Auto PR: testing → main #3

Closed

anti wants to merge 0 commits from testing into main

pull from: testing

merge into: anti:main

anti:main

anti:dev

anti:tomerge/main

Conversation 1 Commits - Files Changed -

anti commented 2026-04-12 09:56:29 +02:00

Owner

Copy Link

All CI and security checks passed on both dev and testing. Review and merge when ready.

All CI and security checks passed on both dev and testing. Review and merge when ready.

anti added 136 commits 2026-04-12 09:56:30 +02:00

revert f8a9f8fc64 ... d344e4c8bb

revert Added: modified notes. Finished CI/CD pipeline.

Finished: CI/CD pipeline. 850a6f2ad7

Modified README: added more examples to the config.ini section and modified instructions for quick setup. c32ad82d0a

feat: add web dashboard dependencies to support real-time monitoring fbb16a960c

feat: implement Auth endpoints for web dashboard 5b990743db

feat: implement Logs endpoints for web dashboard b46934db46

feat: implement Stats endpoints for web dashboard 697929a127

feat: initialize React frontend with minimalistic Matrix theme 50e53120df

fix: switch to direct bcrypt usage for Python 3.14 compatibility 81135cb861

feat: backend support for mandatory password change on first login 52c26a2891

feat: frontend support for mandatory password change and react-router integration 05e71f6d2e

feat: implement background log ingestion from local file bad90dfb75

feat: add --api flag to deploy and new web command for dashboard 1b593920cd

fix: invoke uvicorn via sys.executable to handle sudo PATH restrictions 6ed92d080f

feat: switch to JSON-based log ingestion for higher reliability 5f637b5272

feat: parse RFC 5424 fields and msg directly in backend 7bc8d75242

feat: render structured syslog tags and msg in Dashboard 950280a97b

chore: enforce strict typing and internal naming conventions across web components ba2faba5d5

docs: add comprehensive EVENTS.md detailing all service log events 3656a89d60

chore: move development docs to development/ and clean up project root b1f09b9c6a

test: add comprehensive property-based fuzzing for all API endpoints 1a2ad27eca

feat: add dedicated Decoy Fleet inventory page and API eb4be44c9a

fix: enforce absolute paths for state and database files a9c7ddec2b

feat: integrate API lifecycle with teardown and update dependencies 1f5c6604d6

feat: implement dynamic decky mutation and fix dot-separated INI sections 18de381a43

fix: correctly iterate over all deckies in _build_deckies_from_ini 47f0e6da8f

fix: increase timeout for mutate API call to handle slow docker ops e24da92e0f

ui: improve mutation feedback and increase timeout for long-running docker ops 6e19848723

feat: migrate dashboard live logs to Server-Sent Events (SSE) c544964f57

docs: update roadmap items in DEVELOPMENT.md dd363629ab

docs: revert incorrect roadmap ticks d139729fa2

ui: fix dashboard overflow and overlap with sidebar db9a2699b9

feat: add API-only mode and web-based INI deployment 168ecf14ab

ui: add file upload support to web-based INI deployment 1b5d366b38

feat: add server-side validation for web-based INI deployments cc3d434c02

fix: ensure API-deployed deckies inherit the correct log ingestion path 31e0c5151b

feat: add .env based configuration for API, Web, and Auth options 32b06afef6

fix: ensure shared log volume mount by default and disable container-side rotation 6bdb5922fa

feat: add systemd service templates for API and Web Dashboard fc99375c62

chore: deleted trash 6f10e7556f

modified: ci.yml, pyproject: added missing installs and modified pip install command 65b220fdbe

modified: ci.yml, fucked up last time lol fe6b349e5e

feat: implement advanced live logs with KQL search, histogram, and live/historical modes ec503b9ec6

fix: resolve SSE CORS issues and fix date filter format mismatch 532a4e2dc5

fix: restore missing API endpoints, fix chart rendering, and update date filter formatting 6c2478ede3

ui: change main dashboard font to Ubuntu Mono fe25798425

ui: ensure inputs and buttons inherit Ubuntu Mono font 9dc6ff3887

fix: suppress noisy cleanup warnings in pytest and fix fleet test auth 0123e1c69e

fix: handle bcrypt 72-byte limit and increase JWT secret length 8c7ec2953e

fix: stabilize tests with synchronous DB init and handle Bandit security findings 13f3d15a36

fix: resolve remaining bandit warnings and stabilize lifespan 0f86f883fe

feat: implement Bounty Vault for captured credentials and artifacts 69626d705d

feat: add DECNET_DEVELOPER toggle for API documentation 30edf9a55d

docs: tag API endpoints for better organization a3b92d4dd6

fix: refactor Bounty UI to match dashboard style and fix layout a2d07bd67c

fix: stabilize test suite by ensuring proper test DB isolation and initialization 551664bc43

refactor: modularize API routes into separate files and clean up dependencies 29a2cf2738

fix: harden startup security — require strong secrets, restrict CORS ... b6b046c90b

- decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now
  required env vars; startup raises ValueError if unset or set to a
  known-bad default ("admin", "password", etc.)
- decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to
  http://localhost:8080) replacing the previous allow_origins=["*"]
- decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods
  and allow_headers to explicit lists
- tests/conftest.py: set required env vars at module level so test
  collection works without real credentials
- tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD
  from env instead of hardcoded "admin"

Closes DEBT-001, DEBT-002, DEBT-004

docs: mark DEBT-001–004 as resolved in DEBT.md a22f996027

fix: add missing __init__.py to tests/api subpackages to fix relative imports ec66e01f55

refactor: modularize API tests to match router structure 44de453bb2

feat: add pytest-asyncio, freezegun, schemathesis, pytest-cov to test toolchain 310c2a1fbe

test: expand coverage 64%→76%; add BUGS.md for Gemini migration issues 4ae6f4f23d

fix: revert DECNET_ADMIN_PASSWORD to default 'admin'; first-login change enforces security 2b7d872ab7

docs: close DEBT-002 as by-design 1541b4b7e0

refactor: migrate database to SQLModel and implement modular DB structure de84cc664f

test: refactor suite to use AsyncClient, in-memory DBs, and parallel coverage 6fc1a2a3ea

test: fix async fixture isolation, add fuzz marks, parallelize with xdist ... d15c106b44

- Rebuild repo.engine and repo.session_factory per-test using unique
  in-memory SQLite URIs — fixes KeyError: 'access_token' caused by
  stale session_factory pointing at production DB
- Add @pytest.mark.fuzz to all Hypothesis and Schemathesis tests;
  default run excludes them (addopts = -m 'not fuzz')
- Add missing fuzz tests to bounty, fleet, histogram, and repository
- Use tmp_path for state file in patch_state_file/mock_state_file to
  eliminate file-path race conditions under xdist parallelism
- Set default addopts: -v -q -x -n logical (26 tests in ~7s)

fix: use :memory: + StaticPool for test DBs, eliminates file:testdb_* garbage dbf6d13b95

fix: clean up db layer — model_dump, timezone-aware timestamps, unified histogram, async load_state 0166d0d559

fix: clear all addressable technical debt (DEBT-005 through DEBT-025) ... 016115a523

Security:
- DEBT-008: remove query-string token auth; header-only Bearer now enforced
- DEBT-013: add regex constraint ^[a-z0-9\-]{1,64}$ on decky_name path param
- DEBT-015: stop leaking raw exception detail to API clients; log server-side
- DEBT-016: validate search (max_length=512) and datetime params with regex

Reliability:
- DEBT-014: wrap SSE event_generator in try/except; yield error frame on failure
- DEBT-017: emit log.warning/error on DB init retry; silent failures now visible

Observability / Docs:
- DEBT-020: add 401/422 response declarations to all route decorators

Infrastructure:
- DEBT-018: add HEALTHCHECK to all 24 template Dockerfiles
- DEBT-019: add USER decnet + setcap cap_net_bind_service to all 24 Dockerfiles
- DEBT-024: bump Redis template version 7.0.12 → 7.2.7

Config:
- DEBT-012: validate DECNET_API_PORT and DECNET_WEB_PORT range (1-65535)

Code quality:
- DEBT-010: delete 22 duplicate decnet_logging.py copies; deployer injects canonical
- DEBT-022: closed as false positive (print only in module docstring)
- DEBT-009: closed as false positive (templates already use structured syslog_line)

Build:
- DEBT-025: generate requirements.lock via pip freeze

Testing:
- DEBT-005/006/007: comprehensive test suite added across tests/api/
- conftest: in-memory SQLite + StaticPool + monkeypatched session_factory
- fuzz mark added; default run excludes fuzz; -n logical parallelism

DEBT.md updated: 23/25 items closed; DEBT-011 (Alembic) and DEBT-023 (digest pinning) remain

fix: make setcap resilient — no-op when Python absent or symlink-only 34a57d6f09

fix: resolve CORS blocking Vite dev server (add 5173 to defaults, add proxy) 3362325479

fix: add localhost:9090 to CORS defaults; revert broken relative-URL and proxy changes 29da2a75b3

fix: derive default CORS origin from DECNET_WEB_HOST/PORT instead of hardcoded ports f20e86826d

fix: add get_stream_user dependency for SSE endpoint; allow query-string token for EventSource d2a569496d

fix: emit stats/histogram snapshot on SSE connect; remove polling api.get('/stats') from Dashboard 6b8392102e

fix: add Last-Event-ID to CORS allow_headers to unblock SSE reconnects cea6279a08

fix: use model_dump(mode='json') to serialize datetime fields; fixes SSE stream silently dying post-ORM migration 14f7a535db

fix: chmod 777 log dir on compose generation so container decnet user can write logs 8d023147cc

feat: replace bind-mount log pipeline with Docker log streaming ... 25ba3fb56a

Services now print RFC 5424 to stdout; Docker captures via json-file driver.
A new host-side collector (decnet.web.collector) streams docker logs from all
running decky service containers and writes RFC 5424 + parsed JSON to the host
log file. The existing ingester continues to tail the .json file unchanged.
rsyslog can consume the .log file independently — no DECNET involvement needed.

Removes: bind-mount volume injection, _LOG_NETWORK bridge, log_target config
field and --log-target CLI flag, TCP syslog forwarding from service templates.

fix: resolve all bandit SAST findings in templates/ ... 24f02c3466

- Add # nosec B104 to all intentional 0.0.0.0 binds in honeypot servers
  (hardcoded_bind_all_interfaces is by design — deckies must accept attacker connections)
- Add # nosec B101 to assert statements used for protocol validation in ldap/snmp
- Add # nosec B105 to fake SASL placeholder in ldap
- Add # nosec B108 to /tmp usage in smb template
- Exclude root-owned auto-generated decnet_logging.py copies from bandit scan
  via pyproject.toml [tool.bandit] config (synced by _sync_logging_helper at deploy)

fix: restore forward_syslog as no-op stub; all service server.py files import it 40cd582253

feat(smtp): fix DATA state machine; add SMTP_OPEN_RELAY mode ... 94f82c9089

- Buffer DATA body until CRLF.CRLF terminator — fixes 502-on-every-body-line bug
- SMTP_OPEN_RELAY=1: AUTH accepted (235), RCPT TO accepted for any domain,
  full DATA pipeline with queued-as message ID
- Default (SMTP_OPEN_RELAY=0): credential harvester — AUTH rejected (535)
  but connection stays open, RCPT TO returns 554 relay denied
- SASL PLAIN and LOGIN multi-step AUTH both decoded and logged
- RSET clears all per-transaction state
- Add development/SMTP_RELAY.md, IMAP_BAIT.md, ICS_SCADA.md, BUG_FIXES.md
  (live-tested service realism plans)

feat: add smtp_relay service; add service_testing/ init ... 63fb477e1f

- decnet/services/smtp_relay.py: open relay variant of smtp, same template
  with SMTP_OPEN_RELAY=1 baked into the environment
- tests/service_testing/__init__.py: init so pytest discovers the subdirectory

Implement ICS/SCADA and IMAP Bait features 08242a4d84

Update REALISM_AUDIT.md with completed tasks 25b6425496

docs: Append bug ledger implementation plan to REALISM_AUDIT.md 5cb6666d7b

fix(services): Resolve protocol realism gaps and update technical debt register ... f583b3d699

- Add dynamic challenge nonces to Postgres, VNC, and SIP.
- Add basic keyspace lookup and mock data to Redis.
- Correct MSSQL TDS pre-login offset bounds.
- Support MongoDB OP_MSG handshake version checking.
- Suppress Werkzeug HTTP server headers and normalize FTPAnonymousShell response.
- Add tracking for Dynamic Bait Store (DEBT-027) via DEBT.md.

fix(conpot): Keep container as root to allow port 502 binding and fix user not found error 33885a2eec

fix(conpot): Resolve silent crash by running as nobody and ensuring permissions 682322d564

fix(conpot): Refactor permissions to use dedicated decnet user via chown 73e68388c0

docs: Add FUTURE.md to capture long-term architectural visions db425df6f2

docs: Add latency simulation to FUTURE.md fa8b0f3cb5

docs: Detail attachable Swarm overlay backend in FUTURE.md 38d37f862b

docs: add OS fingerprint spoofing hardening roadmap d8457c57f3

feat(os_fingerprint): Phase 1 — extend OS sysctls with 6 new fingerprint knobs ... 5e83c9e48d

Add tcp_timestamps, tcp_window_scaling, tcp_sack, tcp_ecn, ip_no_pmtu_disc,
and tcp_fin_timeout to every OS profile in OS_SYSCTLS.

All 6 are network-namespace-scoped and safe to set per-container without
--privileged. They directly influence nmap's OPS, WIN, ECN, and T2-T6
probe groups, making OS family detection significantly more convincing.

Key changes:
- tcp_timestamps=0 for windows/embedded/cisco (strongest Windows discriminator)
- tcp_ecn=2 for linux (ECN offer), 0 for all others
- tcp_sack=0 / tcp_window_scaling=0 for embedded/cisco
- ip_no_pmtu_disc=1 for embedded/cisco (DF bit ICMP behaviour)
- Expose _REQUIRED_SYSCTLS frozenset for completeness assertions

Tests: 88 new test cases across all OS families and composer integration.
Total suite: 812 passed.

chore: add arche-test.ini OS fingerprint smoke-test fleet 4fac9570ec

fix(cowrie): add missing COPY+chmod for entrypoint.sh in Dockerfile ... 5fdfe67f2f

The entrypoint.sh was present in the build context but never COPYed into
the image, causing 'stat /entrypoint.sh: no such file or directory' at
container start. Added COPY+chmod before the USER decnet instruction so
the script is installed as root and is executable by all users.

fix(os_fingerprint): set ip_no_pmtu_disc=1 for windows to eliminate TI=Z ... b1f6c3b84a

When ip_no_pmtu_disc=0 the Linux kernel sets DF=1 on TCP packets and uses
IP ID=0 (RFC 6864). nmap's TI=Z fingerprint has no Windows match in its DB,
causing 91% confidence guesses of 'Linux 2.4/2.6 embedded' regardless of
TTL being 128. Setting ip_no_pmtu_disc=1 allows non-zero IP ID generation.

Trade-off: DF bit is not set on outgoing packets (slightly wrong for Windows)
but TI=Z is far more damaging to the spoof than losing DF accuracy.

revert(os_fingerprint): undo ip_no_pmtu_disc=1 for windows — was incorrect ... 6df2c9ccbf

ip_no_pmtu_disc controls PMTU discovery for UDP/ICMP paths only.
TI=Z originates from ip_select_ident() in the kernel TCP stack setting
IP ID=0 for DF=1 TCP packets — a namespace-scoped sysctl cannot change this.
The previous commit was based on incorrect root-cause analysis.

docs(HARDENING): rewrite roadmap based on live scan findings ... 62a67f3d1d

Phase 1 is complete. Live testing revealed:
- Window size (64240) is already correct — Phase 2 window mangling unnecessary
- TI=Z (IP ID = 0) is the single remaining blocker for Windows spoofing
- ip_no_pmtu_disc does NOT fix TI=Z (tested and confirmed)

Revised phase plan:
- Phase 2: ICMP tuning (icmp_ratelimit + icmp_ratemask sysctls)
- Phase 3: NFQUEUE daemon for IP ID rewriting (fixes TI=Z)
- Phase 4: diminishing returns, not recommended

Added detailed NFQUEUE architecture, TCPOPTSTRIP notes, and
note clarifying P= field in nmap output.

feat(os_fingerprint): Phase 2 — add icmp_ratelimit + icmp_ratemask sysctls ... 1196363d0b

Windows: both 0 (no ICMP rate limiting — matches real Windows behavior)
Linux: 1000ms / mask 6168 (kernel defaults)
BSD: 250ms / mask 6168 (FreeBSD default is faster than Linux)
Embedded/Cisco: both 0 (most firmware doesn't rate-limit ICMP)

These affect nmap's IE and U1 probe groups which measure ICMP error
response timing to closed UDP ports. Windows responds to all probes
instantly while Linux throttles to ~1/sec.

Tests: 10 new cases (5 per sysctl). Suite: 822 passed.

feat(imap,pop3): full IMAP4rev1 + POP3 bait mailbox implementation ... c7713c6228

IMAP: extended to full IMAP4rev1 — 10 bait emails (AWS keys, DB creds,
tokens, VPN config, root pw etc.), LIST/LSUB/STATUS/FETCH/UID FETCH/
SEARCH/CLOSE/NOOP, proper SELECT untagged responses (EXISTS, UIDNEXT,
FLAGS, PERMANENTFLAGS), CAPABILITY with IDLE/LITERAL+/AUTH=PLAIN.
FETCH correctly handles sequence sets (1:*, 1:3, *), item dispatch
(FLAGS, ENVELOPE, BODY[], RFC822, RFC822.SIZE), and places body literals
last per RFC 3501.

POP3: extended with same 10 bait emails, fixed banner env var key
(POP3_BANNER not IMAP_BANNER), CAPA fully populated (TOP/UIDL/USER/
RESP-CODES/SASL), TOP (headers + N body lines), UIDL (msg-N format),
DELE/RSET with _deleted set tracking, NOOP. _active_messages() helper
excludes DELE'd messages from STAT/LIST/UIDL.

Both: DEBT-026 stub added (_EMAIL_SEED_PATH env var, documented in
DEBT.md for next-session JSON seed file wiring).

Tests: test_imap.py expanded to 27 cases, test_pop3.py to 22 cases —
860 total tests passing.

fix(conpot): use honeynet/conpot:latest base, run as conpot user ... fe46b8fc0b

The BASE_IMAGE build arg was being unconditionally overwritten by
composer.py with the decky's distro build_base (debian:bookworm-slim),
turning the conpot container into a bare Debian image with no conpot
installation — hence the silent restart loop.

Two fixes:
1. composer.py: use args.setdefault() so services that pre-declare
   BASE_IMAGE in their compose_fragment() win over the distro default.
2. conpot.py: pre-declare BASE_IMAGE=honeynet/conpot:latest in build
   args so it always uses the upstream image regardless of decky distro.

Also removed the USER decnet switch from the conpot Dockerfile. The
upstream image already runs as the non-root 'conpot' user; switching to
'decnet' broke pkg_resources because conpot's eggs live under
/home/conpot/.local and are only on sys.path for that user.

fix(conpot): add syslog bridge entrypoint for logging pipeline ... 5ef48d60be

Conpot is a third-party app with its own Python logger — it never calls
decnet_logging. Added entrypoint.py as a subprocess wrapper that:
- Launches conpot and captures its stdout/stderr
- Classifies each line (startup/request/warning/error/log)
- Extracts source IPs via regex
- Emits RFC 5424 syslog lines to stdout for Docker/collector pickup

Entrypoint is self-contained (no import of shared decnet_logging.py)
because the conpot base image runs Python 3.6, which cannot parse the
dict[str, Any] / str | None type syntax used in the canonical file.

feat(deploy): add --parallel flag for concurrent image builds ... 377ba0410c

When --parallel is set:
- DOCKER_BUILDKIT=1 is injected into the subprocess environment to
  ensure BuildKit is active regardless of host daemon config
- docker compose build runs first (all images built concurrently)
- docker compose up -d follows without --build (no redundant checks)

Without --parallel the original up --build path is preserved.
--parallel and --no-cache compose correctly (build --no-cache).

fix(collector): fix container detection and auto-start on deploy ... 7abae5571a

Two bugs caused the log file to never be written:

1. is_service_container() used regex '^decky-\d+-\w' which only matched
   the old decky-01-smtp naming style. Actual containers are named
   omega-decky-smtp, relay-decky-smtp, etc. Fixed by using Docker Compose
   labels instead: com.docker.compose.project=decnet + non-empty
   depends_on discriminates service containers from base (sleep infinity)
   containers reliably regardless of decky naming convention.
   Added is_service_event() for the Docker events path.

2. The collector was only started when --api was used. Added a 'collect'
   CLI subcommand (decnet collect --log-file <path>) and wired it into
   deploy as an auto-started background process when --api is not in use.
   Default log path: /var/log/decnet/decnet.log

refactor(collector): use state file for container detection, drop label heuristics ... babad5ce65

_load_service_container_names() reads decnet-state.json and builds the
exact set of expected container names ({decky}-{service}). is_service_container()
and is_service_event() do a direct set lookup — no regex, no label
inspection, no heuristics.

docs(roadmap): tick completed service implementations 9ca3b4691d

feat(ssh): replace Cowrie with real OpenSSH + rsyslog logging pipeline ... d4ac53c0c9

Scraps the Cowrie emulation layer. The real_ssh template now runs a
genuine sshd backed by a three-layer logging stack forwarded to stdout
as RFC 5424 for the DECNET collector:

  auth,authpriv.*  → rsyslogd → named pipe → stdout  (logins/failures)
  user.*           → rsyslogd → named pipe → stdout  (PROMPT_COMMAND cmds)
  sudo syslog=auth → rsyslogd → named pipe → stdout  (privilege escalation)
  sudo logfile     → /var/log/sudo.log               (local backup with I/O)

The ssh.py service plugin now points to templates/real_ssh and drops all
COWRIE_* / NODE_NAME env vars, sharing the same compose fragment shape as
real_ssh.py.

fix(collector): daemonize background subprocesses with start_new_session ... a6063efbb9

Collector and mutator watcher subprocesses were spawned without
start_new_session=True, leaving them in the parent's process group.
SIGHUP (sent when the controlling terminal closes) killed both
processes silently — stdout/stderr were DEVNULL so the crash was
invisible.

Also update test_services and test_composer to reflect the ssh plugin
no longer using Cowrie env vars (replaced with SSH_ROOT_PASSWORD /
SSH_HOSTNAME matching the real_ssh plugin).

fix(cli): add __main__ guard so python -m decnet.cli actually runs the app ... ce182652ad

The collector subprocess was spawned via 'python3 -m decnet.cli collect'
but cli.py had no 'if __name__ == __main__: app()' guard. Python executed
the module, defined all functions, then exited cleanly with code 0 without
ever calling the collect command. No output, no log file, exit 0 — silent
non-start every time.

Also route collector stderr to <log_file>.collector.log so future crashes
are visible instead of disappearing into DEVNULL.

fix(cli): import Path locally in deploy to fix NameError d77def64c4

refactor(ssh): consolidate real_ssh into ssh, remove duplication ... c79f96f321

real_ssh was a separate service name pointing to the same template and
behaviour as ssh. Merged them: ssh is now the single real-OpenSSH service.

- Rename templates/real_ssh/ → templates/ssh/
- Remove decnet/services/real_ssh.py
- Deaddeck archetype updated: services=["ssh"]
- Merge test_real_ssh.py into test_ssh.py (includes deaddeck + logging tests)
- Drop decnet.services.real_ssh from test_build module list

refactor: separate engine, collector, mutator, and fleet into independent subpackages ... c384a3103a

- decnet/engine/ — container lifecycle (deploy, teardown, status); _kill_api removed
- decnet/collector/ — Docker log streaming (moved from web/collector.py)
- decnet/mutator/ — mutation engine (no longer imports from cli or duplicates deployer code)
- decnet/fleet.py — shared decky-building logic extracted from cli.py

Cross-contamination eliminated:
- web router no longer imports from decnet.cli
- mutator no longer imports from decnet.cli
- cli no longer imports from decnet.web
- _kill_api() moved to cli (process management, not engine concern)
- _compose_with_retry duplicate removed from mutator

fix(telnet): replace Cowrie with real busybox telnetd + rsyslog logging ... 65d585569b

Cowrie was exposing an SSH daemon on port 22 alongside the telnet service
even when COWRIE_SSH_ENABLED=false, contaminating deployments that did not
request an SSH service.

New implementation mirrors the SSH service pattern:
- busybox telnetd in foreground mode on port 23
- /bin/login for real PAM authentication (brute-force attempts logged)
- rsyslog RFC 5424 bridge piped to stdout for Docker log capture
- Configurable root password and hostname via env vars
- No Cowrie dependency

fix(protocols): guard against zero/malformed length fields in binary protocol parsers ... d63e396410

MongoDB had the same infinite-loop bug as MSSQL (msg_len=0 → buffer never
shrinks in while loop). Postgres, MySQL, and MQTT had related length-field
issues (stuck state, resource exhaustion, overlong remaining-length).

Also fixes an existing MongoDB _op_reply struct.pack format bug (extra 'q'
specifier caused struct.error on any OP_QUERY response).

Adds 53 regression + protocol boundary tests across MSSQL, MongoDB,
Postgres, MySQL, and MQTT, including a _run_with_timeout threading harness
to catch infinite loops and @pytest.mark.fuzz hypothesis tests for each.

feat(tests): add live subprocess integration test suite for services ... 662a5e43e8

Spins up each service's server.py in a real subprocess via a free ephemeral
port (PORT env var), connects with real protocol clients, and asserts both
correct protocol behavior and RFC 5424 log output.

- 44 live tests across 10 services: http, ftp, smtp, redis, mqtt,
  mysql, postgres, mongodb, pop3, imap
- Shared conftest.py: _ServiceProcess (bg reader thread + queue),
  free_port, live_service fixture, assert_rfc5424 helper
- PORT env var added to all 10 targeted server.py templates
- New pytest marker `live`; excluded from default addopts run
- requirements-live-tests.txt: flask, twisted + protocol clients

refactor(deps): move live test deps to pyproject.toml optional-dependencies[live] f8ae9ce2a6

fix(telnet): use busybox-static for telnetd applet, rm stale fifo on restart 1484d2f625

fix(logging): silence Twisted internal logs and Werkzeug startup banner from stdout b325fc8c5f

fix(telnet): disable imklog in rsyslog — containers cannot access /proc/kmsg 20fba18711

added: fixed mssql service f8bb134d70

added: decnet_logging.py stub for telnet monitoring 68b13b8a59

modified: .gitignore c3c1cd2fa6

ci: rework pipeline to dev → testing → main promotion ... 99be4e64ad

- Add merge-to-testing job: after all CI checks pass on dev, auto-merge
  into testing with --no-ff for clear merge history
- Move open-pr job to trigger on testing branch instead of dev
- PR now opens testing → main instead of dev → main
- Add bandit and pip-audit jobs to pr.yml PR gate for full suite coverage
- PR gate test job now installs dev dependencies consistently

fix: resolve all ruff lint errors and SQLite UNIQUE constraint issue ... f78104e1c8

Ruff fixes (20 errors → 0):
- F401: Remove unused imports (DeckyConfig, random_hostname, IniConfig,
  COMPOSE_FILE, sys, patch) across cli.py, mutator/engine.py,
  templates/ftp, templates/rdp, test_mysql.py, test_postgres.py
- F541: Remove extraneous f-prefixes on strings with no placeholders
  in templates/imap, test_ftp_live, test_http_live
- E741: Rename ambiguous variable 'l' to descriptive names (line, entry,
  part) across conftest.py, test_ftp_live, test_http_live,
  test_mongodb_live, test_pop3, test_ssh

SQLite fix:
- Change _initialize_sync() admin seeding from SELECT-then-INSERT to
  INSERT OR IGNORE, preventing IntegrityError when admin user already
  exists from a previous run

Testing: Stabilized test suite and achieved 93% total coverage. ... ff38d58508

- Fixed CLI tests by patching local imports at source (psutil, os, Path).
- Fixed Collector tests by globalizing docker.from_env mock.
- Stabilized SSE stream tests via AsyncMock and immediate generator termination to prevent hangs.
- Achieved >80% coverage on CLI (84%), Collector (97%), and DB Repository (100%).
- Implemented SMTP Relay service tests (100%).

Docs: Generated full coverage report in development/COVERAGE.md aac39e818e

deleted: trash vscode stuff 1692df7360

moved: AST graphs into develpment/ folder 95190946e0

moved: mermaid graph to development folder fdc404760f

chore: fix unused imports in tests and update development roadmap 0f63820ee6

modified: pyproject, moved [live] deps to [dev] deps. fe18575a9c

ci: auto-merge dev → testing ac4e5e1570

anti commented 2026-04-12 10:18:09 +02:00

Author

Owner

Copy Link

fixed in: Merge pull request 'fix/merge-testing-to-main' (#4) from fix/merge-testing-to-main into main

closing.

fixed in: [Merge pull request 'fix/merge-testing-to-main' (#4) from fix/merge-testing-to-main into main](https://git.resacachile.cl/anti/DECNET/commit/23ec4709881b9c1c022700d65e61adc75a4db45a) closing.

anti closed this pull request 2026-04-12 10:18:09 +02:00

All checks were successful

Hide all checks

CI / Lint (ruff) (push) Successful in 11s

Details

CI / Test (pytest) (3.11) (push) Successful in 1m9s

Details

CI / Test (pytest) (3.12) (push) Successful in 1m14s

Details

CI / SAST (bandit) (push) Successful in 12s

Details

CI / Dependency audit (pip-audit) (push) Successful in 21s

Details

CI / Merge dev → testing (push) Has been skipped

Details

CI / Open PR to main (push) Successful in 6s

Details

PR Gate / Lint (ruff) (pull_request) Successful in 11s

Details

PR Gate / Test (pytest) (3.11) (pull_request) Successful in 1m13s

Details

PR Gate / Test (pytest) (3.12) (pull_request) Successful in 1m12s

Details

PR Gate / SAST (bandit) (pull_request) Successful in 13s

Details

PR Gate / Dependency audit (pip-audit) (pull_request) Successful in 21s

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

anti

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: anti/DECNET#3