen baseline thresholds to match hw
 2026-04-19 23:50:53 -04:00
anti
262a84ca53 refactor(cli): split decnet/cli.py monolith into decnet/cli/ package 
The 1,878-line cli.py held every Typer command plus process/HTTP helpers
and mode-gating logic. Split into one module per command using a
register(app) pattern so submodules never import app at module scope,
eliminating circular-import risk.

- utils.py: process helpers, _http_request, _kill_all_services, console, log
- gating.py: MASTER_ONLY_* sets, _require_master_mode, _gate_commands_by_mode
- deploy.py: deploy + _deploy_swarm (tightly coupled)
- lifecycle.py: status, teardown, redeploy
- workers.py: probe, collect, mutate, correlate
- inventory.py, swarm.py, db.py, and one file per remaining command

__init__.py calls register(app) on each module then runs the mode gate
last, and re-exports the private symbols tests patch against
(_db_reset_mysql_async, _kill_all_services, _require_master_mode, etc.).

Test patches retargeted to the submodule where each name now resolves.
Enroll-bundle tarball test updated to assert decnet/cli/__init__.py.

No behavioral change.
 2026-04-19 22:42:52 -04:00
anti
d1b7e94325 fix(swarm): inject peer cert into ASGI scope for uvicorn <= 0.44 
Uvicorn's h11/httptools HTTP protocols don't populate scope['extensions']['tls'], so /swarm/heartbeat's per-request cert pinning was 403ing every call despite CERT_REQUIRED validating the cert at handshake. Patch RequestResponseCycle.__init__ on both protocol modules to read the peer cert off the asyncio transport and write DER bytes into scope['extensions']['tls']['client_cert_chain']. Importing the module from swarm_api.py auto-installs the patch in the swarmctl uvicorn worker before any request is served.
 2026-04-19 22:09:11 -04:00
anti
33d954a61c feat(web-ui): unify SwarmDeckies into DeckyFleet with swarm card mode 
DeckyFleet now branches on /system/deployment-mode: in swarm mode it
pulls /swarm/deckies and normalises DeckyShardView into the shared
Decky shape so the same card grid renders either way. Swarm cards gain
a host badge (host_name @ address), a state pill (running/degraded/
tearing_down/failed/teardown_failed with matching colors), an inline
last_error snippet, and a two-click arm/commit Teardown button lifted
from the old SwarmDeckies component. Mutate + interval controls are
hidden in swarm mode since the worker /mutate endpoint still 501s —
swarm-side rotation is a separate ticket.

Drops the standalone /swarm/deckies route + nav entry; SwarmDeckies.tsx
is deleted. The SWARM nav group keeps SwarmHosts, Remote Updates, and
Agent Enrollment.
 2026-04-19 21:53:26 -04:00
anti
bf01804736 feat(agent): periodic heartbeat loop posting status to swarmctl 
New decnet.agent.heartbeat asyncio loop wired into the agent FastAPI
lifespan. Every 30 s the worker POSTs executor.status() to the master's
/swarm/heartbeat with its DECNET_HOST_UUID for self-identity; the
existing agent mTLS bundle provides the client cert the master pins
against SwarmHost.client_cert_fingerprint.

start() is a silent no-op when identity env (HOST_UUID, MASTER_HOST) is
unset or the worker bundle is missing, so dev runs and un-enrolled hosts
don't crash the agent app. On non-204 responses the loop logs loudly but
keeps ticking — an operator may re-enrol mid-session, and fail-closed
pinning shouldn't be self-silencing.
 2026-04-19 21:49:34 -04:00
anti
62f7c88b90 feat(swarmctl): --tls with auto-issued or BYOC server cert 
swarmctl CLI gains --tls/--cert/--key/--client-ca flags. With --tls the
controller runs uvicorn under HTTPS + mTLS (CERT_REQUIRED) so worker
heartbeats can reach it cross-host. Default is still 127.0.0.1 plaintext
for backwards compat with the master-CLI enrollment flow.

Auto-issue path (no --cert/--key given): a server cert signed by the
existing DECNET CA is issued once and parked under ~/.decnet/swarmctl/.
Workers already ship that CA's ca.crt from the enroll bundle, so they
verify the endpoint with no extra trust config. BYOC via --cert/--key
when the operator wants a publicly-trusted or externally-managed cert.
The auto-cert path is idempotent across restarts to keep a stable
fingerprint for any long-lived mTLS sessions.
 2026-04-19 21:46:32 -04:00
anti
e411063075 feat(swarm): ship host_uuid + swarmctl-port in agent enroll bundle 
The rendered /etc/decnet/decnet.ini now carries host-uuid and
swarmctl-port in [agent], which config_ini seeds into DECNET_HOST_UUID
and DECNET_SWARMCTL_PORT. Gives the worker a stable self-identity for
the heartbeat loop — the INI never has to be rewritten because cert
pinning is the real gate (a rotated UUID with a matching CA-signed
cert would still be blocked by SHA-256 fingerprint mismatch against
the stored SwarmHost row).

Also adds DECNET_MASTER_HOST so the agent can find the swarmctl URL
via the INI's existing master-host key.
 2026-04-19 21:44:23 -04:00
anti
148e51011c feat(swarm): agent→master heartbeat with per-host cert pinning 
New POST /swarm/heartbeat on the swarm controller. Workers post every
~30s with the output of executor.status(); the master bumps
SwarmHost.last_heartbeat and re-upserts each DeckyShard with a fresh
DeckyConfig snapshot and runtime-derived state (running/degraded).

Security: CA-signed mTLS alone is not sufficient — a decommissioned
worker's still-valid cert could resurrect ghost shards. The endpoint
extracts the presented peer cert (primary: scope["extensions"]["tls"],
fallback: transport.get_extra_info("ssl_object")) and SHA-256-pins it
to the SwarmHost.client_cert_fingerprint stored for the claimed
host_uuid. Extraction is factored into _extract_peer_fingerprint so
tests can exercise both uvicorn scope shapes and the both-unavailable
fail-closed path without mocking uvicorn's TLS pipeline.

Adds get_swarm_host_by_fingerprint to the repo interface (SQLModel
impl reuses the indexed client_cert_fingerprint column).
 2026-04-19 21:37:15 -04:00
anti
3ebd206bca feat(swarm): persist DeckyConfig snapshot per shard + enrich list API 
Dispatch now writes the full serialised DeckyConfig into
DeckyShard.decky_config (plus decky_ip as a cheap extract), so the
master can render the same rich per-decky card the local-fleet view
uses — hostname, distro, archetype, service_config, mutate_interval,
last_mutated — without round-tripping to the worker on every page
render. DeckyShardView gains the corresponding fields; the repository
flattens the snapshot at read time. Pre-migration rows keep working
(fields fall through as None/defaults).

Columns are additive + nullable so SQLModel.metadata.create_all handles
the change on both SQLite and MySQL. Backfill happens organically on
the next dispatch or (in a follow-up) agent heartbeat.
 2026-04-19 21:29:45 -04:00
anti
f576564f02 fix(agent): also wipe /etc/decnet during self-destruct 2026-04-19 21:04:31 -04:00
anti
00d5799a79 fix(agent): escape systemd cgroup when spawning self-destruct reaper 
The reaper was being SIGTERM'd mid-rm because `start_new_session=True`
only forks a new POSIX session — it does not escape decnet-agent.service's
cgroup. When the reaper ran `systemctl stop decnet-agent`, systemd
tore down the whole cgroup (reaper included) before `rm -rf /opt/decnet*`
finished, leaving the install on disk.

Spawn the reaper via `systemd-run --collect --unit decnet-reaper-<pid>`
so it runs in a fresh transient scope, outside the agent unit. Falls
back to bare Popen for non-systemd hosts.
 2026-04-19 21:00:43 -04:00
anti
14250cacad feat(swarm): self-destruct agent on decommission 
Decommissioning a worker from the dashboard (or swarm controller) now
asks the agent to wipe its own install before the master forgets it.
The agent stops decky containers + every decnet-* systemd unit, then
deletes /opt/decnet*, /etc/systemd/system/decnet-*, /var/lib/decnet/*,
and /usr/local/bin/decnet*. Logs under /var/log are preserved.

The reaper runs as a detached /tmp script (start_new_session=True) so
it survives the agent process being killed. Self-destruct dispatch is
best-effort — a dead worker doesn't block master-side cleanup.
 2026-04-19 20:47:09 -04:00
anti
9d68bb45c7 feat(web): async teardowns — 202 + background task, UI allows parallel queue 
Teardowns were synchronous all the way through: POST blocked on the
worker's docker-compose-down cycle (seconds to minutes), the frontend
locked tearingDown to a single string so only one button could be armed
at a time, and operators couldn't queue a second teardown until the
first returned. On a flaky worker that meant staring at a spinner for
the whole RTT.

Backend: POST /swarm/hosts/{uuid}/teardown returns 202 the instant the
request is validated. Affected shards flip to state='tearing_down'
synchronously before the response so the UI reflects progress
immediately, then the actual AgentClient call + DB cleanup run in an
asyncio.create_task (tracked in a module-level set to survive GC and
to be drainable by tests). On failure the shard flips to
'teardown_failed' with the error recorded — nothing is re-raised,
since there's no caller to catch it.

Frontend: swap tearingDown / decommissioning from 'string | null' to
'Set<string>'. Each button tracks its own in-flight state; the poll
loop picks up the final shard state from the backend. Multiple
teardowns can now be queued without blocking each other.
 2026-04-19 20:30:56 -04:00
anti
07ec4bc269 fix(fleet): INI fully replaces prior decky state on redeploy 
Submitting an INI with a single [decky1] was silently redeploying the
deckies from the *previous* deploy too. POST /deckies/deploy merged the
new INI into the stored DecnetConfig by name, so a 1-decky INI on top of
a prior 3-decky run still pushed 3 deckies to the worker. Those stale
decky2/decky3 kept their old IPs, collided on the parent NIC, and the
agent failed with 'Address already in use' — the deploy the operator
never asked for.

The INI is the source of truth for which deckies exist this deploy.
Full replace: config.deckies = list(new_decky_configs). Operators who
want to add more deckies should list them all in the INI.

Update the deploy-limit test to reflect the new replace semantics, and
add a regression test asserting prior state is dropped.
 2026-04-19 20:24:29 -04:00
anti
a63301c7a3 fix(web): replace window.confirm with two-click arm/commit on swarm actions 
Teardown and Decommission buttons were silently dead in the browser.
Root cause: every handler started with 'if (!window.confirm(...)) return;'
and browsers permanently disable confirm() for a tab once the user ticks
'Prevent this page from creating additional dialogs'. That returns false
with no UI, the handler early-exits, and no request is ever fired — no
network traffic, no console error, no backend activity.

Swap to an inline two-click pattern: first click arms the button (label
flips to 'Click again to confirm', resets after 4s); second click within
the window commits. Same safety against misclicks, zero dependency on
browser-native dialog primitives.
 2026-04-19 20:16:51 -04:00
anti
df18cb44cc fix(swarm): don't paint healthy deckies as failed when a shard-sibling fails 
docker compose up is partial-success-friendly — a build failure on one
service doesn't roll back the others. But the master was catching the
agent's 500 and tagging every decky in the shard as 'failed' with the
same error message. From the UI that looked like all three deckies died
even though two were live on the worker.

On dispatch exception, probe the agent's /status to learn which deckies
actually have running containers, and upsert per-decky state accordingly.
Only fall back to marking the whole shard failed if the status probe
itself is unreachable.

Enhance agent.executor.status() to include a 'runtime' map keyed by
decky name with per-service container state, so the master has something
concrete to consult.
 2026-04-19 20:11:08 -04:00
anti
91549e6936 fix(deploy): prevent 'Address already in use' from stale IPAM and half-torn-down containers 
Two compounding root causes produced the recurring 'Address already in use'
error on redeploy:

1. _ensure_network only compared driver+name; if a prior deploy's IPAM
   pool drifted (different subnet/gateway/range), Docker kept handing out
   addresses from the old pool and raced the real LAN. Now also compares
   Subnet/Gateway/IPRange and rebuilds on drift.

2. A prior half-failed 'up' could leave containers still holding the IPs
   and ports the new run wants. Run 'compose down --remove-orphans' as a
   best-effort pre-up cleanup so IPAM starts from a clean state.

Also surface docker compose stderr to the structured log on failure so
the agent's journal captures Docker's actual message (which IP, which
port) instead of just the exit code.
 2026-04-19 19:59:06 -04:00
anti
e8e11b2896 feat(web-ui): show decky IP on SwarmDeckies, drop compose-hash column 
Operators want to know what address to poke when triaging a swarm decky;
the compose-hash column was debug scaffolding that never paid off.

DeckyShard has no IP column (the deploy-time IP lives on DecnetConfig),
so the list endpoint resolves it at read time by joining shards against
the stored deployment state by decky_name. Missing lookups render as "—"
rather than erroring — the list stays useful even after a master restart
that hasn't persisted a config yet.
 2026-04-19 19:48:27 -04:00
anti
585541016f fix(engine): teardown(decky_id=...) built malformed service names 
The nested list-comp `[f"{id}-{svc}" for svc in [d.services for d ...]]`
iterated over a list of lists, so `svc` was the whole services list and
f-string stringified it -> `decky3-['sip']`. docker compose saw "no such
service" and the per-decky teardown failed 500.

Flatten: find the matching decky once, then iterate its services. Noop
early on unknown decky_id and on empty service lists. Regression test
asserts the emitted compose args have no '[' or quote characters.
 2026-04-19 19:42:42 -04:00
anti
5dad1bb315 feat(swarm): remote teardown API + UI (per-decky and per-host) 
Agents already exposed POST /teardown; the master was missing the plumbing
to reach it. Add:

- POST /api/v1/swarm/hosts/{uuid}/teardown — admin-gated. Body
  {decky_id: str|null}: null tears the whole host, a value tears one decky.
  On worker failure the master returns 502 and leaves DB shards intact so
  master and agent stay aligned.
- BaseRepository.delete_decky_shard(name) + sqlmodel impl for per-decky
  cleanup after a single-decky teardown.
- SwarmHosts page: "Teardown all" button (keeps host enrolled).
- SwarmDeckies page: per-row "Teardown" button.

Also exclude setuptools' build/ staging dir from the enrollment tarball —
`pip install -e` on the master generates build/lib/decnet_web/node_modules
and the bundle walker was leaking it to agents. Align pyproject's bandit
exclude with the git-hook invocation so both skip decnet/templates/.
 2026-04-19 19:39:28 -04:00
anti
6708f26e6b fix(packaging): move templates/ into decnet/ package so they ship with pip install 
The docker build contexts and syslog_bridge.py lived at repo root, which
meant setuptools (include = ["decnet*"]) never shipped them. Agents
installed via `pip install $RELEASE_DIR` got site-packages/decnet/** but no
templates/, so every deploy blew up in deployer._sync_logging_helper with
FileNotFoundError on templates/syslog_bridge.py.

Move templates/ -> decnet/templates/ and declare it as setuptools
package-data. Path resolutions in services/*.py and engine/deployer.py drop
one .parent since templates now lives beside the code. Test fixtures,
bandit exclude path, and coverage omit glob updated to match.
 2026-04-19 19:30:04 -04:00
anti
2bef3edb72 feat(swarm): unbundle master-only code from agent tarball + sync systemd units on update 
Agents now ship with collector/prober/sniffer as systemd services; mutator,
profiler, web, and API stay master-only (profiler rebuilds attacker profiles
against the master DB — no per-host DB exists). Expand _EXCLUDES to drop the
full decnet/web, decnet/mutator, decnet/profiler, and decnet_web trees from
the enrollment bundle.

Updater now calls _heal_path_symlink + _sync_systemd_units after rotation so
fleets pick up new unit files and /usr/local/bin/decnet tracks the shared venv
without a manual reinstall. daemon-reload runs once per update when any unit
changed.

Fix _service_registry matchers to accept systemd-style /usr/local/bin/decnet
cmdlines (psutil returns a list — join to string before substring-checking)
so agent-mode `decnet status` reports collector/prober/sniffer correctly.
 2026-04-19 19:19:17 -04:00
anti
d2cf1e8b3a feat(updater): sync systemd unit files and daemon-reload on update 
The bootstrap installer copies etc/systemd/system/*.service into
/etc/systemd/system at enrollment time, but the updater was skipping
that step — a code push could not ship a new unit (e.g. the four
per-host microservices added this session) or change ExecStart on an
existing one. systemctl alone doesn't re-read unit files; daemon-reload
is required.

run_update / run_update_self now call _sync_systemd_units after
rotation: diff each .service file against the live copy, atomically
replace changed ones, then issue a single `systemctl daemon-reload`.
No-op on legacy tarballs that don't ship etc/systemd/system/.
 2026-04-19 19:07:24 -04:00
anti
6d7877c679 feat(swarm): per-host microservices as systemd units, mutator off agents 
Previously `decnet status` on an agent showed every microservice as DOWN
because deploy's auto-spawn was unihost-scoped and the agent CLI gate
hid the per-host commands. Now:

  - collect, probe, profiler, sniffer drop out of MASTER_ONLY_COMMANDS
    (they run per-host; master-side work stays master-gated).
  - mutate stays master-only (it orchestrates swarm-wide respawns).
  - decnet/mutator/ excluded from agent tarballs — never invoked there.
  - decnet/web exclusion tightened: ship db/ + auth.py + dependencies.py
    (profiler needs the repo singleton), drop api.py, swarm_api.py,
    ingester.py, router/, templates/.
  - Four new systemd unit templates (decnet-collector/prober/profiler/
    sniffer) shipped in every enrollment tarball.
  - enroll_bootstrap.sh enables + starts all four alongside agent and
    forwarder at install time.
  - updater restarts the aux units on code push so they pick up the new
    release (best-effort — legacy enrollments without the units won't
    fail the update).
  - status table hides Mutator + API rows in agent mode.
 2026-04-19 18:58:48 -04:00
anti
ee9ade4cd5 feat(enroll): strip master API and frontend from agent tarball 
Agents never run the FastAPI master app (decnet/web/) or serve the React
frontend (decnet_web/) — they run decnet.agent, decnet.updater, and
decnet.forwarder, none of which import decnet.web. Shipping the master
tree bloats every enrollment payload and needlessly widens the worker's
attack surface.

Excluded paths are unreachable on the worker (all cli.py imports of
decnet.web are inside master-only command bodies that the agent-mode
gate strips). Tests assert neither tree leaks into the tarball.
 2026-04-19 18:47:03 -04:00
anti
dad29249de fix(updater): align bootstrap layout with updater; log update phases 
The bootstrap was installing into /opt/decnet/.venv with an editable
`pip install -e .`, and /usr/local/bin/decnet pointed there. The updater
writes releases to /opt/decnet/releases/active/ with a shared venv at
/opt/decnet/venv — a parallel tree nothing on the box actually runs.
Result: updates appeared to succeed (release dir rotated, SHA changed)
but systemd kept executing the untouched bootstrap code.

Changes:
  - Bootstrap now installs directly into /opt/decnet/releases/active
    with the shared venv at /opt/decnet/venv and /opt/decnet/current
    symlinked. Same layout the updater rotates in and out of.
  - /usr/local/bin/decnet -> /opt/decnet/venv/bin/decnet.
  - run_update / run_update_self heal /usr/local/bin/decnet on every
    push so already-enrolled hosts recover on the next update instead
    of needing a re-enroll.
  - run_update / run_update_self now log each phase (receive, extract,
    pip install, rotate, restart, probe) so the updater log actually
    shows what happened.
 2026-04-19 18:39:11 -04:00
anti
f91ba9a16e feat(cli): allow decnet status in agent mode 
Agents run deckies locally and need to inspect their own state. Removed
`status` from MASTER_ONLY_COMMANDS so it survives the agent-mode gate.
Useful for validating remote updater pushes from the master.
 2026-04-19 18:29:41 -04:00
anti
43b92c7bd6 fix(updater): restart agent+forwarder+self via systemd on push 
Three holes in the systemd integration:
1. _spawn_agent_via_systemd only restarted decnet-agent.service, leaving
   decnet-forwarder.service running the pre-update code (same /opt/decnet
   tree, stale import cache).
2. run_update_self used os.execv regardless of environment — the re-execed
   process kept the updater's existing cgroup/capability inheritance but
   systemd would notice MainPID change and mark the unit degraded.
3. No path to surface a failed forwarder restart (legacy enrollments have
   no forwarder unit).

Now: agent restart first, forwarder restart as best-effort (logged but
non-fatal so legacy workers still update), MainPID still read from the
agent unit. For update-self under systemd, spawn a detached sleep+
systemctl restart so the HTTP response flushes before the unit cycles.
 2026-04-19 18:23:10 -04:00
anti
a0a241f65d feat(enroll): decnet-updater now runs under systemd, not a --daemon fork 
Bootstrap used to end with `decnet updater --daemon` which forks and
detaches — invisible to systemctl, no auto-restart, dies on reboot.
Ships a decnet-updater.service template matching the pattern of the
other units (Restart=on-failure, log to /var/log/decnet/decnet.updater.log,
certs from /etc/decnet/updater, install tree at /opt/decnet), bundles
it alongside agent/forwarder/engine units, and the installer now
`systemctl enable --now`s it when --with-updater is set.
 2026-04-19 18:19:24 -04:00
anti
42b5e4cd06 fix(network): replace decnet_lan when driver differs (macvlan<->ipvlan) 
The create helpers short-circuited on name alone, so a prior macvlan
deploy left Docker's decnet_lan network in place. A subsequent ipvlan
deploy would no-op the network create, then container attach would try
to add a macvlan port on enp0s3 that already had an ipvlan slave —
EBUSY, agent 500, docker ps empty.

Now: when the existing network's driver disagrees with the requested
one, disconnect any live containers and DROP it before recreating.
Parent-NIC can host one driver at a time.

Also: setup_host_{macvlan,ipvlan} opportunistically delete the opposite
host-side helper so we don't leave cruft across driver swaps.
 2026-04-19 18:12:28 -04:00
anti
6245786289 fix(cli): db-reset now drops swarm_hosts + decky_shards 
_DB_RESET_TABLES was missing the swarm tables, so drop-tables mode left
them intact. create_all doesn't alter columns on existing tables, so any
schema change to SwarmHost (like use_ipvlan) never took effect after a
reset. Child FK first (decky_shards -> swarm_hosts).
 2026-04-19 18:04:35 -04:00
anti
5df995fda1 feat(enroll): opt-in IPvlan per-agent for Wi-Fi-bridged VMs 
Wi-Fi APs bind one MAC per associated station, so VirtualBox/VMware
guests bridged over Wi-Fi rotate the VM's DHCP lease when Docker's
macvlan starts emitting container-MAC frames through the vNIC. Adds a
`use_ipvlan` toggle on the Agent Enrollment tab (mirrors the updater
daemon checkbox): flips the flag on SwarmHost, bakes `ipvlan=true` into
the agent's decnet.ini, and `_worker_config` forces ipvlan=True on the
per-host shard at dispatch. Safe no-op on wired/bare-metal agents.
 2026-04-19 17:57:45 -04:00
anti
6d7567b6bb fix(fleet): reset stale host_uuid on carried-over deckies before dispatch 
Deckies merged in from a prior deployment's saved state kept their
original host_uuid — which dispatch_decnet_config then 404'd on if that
host had since been decommissioned or re-enrolled at a different uuid.
Before round-robin assignment, drop any host_uuid that isn't in the live
swarm_hosts set so orphaned entries get reassigned instead of exploding
with 'unknown host_uuid'.
 2026-04-19 06:27:34 -04:00
anti
dbaccde143 fix(swarm-updates): offload tarball build to worker thread 
tar_working_tree (walks repo + gzips several MB) and detect_git_sha
(shells out) were called directly on the event loop, so /swarm-updates/push
and /swarm-updates/push-self froze every other request until the tarball
was ready. Wrap both in asyncio.to_thread.
 2026-04-19 06:21:27 -04:00
anti
b883f24ba2 fix(engine): pin docker compose project name to avoid empty-basename failure 
systemd daemons run with WorkingDirectory=/ by default; docker compose
derives the project name from basename(cwd), which is empty at '/', and
aborts with 'project name must not be empty'. Pass -p decnet explicitly
so the project name is independent of cwd, and set WorkingDirectory=/opt/decnet
on the three DECNET units so compose artifacts (decnet-compose.yml,
build contexts) also land in the install dir.
 2026-04-19 06:17:30 -04:00
anti
79db999030 feat(fleet): auto-swarm deploy — shard across enrolled workers when master 
POST /deckies/deploy now branches on DECNET_MODE + enrolled host presence:
when the caller is a master with at least one reachable swarm host, round-
robin host_uuids are assigned over new deckies and the config is dispatched
via AgentClient. Falls back to local docker-compose otherwise.

Extracts the dispatch loop from api_deploy_swarm into dispatch_decnet_config
so both endpoints share the same shard/dispatch/persist path. Adds
GET /system/deployment-mode for the UI to show 'will shard across N hosts'
vs 'will deploy locally' before the operator clicks deploy.
 2026-04-19 06:09:08 -04:00
anti
cb1a1d1270 fix(fleet): defer DecnetConfig build until deckies are expanded 
Stateless /api/v1/deckies/deploy previously instantiated DecnetConfig with
deckies=[] so it could merge entries later — but DecnetConfig.deckies is
min_length=1, so Pydantic raised and the global handler mapped it to 422
'Internal data consistency error'. Construct the config after
build_deckies_from_ini returns at least one DeckyConfig.
 2026-04-19 06:02:26 -04:00
anti
899ea559d9 feat(enroll): systemd units for agent/forwarder/engine + log-directory INI key 
Rename log-file-path -> log-directory (maps to DECNET_LOG_DIRECTORY). Bundle
now ships three systemd units rendered with agent_name/master_host and installs
them into /etc/systemd/system/. Bootstrap replaces direct 'decnet X --daemon'
calls with systemctl enable --now. Each unit pins DECNET_SYSTEM_LOGS so agent,
forwarder, and deckies logs land at decnet.{agent,forwarder}.log and decnet.log
under /var/log/decnet.
 2026-04-19 05:46:08 -04:00
anti
e67b6d7f73 refactor(swarm-mgmt): move agent/updater certs to /etc/decnet (root-owned) 2026-04-19 05:32:39 -04:00
anti
bc5f43c3f7 feat(swarm-mgmt): probe-on-read for GET /swarm/hosts heartbeat + status 2026-04-19 05:26:35 -04:00
anti
ff4c993617 refactor(swarm-mgmt): backfill host address from agent's .tgz source IP 2026-04-19 05:20:29 -04:00
anti
e32fdf9cbf feat(swarm-mgmt): agent_host + updater opt-in; prevent duplicate forwarder spawn 2026-04-19 05:12:55 -04:00
anti
95ae175e1b fix(swarm-mgmt): exclude .env from bundle, chmod +x decnet, mkdir log 2026-04-19 04:58:55 -04:00
anti
b4df9ea0a1 fix(swarm-mgmt): bundle URLs target master_host, not dashboard base_url 2026-04-19 04:52:20 -04:00
anti
02f07c7962 feat(web-ui): SWARM nav group + Hosts/Deckies/AgentEnrollment pages 2026-04-19 04:29:07 -04:00
anti
c6f7de30d2 feat(swarm-mgmt): agent enrollment bundle flow + admin swarm endpoints 2026-04-19 04:25:57 -04:00
anti
37b22b76a5 feat(cli): auto-spawn listener as detached sibling from decnet swarmctl 
Mirrors the agent→forwarder pattern: `decnet swarmctl` now fires the
syslog-TLS listener as a detached Popen sibling so a single master
invocation brings the full receive pipeline online. --no-listener opts
out for operators who want to run the listener on a different host (or
under their own systemd unit).

Listener bind host / port come from DECNET_LISTENER_HOST and
DECNET_SWARM_SYSLOG_PORT — both seedable from /etc/decnet/decnet.ini.
PID at $(pid_dir)/listener.pid so operators can kill/restart manually.

decnet.ini.example ships alongside env.config.example as the
documented surface for the new role-scoped config. Mode, forwarder
targets, listener bind, and master ports all live there — no more
memorizing flag trees.

Extends tests/test_auto_spawn.py with two swarmctl cases: listener is
spawned with the expected argv + PID file, and --no-listener suppresses.
 2026-04-19 03:25:40 -04:00
anti
43f140a87a feat(cli): auto-spawn forwarder as detached sibling from decnet agent 
New _spawn_detached(argv, pid_file) helper uses Popen with
start_new_session=True + close_fds=True + DEVNULL stdio to launch a
DECNET subcommand as a fully independent process. The parent does NOT
wait(); if it dies the child survives under init. This is deliberately
not a supervisor — if the child dies the operator restarts it manually.

_pid_dir() picks /opt/decnet when writable else ~/.decnet, so both
root-run production and non-root dev work without ceremony.

`decnet agent` now auto-spawns `decnet forwarder --daemon ...` as
that detached sibling, pulling master host + syslog port from
DECNET_SWARM_MASTER_HOST / DECNET_SWARM_SYSLOG_PORT. --no-forwarder
opts out. If DECNET_SWARM_MASTER_HOST is unset the auto-spawn is
silently skipped (single-host dev or operator wants to start the
forwarder separately).

tests/test_auto_spawn.py monkeypatches subprocess.Popen and verifies:
the detach kwargs are passed, the PID file exists and contains a
valid positive integer (PID-file corruption is a real operational
headache — catching bad writes at the test level is free), the
--no-forwarder flag suppresses the spawn, and the unset-master-host
path silently skips.
 2026-04-19 03:23:42 -04:00
anti
3223bec615 feat(cli): gate master-only commands when DECNET_MODE=agent 
- MASTER_ONLY_COMMANDS / MASTER_ONLY_GROUPS frozensets enumerate every
  command a worker host must not see. Comment block at the declaration
  puts the maintenance obligation in front of anyone touching command
  registration.
- _gate_commands_by_mode() filters both app.registered_commands (for
  @app.command() registrations) and app.registered_groups (for
  add_typer sub-apps) so the 'swarm' group disappears along with
  'api', 'swarmctl', 'deploy', etc. on agent hosts.
- _require_master_mode() is the belt-and-braces in-function guard,
  added to the four highest-risk commands (api, swarmctl, deploy,
  teardown). Protects against direct function imports that would
  bypass Typer.
- DECNET_DISALLOW_MASTER=false is the escape hatch for hybrid dev
  hosts that legitimately play both roles.

tests/test_mode_gating.py exercises help-text listings via subprocess
and the defence-in-depth guard via direct import.
 2026-04-19 03:20:48 -04:00
anti
2b1b962849 feat(env): run decnet.ini loader at package import; expose DECNET_MODE 
- decnet/__init__.py now calls load_ini_config() on first import of any
  decnet.* module, seeding os.environ via setdefault() so env.py's
  module-level reads pick up INI values before the shell had to export
  them. Real env vars still win.
- env.py exposes DECNET_MODE (default 'master') and
  DECNET_DISALLOW_MASTER (default true), consumed by the upcoming
  master-command gating in cli.py.

Back-compat: missing /etc/decnet/decnet.ini is a no-op. Existing
.env.local + flag-based launches behave identically.
 2026-04-19 03:17:25 -04:00
anti
65fc9ac2b9 fix(tests): clean up two pre-existing failures before config work 
- decnet/agent/app.py /health: drop leftover 'push-test-2' canary
  planted during live VM push verification and never cleaned up;
  test_health_endpoint asserts the exact dict shape.
- tests/test_factory.py: switch the lazy-engine check from
  mysql+aiomysql (not in pyproject) to mysql+asyncmy (the driver the
  project actually ships). The test does not hit the wire so the
  dialect swap is safe.

Both were red on `pytest tests/` before any config/auto-spawn work
began; fixing them here so the upcoming commits land on a green
full-suite baseline.
 2026-04-19 03:17:17 -04:00
anti
1e8b73c361 feat(config): add /etc/decnet/decnet.ini loader 
New decnet/config_ini.py parses a role-scoped INI file via stdlib
configparser and seeds os.environ via setdefault — real env vars still
win, keeping full back-compat with .env.local flows.

[decnet] holds role-agnostic keys (mode, disallow-master, log-file-path);
the role section matching `mode` is loaded, the other is ignored
silently so a worker never reads master-only keys (and vice versa).

Loader is standalone in this commit — not wired into cli.py yet.
 2026-04-19 03:10:51 -04:00
anti
9b1299458d fix(env): resolve DECNET_JWT_SECRET lazily so agent/updater subcommands don't need it 
The module-level _require_env('DECNET_JWT_SECRET') call blocked
`decnet agent` and `decnet updater` from starting on workers that
legitimately have no business knowing the master's JWT signing key.

Move the resolution into a module `__getattr__`: only consumers that
actually read `decnet.env.DECNET_JWT_SECRET` trigger the validation,
which in practice means only decnet.web.auth (master-side).

Adds tests/test_env_lazy_jwt.py covering both the in-process lazy path
and an out-of-process `decnet agent --help` subprocess check with a
fully sanitized environment.
 2026-04-19 02:43:25 -04:00
anti
7894b9e073 feat(web-ui): Remote Updates dashboard page — push code to workers from the UI 
React component for /swarm-updates: per-host table polled every 10s,
row actions for Push Update / Update Updater / Rollback, a fleet-wide
'Push to All' modal with the include_self toggle, and toast feedback
per result.

Admin-only (both server-gated and UI-gated). Unreachable hosts surface
as an explicit state; actions are disabled on them. Rollback is
disabled when the worker has no previous release slot (previous_sha
null from /hosts).
 2026-04-19 01:03:04 -04:00
anti
a266d6b17e feat(web): Remote Updates API — dashboard endpoints for pushing code to workers 
Adds /api/v1/swarm-updates/{hosts,push,push-self,rollback} behind
require_admin. Reuses the existing UpdaterClient + tar_working_tree + the
per-host asyncio.gather pattern from api_deploy_swarm.py; tarball is
built exactly once per /push request and fanned out to every selected
worker. /hosts filters out decommissioned hosts and agent-only
enrollments (no updater bundle = not a target).

Connection drops during /update-self are treated as success — the
updater re-execs itself mid-response, so httpx always raises.

Pydantic models live in decnet/web/db/models.py (single source of
truth). 24 tests cover happy paths, rollback, transport failures,
include_self ordering (skip on rolled-back agents), validation, and
RBAC gating.
 2026-04-19 01:01:09 -04:00
anti
f5a5fec607 feat(deploy): systemd units w/ capability-based hardening; updater restarts agent via systemctl 
Add deploy/ unit files for every DECNET daemon (agent, updater, api, web,
swarmctl, listener, forwarder). All run as User=decnet with NoNewPrivileges,
ProtectSystem, PrivateTmp, LockPersonality; AmbientCapabilities=CAP_NET_ADMIN
CAP_NET_RAW only on the agent (MACVLAN/scapy). Existing api/web units migrated
to /opt/decnet layout and the same hardening stanza.

Make the updater's _spawn_agent systemd-aware: under systemd (detected via
INVOCATION_ID + systemctl on PATH), `systemctl restart decnet-agent.service`
replaces the Popen path so the new agent inherits the unit's ambient caps
instead of the updater's empty set. _stop_agent becomes a no-op in that mode
to avoid racing systemctl's own stop phase.

Tests cover the dispatcher branch selection, MainPID parsing, and the
systemd no-op stop.
 2026-04-19 00:44:06 -04:00
anti
40d3e86e55 fix(updater): bootstrap fresh venv with deps; rebuild self-update argv from env 
- _run_pip: on first venv use, install decnet with its full dep tree so the
  bootstrapped environment actually has typer/fastapi/uvicorn. Subsequent
  updates keep --no-deps for a near-no-op refresh.
- run_update_self: do not reuse sys.argv to re-exec the updater. Inside the
  live process, sys.argv is the uvicorn subprocess invocation (--ssl-keyfile
  etc.), which 'decnet updater' CLI rejects. Reconstruct the operator-visible
  command from env vars set by updater.server.run.
 2026-04-18 23:51:41 -04:00
anti
ebeaf08a49 fix(updater): fall back to /proc scan when agent.pid is missing 
If the agent was started outside the updater (manually, during dev,
or from a prior systemd unit), there is no agent.pid for _stop_agent
to target, so a successful code install leaves the old in-memory
agent process still serving requests. Scan /proc for any decnet agent
command and SIGTERM all matches so restart is reliable regardless of
how the agent was originally launched.
 2026-04-18 23:42:26 -04:00
anti
7765b36c50 feat(updater): remote self-update daemon with auto-rollback 
Adds a separate `decnet updater` daemon on each worker that owns the
agent's release directory and installs tarball pushes from the master
over mTLS. A normal `/update` never touches the updater itself, so the
updater is always a known-good rescuer if a bad agent push breaks
/health — the rotation is reversed and the agent restarted against the
previous release. `POST /update-self` handles updater upgrades
explicitly (no auto-rollback).

- decnet/updater/: executor, FastAPI app, uvicorn launcher
- decnet/swarm/updater_client.py, tar_tree.py: master-side push
- cli: `decnet updater`, `decnet swarm update [--host|--all]
  [--include-self] [--dry-run]`, `--updater` on `swarm enroll`
- enrollment API issues a second cert (CN=updater@<host>) signed by the
  same CA; SwarmHost records updater_cert_fingerprint
- tests: executor, app, CLI, tar tree, enroll-with-updater (37 new)
- wiki: Remote-Updates page + sidebar + SWARM-Mode cross-link
 2026-04-18 21:40:21 -04:00
anti
8914c27220 feat(swarm): add decnet swarm deckies to list deployed shards by host 
`swarm list` only shows enrolled workers — there was no way to see which
deckies are running and where. Adds GET /swarm/deckies on the controller
(joins DeckyShard with SwarmHost for name/address/status) plus the CLI
wrapper with --host / --state filters and --json.
 2026-04-18 21:10:07 -04:00
anti
4db9c7464c fix(swarm): relocalize master-built config on worker before deploy 
deploy --mode swarm was failing on every heterogeneous fleet: the master
populates config.interface from its own box (detect_interface() → its
default NIC), then ships that verbatim. The worker's deployer then calls
get_host_ip(config.interface), hits 'ip addr show wlp6s0' on a VM whose
NIC is enp0s3, and 500s.

Fix: agent.executor._relocalize() runs on every swarm-mode deploy.
Re-detects the worker's interface/subnet/gateway/host_ip locally and
swaps them into the config before calling deployer.deploy(). When the
worker's subnet doesn't match the master's, decky IPs are re-allocated
from the worker's subnet via allocate_ips() so they're reachable.

Unihost-mode configs are left untouched — they're already built against
the local box and second-guessing them would be wrong.

Validated against anti@192.168.1.13: master dispatched interface=wlp6s0,
agent logged 'relocalized interface=enp0s3', deployer ran successfully,
dry-run returned ok=deployed.

4 new tests cover both branches (matching-subnet preserves decky IPs;
mismatch re-allocates), the end-to-end executor.deploy() path, and the
unihost short-circuit.
 2026-04-18 20:41:21 -04:00
anti
411a797120 feat(cli): add decnet swarm check wrapper for POST /swarm/check 
The swarmctl API already exposes POST /swarm/check — an active mTLS
probe that refreshes SwarmHost.status + last_heartbeat for every
enrolled worker. The CLI was missing a wrapper, so operators had to
curl the endpoint directly (which is how the VM validation run did it,
and how the wiki Deployment-Modes / SWARM-Mode pages ended up doc'ing
a command that didn't exist yet).

Matches the existing list/enroll/decommission pattern: typer subcommand
under swarm_app, --url override, Rich table output plus --json for
scripting. Three tests: populated table, empty-swarm path, and --json
emission.
 2026-04-18 20:28:34 -04:00
anti
3da5a2c4ee feat(cli): add decnet listener + --agent-dir on agent 
New `decnet listener` command runs the master-side RFC 5425 syslog-TLS
receiver as a standalone process (mirrors `decnet api` / `decnet swarmctl`
pattern, SIGTERM/SIGINT handlers, --daemon support).

`decnet agent` now accepts --agent-dir so operators running the worker
agent under sudo/root can point at a bundle outside /root/.decnet/agent
(the HOME under sudo propagation).

Both flags were needed to stand up the full SWARM pipeline end-to-end on
a throwaway VM: mTLS control plane reachable, syslog-over-TLS wire
confirmed via tcpdump, master-crash/resume proved with zero loss and
zero duplication across 10 forwarded lines.

pyproject: bump asyncmy floor to 0.2.11 (resolver already pulled this in).
 2026-04-18 20:15:25 -04:00
anti
bfc7af000a test(swarm): add forwarder/listener resilience scenarios 
Covers failure modes the happy-path tests miss:

- log rotation (copytruncate): st_size shrinks under the forwarder, it
  resets offset=0 and reships the new contents instead of getting wedged
  past EOF;
- listener restart: forwarder retries, resumes from the persisted offset,
  and the previously-acked lines are NOT duplicated on the master;
- listener tolerates a well-authenticated client that sends a partial
  octet-count frame and drops — the server must stay up and accept
  follow-on connections;
- peer_cn / fingerprint_from_ssl degrade to 'unknown' / None when no
  peer cert is available (defensive path that otherwise rarely fires).
 2026-04-18 19:56:51 -04:00
anti
1e8ca4cc05 feat(swarm-cli): add decnet swarm {enroll,list,decommission} + deploy --mode swarm 
New sub-app talks HTTP to the local swarm controller (127.0.0.1:8770 by
default; override with --url or $DECNET_SWARMCTL_URL).

- enroll: POSTs /swarm/enroll, prints fingerprint, optionally writes
  ca.crt/worker.crt/worker.key to --out-dir for scp to the worker.
- list: renders enrolled workers as a rich table (with --status filter).
- decommission: looks up uuid by --name, confirms, DELETEs.

deploy --mode swarm now:
  1. fetches enrolled+active workers from the controller,
  2. round-robin-assigns host_uuid to each decky,
  3. POSTs the sharded DecnetConfig to /swarm/deploy,
  4. renders per-worker pass/fail in a results table.

Exits non-zero if no workers exist or any worker's dispatch failed.
 2026-04-18 19:52:37 -04:00
anti
a6430cac4c feat(swarm): add decnet forwarder CLI to run syslog-over-TLS forwarder 
The forwarder module existed but had no runner — closes that gap so the
worker-side process can actually be launched and runs isolated from the
agent (asyncio.run + SIGTERM/SIGINT → stop_event).

Guards: refuses to start without a worker cert bundle or a resolvable
master host ($DECNET_SWARM_MASTER_HOST or --master-host).
 2026-04-18 19:41:37 -04:00
anti
39d2077a3a feat(swarm): syslog-over-TLS log pipeline (RFC 5425, TCP 6514) 
Worker-side log_forwarder tails the local RFC 5424 log file and ships
each line as an octet-counted frame to the master over mTLS. Offset is
persisted in a tiny local SQLite so master outages never cause loss or
duplication — reconnect resumes from the exact byte where the previous
session left off. Impostor workers (cert not signed by DECNET CA) are
rejected at TLS handshake.

Master-side log_listener terminates mTLS on 0.0.0.0:6514, validates the
client cert, extracts the peer CN as authoritative worker provenance,
and appends each frame to the master's ingest log files. Attacker-
controlled syslog HOSTNAME field is ignored — the CA-controlled CN is
the only source of provenance.

7 tests added covering framing codec, offset persistence across
reopens, end-to-end mTLS delivery, crash-resilience (offset survives
restart, no duplicate shipping), and impostor-CA rejection.

DECNET_SWARM_SYSLOG_PORT / DECNET_SWARM_MASTER_HOST env bindings
added.
 2026-04-18 19:33:58 -04:00
anti
e2d6f857b5 refactor(swarm): move router DTOs into decnet/web/db/models.py 
_schemas.py was a local exception to the codebase convention. The rest
of the app keeps all API request/response DTOs in decnet/web/db/models.py
alongside UserResponse, DeployIniRequest, etc. — the swarm endpoints now
follow the same convention (SwarmEnrollRequest, SwarmHostView, etc).
Deletes decnet/web/router/swarm/_schemas.py.
 2026-04-18 19:28:15 -04:00
anti
811136e600 refactor(swarm): one file per endpoint, matching existing router layout 
Splits the three grouped router files into eight api_<verb>_<resource>.py
modules under decnet/web/router/swarm/ to match the convention used by
router/fleet/ and router/config/. Shared request/response models live in
_schemas.py. Keeps each endpoint easy to locate and modify without
stepping on siblings.
 2026-04-18 19:23:06 -04:00
anti
63b0a58527 feat(swarm): master-side SWARM controller (swarmctl) + agent CLI 
Adds decnet/web/swarm_api.py as an independent FastAPI app with routers
for host enrollment, deployment dispatch (sharding DecnetConfig across
enrolled workers via AgentClient), and active health probing. Runs as
its own uvicorn subprocess via 'decnet swarmctl', mirroring the isolation
pattern used by 'decnet api'. Also wires up 'decnet agent' CLI entry for
the worker side.

29 tests added under tests/swarm/test_swarm_api.py cover enrollment
(including bundle generation + duplicate rejection), host CRUD, sharding
correctness, non-swarm-mode rejection, teardown, and health probes with
a stubbed AgentClient.
 2026-04-18 19:18:33 -04:00
anti
cd0057c129 feat(swarm): DeckyConfig.host_uuid + fix agent log/status field refs 
- decnet.models.DeckyConfig grows an optional 'host_uuid' (the SwarmHost
  that runs this decky). Defaults to None so legacy unihost state files
  deserialize unchanged.
- decnet.agent.executor: replace non-existent config.name references
  with config.mode / config.interface in logs and status payload.
- tests/swarm/test_state_schema.py covers legacy-dict roundtrip, field
  default, and swarm-mode assignments.
 2026-04-18 19:10:25 -04:00
anti
0c77cdab32 feat(swarm): master AgentClient — mTLS httpx wrapper around worker API 
decnet.swarm.client exposes:
- MasterIdentity / ensure_master_identity(): the master's own CA-signed
  client bundle, issued once into ~/.decnet/ca/master/.
- AgentClient: async-context httpx wrapper that talks to a worker agent
  over mTLS. health/status/deploy/teardown methods mirror the agent API.

SSL context is built from a bare ssl.SSLContext(PROTOCOL_TLS_CLIENT)
instead of httpx.create_ssl_context — the latter layers on default-CA
and purpose logic that broke private-CA mTLS. Server cert is pinned by
CA + chain, not DNS (workers enroll with arbitrary SANs).

tests/swarm/test_client_agent_roundtrip.py spins uvicorn in-process
with real certs on disk and verifies:
- A CA-signed master client passes health + status calls.
- An impostor whose cert comes from a different CA cannot connect.
 2026-04-18 19:08:36 -04:00
anti
8257bcc031 feat(swarm): worker agent + fix pre-existing base_repo coverage test 
Worker agent (decnet.agent):
- mTLS FastAPI service exposing /deploy, /teardown, /status, /health,
  /mutate. uvicorn enforces CERT_REQUIRED with the DECNET CA pinned.
- executor.py offloads the blocking deployer onto asyncio.to_thread so
  the event loop stays responsive.
- server.py refuses to start without an enrolled bundle in
  ~/.decnet/agent/ — unauthenticated agents are not a supported mode.
- docs/openapi disabled on the agent — narrow attack surface.

tests/test_base_repo.py: DummyRepo was missing get_attacker_artifacts
(pre-existing abstractmethod) and so could not be instantiated. Added
the stub + coverage for the new swarm CRUD surface on BaseRepository.
 2026-04-18 07:15:53 -04:00
anti
d3b90679c5 feat(swarm): PKI module — self-managed CA for master/worker mTLS 
decnet.swarm.pki provides:
- generate_ca() / ensure_ca() — self-signed root, PKCS8 PEM, 4096-bit.
- issue_worker_cert() — per-worker keypair + cert signed by the CA with
  serverAuth + clientAuth EKU so the same identity backs the agent's
  HTTPS endpoint AND the syslog-over-TLS upstream.
- write_worker_bundle() / load_worker_bundle() — persist with 0600 on
  private keys.
- fingerprint() — SHA-256 DER hex for master-side pinning.

tests/swarm/test_pki.py covers:
- CA idempotency on disk.
- Signed chain validates against CA subject.
- SAN population (DNS + IP).
- Bundle roundtrip with 0600 key perms.
- End-to-end mTLS handshake between two CA-issued peers.
- Cross-CA client rejection (handshake fails).
 2026-04-18 07:09:58 -04:00
anti
6657d3e097 feat(swarm): add SwarmHost and DeckyShard tables + repo CRUD 
Introduces the master-side persistence layer for swarm mode:
- SwarmHost: enrolled worker metadata, cert fingerprint, heartbeat.
- DeckyShard: per-decky host assignment, state, last error.
Repo methods are added as default-raising on BaseRepository so unihost
deployments are untouched; SQLModelRepository implements them (shared
between the sqlite and mysql subclasses per the existing pattern).
 2026-04-18 07:09:29 -04:00
anti
293da364a6 chores: fix linting 2026-04-18 06:46:10 -04:00
anti
d5e6ca1949 chore(gitignore): ignore sqlite WAL files and per-subsystem runtime logs 
decnet.collector.log / decnet.system.log and the *.db-shm / *.db-wal
sidecars produced by the sqlite WAL journal were slipping through the
existing rules. Extend the patterns so runtime state doesn't show up
in git status.
 2026-04-18 05:38:09 -04:00
anti
a97696fa23 chore: add env.config.example documenting DECNET env vars 
Reference template for .env / .env.local showing every variable that
decnet/env.py consumes, with short rationale per section (system
logging, embedded workers, profiling, API server, …). Copy to .env
and fill in secrets; .env itself stays gitignored.
 2026-04-18 05:37:50 -04:00
anti
7864c72948 test(ssh): add unit coverage for emit_capture RFC 5424 output 
Exercises the JSON → syslog formatter end to end: flat fields ride as
SD params, bulky nested metadata collapses into the meta_json_b64 blob,
and the event_type / hostname / service mapping lands in the right
RFC 5424 header slots.
 2026-04-18 05:37:42 -04:00
anti
47a0480994 feat(web-ui): event-body parser and dashboard/live-logs polish 
Frontend now handles syslog lines from producers that don't use
structured-data (notably the SSH PROMPT_COMMAND hook, which emits
'CMD uid=0 user=root src=IP pwd=… cmd=…' as a plain logger message).
A new parseEventBody utility splits the body into head + key/value
pairs and preserves the final value verbatim so commands stay intact.

Dashboard and LiveLogs use this parser to render consistent pills
whether the structure came from SD params or from the MSG body.
 2026-04-18 05:37:31 -04:00
anti
2bf886e18e feat(sniffer): probe ipvlan host iface when macvlan is absent 
The host-side sniffer interface depends on the deploy's driver choice
(--ipvlan flag). Instead of hardcoding HOST_MACVLAN_IFACE, probe both
names and pick whichever exists; warn and disable cleanly if neither
is present. Explicit DECNET_SNIFFER_IFACE still wins.
 2026-04-18 05:37:20 -04:00
anti
8bdc5b98c9 feat(collector): parse real PROCID and extract IPs from logger kv pairs 
- Relaxed RFC 5424 regex to accept either NILVALUE or a numeric PROCID;
  sshd / sudo go through rsyslog with their real PID, while
  syslog_bridge emitters keep using '-'.
- Added a fallback pass that scans the MSG body for IP-shaped
  key=value tokens. This rescues attacker attribution for plain logger
  callers like the SSH PROMPT_COMMAND shim, which emits
  'CMD … src=IP …' without SD-element params.
 2026-04-18 05:37:08 -04:00
anti
aa39be909a feat(templates): ship syslog_bridge.py to every service template 
Each honeypot container now carries its own copy of the shared RFC 5424
formatter. Services that previously rolled their own ad-hoc syslog
lines can now import syslog_line / write_syslog_file for a consistent
SD-element format that the collector already knows how to parse.
 2026-04-18 05:36:56 -04:00
anti
41fd496128 feat(web): attacker artifacts endpoint + UI drawer 
Adds the server-side wiring and frontend UI to surface files captured
by the SSH honeypot for a given attacker.

- New repository method get_attacker_artifacts (abstract + SQLModel
  impl) that joins the attacker's IP to `file_captured` log rows.
- New route GET /attackers/{uuid}/artifacts.
- New router /artifacts/{decky}/{service}/{stored_as} that streams a
  quarantined file back to an authenticated viewer.
- AttackerDetail grows an ArtifactDrawer panel with per-file metadata
  (sha256, size, orig_path) and a download action.
- ssh service fragment now sets NODE_NAME=decky_name so logs and the
  host-side artifacts bind-mount share the same decky identifier.
 2026-04-18 05:36:48 -04:00
anti
39dafaf384 feat(ssh-stealth): hide capture artifacts via XOR+gzip entrypoint blob 
The /opt/emit_capture.py, /opt/syslog_bridge.py, and
/usr/libexec/udev/journal-relay files were plaintext and world-readable
to any attacker root-shelled into the SSH honeypot — revealing the full
capture logic on a single cat.

Pack all three into /entrypoint.sh as XOR+gzip+base64 blobs at build
time (_build_stealth.py), then decode in-memory at container start and
exec the capture loop from a bash -c string. No .py files under /opt,
no journal-relay file under /usr/libexec/udev, no argv_zap name
anywhere. The LD_PRELOAD shim is installed as
/usr/lib/x86_64-linux-gnu/libudev-shared.so.1 — sits next to the real
libudev.so.1 and blends into the multiarch layout.

A 1-byte random XOR key is chosen at image build so a bare
'base64 -d | gunzip' probe on the visible entrypoint returns binary
noise instead of readable Python.

Docker-dependent tests live under tests/docker/ behind a new 'docker'
pytest marker (excluded from the default run, same pattern as fuzz /
live / bench).
 2026-04-18 05:34:50 -04:00
anti
b0e00a6cc4 fix(ssh-capture): drop relay FIFO, rsyslog→/proc/1/fd/1 direct 
The named pipe at /run/systemd/journal/syslog-relay had two problems
beyond its argv leak: any root-in-container process could (a) `cat`
the pipe and watch the live SIEM feed, and (b) write to it and inject
forged log lines. Since an attacker with a shell is already root
inside the honeypot, file permissions can't fix it.

Point rsyslog's auth/user actions directly at /proc/1/fd/1 — the
container-stdout fd Docker attached to PID 1 — and delete the
mkfifo + cat relay from the entrypoint. No pipe on disk, nothing to
read, nothing to inject, and one fewer cloaked process in `ps`.
 2026-04-18 02:12:32 -04:00
anti
2843aafa1a fix(ssh-capture): hide watcher bash argv and sanitize script header 
Two leaks remained after the inotifywait argv fix:

1. The bash running journal-relay showed its argv[1] (the script path)
   in /proc/PID/cmdline, producing a line like
     'journal-relay /usr/libexec/udev/journal-relay'
   Apply argv_zap.so to that bash too.

2. argv_zap previously hardcoded PR_SET_NAME to 'kmsg-watch', which was
   wrong for any caller other than inotifywait. The comm name now comes
   from ARGV_ZAP_COMM so each caller can pick its own (kmsg-watch for
   inotifywait, journal-relay for the watcher bash).

3. The capture.sh header started with 'SSH honeypot file-catcher' —
   fatal if an attacker runs 'cat' on it. Rewritten as a plausible
   systemd-journal relay helper; stray 'attacker' / 'honeypot' words
   in mid-script comments stripped too.
 2026-04-18 02:06:36 -04:00
anti
766eeb3d83 feat(ssh): add ping/nmap/ca-certificates to base image 
A lived-in Linux box ships with iputils-ping, ca-certificates, and nmap
available. Their absence is a cheap tell, and they're handy for letting
the attacker move laterally in ways we want to observe. iproute2 (ip a)
was already installed for attribution — noted here for completeness.
 2026-04-18 01:53:33 -04:00
anti
f462835373 feat(ssh-capture): LD_PRELOAD shim to zero inotifywait argv 
The kmsg-watch (inotifywait) process was the last honest giveaway in
`ps aux` — its watch paths and event flags betrayed the honeypot. The
argv_zap.so shim hooks __libc_start_main, heap-copies argv for the real
main, then memsets the contiguous argv[1..] region to NUL so the kernel's
cmdline reader returns just argv[0].

gcc is installed and purged in the same Docker layer to keep the image
slim. The shim also calls prctl(PR_SET_NAME) so /proc/self/comm mirrors
the argv[0] disguise.
 2026-04-18 01:52:30 -04:00
anti
e356829234 fix(ssh-capture): drop bash token from journal-relay ps line 
exec -a replaces argv[0] so ps shows 'journal-relay /usr/libexec/udev/journal-relay'
instead of '/bin/bash /usr/libexec/udev/journal-relay' — no interpreter
hint on the watcher process.
 2026-04-18 01:45:38 -04:00
anti
a5d6860124 fix(ssh-capture): collapse duplicate journal-relay bash in ps 
inotify | while spawns a subshell for the tail of the pipeline, so
two bash processes (the script itself and the while-loop subshell)
showed up under /usr/libexec/udev/journal-relay in ps aux. Enable
lastpipe so the while loop runs in the main shell — ps now shows
one bash plus the inotify child, matching a simple udev helper.
 2026-04-17 23:04:33 -04:00
anti
8dd4c78b33 refactor: strip DECNET tokens from container-visible surface 
Rename the container-side logging module decnet_logging → syslog_bridge
(canonical at templates/syslog_bridge.py, synced into each template by
the deployer). Drop the stale per-template copies; setuptools find was
picking them up anyway. Swap useradd/USER/chown "decnet" for "logrelay"
so no obvious token appears in the rendered container image.

Apply the same cloaking pattern to the telnet template that SSH got:
syslog pipe moves to /run/systemd/journal/syslog-relay and the relay
is cat'd via exec -a "systemd-journal-fwd". rsyslog.d conf rename
99-decnet.conf → 50-journal-forward.conf. SSH capture script:
/var/decnet/captured → /var/lib/systemd/coredump (real systemd path),
logger tag decnet-capture → systemd-journal. Compose volume updated
to match the new in-container quarantine path.

SD element ID shifts decnet@55555 → relay@55555; synced across
collector, parser, sniffer, prober, formatter, tests, and docs so the
host-side pipeline still matches what containers emit.
 2026-04-17 22:57:53 -04:00
anti
69510fb880 fix(ssh-capture): cloak syslog relay pipe and cat process 
Rename the rsyslog→stdout pipe from /var/run/decnet-logs (dead giveaway)
to /run/systemd/journal/syslog-relay, and launch the relay via
exec -a "systemd-journal-fwd" so ps shows a plausible systemd forwarder
instead of a bare cat. Casual ps/ls inspection now shows nothing
with "decnet" in the name.
 2026-04-17 22:51:34 -04:00
anti
09d9f8595e fix(ssh-capture): disguise watcher as udev helper in ps output 
Old ps output was a dead giveaway: two "decnet-capture" bash procs
and a raw "inotifywait". Install script at /usr/libexec/udev/journal-relay
and invoke inotifywait through a /usr/libexec/udev/kmsg-watch symlink so
both now render as plausible udev/journal helpers under casual inspection.
 2026-04-17 22:44:47 -04:00
anti
bfb3edbd4a fix(ssh-capture): add ss-only attribution fallback 
fuser and /proc fd walks race scp/wget/sftp — by close_write the writer
has already closed the fd, so pid-chain attribution always resolved to
unknown for non-interactive drops. Fall back to the ss snapshot: one
established session → ss-only, multiple → ss-ambiguous (still record
src_ip from the first, analysts cross-check concurrent_sessions).
 2026-04-17 22:36:06 -04:00
anti
a773dddd5c feat(ssh): capture attacker-dropped files with session attribution 
inotifywait watches writable paths in the SSH decky and mirrors any
file close_write/moved_to into a per-decky host-mounted quarantine dir.
Each artifact carries a .meta.json with attacker attribution resolved
by walking the writer PID's PPid chain to the sshd session leader,
then cross-referencing ss and utmp for source IP/user/login time.
Also emits an RFC 5424 syslog line per capture for SIEM correlation.
 2026-04-17 22:20:05 -04:00
anti
edc5c59f93 docs(profiles): archive locust run artifacts under development/profiles 
Commit-by-commit evidence of the perf work: each CSV is the raw
Locust output for the commit hash in its filename, plus the four
fb69a06 variants (single worker, tracing on/off, single-core pinned,
12 workers) referenced in the README baseline table.
 2026-04-17 22:05:35 -04:00
anti
1f758a3669 chore(profile): tolerate null/empty frames in walk_self_time 
Some pyinstrument frame trees contain branches where an identifier is
missing (typically at the very top or with certain async boundaries),
which crashed the aggregator with a KeyError mid-run. Short-circuit
on None frames and missing identifiers so a single ugly HTML no
longer kills the summary of the other few hundred.
 2026-04-17 22:04:29 -04:00
anti
6c22f9ba59 fix(deps): add cryptography for asyncmy MySQL auth 
asyncmy needs cryptography for caching_sha2_password (the MySQL 8
default auth plugin). Without it, connection handshake fails the
moment the server negotiates the modern plugin.
 2026-04-17 22:04:24 -04:00
anti
20fa1f9a63 docs: record single-worker / multi-worker perf baseline 
Capture Locust numbers from the fb69a06 branch across five
configurations so future regressions have something to measure against.

- 500u tracing-on single-worker: ~960 RPS / p99 2.9 s
- 1500u tracing-on single-worker: ~880 RPS / p99 9.5 s
- 1500u tracing-off single-worker: ~990 RPS / p99 8.4 s
- 1500u tracing-off pinned to one core: ~46 RPS / p99 122 s
- 1500u tracing-off 12 workers: ~1585 RPS / p99 4.2 s

Also note MySQL max_connections math (pool_size * max_overflow *
workers = 720) to explain why the default 151 needs bumping, and the
Python 3.14 GC segfault so nobody repeats that mistake.
 2026-04-17 22:03:50 -04:00
anti
fb69a06ab3 fix(db): detach session cleanup onto fresh task on cancellation 
Previous attempt (shield + sync invalidate fallback) didn't work
because shield only protects against cancellation from *other* tasks.
When the caller task itself is cancelled mid-query, its next await
re-raises CancelledError as soon as the shielded coroutine yields —
rollback inside session.close() never completes, the aiomysql
connection is orphaned, and the pool logs 'non-checked-in connection'
when GC finally reaches it.

Hand exception-path cleanup to loop.create_task() so the new task
isn't subject to the caller's pending cancellation. close() (and the
invalidate() fallback for a dead connection) runs to completion.
Success path is unchanged — still awaits close() inline so callers
see commit visibility and pool release before proceeding.
 2026-04-17 21:13:43 -04:00
anti
1446f6da94 fix(db): invalidate pool connection when cancelled close fails 
Under high-concurrency MySQL load, uvicorn cancels request tasks when
clients disconnect.  If cancellation lands mid-query, session.close()
tries to ROLLBACK on a connection that aiomysql has already marked as
closed — raising InterfaceError("Cancelled during execution") and
leaving the connection checked-out until GC, which the pool then
warns about as a 'non-checked-in connection'.

The old fallback tried sync.rollback() + sync.close(), but those still
go through the async driver and fail the same way on a dead connection.
Replace them with session.sync_session.invalidate(), which just flips
the pool's internal record — no I/O, so it can't be cancelled — and
tells the pool to drop the connection immediately instead of waiting
for garbage collection.
 2026-04-17 21:04:04 -04:00
anti
e967aaabfb perf: cache get_user_by_username on the login hot path 
Locust @task(2) hammers /auth/login in steady state on top of the
on_start burst. After caching the uuid-keyed user lookup and every
other read endpoint, login alone accounted for 47% of total
_execute at 500c/u — pure DB queueing on SELECT users WHERE
username=?.

5s TTL, positive hits only (misses bypass so a freshly-created
user can log in immediately). Password verify still runs against
the cached hash, so security is unchanged — the only staleness
window is: a changed password accepts the old password for up to
5s until invalidate_user_cache fires (it's called on every write).
 2026-04-17 20:36:39 -04:00
anti
255c2e5eb7 perf: cache auth user-lookup and admin list_users 
The per-request SELECT users WHERE uuid=? in require_role was the
hidden tax behind every authed endpoint — it kept _execute at ~60%
across the profile even after the page caches landed. Even /health
(with its DB and Docker probes cached) was still 52% _execute from
this one query.

- dependencies.py: 10s TTL cache on get_user_by_uuid, well below JWT
  expiry. invalidate_user_cache(uuid) is called on password change,
  role change, and user delete.
- api_get_config.py: 5s TTL cache on the admin branch's list_users()
  (previously fetched every /config call). Invalidated on user
  create/update/delete.
- api_change_pass.py + api_manage_users.py: invalidation hooks on
  all user-mutating endpoints.
 2026-04-17 19:56:39 -04:00
anti
2dd86fb3bb perf: cache /bounty, /logs/histogram, /deckies; bump /config TTL to 5s 
Round-2 follow-up: profile at 500c/u showed _execute still dominating
the uncached read endpoints (/bounty 76%, /logs/histogram 73%,
/deckies 56%). Same router-level TTL pattern as /stats — 5s window,
asyncio.Lock to collapse concurrent calls into one DB hit.

- /bounty: cache default unfiltered page (limit=50, offset=0,
  bounty_type=None, search=None). Filtered requests bypass.
- /logs/histogram: cache default (interval_minutes=15, no filters).
  Filtered / non-default interval requests bypass.
- /deckies: cache full response (endpoint takes no params).
- /config: bump _STATE_TTL from 1.0 to 5.0 — admin writes are rare,
  1s was too short for bursts to coalesce at high concurrency.
 2026-04-17 19:30:11 -04:00
anti
3106d03135 perf(db): default pool_pre_ping=false for SQLite 
SQLite is a local file — a SELECT 1 per session checkout is pure
overhead. Env var DECNET_DB_POOL_PRE_PING stays for anyone running
on a network-mounted volume. MySQL backend keeps its current default.
 2026-04-17 19:11:07 -04:00
anti
3cc5ba36e8 fix(cli): keep FileNotFoundError handling on decnet api 
Popen moved inside the try so a missing uvicorn falls through to the
existing error message instead of crashing the CLI. test_cli was still
patching the old subprocess.run entrypoint; switched both api command
tests to patch subprocess.Popen / os.killpg to match the current path.
 2026-04-17 19:09:15 -04:00
anti
6301504c0e perf(api): TTL-cache /stats + unfiltered pagination counts 
Every /stats call ran SELECT count(*) FROM logs + SELECT count(DISTINCT
attacker_ip) FROM logs; every /logs and /attackers call ran an
unfiltered count for the paginator. At 500 concurrent users these
serialize through aiosqlite's worker threads and dominate wall time.

Cache at the router layer (repo stays dialect-agnostic):
  - /stats response: 5s TTL
  - /logs total (only when no filters): 2s TTL
  - /attackers total (only when no filters): 2s TTL

Filtered paths bypass the cache. Pattern reused from api_get_config
and api_get_health (asyncio.Lock + time.monotonic window + lazy lock).
 2026-04-17 19:09:15 -04:00
anti
de4b64d857 perf(auth): avoid duplicate user lookup in require_role 
require_role._check previously chained from get_current_user, which
already loaded the user — then looked it up again. Inline the decode +
single user fetch + must_change_password + role check so every
authenticated request costs one SELECT users WHERE uuid=? instead of
two.
 2026-04-17 17:48:42 -04:00
anti
b5d7bf818f feat(health): 3-tier status (healthy / degraded / unhealthy) 
Only database, docker, and ingestion_worker now count as critical
(→ 503 unhealthy). attacker/sniffer/collector failures drop overall
status to degraded (still 200) so the dashboard doesn't panic when a
non-essential worker isn't running.
 2026-04-17 17:48:42 -04:00
anti
257f780d0f docs(bugs): document SSE /api/v1/stream BrokenPipe storm (BUG-003) 2026-04-17 17:48:42 -04:00
anti
a10aee282f perf(ingester): batch log writes into bulk commits 
The ingester now accumulates up to DECNET_BATCH_SIZE rows (default 100)
or DECNET_BATCH_MAX_WAIT_MS (default 250ms) before flushing through
repo.add_logs — one transaction, one COMMIT per batch instead of per
row. Under attacker traffic this collapses N commits into ⌈N/100⌉ and
takes most of the SQLite writer-lock contention off the hot path.

Flush semantics are cancel-safe: _position only advances after a batch
commits successfully, and the flush helper bails without touching the
DB if the enclosing task is being cancelled (lifespan teardown).
Un-flushed lines stay in the file and are re-read on next startup.

Tests updated to assert on add_logs (bulk) instead of the per-row
add_log that the ingester no longer uses, plus a new test that 250
lines flush in ≤5 calls.
 2026-04-17 16:37:34 -04:00
anti
11b9e85874 feat(db): bulk add_logs for one-commit ingestion batches 
Adds BaseRepository.add_logs (default: loops add_log for backwards
compatibility) and a real single-session/single-commit implementation
on SQLModelRepository. Introduces DECNET_BATCH_SIZE (default 100) and
DECNET_BATCH_MAX_WAIT_MS (default 250) so the ingester can flush on
either a size or a time bound when it adopts the new method.

Ingester wiring is deferred to a later pass — the single-log path was
deadlocking tests when flushed during lifespan teardown, so this change
ships the DB primitive alone.
 2026-04-17 16:23:09 -04:00
anti
45039bd621 fix(cache): lazy-init TTL cache locks to survive event-loop turnover 
A module-level asyncio.Lock binds to the loop it was first awaited on.
Under pytest-anyio (and xdist) each test spins up a new loop; any later
test that hit /health or /config would wait on a lock owned by a dead
loop and the whole worker would hang.

Create the lock on first use and drop it in the test-reset helpers so a
fresh loop always gets a fresh lock.
 2026-04-17 16:23:00 -04:00
anti
4ea1c2ff4f fix(health): move Docker client+ping off the event loop 
Under CPU saturation the sync docker.from_env()/ping() calls could miss
their socket timeout, cache _docker_healthy=False, and return 503 for
the full 5s TTL window. Both calls now run on a thread so the event
loop keeps serving other requests while Docker is being probed.
 2026-04-17 15:43:51 -04:00
anti
bb8d782e42 fix(cli): kill uvicorn worker tree on Ctrl+C 
With --workers > 1, SIGINT from the terminal raced uvicorn's supervisor:
some workers got signaled directly, the supervisor respawned them, and
the result behaved like a forkbomb. Start uvicorn in its own session and
signal the whole process group (SIGTERM → 10s grace → SIGKILL) when we
catch KeyboardInterrupt.
 2026-04-17 15:32:08 -04:00
anti
342916ca63 feat(cli): expose --workers on decnet api 
Forwards straight to uvicorn's --workers. Default stays at 1 so the
single-worker efficiency direction is preserved; raising it is available
for threat-actor load scenarios where the honeypot needs to soak real
attack traffic without queueing on one event loop.
 2026-04-17 15:22:45 -04:00
anti
d3f4bbb62b perf(locust): skip change-password in on_start when not required 
Previously every user did login → change-pass → re-login in on_start
regardless of whether the server actually required a password change.
With bcrypt at ~250ms/call that's 3 bcrypt-bound requests per user.
At 2500 users the on_start queue was ~10k bcrypt ops — users never
escaped warmup, so @task endpoints never fired.

Login already returns must_change_password; only run the change-pass
+ re-login dance when the server says we have to. Cuts on_start from
3 requests to 1 for every user after the first DB initialization.
 2026-04-17 15:15:59 -04:00
anti
32340bea0d perf: migrate hot-path JSON serialization to orjson 
stdlib json was FastAPI's default. Every response body, every SSE frame,
and every add_log/state/payload write paid the stdlib encode cost.

- pyproject.toml: add orjson>=3.10 as a core dep.
- decnet/web/api.py: default_response_class=ORJSONResponse on the
  FastAPI app, so every endpoint return goes through orjson without
  touching call sites. Explicit JSONResponse sites in the validation
  exception handlers migrated to ORJSONResponse for consistency.
- health endpoint's explicit JSONResponse → ORJSONResponse.
- SSE stream (api_stream_events.py): 6 json.dumps call sites →
  orjson.dumps(...).decode() — the per-event frames that fire on every
  sse tick.
- sqlmodel_repo.py: encode sites on the log-insert path switched to
  orjson (fields, payload, state value). Parser sites (json.loads)
  left as-is for now — not on the measured hot path.
 2026-04-17 15:07:28 -04:00
anti
f1e14280c0 perf: 1s TTL cache for /health DB probe and /config state reads 
Locust hit /health and /config on every @task(3), so each request was
firing repo.get_total_logs() and two repo.get_state() calls against
aiosqlite — filling the driver queue for data that changes on the order
of seconds, not milliseconds.

Both caches follow the shape already used by the existing Docker cache:
- asyncio.Lock with double-checked TTL so concurrent callers collapse
  into one DB hit per 1s window.
- _reset_* helpers called from tests/api/conftest.py::setup_db so the
  module-level cache can't leak across tests.

tests/test_health_config_cache.py asserts 50 concurrent callers
produce exactly 1 repo call, and the cache expires after TTL.
 2026-04-17 15:05:18 -04:00
anti
931f33fb06 perf: cache Docker daemon ping in /health (5s TTL) 
Creating a new docker.from_env() client per /health request opened a
fresh unix-socket connection each time. Under load that's wasteful and
hammers dockerd.

Keep a module-level client + last-check timestamp; actually ping every
5 seconds, return cached state in between. Reset helper provided for
tests.
 2026-04-17 15:01:53 -04:00
anti
467511e997 db: switch MySQL driver to asyncmy, env-tune pool, serialize DDL 
- aiomysql → asyncmy on both sides of the URL/import (faster, maintained).
- Pool sizing now reads DECNET_DB_POOL_SIZE / MAX_OVERFLOW / RECYCLE /
  PRE_PING for both SQLite and MySQL engines so stress runs can bump
  without code edits.
- MySQL initialize() now wraps schema DDL in a GET_LOCK advisory lock so
  concurrent uvicorn workers racing create_all() don't hit 'Table was
  skipped since its definition is being modified by concurrent DDL'.
- sqlite & mysql repo get_log_histogram use the shared _session() helper
  instead of session_factory() for consistency with the rest of the repo.
- SSE stream_events docstring updated to asyncmy.
 2026-04-17 15:01:49 -04:00
anti
3945e72e11 perf: run bcrypt on a thread so it doesn't block the event loop 
verify_password / get_password_hash are CPU-bound and take ~250ms each
at rounds=12. Called directly from async endpoints, they stall every
other coroutine for that window — the single biggest single-worker
bottleneck on the login path.

Adds averify_password / ahash_password that wrap the sync versions in
asyncio.to_thread. Sync versions stay put because _ensure_admin_user and
tests still use them.

5 call sites updated: login, change-password, create-user, reset-password.
tests/test_auth_async.py asserts parallel averify runs concurrently (~1x
of a single verify, not 2x).
 2026-04-17 14:52:22 -04:00
anti
bd406090a7 fix: re-seed admin password when still unfinalized (must_change_password=True) 
_ensure_admin_user was strict insert-if-missing: once a stale hash landed
in decnet.db (e.g. from a deploy that used a different DECNET_ADMIN_PASSWORD),
login silently 401'd because changing the env var later had no effect.

Now on startup: if the admin still has must_change_password=True (they
never finalized their own password), re-sync the hash from the current
env var. Once the admin sets a real password, we leave it alone.

Found via locustfile.py login storm — see tests/test_admin_seed.py.

Note: this commit also bundles uncommitted pool-management work already
present in sqlmodel_repo.py from prior sessions.
 2026-04-17 14:49:13 -04:00
anti
e22d057e68 added: scripts/profile/aggregate_requests.py — roll up pyinstrument request profiles 
Parses every HTML in profiles/, reattributes [self]/[await] synthetic
leaves to their parent function, and reports per-endpoint wall-time
(mean/p50/p95/max) plus top hot functions by cumulative self-time.

Makes post-locust profile dirs actually readable — otherwise they're
just a pile of hundred-plus HTML files.
 2026-04-17 14:48:59 -04:00
anti
cb12e7c475 fix: logging handler must not crash its caller on reopen failure 
When decnet.system.log is root-owned (e.g. created by a pre-fix 'sudo
decnet deploy') and a subsequent non-root process tries to log, the
InodeAwareRotatingFileHandler raised PermissionError out of emit(),
which propagated up through logger.debug/info and killed the collector's
log stream loop ('log stream ended ... reason=[Errno 13]').

Now matches stdlib behaviour: wrap _open() in try/except OSError and
defer to handleError() on failure. Adds a regression test.

Also: scripts/profile/view.sh 'pyinstrument' keyword was matching
memray-flamegraph-*.html files. Exclude the memray-* prefix.
 2026-04-17 14:01:36 -04:00
anti
c29ca977fd added: scripts/profile/classify_usage.py — classify memray usage_over_time.csv 
Reads the memray usage CSV and emits a verdict based on tail-drop-from-
peak: CLIMB-AND-DROP, MOSTLY-RELEASED, or SUSTAINED-AT-PEAK. Deliberately
ignores net-growth-vs-baseline since any active workload grows vs. a cold
interpreter — that metric is misleading as a leak signal.
 2026-04-17 13:54:37 -04:00
anti
bf4afac70f fix: RotatingFileHandler reopens on external deletion/rotation 
Mirrors the inode-check fix from 935a9a5 (collector worker) for the
stdlib-handler-based log paths. Both decnet.system.log (config.py) and
decnet.log (logging/file_handler.py) now use a subclass that stats the
target path before each emit and reopens on inode/device mismatch —
matching the behavior of stdlib WatchedFileHandler while preserving
size-based rotation.

Previously: rm decnet.system.log → handler kept writing to the orphaned
inode until maxBytes triggered; all lines between were lost.
 2026-04-17 13:42:15 -04:00
anti
4b15b7eb35 fix: chown log files to sudo-invoking user so non-root API can append 
'sudo decnet deploy' needs root for MACVLAN, but the log files it creates
(decnet.log and decnet.system.log) end up owned by root. A subsequent
non-root 'decnet api' then crashes on PermissionError appending to them.

New decnet.privdrop helper reads SUDO_UID/SUDO_GID and chowns files/dirs
back to the invoking user. Best-effort: no-op when not root, not under
sudo, path missing, or chown fails. Applied at both log-file creation
sites (config.py system log, logging/file_handler.py syslog file).
 2026-04-17 13:39:09 -04:00
anti
140d2fbaad fix: gate embedded sniffer behind DECNET_EMBED_SNIFFER (default off) 
The API's lifespan unconditionally spawned a MACVLAN sniffer task, which
duplicated the standalone 'decnet sniffer --daemon' process that
'decnet deploy' always starts — causing two workers to sniff the same
interface, double events, and wasted CPU.

Mirror the existing DECNET_EMBED_PROFILER pattern: sniffer is OFF by
default, opt in explicitly. Static regression tests guard against
accidental removal of the gate.
 2026-04-17 13:35:43 -04:00
anti
064c8760b6 fix: memray run needs --trace-python-allocators for frame attribution 
Without it, 'Total number of frames seen: 0' in memray stats and flamegraphs
render empty / C-only. Also added --follow-fork so uvicorn workers spawned
as child processes are tracked.
 2026-04-17 13:24:55 -04:00
anti
6572c5cbaf added: scripts/profile/view.sh — auto-pick newest artifact and open viewer 
Dispatches by extension: .prof -> snakeviz, memray .bin -> memray flamegraph
(overridable via VIEW=table|tree|stats|summary|leaks), .svg/.html -> xdg-open.
Positional arg can be a file path or a type keyword (cprofile, memray, pyspy,
pyinstrument).
 2026-04-17 13:20:05 -04:00
anti
ba448bae13 docs: py-spy 0.4.1 lacks Python 3.14 support; wrapper aborts early 
Root cause of 'No python processes found in process <pid>': py-spy needs
per-release ABI knowledge and 0.4.1 (latest PyPI) predates 3.14. Wrapper
now detects the interpreter and points users at pyinstrument/memray/cProfile.
 2026-04-17 13:17:23 -04:00
anti
1a18377b0a fix: mysql url builder tests expect asyncmy, not aiomysql 
The builder in decnet/web/db/mysql/database.py emits 'mysql+asyncmy://' URLs
(asyncmy is the declared dep in pyproject.toml). Tests were stale from a
prior aiomysql era.
 2026-04-17 13:13:36 -04:00
anti
319c1dbb61 added: profiling toolchain (py-spy, pyinstrument, pytest-benchmark, memray, snakeviz) 
New `profile` optional-deps group, opt-in Pyinstrument ASGI middleware
gated by DECNET_PROFILE_REQUESTS, bench marker + tests/perf/ micro-benchmarks
for repository hot paths, and scripts/profile/ helpers for py-spy/cProfile/memray.
 2026-04-17 13:13:00 -04:00
anti
c1d8102253 modified: DEVELOPMENT roadmap. one step closer to v1 2026-04-16 11:39:07 -04:00
anti
49f3002c94 added: docs; modified: .gitignore
Some checks failed
CI / Lint (ruff) (push) Successful in 18s
Details
CI / SAST (bandit) (push) Successful in 19s
Details
CI / Dependency audit (pip-audit) (push) Successful in 40s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m38s
Details
CI / Test (Standard) (3.12) (push) Successful in 2m56s
Details
CI / Test (Live) (3.11) (push) Failing after 1m3s
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-16 02:10:38 -04:00
anti
9b59f8672e chores: cleanup; added: viteconfig 2026-04-16 02:09:30 -04:00
anti
296979003d fix: pytest -m live works without extra flags 
Root cause: test_schemathesis.py mutates decnet.web.auth.SECRET_KEY at
module-level import time, poisoning JWT verification for all other tests
in the same process — even when fuzz tests are deselected.

- Add pytest_ignore_collect hook in tests/api/conftest.py to skip
  collecting test_schemathesis.py unless -m fuzz is selected
- Add --dist loadscope to addopts so xdist groups by module (protects
  module-scoped fixtures in live tests)
- Remove now-unnecessary xdist_group markers from live test classes
 2026-04-16 01:55:38 -04:00
anti
89099b903d fix: resolve schemathesis and live test failures 
- Add 403 response to all RBAC-gated endpoints (schemathesis UndefinedStatusCode)
- Add 400 response to all endpoints accepting JSON bodies (malformed input)
- Add required 'title' field to schemathesis.toml for schemathesis 4.15+
- Add xdist_group markers to live tests with module-scoped fixtures to
  prevent xdist from distributing them across workers (fixture isolation)
 2026-04-16 01:39:04 -04:00
anti
29578d9d99 fix: resolve all ruff and bandit lint/security issues 
- Remove unused Optional import (F401) in telemetry.py
- Move imports above module-level code (E402) in web/db/models.py
- Default API/web hosts to 127.0.0.1 instead of 0.0.0.0 (B104)
- Add usedforsecurity=False to MD5 calls in JA3/HASSH fingerprinting (B324)
- Annotate intentional try/except/pass blocks with nosec (B110)
- Remove stale nosec comments that no longer suppress anything
 2026-04-16 01:04:57 -04:00
anti
70d8ffc607 feat: complete OTEL tracing across all services with pipeline bridge and docs 
Extends tracing to every remaining module: all 23 API route handlers,
correlation engine, sniffer (fingerprint/p0f/syslog), prober (jarm/hassh/tcpfp),
profiler behavioral analysis, logging subsystem, engine, and mutator.

Bridges the ingester→SSE trace gap by persisting trace_id/span_id columns on
the logs table and creating OTEL span links in the SSE endpoint. Adds log-trace
correlation via _TraceContextFilter injecting otel_trace_id into Python LogRecords.

Includes development/docs/TRACING.md with full span reference (76 spans),
pipeline propagation architecture, quick start guide, and troubleshooting.
 2026-04-16 00:58:08 -04:00
anti
04db13afae feat: cross-stage trace propagation and granular per-event spans 
Collector now creates a span per event and injects W3C trace context
into JSON records. Ingester extracts that context and creates child
spans, connecting the full event journey: collector -> ingester ->
db.add_log + extract_bounty -> db.add_bounty.

Profiler now creates per-IP spans inside update_profiles with rich
attributes (event_count, is_traversal, bounty_count, command_count).

Traces in Jaeger now show the complete execution map from capture
through ingestion and profiling.
 2026-04-15 23:52:13 -04:00
anti
d1a88e75bd fix: dynamic TracedRepository proxy + disable tracing in test suite 
Replace brittle explicit method-by-method proxy with __getattr__-based
dynamic proxy that forwards all args/kwargs to the inner repo. Fixes
TypeError on get_logs_after_id() where concrete repo accepts extra
kwargs beyond the ABC signature.

Pin DECNET_DEVELOPER_TRACING=false in conftest.py so .env.local
settings don't leak into the test suite.
 2026-04-15 23:46:46 -04:00
anti
65ddb0b359 feat: add OpenTelemetry distributed tracing across all DECNET services 
Gated by DECNET_DEVELOPER_TRACING env var (default off, zero overhead).
When enabled, traces flow through FastAPI routes, background workers
(collector, ingester, profiler, sniffer, prober), engine/mutator
operations, and all DB calls via TracedRepository proxy.

Includes Jaeger docker-compose for local dev and 18 unit tests.
 2026-04-15 23:23:13 -04:00
anti
b437bc8eec fix: use unbuffered reads in proxy for SSE streaming 
resp.read(4096) blocks until 4096 bytes accumulate, which stalls SSE
events (~100-500 bytes each) in the proxy buffer indefinitely. Switch
to read1() which returns bytes immediately available without waiting
for more. Also disable the 120s socket timeout for SSE connections.
 2026-04-15 23:03:03 -04:00
anti
a1ca5d699b fix: use dedicated thread pools for collector and sniffer workers 
The collector spawned one permanent thread per Docker container via
asyncio.to_thread(), saturating the default asyncio executor. This
starved short-lived to_thread(load_state) calls in get_deckies() and
get_stats_summary(), causing the SSE stream and deckies endpoints to
hang indefinitely while other DB-only endpoints worked fine.

Give the collector and sniffer their own ThreadPoolExecutor so they
never compete with the default pool.
 2026-04-15 22:57:03 -04:00
anti
e9d151734d feat: deduplicate bounties on (bounty_type, attacker_ip, payload) 
Before inserting a bounty, check whether an identical row already exists.
Drops silent duplicates to prevent DB saturation from aggressive scanners.
 2026-04-15 18:02:52 -04:00
anti
0ab97d0ade docs: document decnet domain models and fleet transformation 2026-04-15 18:01:27 -04:00
anti
60de16be84 docs: document decnet collector worker 2026-04-15 17:56:24 -04:00
anti
82ec7f3117 fix: gate embedded profiler behind DECNET_EMBED_PROFILER to prevent dual-instance cursor conflict 
decnet deploy spawns a standalone profiler daemon AND api.py was also starting
attacker_profile_worker as an asyncio task inside the web server. Both instances
shared the same attacker_worker_cursor key in the state table, causing a race
where one instance could skip events already claimed by the other or overwrite
the cursor mid-batch.

Default is now OFF (embedded profiler disabled). The standalone daemon started
by decnet deploy is the single authoritative instance. Set DECNET_EMBED_PROFILER=true
only when running decnet api in isolation without a full deploy.
 2026-04-15 17:49:18 -04:00
anti
11d749f13d fix: wire prober tcpfp_fingerprint events into sniffer_rollup for OS/hop detection 
The active prober emits tcpfp_fingerprint events with TTL, window, MSS etc.
from the attacker's SYN-ACK. These were invisible to the behavioral profiler
for two reasons:

1. target_ip (prober's field name for attacker IP) was not in _IP_FIELDS in
   collector/worker.py or correlation/parser.py, so the profiler re-parsed
   raw_lines and got attacker_ip=None, never attributing prober events to
   the attacker profile.

2. sniffer_rollup only handled tcp_syn_fingerprint (passive sniffer) and
   ignored tcpfp_fingerprint (active prober). Prober events use different
   field names: window_size/window_scale/sack_ok vs window/wscale/has_sack.

Changes:
- Add target_ip to _IP_FIELDS in collector and parser
- Add _PROBER_TCPFP_EVENT and _INITIAL_TTL table to behavioral.py
- sniffer_rollup now processes tcpfp_fingerprint: maps field names, derives
  OS from TTL via _os_from_ttl, computes hop_distance = initial_ttl - observed
- Expand prober DEFAULT_TCPFP_PORTS to [22,80,443,8080,8443,445,3389] for
  better SYN-ACK coverage on attacker machines
- Add 4 tests covering prober OS detection, hop distance, and field mapping
 2026-04-15 17:36:40 -04:00
anti
a4798946c1 fix: add remote_addr to IP field lookup so http/https/k8s events are attributed correctly 
Templates for http, https, k8s, and docker_api log the client IP as
remote_addr (Flask's request.remote_addr) instead of src_ip. The collector
and correlation parser only checked src_ip/src/client_ip/remote_ip/ip, so
every request event from those services was stored with attacker_ip="Unknown"
and never associated with any attacker profile.

Adding remote_addr to _IP_FIELDS in both collector/worker.py and
correlation/parser.py fixes attribution. The profiler cursor was also reset
to 0 so the worker performs a cold rebuild and re-ingests existing events with
the corrected field mapping.
 2026-04-15 17:23:33 -04:00
anti
d869eb3d23 docs: document decnet engine orchestrator 2026-04-15 17:13:13 -04:00
anti
89887ec6fd fix: serialize HTTP headers as JSON so tool detection and bounty extraction work 
templates/decnet_logging.py calls str(v) on all SD-PARAM values, turning a
headers dict into Python repr ('{'User-Agent': ...}') rather than JSON.
detect_tools_from_headers() called json.loads() on that string and silently
swallowed the error, returning [] for every HTTP event. Same bug prevented
the ingester from extracting User-Agent bounty fingerprints.

- templates/http/server.py: wrap headers dict in json.dumps() before passing
  to syslog_line so the value is a valid JSON string in the syslog record
- behavioral.py: add ast.literal_eval fallback for existing DB rows that were
  stored with the old Python repr format
- ingester.py: parse headers as JSON string in _extract_bounty so User-Agent
  fingerprints are stored correctly going forward
- tests: add test_json_string_headers and test_python_repr_headers_fallback
  to exercise both formats in detect_tools_from_headers
 2026-04-15 17:03:52 -04:00
anti
02e73a19d5 fix: promote TCP-fingerprinted nmap to tool_guesses (detects -sC sans HTTP) 2026-04-15 16:44:45 -04:00
anti
b3efd646f6 feat: replace tool attribution stat with dedicated DETECTED TOOLS block 2026-04-15 16:37:54 -04:00
anti
2ec64ef2ef fix: rename BEHAVIOR label to ATTACK PATTERN for clarity 2026-04-15 16:36:19 -04:00
anti
e67624452e feat: centralize microservice logging to DECNET_SYSTEM_LOGS (default: decnet.system.log) 2026-04-15 16:23:28 -04:00
anti
e05b632e56 feat: update AttackerDetail UI for new behavior classes and multi-tool badges 2026-04-15 15:49:03 -04:00
anti
c8f05df4d9 feat: overhaul behavioral profiler — multi-tool detection, improved classification, TTL OS fallback 2026-04-15 15:47:02 -04:00
anti
935a9a58d2 fix: reopen collector log handles after deletion or log rotation 
Replaces the single persistent open() with inode-based reopen logic.
If decnet.log or decnet.json is deleted or renamed by logrotate, the
next write detects the stale inode, closes the old handle, and creates
a fresh file — preventing silent data loss to orphaned inodes.
 2026-04-15 14:04:54 -04:00
anti
63efe6c7ba fix: persist ingester position and profiler cursor across restarts 
- Ingester now loads byte-offset from DB on startup (key: ingest_worker_position)
  and saves it after each batch — prevents full re-read on every API restart
- On file truncation/rotation the saved offset is reset to 0
- Profiler worker now loads last_log_id from DB on startup — every restart
  becomes an incremental update instead of a full cold rebuild
- Updated all affected tests to mock get_state/set_state; added new tests
  covering position restore, set_state call, truncation reset, and cursor
  restore/cold-start paths
 2026-04-15 13:58:12 -04:00
anti
314e6c6388 fix: remove event-loop-blocking cold start; unify profiler to cursor-based incremental 
Cold start fetched all logs in one bulk query then processed them in a tight
synchronous loop with no yields, blocking the asyncio event loop for seconds
on datasets of 30K+ rows. This stalled every concurrent await — including the
SSE stream generator's initial DB calls — causing the dashboard to show
INITIALIZING SENSORS indefinitely.

Changes:
- Drop _cold_start() and get_all_logs_raw(); uninitialized state now runs the
  same cursor loop as incremental, starting from last_log_id=0
- Yield to the event loop after every _BATCH_SIZE rows (asyncio.sleep(0))
- Add SSE keepalive comment as first yield so the connection flushes before
  any DB work begins
- Add Cache-Control/X-Accel-Buffering headers to StreamingResponse
 2026-04-15 13:46:42 -04:00
anti
12aa98a83c fix: migrate TEXT→MEDIUMTEXT for attacker/state columns on MySQL 
Existing MySQL databases hit a DataError when the commands/fingerprints
JSON blobs exceed 64 KiB (TEXT limit). _BIG_TEXT emits MEDIUMTEXT only
at CREATE TABLE time; create_all() is a no-op on existing columns.

Add MySQLRepository._migrate_column_types() that queries
information_schema and issues ALTER TABLE … MODIFY COLUMN … MEDIUMTEXT
for the five affected columns (commands, fingerprints, services, deckies,
state.value) whenever they are still TEXT. Called from an overridden
initialize() after _migrate_attackers_table() and before create_all().

Add tests/test_mysql_migration.py covering: ALTER issued for TEXT columns,
no-op for already-MEDIUMTEXT, idempotency, DEFAULT clause correctness,
and initialize() call order.
 2026-04-15 12:59:54 -04:00
anti
7dbc71d664 test: add profiler behavioral analysis and RBAC endpoint tests 
- test_profiler_behavioral.py: attacker behavior pattern matching tests
- api/test_rbac.py: comprehensive RBAC role separation tests
- api/config/: configuration API endpoint tests (CRUD, reinit, user management)
 2026-04-15 12:51:38 -04:00
anti
dae3687089 test: add fingerprinting and TCP analysis tests 
- test_sniffer_p0f.py: p0f passive OS fingerprinting tests
- test_sniffer_tcp_fingerprint.py: TCP fingerprinting accuracy tests
- test_sniffer_retransmit.py: retransmission detection and analysis
 2026-04-15 12:51:35 -04:00
anti
187194786f test: add MySQL backend integration tests 
- test_mysql_backend_live.py: live integration tests for MySQL connections
- test_mysql_histogram_sql.py: dialect-specific histogram query tests
- test_mysql_url_builder.py: MySQL connection string construction
- mysql_spinup.sh: Docker spinup script for local MySQL testing
 2026-04-15 12:51:33 -04:00
anti
9de320421e test: add repository factory and CLI db-reset tests 
- test_factory.py: verify database factory selects correct backend
- test_cli_db_reset.py: test CLI database reset functionality
 2026-04-15 12:51:29 -04:00
anti
dd4e2aad91 test: update existing test suites for refactored codebase 
- test_api_attackers.py: update for BaseRepository interface
- test_attacker_worker.py: full test suite for worker logic (formerly in module)
- test_base_repo.py: repository interface conformance tests
- test_cli.py: CLI enhancements (randomize-services, selective deployment)
- test_service_isolation.py: isolation validation tests
- api/conftest.py: fixture updates for RBAC-gated endpoints
- live/test_service_isolation_live.py: live integration tests
 2026-04-15 12:51:26 -04:00
anti
7d10b78d50 chore: update templates and development documentation 
- templates/sniffer/decnet_logging.py: add logging configuration for sniffer integration
- templates/ssh/decnet_logging.py: add SSH service logging template
- development/DEVELOPMENT.md: document new MySQL backend, p0f, profiler, config API features
- pyproject.toml: update dependencies for MySQL, p0f, profiler functionality
 2026-04-15 12:51:22 -04:00
anti
ddfb232590 feat: add behavioral profiler for attacker pattern analysis 
- decnet/profiler/: analyze attacker behavior timings, command sequences, service probing patterns
- Enables detection of coordinated attacks vs random scanning
- Feeds into attacker scoring and risk assessment
 2026-04-15 12:51:19 -04:00
anti
d7da3a7fc7 feat: add advanced OS fingerprinting via p0f integration 
- decnet/sniffer/fingerprint.py: enhance TCP/IP fingerprinting pipeline
- decnet/sniffer/p0f.py: integrate p0f for passive OS classification
- Improves attacker profiling accuracy in honeypot interaction analysis
 2026-04-15 12:51:17 -04:00
anti
947efe7bd1 feat: add configuration management API endpoints 
- api_get_config.py: retrieve current DECNET config (admin only)
- api_update_config.py: modify deployment settings (admin only)
- api_manage_users.py: user/role management (admin only)
- api_reinit.py: reinitialize database schema (admin only)
- Integrated with centralized RBAC per memory: server-side UI gating
 2026-04-15 12:51:14 -04:00
anti
c603531fd2 feat: add MySQL backend support for DECNET database 
- Implement MySQLRepository extending BaseRepository
- Add SQLAlchemy/SQLModel ORM abstraction layer (sqlmodel_repo.py)
- Support connection pooling and tuning via DECNET_DB_URL env var
- Cross-compatible with SQLite backend via factory pattern
- Prepared for production deployment with MySQL SIEM/ELK integration
 2026-04-15 12:51:11 -04:00
anti
a78126b1ba feat: enhance UI components with config management and RBAC gating 
- Add Config.tsx component for admin configuration management
- Update AttackerDetail, DeckyFleet components to use server-side RBAC gating
- Remove client-side role checks per memory: server-side UI gating is mandatory
- Add Config.css for configuration UI styling
 2026-04-15 12:51:08 -04:00
anti
0ee23b8700 refactor: enforce RBAC decorators on all API endpoints 
- Add @require_role() decorators to all GET/POST/PUT endpoints
- Centralize role-based access control per memory: RBAC null-role bug required server-side gating
- Admin (manage_admins), Editor (write ops), Viewer (read ops), Public endpoints
- Removes client-side role checks as per memory: server-side UI gating is mandatory
 2026-04-15 12:51:05 -04:00
anti
0952a0b71e refactor: enhance CLI with improved service registration and deployment 
- Refactor deploy command to support service randomization and selective service deployment
- Add --services flag to filter deployed services by name
- Improve status and teardown command output formatting
- Update help text for clarity
 2026-04-15 12:50:53 -04:00
anti
4683274021 refactor: remove attacker_worker.py, move logic to test_attacker_worker.py 
- Worker logic refactored and tested via test_attacker_worker.py
- No longer needed as standalone module
 2026-04-15 12:50:51 -04:00
anti
ab187f70a1 refactor: migrate SQLiteRepository to BaseRepository interface 
- Extract dialect-agnostic methods to BaseRepository
- Keep only SQLite-specific SQL and initialization in SQLiteRepository
- Reduces duplication for upcoming MySQL backend
- Maintains 100% backward compatibility
 2026-04-15 12:50:44 -04:00
anti
172a002d41 refactor: implement database backend factory for SQLite and MySQL 
- Add `get_repository()` factory function to select DB implementation at runtime via DECNET_DB_TYPE env var
- Extract BaseRepository abstract interface from SQLiteRepository
- Update dependencies to use factory-based repository injection
- Add DECNET_DB_TYPE env var support (defaults to sqlite)
- Refactor models and repository base class for cross-dialect compatibility
 2026-04-15 12:50:41 -04:00
anti
f6cb90ee66 perf: rate-limit connect/disconnect events in collector to spare ingester 
Connection-lifecycle events (connect, disconnect, accept, close) fire once
per TCP connection. During a portscan or credential-stuffing run this
firehoses the SQLite ingester with tiny WAL writes and starves all reads
until the queue drains.

The collector now deduplicates these events by
(attacker_ip, decky, service, event_type) over a 1-second window before
writing to the .json ingestion stream. The raw .log file is untouched, so
rsyslog/SIEM still see every event for forensic fidelity.

Tunable via DECNET_COLLECTOR_RL_WINDOW_SEC and DECNET_COLLECTOR_RL_EVENT_TYPES.
 2026-04-15 12:04:04 -04:00
anti
2d65d74069 chore: fix ruff lint errors, bandit suppressions, and pin pip>=26.0 
Remove unused imports (ruff F401), suppress B324 false positives on
spec-mandated MD5 in HASSH/JA3/JA3S fingerprinting, drop unused
record_version assignment in JARM parser, and pin pip>=26.0 in dev
deps to address CVE-2025-8869 and CVE-2026-1703.
 2026-04-14 17:32:18 -04:00
anti
d5eb60cb41 fix: env leak from live tests caused test_failed_mutation_returns_404 to fail 
The live test modules set DECNET_CONTRACT_TEST=true at module level,
which persisted across xdist workers and caused the mutate endpoint
to short-circuit before the mock was reached. Clear the env var in
affected tests with monkeypatch.delenv.
 2026-04-14 17:29:02 -04:00
anti
47f2da1d50 test: add live service isolation tests 
21 live tests covering all background workers against real resources:
collector (real Docker daemon), ingester (real filesystem + DB),
attacker worker (real DB profiles), sniffer (real network interfaces),
API lifespan (real health endpoint), and cross-service cascade isolation.
 2026-04-14 17:24:21 -04:00
anti
53fdeee208 test: add live integration tests for /health endpoint 
9 tests covering auth enforcement, component reporting, status
transitions, degraded mode, and real DB/Docker state validation.
Runs with -m live alongside other live service tests.
 2026-04-14 17:03:43 -04:00
anti
a2ba7a7f3c feat: add /health endpoint for microservice monitoring 
Checks database, background workers (ingestion, collector, attacker,
sniffer), and Docker daemon. Reports healthy/degraded/unhealthy status
with per-component details. Returns 503 when required services fail,
200 for healthy or degraded (only optional services down).
 2026-04-14 16:56:20 -04:00
anti
3eab6e8773 test: add service isolation and cascade failure tests 
23 tests verifying that each background worker degrades gracefully
when its dependencies are unavailable, and that failures don't cascade:

- Collector: Docker unavailable, no state file, empty fleet
- Ingester: missing log file, unset env var, malformed JSON, fatal DB
- Attacker: DB errors, empty database
- Sniffer: missing interface, no state, scapy crash, non-decky traffic
- API lifespan: all workers failing, DB init failure, sniffer import fail
- Cascade: collector→ingester, ingester→attacker, sniffer→collector, DB→sniffer
 2026-04-14 15:07:50 -04:00
anti
5a7ff285cd feat: fleet-wide MACVLAN sniffer microservice 
Replace per-decky sniffer containers with a single host-side sniffer
that monitors all traffic on the MACVLAN interface. Runs as a background
task in the FastAPI lifespan alongside the collector, fully fault-isolated
so failures never crash the API.

- Add fleet_singleton flag to BaseService; sniffer marked as singleton
- Composer skips fleet_singleton services in compose generation
- Fleet builder excludes singletons from random service assignment
- Extract TLS fingerprinting engine from templates/sniffer/server.py
  into decnet/sniffer/ package (parameterized for fleet-wide use)
- Sniffer worker maps packets to deckies via IP→name state mapping
- Original templates/sniffer/server.py preserved for future use
 2026-04-14 15:02:34 -04:00
anti
1d73957832 feat: collapsible sections in attacker detail view 
All info sections (Timeline, Services, Deckies, Commands, Fingerprints)
now have clickable headers with a chevron toggle to expand/collapse
content. Pagination controls in Commands stay clickable without
triggering the collapse. All sections default to open.
 2026-04-14 13:42:52 -04:00
anti
c2eceb147d refactor: group fingerprints by type in attacker detail view 
Replace flat fingerprint card list with a structured section that
groups fingerprints by type under two categories: Active Probes
(JARM, HASSH, TCP/IP) and Passive Fingerprints (TLS, certificates,
latency, etc.). Each group shows its icon, label, and count.
 2026-04-14 13:05:07 -04:00
anti
09d9c0ec74 feat: add JARM, HASSH, and TCP/IP fingerprint rendering to frontend 
AttackerDetail: dedicated render components for JARM (hash + target),
HASSHServer (hash, banner, expandable KEX/encryption algorithms), and
TCP/IP stack (TTL, window, MSS as bold stats, DF/SACK/TS as tags,
options order string).

Bounty: add fingerprint field labels and priority keys so prober
bounties display structured rows instead of raw JSON. Add FINGERPRINTS
filter option to the type dropdown.
 2026-04-14 13:01:29 -04:00
anti
2dcf47985e feat: add HASSHServer and TCP/IP stack fingerprinting to DECNET-PROBER 
Extends the prober with two new active probe types alongside JARM:
- HASSHServer: SSH server fingerprinting via KEX_INIT algorithm ordering
  (MD5 hash of kex;enc_s2c;mac_s2c;comp_s2c, pure stdlib)
- TCP/IP stack: OS/tool fingerprinting via SYN-ACK analysis using scapy
  (TTL, window size, DF bit, MSS, TCP options ordering, SHA256 hash)

Worker probe cycle now runs three phases per IP with independent
per-type port tracking. Ingester extracts bounties for all three
fingerprint types.
 2026-04-14 12:53:55 -04:00
anti
5585e4ec58 refactor: prober auto-discovers attackers from log stream 
Remove --probe-targets from deploy. The prober now tails the JSON log
file and automatically discovers attacker IPs, JARM-probing each on
common C2 ports (443, 8443, 8080, 4443, 50050, etc.).

- Deploy spawns prober automatically (like collector), no manual targets
- `decnet probe` runs in foreground, --daemon detaches to background
- Worker tracks probed (ip, port) pairs to avoid redundant scans
- Empty JARM hashes (no TLS server) are silently skipped
- 80 prober tests (jarm + worker discovery + bounty extraction)
 2026-04-14 12:22:20 -04:00
anti
ce2699455b feat: DECNET-PROBER standalone JARM fingerprinting service 
Add active TLS probing via JARM to identify C2 frameworks (Cobalt Strike,
Sliver, Metasploit) by their TLS server implementation quirks. Runs as a
detached host-level process — no container dependency.

- decnet/prober/jarm.py: pure-stdlib JARM implementation (10 crafted probes)
- decnet/prober/worker.py: standalone async worker with RFC 5424 + JSON output
- CLI: `decnet probe --targets ip:port` and `--probe-targets` on deploy
- Ingester: JARM bounty extraction (fingerprint type)
- 68 new tests covering JARM logic and bounty extraction
 2026-04-14 12:14:32 -04:00
anti
df3f04c10e revert: undo service badge filter, parser normalization, and SSH relay 
Reverts commits 8c249f6, a6c7cfd, 7ff5703. The SSH log relay approach
requires container redeployment and doesn't retroactively fix existing
attacker profiles. Rolling back to reassess the approach.
 2026-04-14 02:14:46 -04:00
anti
7ff5703250 feat: SSH log relay emits proper DECNET syslog for sshd events 
New log_relay.py replaces raw 'cat' on the rsyslog pipe. Intercepts
sshd and bash lines and re-emits them as structured RFC 5424 events:
login_success, session_opened, disconnect, connection_closed, command.
Parsers updated to accept non-nil PROCID (sshd uses PID).
 2026-04-14 02:07:35 -04:00
anti
a6c7cfdf66 fix: normalize SSH bash CMD lines to service=ssh, event_type=command 
The SSH honeypot logs commands via PROMPT_COMMAND logger as:
  <14>1 ... bash - - -  CMD uid=0 pwd=/root cmd=ls
These lines had service=bash and event_type=-, so the attacker worker
never recognized them as commands. Both the collector and correlation
parsers now detect the CMD pattern and normalize to service=ssh,
event_type=command, with uid/pwd/command in fields.
 2026-04-14 01:54:36 -04:00
anti
7ecb126c8e fix: cap commands endpoint limit to 200 
Requests with limit > 200 get a 422, and the frontend responds
accordingly.
 2026-04-14 01:46:37 -04:00
anti
f3bb0b31ae feat: paginated commands endpoint for attacker profiles 
New GET /attackers/{uuid}/commands?limit=&offset=&service= endpoint
serves commands with server-side pagination and optional service filter.
AttackerDetail frontend fetches commands from this endpoint with
page controls. Service badge filter now drives both the API query
and the local fingerprint filter.
 2026-04-14 01:45:19 -04:00
anti
8c249f6987 fix: service badges filter commands/fingerprints locally 
Clicking a service badge in the attacker detail view now filters the
commands and fingerprints sections on that page instead of navigating
away. Click again to clear. Header shows filtered/total counts.
 2026-04-14 01:38:24 -04:00
anti
24e0d98425 feat: add service filter to attacker profiles 
API now accepts ?service=https to filter attackers by targeted service.
Service badges are clickable in both the attacker list and detail views,
navigating to a filtered view. Active filter shows as a dismissable tag.
 2026-04-14 01:35:12 -04:00
anti
7756747787 fix: deduplicate sniffer fingerprint events 
Same (src_ip, event_type, fingerprint) tuple is now suppressed within a
5-minute window (configurable via DEDUP_TTL env var). Prevents the bounty
vault from filling up with identical JA3/JA4 rows from repeated connections.
 2026-04-14 01:24:44 -04:00
anti
e312e072e4 feat: add HTTPS honeypot service template 
TLS-wrapped variant of the HTTP honeypot. Auto-generates a self-signed
certificate on startup if none is provided. Supports all the same persona
options (fake_app, server_header, custom_body, etc.) plus TLS_CERT,
TLS_KEY, and TLS_CN configuration.
 2026-04-14 00:57:38 -04:00
anti
5631d09aa8 fix: reject empty HELO/EHLO with 501 per RFC 5321 
EHLO/HELO require a domain or address-literal argument. Previously
the server accepted bare EHLO with no argument and responded 250,
which deviates from the spec and makes the honeypot easier to
fingerprint.
 2026-04-14 00:30:46 -04:00
anti
c2f7622fbb fix: teardown --all now kills collector processes 
The collector kept streaming stale container IDs after a redeploy,
causing new service logs to never reach decnet.log. Now _kill_api()
also matches and SIGTERMs any running decnet.cli collect process.
 2026-04-14 00:17:57 -04:00
anti
8335c5dc4c fix: remove duplicate print() in _log() across all service templates 
Every service's _log() called print() then write_syslog_file() which also
calls print(), causing every log line to appear twice in Docker logs. The
collector streamed both copies, doubling ingested events. Removed the
redundant print() from all 22 service server.py files.
 2026-04-14 00:16:18 -04:00
anti
b71db65149 fix: SMTP server handles bare LF line endings and AUTH PLAIN continuation 
Two bugs fixed:
- data_received only split on CRLF, so clients sending bare LF (telnet, nc,
  some libraries) got no responses at all. Now splits on LF and strips
  trailing CR, matching real Postfix behavior.
- AUTH PLAIN without inline credentials set state to "await_plain" but no
  handler existed for that state, causing the next line to be dispatched as
  a normal command. Added the missing state handler.
 2026-04-13 23:46:50 -04:00
anti
fd62413935 feat: rich fingerprint rendering in attacker detail view 
Replace raw JSON dump with typed fingerprint cards:
- JA3/JA4/JA3S/JA4S shown as labeled hash rows with TLS version, SNI, ALPN tags
- JA4L displayed as prominent RTT/TTL metrics
- TLS session resumption mechanisms rendered as colored tags
- Certificate details with subject CN, issuer, validity, SANs, self-signed badge
- HTTP User-Agent and VNC client shown with monospace value display
- Generic fallback for unknown fingerprint types
 2026-04-13 23:24:37 -04:00
anti
ea340065c6 feat: JA4/JA4S/JA4L fingerprints, TLS session resumption, certificate extraction 
Extend the passive TLS sniffer with next-gen attacker fingerprinting:

- JA4 (ClientHello) and JA4S (ServerHello) computation with
  supported_versions, signature_algorithms, and ALPN parsing
- JA4L latency measurement via TCP SYN→SYN-ACK RTT tracking
- TLS session resumption detection (session tickets, PSK, 0-RTT early data)
- Certificate extraction for TLS ≤1.2 with minimal DER/ASN.1 parser
  (subject CN, issuer, SANs, validity period, self-signed flag)
- Ingester bounty extraction for all new fingerprint types
- 116 tests covering all new functionality (1255 total passing)
 2026-04-13 23:20:37 -04:00
anti
a022b4fed6 feat: attacker profiles — UUID model, API routes, list/detail frontend 
Migrate Attacker model from IP-based to UUID-based primary key with
auto-migration for old schema. Add GET /attackers (paginated, search,
sort) and GET /attackers/{uuid} API routes. Rewrite Attackers.tsx as
a card grid with full threat info and create AttackerDetail.tsx as a
dedicated detail page with back navigation, stats, commands table,
and fingerprints.
 2026-04-13 22:35:13 -04:00
anti
3dc5b509f6 feat: Phase 1 — JA3/JA3S sniffer, Attacker model, profile worker 
Add passive TLS fingerprinting via a sniffer container on the MACVLAN
interface, plus the Attacker table and periodic rebuild worker that
correlates per-IP profiles from Log + Bounty + CorrelationEngine.

- templates/sniffer/: Scapy sniffer with pure-Python TLS parser;
  emits tls_client_hello / tls_session RFC 5424 lines with ja3, ja3s,
  sni, alpn, raw_ciphers, raw_extensions; GREASE filtered per RFC 8701
- decnet/services/sniffer.py: service plugin (no ports, NET_RAW/NET_ADMIN)
- decnet/web/db/models.py: Attacker SQLModel table + AttackersResponse
- decnet/web/db/repository.py: 5 new abstract methods
- decnet/web/db/sqlite/repository.py: implement all 5 (upsert, pagination,
  sort by recent/active/traversals, bounty grouping)
- decnet/web/attacker_worker.py: 30s periodic rebuild via CorrelationEngine;
  extracts commands from log fields, merges fingerprint bounties
- decnet/web/api.py: wire attacker_profile_worker into lifespan
- decnet/web/ingester.py: extract JA3 bounty (fingerprint_type=ja3)
- development/DEVELOPMENT.md: full attacker intelligence collection roadmap
- pyproject.toml: scapy>=2.6.1 added to dev deps
- tests: test_sniffer_ja3.py (40+ vectors), test_attacker_worker.py,
  test_base_repo.py / test_web_api.py updated for new surface
 2026-04-13 20:22:08 -04:00
anti
c9be447a38 fix: set busy_timeout and WAL pragmas on every async SQLite connection 2026-04-13 19:17:53 -04:00
anti
62db686b42 chore: bump all dev deps to latest versions, suppress schemathesis filter_too_much health check 2026-04-13 19:08:28 -04:00
anti
57d395d6d7 fix: auth redirect, SSE reconnect, stats polling removal, active decky count, schemathesis health check
Some checks failed
CI / Lint (ruff) (push) Successful in 18s
Details
CI / SAST (bandit) (push) Successful in 19s
Details
CI / Dependency audit (pip-audit) (push) Failing after 27s
Details
CI / Test (Standard) (3.11) (push) Has been skipped
Details
CI / Test (Standard) (3.12) (push) Has been skipped
Details
CI / Test (Live) (3.11) (push) Has been skipped
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-13 18:33:32 -04:00
anti
ac094965b5 fix: redirect to login on expired/missing JWT and 401 responses 2026-04-13 08:17:57 -04:00
anti
435c004760 feat: extract HTTP User-Agent and VNC client version as fingerprint bounties
Some checks failed
CI / Lint (ruff) (push) Successful in 11s
Details
CI / SAST (bandit) (push) Successful in 14s
Details
CI / Dependency audit (pip-audit) (push) Successful in 24s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m2s
Details
CI / Test (Standard) (3.12) (push) Successful in 2m5s
Details
CI / Test (Live) (3.11) (push) Successful in 56s
Details
CI / Test (Fuzz) (3.11) (push) Failing after 6m25s
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-13 08:14:38 -04:00
anti
89a2132c61 fix: use semver 0.x.0 schema for auto-tagging
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 14s
Details
CI / Dependency audit (pip-audit) (push) Successful in 22s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m4s
Details
CI / Test (Standard) (3.12) (push) Successful in 2m6s
Details
CI / Test (Live) (3.11) (push) Successful in 57s
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
2026-04-13 08:05:32 -04:00
anti
3d01ca2c2a fix: resolve ruff lint errors (unused import, E402 import order)
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 14s
Details
CI / Dependency audit (pip-audit) (push) Successful in 27s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m7s
Details
CI / Test (Standard) (3.12) (push) Successful in 2m8s
Details
CI / Test (Live) (3.11) (push) Successful in 58s
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
2026-04-13 07:58:13 -04:00
anti
8124424e96 fix: replace trivy-action with direct install to avoid GitHub credential dependency
Some checks failed
CI / Lint (ruff) (push) Failing after 18s
Details
CI / SAST (bandit) (push) Successful in 18s
Details
CI / Dependency audit (pip-audit) (push) Successful in 27s
Details
CI / Test (Standard) (3.11) (push) Has been skipped
Details
CI / Test (Standard) (3.12) (push) Has been skipped
Details
CI / Test (Live) (3.11) (push) Has been skipped
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-13 07:56:44 -04:00
anti
a4da9b8f32 feat: embed changelog in release tag message
Some checks failed
CI / Dependency audit (pip-audit) (push) Has been cancelled
Details
CI / Test (Standard) (3.11) (push) Has been cancelled
Details
CI / Test (Standard) (3.12) (push) Has been cancelled
Details
CI / Test (Live) (3.11) (push) Has been cancelled
Details
CI / Lint (ruff) (push) Has been cancelled
Details
CI / SAST (bandit) (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
2026-04-13 07:54:37 -04:00
anti
448cb9cee0 chore: untrack .claude/settings.local.json (already covered by .gitignore)
Some checks failed
CI / Lint (ruff) (push) Has been cancelled
Details
CI / SAST (bandit) (push) Has been cancelled
Details
CI / Dependency audit (pip-audit) (push) Has been cancelled
Details
CI / Test (Standard) (3.11) (push) Has been cancelled
Details
CI / Test (Standard) (3.12) (push) Has been cancelled
Details
CI / Test (Live) (3.11) (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
2026-04-13 07:45:12 -04:00
anti
035499f255 feat: add component-aware RFC 5424 application logging system 
- Modify Rfc5424Formatter to read decnet_component from LogRecord
  and use it as RFC 5424 APP-NAME field (falls back to 'decnet')
- Add get_logger(component) factory in decnet/logging/__init__.py
  with _ComponentFilter that injects decnet_component on each record
- Wire all five layers to their component tag:
    cli -> 'cli', engine -> 'engine', api -> 'api' (api.py, ingester,
    routers), mutator -> 'mutator', collector -> 'collector'
- Add structured INFO/DEBUG/WARNING/ERROR log calls throughout each
  layer per the defined vocabulary; DEBUG calls are suppressed unless
  DECNET_DEVELOPER=true
- Add tests/test_logging.py covering factory, filter, formatter
  component-awareness, fallback behaviour, and level gating
 2026-04-13 07:39:01 -04:00
anti
0706919469 modified: gitignore to ignore temporary log files
All checks were successful
CI / Lint (ruff) (push) Successful in 17s
Details
CI / SAST (bandit) (push) Successful in 16s
Details
CI / Dependency audit (pip-audit) (push) Successful in 26s
Details
CI / Test (Standard) (3.11) (push) Successful in 2m8s
Details
CI / Test (Standard) (3.12) (push) Successful in 2m12s
Details
CI / Test (Live) (3.11) (push) Successful in 58s
Details
CI / Test (Fuzz) (3.11) (push) Successful in 6m45s
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
CI / Merge dev → testing (push) Successful in 11s
Details
2026-04-13 01:44:52 -04:00
anti
f2cc585d72 fix: align tests with model validation and API error reporting 2026-04-13 01:43:52 -04:00
anti
89abb6ecc6 Merge branch 'dev' of https://git.resacachile.cl/anti/DECNET into dev
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 14s
Details
CI / Dependency audit (pip-audit) (push) Successful in 23s
Details
CI / Test (Standard) (3.11) (push) Successful in 1m33s
Details
CI / Test (Standard) (3.12) (push) Successful in 1m35s
Details
CI / Test (Live) (3.11) (push) Successful in 56s
Details
CI / Test (Fuzz) (3.11) (push) Failing after 4m8s
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-12 08:02:06 -04:00
anti
03f5a7826f Fix: resolved sqlite concurrency errors (table users already exists) by moving DDL to explicit async initialize() and implementing lazy singleton dependency. 2026-04-12 08:01:21 -04:00
anti
a5eaa3291e Fix: resolved sqlite concurrency errors (table users already exists) by moving DDL to explicit async initialize() and implementing lazy singleton dependency.
Some checks failed
CI / SAST (bandit) (push) Successful in 15s
Details
CI / Lint (ruff) (push) Failing after 18s
Details
CI / Dependency audit (pip-audit) (push) Successful in 26s
Details
CI / Test (Standard) (3.11) (push) Has been skipped
Details
CI / Test (Standard) (3.12) (push) Has been skipped
Details
CI / Test (Live) (3.11) (push) Has been skipped
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-12 07:59:45 -04:00
anti
b2e4706a14 Refactor: implemented Repository Factory and Async Mutator Engine. Decoupled storage logic and enforced Dependency Injection across CLI and Web API. Updated documentation.
Some checks failed
CI / Lint (ruff) (push) Successful in 12s
Details
CI / SAST (bandit) (push) Successful in 13s
Details
CI / Dependency audit (pip-audit) (push) Successful in 22s
Details
CI / Test (Standard) (3.11) (push) Failing after 54s
Details
CI / Test (Standard) (3.12) (push) Successful in 1m35s
Details
CI / Test (Live) (3.11) (push) Has been skipped
Details
CI / Test (Fuzz) (3.11) (push) Has been skipped
Details
CI / Merge dev → testing (push) Has been skipped
Details
CI / Prepare Merge to Main (push) Has been skipped
Details
CI / Finalize Merge to Main (push) Has been skipped
Details
2026-04-12 07:48:17 -04:00
anti
6095d0d2ed ci: solidify promotion dependencies with explicit test list
Some checks failed
CI / Lint (ruff) (push) Successful in 11s
Details
CI / SAST (bandit) (push) Successful in 12s
Details
CI / Dependency audit (pip-audit) (push) Successful in 21s
Details
CI / Test (Standard) (3.11) (push) Successful in 1m9s
Details
CI / Test (Standard) (3.12) (push) Successful in 1m11s
Details
CI / Test (Live) (3.11) (push) Successful in 54s
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
2026-04-12 04:24:29 -04:00
anti
04685ba1c4 ci: reorder heavy tests (Live before Fuzz) 2026-04-12 04:22:33 -04:00
anti
2ce3f7ee90 ci: delegate release tagging and versioning to release.yml 2026-04-12 04:21:28 -04:00
anti
cb4bac4b42 ci: segment pytest into standard, fuzz, and live categories
Some checks failed
CI / Lint (ruff) (push) Successful in 11s
Details
CI / SAST (bandit) (push) Successful in 12s
Details
CI / Dependency audit (pip-audit) (push) Successful in 22s
Details
CI / Test (Standard) (3.11) (push) Successful in 1m10s
Details
CI / Test (Standard) (3.12) (push) Successful in 1m13s
Details
CI / Test (Live) (3.11) (push) Has been cancelled
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Prepare Merge to Main (push) Has been cancelled
Details
CI / Finalize Merge to Main (push) Has been cancelled
Details
CI / Test (Fuzz) (3.11) (push) Has been cancelled
Details
2026-04-12 04:17:05 -04:00
anti
8d5944f775 ci: implement automated RC flow and finalize optimizations on dev 2026-04-12 04:15:42 -04:00
anti
ea9f7e734b ci: sequential checks, heavy pytest, and skip ci on auto-merge 2026-04-12 03:55:12 -04:00
anti
fe18575a9c modified: pyproject, moved [live] deps to [dev] deps.
All checks were successful
CI / Lint (ruff) (push) Successful in 11s
Details
CI / Test (pytest) (3.11) (push) Successful in 1m19s
Details
CI / Test (pytest) (3.12) (push) Successful in 1m22s
Details
CI / SAST (bandit) (push) Successful in 12s
Details
CI / Dependency audit (pip-audit) (push) Successful in 21s
Details
CI / Merge dev → testing (push) Successful in 10s
Details
CI / Open PR to main (push) Has been skipped
Details
2026-04-12 03:49:20 -04:00
anti
0f63820ee6 chore: fix unused imports in tests and update development roadmap
Some checks failed
CI / Lint (ruff) (push) Successful in 16s
Details
CI / Test (pytest) (3.11) (push) Failing after 34s
Details
CI / Test (pytest) (3.12) (push) Failing after 36s
Details
CI / SAST (bandit) (push) Successful in 12s
Details
CI / Merge dev → testing (push) Has been cancelled
Details
CI / Open PR to main (push) Has been cancelled
Details
CI / Dependency audit (pip-audit) (push) Has been cancelled
Details
2026-04-12 03:46:23 -04:00
anti
fdc404760f moved: mermaid graph to development folder 2026-04-12 03:42:43 -04:00
anti
95190946e0 moved: AST graphs into develpment/ folder 2026-04-12 03:42:08 -04:00
anti
1692df7360 deleted: trash vscode stuff 2026-04-12 03:41:15 -04:00
anti
aac39e818e Docs: Generated full coverage report in development/COVERAGE.md 2026-04-12 03:36:13 -04:00
anti
ff38d58508 Testing: Stabilized test suite and achieved 93% total coverage. 
- Fixed CLI tests by patching local imports at source (psutil, os, Path).
- Fixed Collector tests by globalizing docker.from_env mock.
- Stabilized SSE stream tests via AsyncMock and immediate generator termination to prevent hangs.
- Achieved >80% coverage on CLI (84%), Collector (97%), and DB Repository (100%).
- Implemented SMTP Relay service tests (100%).
 2026-04-12 03:30:06 -04:00
anti
f78104e1c8 fix: resolve all ruff lint errors and SQLite UNIQUE constraint issue 
Ruff fixes (20 errors → 0):
- F401: Remove unused imports (DeckyConfig, random_hostname, IniConfig,
  COMPOSE_FILE, sys, patch) across cli.py, mutator/engine.py,
  templates/ftp, templates/rdp, test_mysql.py, test_postgres.py
- F541: Remove extraneous f-prefixes on strings with no placeholders
  in templates/imap, test_ftp_live, test_http_live
- E741: Rename ambiguous variable 'l' to descriptive names (line, entry,
  part) across conftest.py, test_ftp_live, test_http_live,
  test_mongodb_live, test_pop3, test_ssh

SQLite fix:
- Change _initialize_sync() admin seeding from SELECT-then-INSERT to
  INSERT OR IGNORE, preventing IntegrityError when admin user already
  exists from a previous run
 2026-04-12 02:17:50 -04:00
anti
99be4e64ad ci: rework pipeline to dev → testing → main promotion 
- Add merge-to-testing job: after all CI checks pass on dev, auto-merge
  into testing with --no-ff for clear merge history
- Move open-pr job to trigger on testing branch instead of dev
- PR now opens testing → main instead of dev → main
- Add bandit and pip-audit jobs to pr.yml PR gate for full suite coverage
- PR gate test job now installs dev dependencies consistently
 2026-04-12 02:11:24 -04:00
anti
c3c1cd2fa6 modified: .gitignore
Some checks failed
CI / Lint (ruff) (push) Failing after 16s
Details
CI / Test (pytest) (3.11) (push) Failing after 47s
Details
CI / Test (pytest) (3.12) (push) Failing after 49s
Details
CI / SAST (bandit) (push) Successful in 12s
Details
CI / Dependency audit (pip-audit) (push) Successful in 23s
Details
CI / Open PR to main (push) Has been skipped
Details
2026-04-12 02:03:49 -04:00
anti
68b13b8a59 added: decnet_logging.py stub for telnet monitoring 2026-04-12 02:03:06 -04:00
anti
f8bb134d70 added: fixed mssql service 2026-04-12 02:01:45 -04:00
anti
20fba18711 fix(telnet): disable imklog in rsyslog — containers cannot access /proc/kmsg 2026-04-12 01:45:46 -04:00
anti
b325fc8c5f fix(logging): silence Twisted internal logs and Werkzeug startup banner from stdout 2026-04-12 01:43:42 -04:00
anti
1484d2f625 fix(telnet): use busybox-static for telnetd applet, rm stale fifo on restart 2026-04-12 01:39:31 -04:00
anti
f8ae9ce2a6 refactor(deps): move live test deps to pyproject.toml optional-dependencies[live] 2026-04-12 01:35:16 -04:00
anti
662a5e43e8 feat(tests): add live subprocess integration test suite for services 
Spins up each service's server.py in a real subprocess via a free ephemeral
port (PORT env var), connects with real protocol clients, and asserts both
correct protocol behavior and RFC 5424 log output.

- 44 live tests across 10 services: http, ftp, smtp, redis, mqtt,
  mysql, postgres, mongodb, pop3, imap
- Shared conftest.py: _ServiceProcess (bg reader thread + queue),
  free_port, live_service fixture, assert_rfc5424 helper
- PORT env var added to all 10 targeted server.py templates
- New pytest marker `live`; excluded from default addopts run
- requirements-live-tests.txt: flask, twisted + protocol clients
 2026-04-12 01:34:16 -04:00
anti
d63e396410 fix(protocols): guard against zero/malformed length fields in binary protocol parsers 
MongoDB had the same infinite-loop bug as MSSQL (msg_len=0 → buffer never
shrinks in while loop). Postgres, MySQL, and MQTT had related length-field
issues (stuck state, resource exhaustion, overlong remaining-length).

Also fixes an existing MongoDB _op_reply struct.pack format bug (extra 'q'
specifier caused struct.error on any OP_QUERY response).

Adds 53 regression + protocol boundary tests across MSSQL, MongoDB,
Postgres, MySQL, and MQTT, including a _run_with_timeout threading harness
to catch infinite loops and @pytest.mark.fuzz hypothesis tests for each.
 2026-04-12 01:01:13 -04:00
anti
65d585569b fix(telnet): replace Cowrie with real busybox telnetd + rsyslog logging 
Cowrie was exposing an SSH daemon on port 22 alongside the telnet service
even when COWRIE_SSH_ENABLED=false, contaminating deployments that did not
request an SSH service.

New implementation mirrors the SSH service pattern:
- busybox telnetd in foreground mode on port 23
- /bin/login for real PAM authentication (brute-force attempts logged)
- rsyslog RFC 5424 bridge piped to stdout for Docker log capture
- Configurable root password and hostname via env vars
- No Cowrie dependency
 2026-04-12 00:34:45 -04:00
anti
c384a3103a refactor: separate engine, collector, mutator, and fleet into independent subpackages 
- decnet/engine/ — container lifecycle (deploy, teardown, status); _kill_api removed
- decnet/collector/ — Docker log streaming (moved from web/collector.py)
- decnet/mutator/ — mutation engine (no longer imports from cli or duplicates deployer code)
- decnet/fleet.py — shared decky-building logic extracted from cli.py

Cross-contamination eliminated:
- web router no longer imports from decnet.cli
- mutator no longer imports from decnet.cli
- cli no longer imports from decnet.web
- _kill_api() moved to cli (process management, not engine concern)
- _compose_with_retry duplicate removed from mutator
 2026-04-12 00:26:22 -04:00
anti
c79f96f321 refactor(ssh): consolidate real_ssh into ssh, remove duplication 
real_ssh was a separate service name pointing to the same template and
behaviour as ssh. Merged them: ssh is now the single real-OpenSSH service.

- Rename templates/real_ssh/ → templates/ssh/
- Remove decnet/services/real_ssh.py
- Deaddeck archetype updated: services=["ssh"]
- Merge test_real_ssh.py into test_ssh.py (includes deaddeck + logging tests)
- Drop decnet.services.real_ssh from test_build module list
 2026-04-11 19:51:41 -04:00
anti
d77def64c4 fix(cli): import Path locally in deploy to fix NameError 2026-04-11 19:46:58 -04:00
anti
ce182652ad fix(cli): add __main__ guard so python -m decnet.cli actually runs the app 
The collector subprocess was spawned via 'python3 -m decnet.cli collect'
but cli.py had no 'if __name__ == __main__: app()' guard. Python executed
the module, defined all functions, then exited cleanly with code 0 without
ever calling the collect command. No output, no log file, exit 0 — silent
non-start every time.

Also route collector stderr to <log_file>.collector.log so future crashes
are visible instead of disappearing into DEVNULL.
 2026-04-11 19:42:10 -04:00
anti
a6063efbb9 fix(collector): daemonize background subprocesses with start_new_session 
Collector and mutator watcher subprocesses were spawned without
start_new_session=True, leaving them in the parent's process group.
SIGHUP (sent when the controlling terminal closes) killed both
processes silently — stdout/stderr were DEVNULL so the crash was
invisible.

Also update test_services and test_composer to reflect the ssh plugin
no longer using Cowrie env vars (replaced with SSH_ROOT_PASSWORD /
SSH_HOSTNAME matching the real_ssh plugin).
 2026-04-11 19:36:46 -04:00
anti
d4ac53c0c9 feat(ssh): replace Cowrie with real OpenSSH + rsyslog logging pipeline 
Scraps the Cowrie emulation layer. The real_ssh template now runs a
genuine sshd backed by a three-layer logging stack forwarded to stdout
as RFC 5424 for the DECNET collector:

  auth,authpriv.*  → rsyslogd → named pipe → stdout  (logins/failures)
  user.*           → rsyslogd → named pipe → stdout  (PROMPT_COMMAND cmds)
  sudo syslog=auth → rsyslogd → named pipe → stdout  (privilege escalation)
  sudo logfile     → /var/log/sudo.log               (local backup with I/O)

The ssh.py service plugin now points to templates/real_ssh and drops all
COWRIE_* / NODE_NAME env vars, sharing the same compose fragment shape as
real_ssh.py.
 2026-04-11 19:12:54 -04:00
anti
9ca3b4691d docs(roadmap): tick completed service implementations 2026-04-11 04:02:50 -04:00
anti
babad5ce65 refactor(collector): use state file for container detection, drop label heuristics 
_load_service_container_names() reads decnet-state.json and builds the
exact set of expected container names ({decky}-{service}). is_service_container()
and is_service_event() do a direct set lookup — no regex, no label
inspection, no heuristics.
 2026-04-11 03:58:52 -04:00
anti
7abae5571a fix(collector): fix container detection and auto-start on deploy 
Two bugs caused the log file to never be written:

1. is_service_container() used regex '^decky-\d+-\w' which only matched
   the old decky-01-smtp naming style. Actual containers are named
   omega-decky-smtp, relay-decky-smtp, etc. Fixed by using Docker Compose
   labels instead: com.docker.compose.project=decnet + non-empty
   depends_on discriminates service containers from base (sleep infinity)
   containers reliably regardless of decky naming convention.
   Added is_service_event() for the Docker events path.

2. The collector was only started when --api was used. Added a 'collect'
   CLI subcommand (decnet collect --log-file <path>) and wired it into
   deploy as an auto-started background process when --api is not in use.
   Default log path: /var/log/decnet/decnet.log
 2026-04-11 03:56:53 -04:00
anti
377ba0410c feat(deploy): add --parallel flag for concurrent image builds 
When --parallel is set:
- DOCKER_BUILDKIT=1 is injected into the subprocess environment to
  ensure BuildKit is active regardless of host daemon config
- docker compose build runs first (all images built concurrently)
- docker compose up -d follows without --build (no redundant checks)

Without --parallel the original up --build path is preserved.
--parallel and --no-cache compose correctly (build --no-cache).
 2026-04-11 03:46:52 -04:00
anti
5ef48d60be fix(conpot): add syslog bridge entrypoint for logging pipeline 
Conpot is a third-party app with its own Python logger — it never calls
decnet_logging. Added entrypoint.py as a subprocess wrapper that:
- Launches conpot and captures its stdout/stderr
- Classifies each line (startup/request/warning/error/log)
- Extracts source IPs via regex
- Emits RFC 5424 syslog lines to stdout for Docker/collector pickup

Entrypoint is self-contained (no import of shared decnet_logging.py)
because the conpot base image runs Python 3.6, which cannot parse the
dict[str, Any] / str | None type syntax used in the canonical file.
 2026-04-11 03:44:41 -04:00
anti
fe46b8fc0b fix(conpot): use honeynet/conpot:latest base, run as conpot user 
The BASE_IMAGE build arg was being unconditionally overwritten by
composer.py with the decky's distro build_base (debian:bookworm-slim),
turning the conpot container into a bare Debian image with no conpot
installation — hence the silent restart loop.

Two fixes:
1. composer.py: use args.setdefault() so services that pre-declare
   BASE_IMAGE in their compose_fragment() win over the distro default.
2. conpot.py: pre-declare BASE_IMAGE=honeynet/conpot:latest in build
   args so it always uses the upstream image regardless of decky distro.

Also removed the USER decnet switch from the conpot Dockerfile. The
upstream image already runs as the non-root 'conpot' user; switching to
'decnet' broke pkg_resources because conpot's eggs live under
/home/conpot/.local and are only on sys.path for that user.
 2026-04-11 03:32:11 -04:00
anti
c7713c6228 feat(imap,pop3): full IMAP4rev1 + POP3 bait mailbox implementation 
IMAP: extended to full IMAP4rev1 — 10 bait emails (AWS keys, DB creds,
tokens, VPN config, root pw etc.), LIST/LSUB/STATUS/FETCH/UID FETCH/
SEARCH/CLOSE/NOOP, proper SELECT untagged responses (EXISTS, UIDNEXT,
FLAGS, PERMANENTFLAGS), CAPABILITY with IDLE/LITERAL+/AUTH=PLAIN.
FETCH correctly handles sequence sets (1:*, 1:3, *), item dispatch
(FLAGS, ENVELOPE, BODY[], RFC822, RFC822.SIZE), and places body literals
last per RFC 3501.

POP3: extended with same 10 bait emails, fixed banner env var key
(POP3_BANNER not IMAP_BANNER), CAPA fully populated (TOP/UIDL/USER/
RESP-CODES/SASL), TOP (headers + N body lines), UIDL (msg-N format),
DELE/RSET with _deleted set tracking, NOOP. _active_messages() helper
excludes DELE'd messages from STAT/LIST/UIDL.

Both: DEBT-026 stub added (_EMAIL_SEED_PATH env var, documented in
DEBT.md for next-session JSON seed file wiring).

Tests: test_imap.py expanded to 27 cases, test_pop3.py to 22 cases —
860 total tests passing.
 2026-04-11 03:12:32 -04:00
anti
1196363d0b feat(os_fingerprint): Phase 2 — add icmp_ratelimit + icmp_ratemask sysctls 
Windows: both 0 (no ICMP rate limiting — matches real Windows behavior)
Linux: 1000ms / mask 6168 (kernel defaults)
BSD: 250ms / mask 6168 (FreeBSD default is faster than Linux)
Embedded/Cisco: both 0 (most firmware doesn't rate-limit ICMP)

These affect nmap's IE and U1 probe groups which measure ICMP error
response timing to closed UDP ports. Windows responds to all probes
instantly while Linux throttles to ~1/sec.

Tests: 10 new cases (5 per sysctl). Suite: 822 passed.
 2026-04-10 16:41:23 -04:00
anti
62a67f3d1d docs(HARDENING): rewrite roadmap based on live scan findings 
Phase 1 is complete. Live testing revealed:
- Window size (64240) is already correct — Phase 2 window mangling unnecessary
- TI=Z (IP ID = 0) is the single remaining blocker for Windows spoofing
- ip_no_pmtu_disc does NOT fix TI=Z (tested and confirmed)

Revised phase plan:
- Phase 2: ICMP tuning (icmp_ratelimit + icmp_ratemask sysctls)
- Phase 3: NFQUEUE daemon for IP ID rewriting (fixes TI=Z)
- Phase 4: diminishing returns, not recommended

Added detailed NFQUEUE architecture, TCPOPTSTRIP notes, and
note clarifying P= field in nmap output.
 2026-04-10 16:38:27 -04:00
anti
6df2c9ccbf revert(os_fingerprint): undo ip_no_pmtu_disc=1 for windows — was incorrect 
ip_no_pmtu_disc controls PMTU discovery for UDP/ICMP paths only.
TI=Z originates from ip_select_ident() in the kernel TCP stack setting
IP ID=0 for DF=1 TCP packets — a namespace-scoped sysctl cannot change this.
The previous commit was based on incorrect root-cause analysis.
 2026-04-10 16:29:44 -04:00
anti
b1f6c3b84a fix(os_fingerprint): set ip_no_pmtu_disc=1 for windows to eliminate TI=Z 
When ip_no_pmtu_disc=0 the Linux kernel sets DF=1 on TCP packets and uses
IP ID=0 (RFC 6864). nmap's TI=Z fingerprint has no Windows match in its DB,
causing 91% confidence guesses of 'Linux 2.4/2.6 embedded' regardless of
TTL being 128. Setting ip_no_pmtu_disc=1 allows non-zero IP ID generation.

Trade-off: DF bit is not set on outgoing packets (slightly wrong for Windows)
but TI=Z is far more damaging to the spoof than losing DF accuracy.
 2026-04-10 16:19:32 -04:00
anti
5fdfe67f2f fix(cowrie): add missing COPY+chmod for entrypoint.sh in Dockerfile 
The entrypoint.sh was present in the build context but never COPYed into
the image, causing 'stat /entrypoint.sh: no such file or directory' at
container start. Added COPY+chmod before the USER decnet instruction so
the script is installed as root and is executable by all users.
 2026-04-10 16:15:05 -04:00
anti
4fac9570ec chore: add arche-test.ini OS fingerprint smoke-test fleet 2026-04-10 16:11:18 -04:00
anti
5e83c9e48d feat(os_fingerprint): Phase 1 — extend OS sysctls with 6 new fingerprint knobs 
Add tcp_timestamps, tcp_window_scaling, tcp_sack, tcp_ecn, ip_no_pmtu_disc,
and tcp_fin_timeout to every OS profile in OS_SYSCTLS.

All 6 are network-namespace-scoped and safe to set per-container without
--privileged. They directly influence nmap's OPS, WIN, ECN, and T2-T6
probe groups, making OS family detection significantly more convincing.

Key changes:
- tcp_timestamps=0 for windows/embedded/cisco (strongest Windows discriminator)
- tcp_ecn=2 for linux (ECN offer), 0 for all others
- tcp_sack=0 / tcp_window_scaling=0 for embedded/cisco
- ip_no_pmtu_disc=1 for embedded/cisco (DF bit ICMP behaviour)
- Expose _REQUIRED_SYSCTLS frozenset for completeness assertions

Tests: 88 new test cases across all OS families and composer integration.
Total suite: 812 passed.
 2026-04-10 16:06:36 -04:00
anti
d8457c57f3 docs: add OS fingerprint spoofing hardening roadmap 2026-04-10 16:02:00 -04:00
anti
38d37f862b docs: Detail attachable Swarm overlay backend in FUTURE.md 2026-04-10 03:00:03 -04:00
anti
fa8b0f3cb5 docs: Add latency simulation to FUTURE.md 2026-04-10 02:53:00 -04:00
anti
db425df6f2 docs: Add FUTURE.md to capture long-term architectural visions 2026-04-10 02:48:28 -04:00
anti
73e68388c0 fix(conpot): Refactor permissions to use dedicated decnet user via chown 2026-04-10 02:27:02 -04:00
anti
682322d564 fix(conpot): Resolve silent crash by running as nobody and ensuring permissions 2026-04-10 02:25:45 -04:00
anti
33885a2eec fix(conpot): Keep container as root to allow port 502 binding and fix user not found error 2026-04-10 02:20:46 -04:00
anti
f583b3d699 fix(services): Resolve protocol realism gaps and update technical debt register 
- Add dynamic challenge nonces to Postgres, VNC, and SIP.
- Add basic keyspace lookup and mock data to Redis.
- Correct MSSQL TDS pre-login offset bounds.
- Support MongoDB OP_MSG handshake version checking.
- Suppress Werkzeug HTTP server headers and normalize FTPAnonymousShell response.
- Add tracking for Dynamic Bait Store (DEBT-027) via DEBT.md.
 2026-04-10 02:16:42 -04:00
anti
5cb6666d7b docs: Append bug ledger implementation plan to REALISM_AUDIT.md 2026-04-10 01:58:23 -04:00
anti
25b6425496 Update REALISM_AUDIT.md with completed tasks 2026-04-10 01:55:14 -04:00
anti
08242a4d84 Implement ICS/SCADA and IMAP Bait features 2026-04-10 01:50:08 -04:00
anti
63fb477e1f feat: add smtp_relay service; add service_testing/ init 
- decnet/services/smtp_relay.py: open relay variant of smtp, same template
  with SMTP_OPEN_RELAY=1 baked into the environment
- tests/service_testing/__init__.py: init so pytest discovers the subdirectory
 2026-04-10 01:09:15 -04:00
anti
94f82c9089 feat(smtp): fix DATA state machine; add SMTP_OPEN_RELAY mode 
- Buffer DATA body until CRLF.CRLF terminator — fixes 502-on-every-body-line bug
- SMTP_OPEN_RELAY=1: AUTH accepted (235), RCPT TO accepted for any domain,
  full DATA pipeline with queued-as message ID
- Default (SMTP_OPEN_RELAY=0): credential harvester — AUTH rejected (535)
  but connection stays open, RCPT TO returns 554 relay denied
- SASL PLAIN and LOGIN multi-step AUTH both decoded and logged
- RSET clears all per-transaction state
- Add development/SMTP_RELAY.md, IMAP_BAIT.md, ICS_SCADA.md, BUG_FIXES.md
  (live-tested service realism plans)
 2026-04-10 01:03:47 -04:00
anti
40cd582253 fix: restore forward_syslog as no-op stub; all service server.py files import it 2026-04-10 00:43:50 -04:00
anti
24f02c3466 fix: resolve all bandit SAST findings in templates/ 
- Add # nosec B104 to all intentional 0.0.0.0 binds in honeypot servers
  (hardcoded_bind_all_interfaces is by design — deckies must accept attacker connections)
- Add # nosec B101 to assert statements used for protocol validation in ldap/snmp
- Add # nosec B105 to fake SASL placeholder in ldap
- Add # nosec B108 to /tmp usage in smb template
- Exclude root-owned auto-generated decnet_logging.py copies from bandit scan
  via pyproject.toml [tool.bandit] config (synced by _sync_logging_helper at deploy)
 2026-04-10 00:24:40 -04:00
anti
25ba3fb56a feat: replace bind-mount log pipeline with Docker log streaming 
Services now print RFC 5424 to stdout; Docker captures via json-file driver.
A new host-side collector (decnet.web.collector) streams docker logs from all
running decky service containers and writes RFC 5424 + parsed JSON to the host
log file. The existing ingester continues to tail the .json file unchanged.
rsyslog can consume the .log file independently — no DECNET involvement needed.

Removes: bind-mount volume injection, _LOG_NETWORK bridge, log_target config
field and --log-target CLI flag, TCP syslog forwarding from service templates.
 2026-04-10 00:14:14 -04:00
anti
8d023147cc fix: chmod 777 log dir on compose generation so container decnet user can write logs 2026-04-09 19:36:53 -04:00
anti
14f7a535db fix: use model_dump(mode='json') to serialize datetime fields; fixes SSE stream silently dying post-ORM migration 2026-04-09 19:29:27 -04:00
anti
cea6279a08 fix: add Last-Event-ID to CORS allow_headers to unblock SSE reconnects 2026-04-09 19:26:24 -04:00
anti
6b8392102e fix: emit stats/histogram snapshot on SSE connect; remove polling api.get('/stats') from Dashboard 2026-04-09 19:23:24 -04:00
anti
d2a569496d fix: add get_stream_user dependency for SSE endpoint; allow query-string token for EventSource 2026-04-09 19:20:38 -04:00
anti
f20e86826d fix: derive default CORS origin from DECNET_WEB_HOST/PORT instead of hardcoded ports 2026-04-09 19:15:45 -04:00
anti
29da2a75b3 fix: add localhost:9090 to CORS defaults; revert broken relative-URL and proxy changes 2026-04-09 19:14:40 -04:00
anti
3362325479 fix: resolve CORS blocking Vite dev server (add 5173 to defaults, add proxy) 2026-04-09 19:10:10 -04:00
anti
34a57d6f09 fix: make setcap resilient — no-op when Python absent or symlink-only 2026-04-09 19:04:52 -04:00
anti
016115a523 fix: clear all addressable technical debt (DEBT-005 through DEBT-025) 
Security:
- DEBT-008: remove query-string token auth; header-only Bearer now enforced
- DEBT-013: add regex constraint ^[a-z0-9\-]{1,64}$ on decky_name path param
- DEBT-015: stop leaking raw exception detail to API clients; log server-side
- DEBT-016: validate search (max_length=512) and datetime params with regex

Reliability:
- DEBT-014: wrap SSE event_generator in try/except; yield error frame on failure
- DEBT-017: emit log.warning/error on DB init retry; silent failures now visible

Observability / Docs:
- DEBT-020: add 401/422 response declarations to all route decorators

Infrastructure:
- DEBT-018: add HEALTHCHECK to all 24 template Dockerfiles
- DEBT-019: add USER decnet + setcap cap_net_bind_service to all 24 Dockerfiles
- DEBT-024: bump Redis template version 7.0.12 → 7.2.7

Config:
- DEBT-012: validate DECNET_API_PORT and DECNET_WEB_PORT range (1-65535)

Code quality:
- DEBT-010: delete 22 duplicate decnet_logging.py copies; deployer injects canonical
- DEBT-022: closed as false positive (print only in module docstring)
- DEBT-009: closed as false positive (templates already use structured syslog_line)

Build:
- DEBT-025: generate requirements.lock via pip freeze

Testing:
- DEBT-005/006/007: comprehensive test suite added across tests/api/
- conftest: in-memory SQLite + StaticPool + monkeypatched session_factory
- fuzz mark added; default run excludes fuzz; -n logical parallelism

DEBT.md updated: 23/25 items closed; DEBT-011 (Alembic) and DEBT-023 (digest pinning) remain
 2026-04-09 19:02:51 -04:00
anti
0166d0d559 fix: clean up db layer — model_dump, timezone-aware timestamps, unified histogram, async load_state 2026-04-09 18:46:35 -04:00
anti
dbf6d13b95 fix: use :memory: + StaticPool for test DBs, eliminates file:testdb_* garbage 2026-04-09 18:39:36 -04:00
anti
d15c106b44 test: fix async fixture isolation, add fuzz marks, parallelize with xdist 
- Rebuild repo.engine and repo.session_factory per-test using unique
  in-memory SQLite URIs — fixes KeyError: 'access_token' caused by
  stale session_factory pointing at production DB
- Add @pytest.mark.fuzz to all Hypothesis and Schemathesis tests;
  default run excludes them (addopts = -m 'not fuzz')
- Add missing fuzz tests to bounty, fleet, histogram, and repository
- Use tmp_path for state file in patch_state_file/mock_state_file to
  eliminate file-path race conditions under xdist parallelism
- Set default addopts: -v -q -x -n logical (26 tests in ~7s)
 2026-04-09 18:32:46 -04:00
anti
6fc1a2a3ea test: refactor suite to use AsyncClient, in-memory DBs, and parallel coverage 2026-04-09 16:43:49 -04:00
anti
de84cc664f refactor: migrate database to SQLModel and implement modular DB structure 2026-04-09 16:43:30 -04:00
anti
1541b4b7e0 docs: close DEBT-002 as by-design 2026-04-09 13:25:40 -04:00
anti
2b7d872ab7 fix: revert DECNET_ADMIN_PASSWORD to default 'admin'; first-login change enforces security 2026-04-09 13:25:29 -04:00
anti
4ae6f4f23d test: expand coverage 64%→76%; add BUGS.md for Gemini migration issues 2026-04-09 12:55:52 -04:00
anti
310c2a1fbe feat: add pytest-asyncio, freezegun, schemathesis, pytest-cov to test toolchain 2026-04-09 12:40:59 -04:00
anti
44de453bb2 refactor: modularize API tests to match router structure 2026-04-09 12:32:31 -04:00
anti
ec66e01f55 fix: add missing __init__.py to tests/api subpackages to fix relative imports 2026-04-09 12:24:09 -04:00
anti
a22f996027 docs: mark DEBT-001–004 as resolved in DEBT.md 2026-04-09 12:14:16 -04:00
anti
b6b046c90b fix: harden startup security — require strong secrets, restrict CORS 
- decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now
  required env vars; startup raises ValueError if unset or set to a
  known-bad default ("admin", "password", etc.)
- decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to
  http://localhost:8080) replacing the previous allow_origins=["*"]
- decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods
  and allow_headers to explicit lists
- tests/conftest.py: set required env vars at module level so test
  collection works without real credentials
- tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD
  from env instead of hardcoded "admin"

Closes DEBT-001, DEBT-002, DEBT-004
 2026-04-09 12:13:22 -04:00
anti
29a2cf2738 refactor: modularize API routes into separate files and clean up dependencies 2026-04-09 11:58:57 -04:00
anti
551664bc43 fix: stabilize test suite by ensuring proper test DB isolation and initialization 2026-04-09 02:31:14 -04:00
anti
a2d07bd67c fix: refactor Bounty UI to match dashboard style and fix layout 2026-04-09 02:00:49 -04:00
anti
a3b92d4dd6 docs: tag API endpoints for better organization 2026-04-09 01:58:54 -04:00
anti
30edf9a55d feat: add DECNET_DEVELOPER toggle for API documentation 2026-04-09 01:55:31 -04:00
anti
69626d705d feat: implement Bounty Vault for captured credentials and artifacts 2026-04-09 01:52:50 -04:00
anti
0f86f883fe fix: resolve remaining bandit warnings and stabilize lifespan 2026-04-09 01:35:08 -04:00
anti
13f3d15a36 fix: stabilize tests with synchronous DB init and handle Bandit security findings 2026-04-09 01:33:15 -04:00
anti
8c7ec2953e fix: handle bcrypt 72-byte limit and increase JWT secret length 2026-04-09 01:11:32 -04:00
anti
0123e1c69e fix: suppress noisy cleanup warnings in pytest and fix fleet test auth 2026-04-09 01:05:34 -04:00
anti
9dc6ff3887 ui: ensure inputs and buttons inherit Ubuntu Mono font 2026-04-08 21:31:44 -04:00
anti
fe25798425 ui: change main dashboard font to Ubuntu Mono 2026-04-08 21:30:30 -04:00
anti
6c2478ede3 fix: restore missing API endpoints, fix chart rendering, and update date filter formatting 2026-04-08 21:25:59 -04:00
anti
532a4e2dc5 fix: resolve SSE CORS issues and fix date filter format mismatch 2026-04-08 21:15:26 -04:00
anti
ec503b9ec6 feat: implement advanced live logs with KQL search, histogram, and live/historical modes 2026-04-08 21:01:05 -04:00
anti
fe6b349e5e modified: ci.yml, fucked up last time lol
Some checks failed
CI / Lint (ruff) (push) Successful in 11s
Details
CI / Test (pytest) (3.11) (push) Successful in 1m42s
Details
CI / Test (pytest) (3.12) (push) Successful in 1m45s
Details
CI / SAST (bandit) (push) Failing after 12s
Details
CI / Dependency audit (pip-audit) (push) Successful in 20s
Details
CI / Open PR to main (push) Has been skipped
Details
2026-04-08 15:53:49 -04:00
anti
65b220fdbe modified: ci.yml, pyproject: added missing installs and modified pip install command
Some checks failed
CI / Lint (ruff) (push) Successful in 16s
Details
CI / Test (pytest) (3.11) (push) Failing after 20s
Details
CI / Test (pytest) (3.12) (push) Failing after 20s
Details
CI / SAST (bandit) (push) Failing after 11s
Details
CI / Dependency audit (pip-audit) (push) Successful in 19s
Details
CI / Open PR to main (push) Has been skipped
Details
2026-04-08 15:50:17 -04:00
anti
6f10e7556f chore: deleted trash
Some checks failed
CI / Lint (ruff) (push) Successful in 11s
Details
CI / Test (pytest) (3.11) (push) Failing after 18s
Details
CI / Test (pytest) (3.12) (push) Failing after 18s
Details
CI / SAST (bandit) (push) Failing after 11s
Details
CI / Dependency audit (pip-audit) (push) Successful in 18s
Details
CI / Open PR to main (push) Has been skipped
Details
2026-04-08 02:07:11 -04:00
1021 changed files with 64984 additions and 10948 deletions
Expand all files Collapse all files

7
.claude/settings.local.json
View File

@@ -1,7 +0,0 @@
{
"permissions": {
"allow": [
"mcp__plugin_context-mode_context-mode__ctx_batch_execute"
]
}
}

3
.env.example
View File

@@ -1,7 +1,7 @@
# API Options # API Options
DECNET_API_HOST=0.0.0.0 DECNET_API_HOST=0.0.0.0
DECNET_API_PORT=8000 DECNET_API_PORT=8000
DECNET_JWT_SECRET=supersecretkey12345 DECNET_JWT_SECRET=supersecretkey12345678901234567
DECNET_INGEST_LOG_FILE=/var/log/decnet/decnet.log DECNET_INGEST_LOG_FILE=/var/log/decnet/decnet.log
# Web Dashboard Options # Web Dashboard Options
@@ -9,3 +9,4 @@ DECNET_WEB_HOST=0.0.0.0
DECNET_WEB_PORT=8080 DECNET_WEB_PORT=8080
DECNET_ADMIN_USER=admin DECNET_ADMIN_USER=admin
DECNET_ADMIN_PASSWORD=admin DECNET_ADMIN_PASSWORD=admin
DECNET_DEVELOPER=False

176
.gitea/workflows/ci.yml
View File

@@ -2,7 +2,7 @@ name: CI
on: on:
push: push:
branches: [dev, testing] branches: [dev, testing, "temp/merge-*"]
paths-ignore: paths-ignore:
- "**/*.md" - "**/*.md"
- "docs/**" - "docs/**"
@@ -19,20 +19,6 @@ jobs:
- run: pip install ruff - run: pip install ruff
- run: ruff check . - run: ruff check .
test:
name: Test (pytest)
runs-on: ubuntu-latest
strategy:
matrix:
python-version: ["3.11", "3.12"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- run: pip install -e .
- run: pytest tests/ -v --tb=short
bandit: bandit:
name: SAST (bandit) name: SAST (bandit)
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -42,7 +28,7 @@ jobs:
with: with:
python-version: "3.11" python-version: "3.11"
- run: pip install bandit - run: pip install bandit
- run: bandit -r decnet/ -ll -x decnet/services/registry.py - run: bandit -r decnet/ -ll -x decnet/services/registry.py -x decnet/templates/
pip-audit: pip-audit:
name: Dependency audit (pip-audit) name: Dependency audit (pip-audit)
@@ -53,37 +39,137 @@ jobs:
with: with:
python-version: "3.11" python-version: "3.11"
- run: pip install pip-audit - run: pip install pip-audit
- run: pip install -e . - run: pip install -e .[dev]
- run: pip-audit --skip-editable - run: pip-audit --skip-editable --ignore-vuln CVE-2025-65896
open-pr: test-standard:
name: Open PR to main name: Test (Standard)
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [lint, test, bandit, pip-audit] needs: [lint, bandit, pip-audit]
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- run: pip install -e .[dev]
- run: pytest
test-live:
name: Test (Live)
runs-on: ubuntu-latest
needs: [test-standard]
services:
mysql:
image: mysql:8.0
env:
MYSQL_ROOT_PASSWORD: root
MYSQL_DATABASE: decnet_test
ports:
- 3307:3306
options: >-
--health-cmd="mysqladmin ping -h 127.0.0.1"
--health-interval=10s
--health-timeout=5s
--health-retries=5
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- run: pip install -e .[dev]
- run: pytest -m live
env:
DECNET_MYSQL_HOST: 127.0.0.1
DECNET_MYSQL_PORT: 3307
DECNET_MYSQL_USER: root
DECNET_MYSQL_PASSWORD: root
DECNET_MYSQL_DATABASE: decnet_test
test-fuzz:
name: Test (Fuzz)
runs-on: ubuntu-latest
needs: [test-live]
strategy:
matrix:
python-version: ["3.11"]
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: ${{ matrix.python-version }}
- run: pip install -e .[dev]
- run: pytest -m fuzz
env:
SCHEMATHESIS_CONFIG: schemathesis.ci.toml
merge-to-testing:
name: Merge dev → testing
runs-on: ubuntu-latest
needs: [test-standard, test-live, test-fuzz]
if: github.ref == 'refs/heads/dev' if: github.ref == 'refs/heads/dev'
steps: steps:
- name: Open PR via Gitea API - uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.DECNET_PR_TOKEN }}
- name: Configure git
run: | run: |
echo "--- Checking for existing open PRs ---" git config user.name "DECNET CI"
LIST_RESPONSE=$(curl -s \ git config user.email "ci@decnet.local"
-H "Authorization: token ${{ secrets.DECNET_PR_TOKEN }}" \ - name: Merge dev into testing
"https://git.resacachile.cl/api/v1/repos/anti/DECNET/pulls?state=open&head=anti:dev&base=main&limit=5") run: |
echo "$LIST_RESPONSE" git fetch origin testing
EXISTING=$(echo "$LIST_RESPONSE" | python3 -c "import sys, json; print(len(json.load(sys.stdin)))") git checkout testing
echo "Open PRs found: $EXISTING" git merge origin/dev --no-ff -m "ci: auto-merge dev → testing [skip ci]"
if [ "$EXISTING" -gt "0" ]; then git push origin testing
echo "PR already open, skipping."
exit 0 prepare-merge-to-main:
fi name: Prepare Merge to Main
echo "--- Creating PR ---" runs-on: ubuntu-latest
CREATE_RESPONSE=$(curl -s -X POST \ needs: [test-standard, test-live, test-fuzz]
-H "Authorization: token ${{ secrets.DECNET_PR_TOKEN }}" \ if: github.ref == 'refs/heads/testing'
-H "Content-Type: application/json" \ steps:
-d '{ - uses: actions/checkout@v4
"title": "Auto PR: dev → main", with:
"head": "dev", fetch-depth: 0
"base": "main", token: ${{ secrets.DECNET_PR_TOKEN }}
"body": "All CI and security checks passed. Review and merge when ready." - name: Configure git
}' \ run: |
"https://git.resacachile.cl/api/v1/repos/anti/DECNET/pulls") git config user.name "DECNET CI"
echo "$CREATE_RESPONSE" git config user.email "ci@decnet.local"
- name: Create temp branch and sync with main
run: |
git fetch origin main
git checkout -b temp/merge-testing-to-main
echo "--- Switched to temp branch, merging main into it ---"
git merge origin/main --no-edit || { echo "CONFLICT: Manual resolution required"; exit 1; }
git push origin temp/merge-testing-to-main --force
finalize-merge-to-main:
name: Finalize Merge to Main
runs-on: ubuntu-latest
needs: [test-standard, test-live, test-fuzz]
if: startsWith(github.ref, 'refs/heads/temp/merge-')
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.DECNET_PR_TOKEN }}
- name: Configure git
run: |
git config user.name "DECNET CI"
git config user.email "ci@decnet.local"
- name: Merge RC into main
run: |
git fetch origin main
git checkout main
git merge ${{ github.ref }} --no-ff -m "ci: auto-merge testing → main"
git push origin main
echo "--- Cleaning up temp branch ---"
git push origin --delete ${{ github.ref_name }}

25
.gitea/workflows/pr.yml
View File

@@ -30,5 +30,28 @@ jobs:
- uses: actions/setup-python@v5 - uses: actions/setup-python@v5
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
- run: pip install -e . - run: pip install -e .[dev]
- run: pytest tests/ -v --tb=short - run: pytest tests/ -v --tb=short
bandit:
name: SAST (bandit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- run: pip install bandit
- run: bandit -r decnet/ -ll -x decnet/services/registry.py
pip-audit:
name: Dependency audit (pip-audit)
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.11"
- run: pip install pip-audit
- run: pip install -e .[dev]
- run: pip-audit --skip-editable

64
.gitea/workflows/release.yml
View File

@@ -22,27 +22,42 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
token: ${{ secrets.DECNET_PR_TOKEN }}
- name: Extract version from pyproject.toml - name: Configure git
run: |
git config user.name "DECNET CI"
git config user.email "ci@decnet.local"
- name: Bump version and Tag
id: version id: version
run: | run: |
VERSION=$(python3 -c "import tomllib; f=open('pyproject.toml','rb'); d=tomllib.load(f); print(d['project']['version'])") # Calculate next version (v0.x)
echo "version=$VERSION" >> $GITHUB_OUTPUT LATEST_TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "v0.0.0")
NEXT_VER=$(python3 -c "
tag = '$LATEST_TAG'.lstrip('v')
parts = tag.split('.')
major = int(parts[0]) if parts[0] else 0
minor = int(parts[1]) if len(parts) > 1 else 0
print(f'{major}.{minor + 1}.0')
")
- name: Create tag if not exists echo "Next version: $NEXT_VER (calculated from $LATEST_TAG)"
id: tag
run: | # Update pyproject.toml
VERSION=${{ steps.version.outputs.version }} sed -i "s/^version = \".*\"/version = \"$NEXT_VER\"/" pyproject.toml
if git rev-parse "v$VERSION" >/dev/null 2>&1; then
echo "Tag v$VERSION already exists, skipping." git add pyproject.toml
echo "created=false" >> $GITHUB_OUTPUT git commit -m "chore: auto-release v$NEXT_VER [skip ci]" || echo "No changes to commit"
else CHANGELOG=$(git log ${LATEST_TAG}..HEAD --oneline --no-decorate --no-merges)
git config user.name "gitea-actions" git tag -a "v$NEXT_VER" -m "Auto-release v$NEXT_VER
git config user.email "actions@git.resacachile.cl"
git tag -a "v$VERSION" -m "Release v$VERSION" Changes since $LATEST_TAG:
git push origin "v$VERSION" $CHANGELOG"
git push origin main --follow-tags
echo "version=$NEXT_VER" >> $GITHUB_OUTPUT
echo "created=true" >> $GITHUB_OUTPUT echo "created=true" >> $GITHUB_OUTPUT
fi
docker: docker:
name: Build, scan & push ${{ matrix.service }} name: Build, scan & push ${{ matrix.service }}
@@ -52,7 +67,7 @@ jobs:
fail-fast: false fail-fast: false
matrix: matrix:
service: service:
- cowrie - conpot
- docker_api - docker_api
- elasticsearch - elasticsearch
- ftp - ftp
@@ -69,11 +84,12 @@ jobs:
- postgres - postgres
- rdp - rdp
- redis - redis
- real_ssh
- sip - sip
- smb - smb
- smtp - smtp
- snmp - snmp
- ssh
- telnet
- tftp - tftp
- vnc - vnc
steps: steps:
@@ -99,13 +115,13 @@ jobs:
cache-from: type=gha cache-from: type=gha
cache-to: type=gha,mode=max cache-to: type=gha,mode=max
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
- name: Scan with Trivy - name: Scan with Trivy
uses: aquasecurity/trivy-action@master run: |
with: trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed decnet-${{ matrix.service }}:scan
image-ref: decnet-${{ matrix.service }}:scan
exit-code: "1"
severity: CRITICAL
ignore-unfixed: true
- name: Push image - name: Push image
if: success() if: success()

13
.gitignore vendored
View File

@@ -1,4 +1,7 @@
.venv/ .venv/
logs/
.claude/*
CLAUDE.md
__pycache__/ __pycache__/
*.pyc *.pyc
*.pyo *.pyo
@@ -8,7 +11,6 @@ build/
decnet-compose.yml decnet-compose.yml
decnet-state.json decnet-state.json
*.ini *.ini
.env
decnet.log* decnet.log*
*.loggy *.loggy
*.nmap *.nmap
@@ -16,6 +18,13 @@ linterfails.log
webmail webmail
windows1 windows1
*.db *.db
*.db-shm
*.db-wal
decnet.*.log
decnet.json decnet.json
.env .env*
.env.local .env.local
.coverage
.hypothesis/
profiles/*
tests/test_decnet.db*

4
.hypothesis/constants/0da7ee28577247a0
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/api.py
# hypothesis_version: 6.151.11
[404, 500, 1000, '*', '/api/v1/auth/login', '/api/v1/deckies', '/api/v1/logs', '/api/v1/stats', '1.0.0', 'Bearer', 'Decky not found', 'No active deployment', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'limit', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'token_type', 'total', 'username', 'uuid']

4
.hypothesis/constants/0ff817caa72a52a4
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/logging/file_handler.py
# hypothesis_version: 6.151.11
[1024, '%(message)s', 'DECNET_LOG_FILE', 'decnet.syslog', 'utf-8']

4
.hypothesis/constants/12924abcbf0c075f
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/api.py
# hypothesis_version: 6.151.11
[404, 500, 1000, '*', '/api/v1/auth/login', '/api/v1/deckies', '/api/v1/logs', '/api/v1/stats', '/api/v1/stream', '1.0.0', 'Authorization', 'Bearer', 'Bearer ', 'Decky not found', 'No active deployment', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'id', 'lastEventId', 'limit', 'logs', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'stats', 'text/event-stream', 'token', 'token_type', 'total', 'type', 'username', 'uuid']

4
.hypothesis/constants/15d50d1e53b9b5c3
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/tftp.py
# hypothesis_version: 6.151.11
['LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'restart', 'templates', 'tftp', 'unless-stopped']

4
.hypothesis/constants/1687359ae69f4da6
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/ini_loader.py
# hypothesis_version: 6.151.11
[',', '.', '1', 'amount', 'archetype', 'binary', 'custom-', 'exec', 'general', 'gw', 'interface', 'ip', 'log-target', 'log_target', 'mutate-interval', 'mutate_interval', 'net', 'nmap-os', 'nmap_os', 'ports', 'services']

4
.hypothesis/constants/16e4ba38c473ee5e
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[5173, 8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--log-target', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', '0.0.0.0', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']

4
.hypothesis/constants/19d5adc9efd5ec68
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/ingester.py
# hypothesis_version: 6.151.11
['.json', 'decnet.web.ingester', 'r', 'replace', 'utf-8']

4
.hypothesis/constants/1f005a833d034313
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/logging/forwarder.py
# hypothesis_version: 6.151.11
[2.0, ':']

4
.hypothesis/constants/1f12b014d4fe2068
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/mongodb.py
# hypothesis_version: 6.151.11
[27017, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'mongodb', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/219a36e8b671f84b
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/repository.py
# hypothesis_version: 6.151.11
[]

4
.hypothesis/constants/2220ccbe8a25f02d
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/snmp.py
# hypothesis_version: 6.151.11
[161, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'restart', 'snmp', 'templates', 'unless-stopped']

4
.hypothesis/constants/2f0b53ebdb35c4e1
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/sip.py
# hypothesis_version: 6.151.11
[5060, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'restart', 'sip', 'templates', 'unless-stopped']

4
.hypothesis/constants/3048c6da87ba838d
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/auth.py
# hypothesis_version: 6.151.11
[1440, 'HS256', 'exp', 'iat', 'utf-8']

4
.hypothesis/constants/30a7ffe86227f7f1
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/mssql.py
# hypothesis_version: 6.151.11
[1433, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'mssql', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/349ec22a74b50191
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/composer.py
# hypothesis_version: 6.151.11
['/var/log/decnet', '3.8', 'BASE_IMAGE', 'DECNET_LOG_FILE', 'HOSTNAME', 'NET_ADMIN', 'args', 'bridge', 'build', 'cap_add', 'command', 'container_name', 'decnet_logs', 'depends_on', 'driver', 'environment', 'external', 'hostname', 'image', 'infinity', 'internal', 'ipv4_address', 'network_mode', 'networks', 'restart', 'services', 'sleep', 'sysctls', 'unless-stopped', 'version', 'volumes']

4
.hypothesis/constants/37d6bf6c6c0b58e6
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/elasticsearch.py
# hypothesis_version: 6.151.11
[9200, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'elasticsearch', 'environment', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/39f59c66c174e4ce
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--log-target', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', '0.0.0.0', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']

4
.hypothesis/constants/3cc47bb868bcb8f4
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/telnet.py
# hypothesis_version: 6.151.11
[':', 'COWRIE_SSH_ENABLED', 'NET_BIND_SERVICE', 'cap_add', 'container_name', 'cowrie/cowrie', 'environment', 'false', 'image', 'restart', 'telnet', 'true', 'unless-stopped']

4
.hypothesis/constants/407fc1fdd6e042af
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[5173, 8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--log-target', '--min-deckies', '--mode', '--no-cache', '--output', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', '0.0.0.0', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']

4
.hypothesis/constants/42a1dcb5c22b1ac1
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/ini_loader.py
# hypothesis_version: 6.151.11
[100, 512, 1024, ',', '.', '1', '[', ']', 'amount', 'archetype', 'binary', 'custom-', 'exceeds maximum', 'exec', 'general', 'gw', 'interface', 'ip', 'log-target', 'log_target', 'mutate-interval', 'mutate_interval', 'net', 'nmap-os', 'nmap_os', 'ports', 'services']

4
.hypothesis/constants/46cebe14ff55dbd1
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[5173, 8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--log-target', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', '0.0.0.0', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']

4
.hypothesis/constants/4b12b89e1879f5ab
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/archetypes.py
# hypothesis_version: 6.151.11
[', ', 'Database Server', 'DevOps Host', 'Domain Controller', 'File Server', 'IoT Device', 'Linux Server', 'Mail Server', 'Monitoring Node', 'Network Printer', 'VoIP Server', 'Web Server', 'Windows Server', 'Windows Workstation', 'alpine', 'conpot', 'database-server', 'deaddeck', 'debian', 'devops-host', 'docker_api', 'domain-controller', 'embedded', 'fedora', 'file-server', 'ftp', 'http', 'imap', 'industrial-control', 'iot-device', 'k8s', 'ldap', 'linux', 'linux-server', 'llmnr', 'mail-server', 'monitoring-node', 'mqtt', 'mysql', 'pop3', 'postgres', 'printer', 'rdp', 'real_ssh', 'redis', 'rocky9', 'sip', 'smb', 'smtp', 'snmp', 'ssh', 'telnet', 'ubuntu20', 'ubuntu22', 'voip-server', 'web-server', 'windows', 'windows-server', 'windows-workstation']

4
.hypothesis/constants/4efedb0b38145ee9
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/env.py
# hypothesis_version: 6.151.11
['.env', '.env.local', '0.0.0.0', '8000', '8080', 'DECNET_ADMIN_USER', 'DECNET_API_HOST', 'DECNET_API_PORT', 'DECNET_JWT_SECRET', 'DECNET_WEB_HOST', 'DECNET_WEB_PORT', 'admin']

4
.hypothesis/constants/507a3145954fca93
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/http.py
# hypothesis_version: 6.151.11
[443, '/opt/html_files', 'CUSTOM_BODY', 'EXTRA_HEADERS', 'FAKE_APP', 'FILES_DIR', 'LOG_TARGET', 'NODE_NAME', 'RESPONSE_CODE', 'SERVER_HEADER', 'build', 'container_name', 'context', 'custom_body', 'environment', 'extra_headers', 'fake_app', 'files', 'http', 'response_code', 'restart', 'server_header', 'templates', 'unless-stopped', 'volumes']

4
.hypothesis/constants/5274e5adddfb5fe5
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/ini_loader.py
# hypothesis_version: 6.151.11
[',', '.', '1', 'amount', 'archetype', 'binary', 'custom-', 'exec', 'general', 'gw', 'interface', 'ip', 'log-target', 'log_target', 'mutate-interval', 'mutate_interval', 'net', 'nmap-os', 'nmap_os', 'ports', 'services']

4
.hypothesis/constants/53a42446f9f19b20
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/ftp.py
# hypothesis_version: 6.151.11
['LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'ftp', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/56584ef41d5dcfbb
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/auth.py
# hypothesis_version: 6.151.11
[1440, 'HS256', 'exp', 'iat', 'utf-8']

4
.hypothesis/constants/574dbe54f9b23d3e
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/correlation/engine.py
# hypothesis_version: 6.151.11
[3600, ',', 'Attacker IP', 'Deckies', 'Duration', 'Events', 'First Seen', 'Traversal Path', 'bold red', 'correlator', 'cyan', 'decnet-correlator', 'dim', 'events_indexed', 'lines_parsed', 'right', 'stats', 'traversal_detected', 'traversals', 'unique_ips', 'yellow']

4
.hypothesis/constants/62e387790ed5b79f
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/vnc.py
# hypothesis_version: 6.151.11
[5900, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'restart', 'templates', 'unless-stopped', 'vnc']

4
.hypothesis/constants/653cbfe0ead00867
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/api.py
# hypothesis_version: 6.151.11
[404, 500, 1000, '*', '/api/v1/auth/login', '/api/v1/deckies', '/api/v1/logs', '/api/v1/stats', '/api/v1/stream', '1.0.0', 'Authorization', 'Bearer', 'Bearer ', 'Decky not found', 'No active deployment', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'id', 'lastEventId', 'limit', 'logs', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'stats', 'text/event-stream', 'token', 'token_type', 'total', 'type', 'username', 'uuid']

4
.hypothesis/constants/66bd79275cd609e8
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/correlation/parser.py
# hypothesis_version: 6.151.11
['"', '-', '\\', '\\"', '\\\\', '\\]', ']', 'client_ip', 'ip', 'remote_ip', 'src', 'src_ip']

4
.hypothesis/constants/6ef9c847efdbbda6
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/api.py
# hypothesis_version: 6.151.11
[400, 404, 500, 512, 1000, 1024, '*', '/api/v1/auth/login', '/api/v1/deckies', '/api/v1/logs', '/api/v1/stats', '/api/v1/stream', '1.0.0', 'Authorization', 'Bearer', 'Bearer ', 'Decky not found', 'No active deployment', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'decnet.web.api', 'id', 'lastEventId', 'limit', 'logs', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'stats', 'text/event-stream', 'token', 'token_type', 'total', 'type', 'unihost', 'username', 'uuid']

4
.hypothesis/constants/76302489300fdc45
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/config.py
# hypothesis_version: 6.151.11
[0.0, ':', 'compose_path', 'config', 'debian', 'debian:bookworm-slim', 'decnet-state.json', 'linux', 'log_target', 'services', 'swarm', 'unihost']

4
.hypothesis/constants/77b4b42ea3b9c9bf
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/llmnr.py
# hypothesis_version: 6.151.11
[5353, 5355, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'llmnr', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/79661beef79449a5
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/registry.py
# hypothesis_version: 6.151.11
['base', 'decnet.services.', 'registry']

4
.hypothesis/constants/7a3f92bbfaebef4e
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/ini_loader.py
# hypothesis_version: 6.151.11
[',', '.', '1', 'amount', 'archetype', 'binary', 'custom-', 'exec', 'general', 'gw', 'interface', 'ip', 'log-target', 'log_target', 'mutate-interval', 'mutate_interval', 'net', 'nmap-os', 'nmap_os', 'ports', 'services']

4
.hypothesis/constants/7f9302a54093ce41
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/correlation/__init__.py
# hypothesis_version: 6.151.11
['AttackerTraversal', 'CorrelationEngine', 'LogEvent', 'TraversalHop', 'parse_line']

4
.hypothesis/constants/8029f0494746966f
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/ldap.py
# hypothesis_version: 6.151.11
[389, 636, 'LOG_TARGET', 'NET_BIND_SERVICE', 'NODE_NAME', 'build', 'cap_add', 'container_name', 'context', 'environment', 'ldap', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/84bbb6b2519f3506
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/api.py
# hypothesis_version: 6.151.11
[400, 404, 500, 1000, '*', '/api/v1/auth/login', '/api/v1/deckies', '/api/v1/logs', '/api/v1/stats', '/api/v1/stream', '1.0.0', 'Authorization', 'Bearer', 'Bearer ', 'Decky not found', 'No active deployment', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'decnet.web.api', 'id', 'lastEventId', 'limit', 'logs', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'stats', 'text/event-stream', 'token', 'token_type', 'total', 'type', 'unihost', 'username', 'uuid']

4
.hypothesis/constants/87dce71ef389d477
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/mqtt.py
# hypothesis_version: 6.151.11
[1883, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'mqtt', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/8b9368be0f77a253
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/custom_service.py
# hypothesis_version: 6.151.11
['-', 'LOG_TARGET', 'NODE_NAME', '_', 'command', 'container_name', 'environment', 'image', 'restart', 'unless-stopped']

4
.hypothesis/constants/8c9335cb8231944a
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/docker_api.py
# hypothesis_version: 6.151.11
[2375, 2376, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'docker_api', 'environment', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/8e330e30c399dccc
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/real_ssh.py
# hypothesis_version: 6.151.11
['NET_BIND_SERVICE', 'SSH_HOSTNAME', 'SSH_ROOT_PASSWORD', 'admin', 'build', 'cap_add', 'container_name', 'context', 'environment', 'hostname', 'password', 'real_ssh', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/8f0af26df36110f1
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/ini_loader.py
# hypothesis_version: 6.151.11
[',', '.', '1', 'amount', 'archetype', 'binary', 'custom-', 'exec', 'general', 'gw', 'interface', 'ip', 'log-target', 'log_target', 'mutate-interval', 'mutate_interval', 'net', 'nmap-os', 'nmap_os', 'ports', 'services']

4
.hypothesis/constants/9193e12e937c9da2
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/logging/syslog_formatter.py
# hypothesis_version: 6.151.11
[255, '"', '-', '1', '\\', '\\"', '\\\\', '\\]', ']', 'decnet@55555']

4
.hypothesis/constants/91b4fe59f03adba2
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[5173, 8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--log-target', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', '0.0.0.0', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']

4
.hypothesis/constants/933f6b3526e97b62
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/repository.py
# hypothesis_version: 6.151.11
[]

4
.hypothesis/constants/952b61539a326753
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/ssh.py
# hypothesis_version: 6.151.11
[2222, ':', 'COWRIE_HOSTNAME', 'COWRIE_SSH_VERSION', 'NET_BIND_SERVICE', 'NODE_NAME', 'build', 'cap_add', 'container_name', 'context', 'cowrie', 'environment', 'hardware_platform', 'kernel_build_string', 'kernel_version', 'restart', 'ssh', 'ssh_banner', 'templates', 'true', 'unless-stopped', 'users']

4
.hypothesis/constants/95eb634544ca6000
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/smb.py
# hypothesis_version: 6.151.11
[139, 445, 'LOG_TARGET', 'NET_BIND_SERVICE', 'NODE_NAME', 'build', 'cap_add', 'container_name', 'context', 'environment', 'restart', 'smb', 'templates', 'unless-stopped']

4
.hypothesis/constants/996aa9c745349122
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/base.py
# hypothesis_version: 6.151.11
[]

4
.hypothesis/constants/a115dde40ee13bf8
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/mysql.py
# hypothesis_version: 6.151.11
[3306, 'LOG_TARGET', 'MYSQL_VERSION', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'mysql', 'restart', 'templates', 'unless-stopped', 'version']

4
.hypothesis/constants/a3207e9522fed10c
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/api.py
# hypothesis_version: 6.151.11
[1000, '*', '/api/v1/auth/login', '/api/v1/logs', '/api/v1/stats', '1.0.0', 'Bearer', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'limit', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'token_type', 'total', 'username', 'uuid']

4
.hypothesis/constants/a36433a7a8a46f4d
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/smtp.py
# hypothesis_version: 6.151.11
[587, 'LOG_TARGET', 'NET_BIND_SERVICE', 'NODE_NAME', 'SMTP_BANNER', 'SMTP_MTA', 'banner', 'build', 'cap_add', 'container_name', 'context', 'environment', 'mta', 'restart', 'smtp', 'templates', 'unless-stopped']

4
.hypothesis/constants/a36bdeb88e27cda2
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/postgres.py
# hypothesis_version: 6.151.11
[5432, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'postgres', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/a4b0cd024dec37b3
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/pop3.py
# hypothesis_version: 6.151.11
[110, 995, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'pop3', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/a92a9b5d6ef7fbda
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/os_fingerprint.py
# hypothesis_version: 6.151.11
['128', '2', '255', '3', '6', '64', 'bsd', 'cisco', 'embedded', 'linux', 'windows']

4
.hypothesis/constants/b0cdd7ca461ac3a7
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/k8s.py
# hypothesis_version: 6.151.11
[6443, 8080, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'k8s', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/b3ae76f264e289ba
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/redis.py
# hypothesis_version: 6.151.11
[6379, 'LOG_TARGET', 'NODE_NAME', 'REDIS_OS', 'REDIS_VERSION', 'build', 'container_name', 'context', 'environment', 'os_string', 'redis', 'restart', 'templates', 'unless-stopped', 'version']

4
.hypothesis/constants/b4fbfe7d71d1fde1
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/correlation/graph.py
# hypothesis_version: 6.151.11
[' → ', 'attacker_ip', 'deckies', 'decky', 'decky_count', 'duration_seconds', 'event_type', 'first_seen', 'hop_count', 'hops', 'last_seen', 'path', 'service', 'timestamp']

4
.hypothesis/constants/bae355075973c2af
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/api.py
# hypothesis_version: 6.151.11
[400, 404, 500, 512, 1000, 1024, '*', '/api/v1/auth/login', '/api/v1/deckies', '/api/v1/logs', '/api/v1/stats', '/api/v1/stream', '1.0.0', 'Authorization', 'Bearer', 'Bearer ', 'Decky not found', 'No active deployment', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'decnet.web.api', 'id', 'lastEventId', 'limit', 'logs', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'stats', 'text/event-stream', 'token', 'token_type', 'total', 'type', 'unihost', 'username', 'uuid']

4
.hypothesis/constants/c1bae63b725863f0
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/imap.py
# hypothesis_version: 6.151.11
[143, 993, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'imap', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/c2ecbf26f54555a4
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/.venv/bin/pytest
# hypothesis_version: 6.151.11
['__main__']

4
.hypothesis/constants/c604d77c59dde05f
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/network.py
# hypothesis_version: 6.151.11
['/', 'add', 'addr', 'bridge', 'decnet_ipvlan0', 'decnet_lan', 'decnet_macvlan0', 'default', 'del', 'dev', 'inet ', 'inet6', 'ip', 'ipvlan', 'ipvlan_mode', 'l2', 'link', 'macvlan', 'mode', 'parent', 'route', 'set', 'show', 'type', 'up', 'via']

4
.hypothesis/constants/cbd8a83626f88ea8
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/sqlite_repository.py
# hypothesis_version: 6.151.11
['SELECT * FROM logs', 'active_deckies', 'attacker_ip', 'decky', 'decnet.db', 'deployed_deckies', 'event_type', 'fields', 'max_id', 'msg', 'must_change_password', 'password_hash', 'raw_line', 'role', 'service', 'timestamp', 'total', 'total_logs', 'unique_attackers', 'username', 'uuid']

4
.hypothesis/constants/cc88ec3582943bc7
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/distros.py
# hypothesis_version: 6.151.11
['Alpine Linux 3.19', 'Arch Linux', 'CentOS 7', 'Debian 12 (Bookworm)', 'Fedora 39', 'Kali Linux (Rolling)', 'Rocky Linux 9', 'alpha', 'alpine', 'alpine:3.19', 'arch', 'archlinux:latest', 'backup', 'bravo', 'centos7', 'centos:7', 'charlie', 'db', 'debian', 'debian:bookworm-slim', 'delta', 'dev', 'echo', 'fedora', 'fedora:39', 'files', 'foxtrot', 'generic', 'golf', 'hotel', 'india', 'juliet', 'kali', 'kilo', 'lima', 'mail', 'mike', 'minimal', 'monitor', 'nova', 'oscar', 'prod', 'proxy', 'rhel', 'rocky9', 'rockylinux:9-minimal', 'rolling', 'stage', 'ubuntu20', 'ubuntu22', 'ubuntu:20.04', 'ubuntu:22.04', 'web']

4
.hypothesis/constants/ceb1d0465029fa83
View File

@@ -1,4 +0,0 @@
# file: /home/anti/.local/bin/pytest
# hypothesis_version: 6.151.11
['__main__']

4
.hypothesis/constants/da39a3ee5e6b4b0d
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/__init__.py
# hypothesis_version: 6.151.11
[]

4
.hypothesis/constants/da43cd4d80a43169
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/sqlite_repository.py
# hypothesis_version: 6.151.11
['SELECT * FROM logs', 'active_deckies', 'attacker_ip', 'decky', 'decnet.db', 'event_type', 'fields', 'msg', 'must_change_password', 'password_hash', 'raw_line', 'role', 'service', 'timestamp', 'total', 'total_logs', 'unique_attackers', 'username', 'uuid']

4
.hypothesis/constants/dbb3e0fb1231c2a3
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--log-target', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', '0.0.0.0', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']

4
.hypothesis/constants/df40fa14165138c7
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/auth.py
# hypothesis_version: 6.151.11
[1440, 'DECNET_SECRET_KEY', 'HS256', 'exp', 'iat', 'utf-8']

4
.hypothesis/constants/e04c4b026eeb7e26
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/rdp.py
# hypothesis_version: 6.151.11
[3389, 'LOG_TARGET', 'NODE_NAME', 'build', 'container_name', 'context', 'environment', 'rdp', 'restart', 'templates', 'unless-stopped']

4
.hypothesis/constants/e6075ef770e33fe2
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/api.py
# hypothesis_version: 6.151.11
[400, 404, 500, 512, 1000, 1024, '*', '/api/v1/auth/login', '/api/v1/deckies', '/api/v1/logs', '/api/v1/stats', '/api/v1/stream', '1.0.0', 'Authorization', 'Bearer', 'Bearer ', 'Decky not found', 'No active deployment', 'WWW-Authenticate', 'access_token', 'admin', 'bearer', 'data', 'decnet.web.api', 'id', 'lastEventId', 'limit', 'logs', 'message', 'must_change_password', 'offset', 'password_hash', 'role', 'stats', 'text/event-stream', 'token', 'token_type', 'total', 'type', 'unihost', 'username', 'uuid']

4
.hypothesis/constants/e9250999acae5d85
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/cli.py
# hypothesis_version: 6.151.11
[5173, 8000, ',', ', ', '--all', '--api', '--api-port', '--archetype', '--config', '--deckies', '--decky', '--distro', '--dry-run', '--emit-syslog', '--host', '--id', '--interface', '--ip-start', '--ipvlan', '--log-file', '--log-target', '--min-deckies', '--mode', '--mutate-interval', '--no-cache', '--output', '--port', '--randomize-distros', '--randomize-services', '--services', '--subnet', '--watch', '--web-port', '-a', '-c', '-d', '-f', '-i', '-m', '-n', '-o', '-w', '/index.html', '0.0.0.0', 'Available Services', 'Default Services', 'Description', 'Display Name', 'Docker Image', 'Image', 'Machine Archetypes', 'Name', 'Ports', 'Slug', 'archetypes', 'bold cyan', 'correlate', 'decnet', 'decnet.cli', 'decnet.log', 'decnet.web.api:app', 'decnet_web', 'dim', 'dist', 'distros', 'green', 'json', 'linux', 'mutate', 'services', 'swarm', 'syslog', 'table', 'unihost', 'uvicorn', 'web']

4
.hypothesis/constants/ee59d8cc35cab799
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/ini_loader.py
# hypothesis_version: 6.151.11
[',', '.', '1', 'amount', 'archetype', 'binary', 'custom-', 'exec', 'general', 'gw', 'interface', 'ip', 'log-target', 'log_target', 'mutate-interval', 'mutate_interval', 'net', 'nmap-os', 'nmap_os', 'ports', 'services']

4
.hypothesis/constants/ee6334e46981bb15
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/web/sqlite_repository.py
# hypothesis_version: 6.151.11
['SELECT * FROM logs', 'active_deckies', 'attacker_ip', 'decky', 'decnet.db', 'deployed_deckies', 'event_type', 'fields', 'msg', 'must_change_password', 'password_hash', 'raw_line', 'role', 'service', 'timestamp', 'total', 'total_logs', 'unique_attackers', 'username', 'uuid']

4
.hypothesis/constants/f61b7d1d118bca37
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/deployer.py
# hypothesis_version: 6.151.11
[5.0, ', ', '--build', '--no-cache', '--watch', '-d', '-f', 'DECNET Deckies', 'Decky', 'Deployed Deckies', 'Hostname', 'IP', 'IPvlan', 'IPvlan L2', 'MACVLAN', 'Services', 'Status', '[green]up[/]', '[red]degraded[/]', 'absent', 'bold', 'build', 'cmdline', 'compose', 'decnet-compose.yml', 'decnet.cli', 'decnet.web.api:app', 'docker', 'down', 'green', 'manifest for', 'manifest unknown', 'mutate', 'name', 'not found', 'pid', 'pull access denied', 'red', 'rm', 'running', 'stop', 'up', 'uvicorn']

4
.hypothesis/constants/f6bf64199f202d36
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/config.py
# hypothesis_version: 6.151.11
[':', 'compose_path', 'config', 'debian', 'debian:bookworm-slim', 'decnet-state.json', 'linux', 'log_target', 'services', 'swarm', 'unihost']

4
.hypothesis/constants/fb7b3bbd8bd7b0f3
View File

@@ -1,4 +0,0 @@
# file: /home/anti/Tools/DECNET/decnet/services/conpot.py
# hypothesis_version: 6.151.11
[161, 502, 'CONPOT_TEMPLATE', 'conpot', 'container_name', 'default', 'environment', 'honeynet/conpot', 'image', 'restart', 'unless-stopped']

1
.hypothesis/examples/02709a08d5dd3bf6/be0230ef54d34195
View File

@@ -1 +0,0 @@
Ђ–В№5у»ћрЅ¶џUz&)ZГџ

2
.hypothesis/examples/04e6b3400353b141/02709a08d5dd3bf6
View File

@@ -1,2 +0,0 @@
φνOηό
;<16>}οΒΐΫb¶4η®

1
.hypothesis/examples/04e6b3400353b141/07415f0af878fbe0
View File

@@ -1 +0,0 @@
Ö¹8 (}hYögõ×`ô$ù<>lI<6C>€0y„}bÄU`¯¶…ˆ e[ë2PÅŸá

BIN
.hypothesis/examples/04e6b3400353b141/69de0ff9882fb7ae
View File

Binary file not shown.

BIN
.hypothesis/examples/04e6b3400353b141/ad62dc9ce19b3e65
View File

Binary file not shown.

1
.hypothesis/examples/04e6b3400353b141/ecc7e8764d8d8b88
View File

@@ -1 +0,0 @@
¨&@a!Þ”'<âÚÂN1ïÓ/Ï!ÁI…ÿø6-lÔãú+ÁÌI>…•_l.secondary

BIN
.hypothesis/examples/07415f0af878fbe0/59a0424d9d1db2bd
View File

Binary file not shown.

1
.hypothesis/examples/69de0ff9882fb7ae/046ad25b37468979
View File

@@ -1 +0,0 @@
<EFBFBD>

1
.hypothesis/examples/69de0ff9882fb7ae/145ce512e57fc774
View File

@@ -1 +0,0 @@
<EFBFBD>

1
.hypothesis/examples/69de0ff9882fb7ae/1f3d226b8b16b85f
View File

@@ -1 +0,0 @@
<EFBFBD>ソ。

1
.hypothesis/examples/69de0ff9882fb7ae/2a4604391a6a3a01
View File

@@ -1 +0,0 @@
<EFBFBD>

1
.hypothesis/examples/69de0ff9882fb7ae/327ebe8e2777678d
View File

@@ -1 +0,0 @@
<EFBFBD>

1
.hypothesis/examples/69de0ff9882fb7ae/6bd8eb2cdf74b98a
View File

@@ -1 +0,0 @@
<EFBFBD>」泯

1
.hypothesis/examples/69de0ff9882fb7ae/6f5b1e7034c7c5b5
View File

@@ -1 +0,0 @@
<EFBFBD>

1
.hypothesis/examples/69de0ff9882fb7ae/723685965ac5ff1d
View File

@@ -1 +0,0 @@
<EFBFBD>

1
.hypothesis/examples/69de0ff9882fb7ae/7960c8d6f8ec07ac
View File

@@ -1 +0,0 @@
ぱ。

Some files were not shown because too many files have changed in this diff Show More