Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
177 commits
Select commit Hold shift + click to select a range
eb13c94
Fixed order of authentication methods for timeline filter endpoint.
fatpeppapig May 22, 2026
9c017a1
Merge pull request #1080 from fatpeppapig/timeline-filters
whikernel Jun 8, 2026
fc8eea8
[ADD] Milkdown WYSIWYG note editor with size-aware Word export
gru3zi Jun 11, 2026
0745225
[ADD] Milkdown WYSIWYG editor toggle for the case summary
gru3zi Jun 11, 2026
df6d117
[ADD] Syntax-highlight code in DOCX export; [FIX] v2 API custom-attri…
gru3zi Jun 11, 2026
35ed5d0
[FIX] DOCX export: render markdown tables full-width and not broken b…
gru3zi Jun 11, 2026
e887e40
[ADD] Case notes: true split-pane editor (CodeMirror source ⇄ Milkdow…
gru3zi Jun 11, 2026
1ee221a
[FIX] Split editor: independent per-pane scrolling + no source-pane j…
gru3zi Jun 11, 2026
d0e1744
[IMP] DOCX export: use Pygments 'xcode' style for code highlighting
gru3zi Jun 11, 2026
b7b96af
[ADD] Editor: Kusto/KQL syntax highlighting + full language list in c…
gru3zi Jun 11, 2026
1da9108
[ADD] Case summary: split-pane editor; make the split editor reusable…
gru3zi Jun 11, 2026
2a9773a
[FIX] Summary editor: harden save/close + fetch error handling (CodeR…
gru3zi Jun 11, 2026
cc3f413
[IMP] DOCX export: faint light-grey code-block background + subtle bo…
gru3zi Jun 11, 2026
9bdd308
[ADD] Phase 2a-A: pycrdt-websocket Yjs collab server + auth + infra
gru3zi Jun 11, 2026
b3e445d
[ADD] Phase 2a-B: client Yjs collab wiring for notes (live co-editing)
gru3zi Jun 11, 2026
025c313
[ADD] Phase 2a-C: collab note persistence + coalesced revisions (+ se…
gru3zi Jun 11, 2026
51a1f35
[ADD] Phase 2b-1: real-time collaboration for the case summary editor
gru3zi Jun 11, 2026
5192ac7
[ADD] Phase 2b-2: collaboration presence/cursor UX (notes + summary)
gru3zi Jun 11, 2026
88d1ecb
[FIX] Split editor: restore full-height notes pane + source editable …
gru3zi Jun 11, 2026
31ba013
[FIX] Collab: joining client registers existing peers promptly (sourc…
gru3zi Jun 11, 2026
7da482a
[IMP] Collab header: quiet solo presence + remove redundant save icon
gru3zi Jun 11, 2026
42c8093
[FIX] Split editor: restore independent per-pane scrolling (bounded f…
gru3zi Jun 11, 2026
083edb3
[FIX] Split editor: source pane no longer jumps to top when typing in…
gru3zi Jun 11, 2026
c812e9f
[IMP] Summary editor: drop the redundant Save button (auto-save + clo…
gru3zi Jun 11, 2026
5b2521a
[FIX] Split editor: restore Crepe block handle (+/drag) in WYSIWYG le…
gru3zi Jun 12, 2026
c7c0905
[FIX] Split editor: prevent data loss on collab lock and tab close
Che4ter Jun 12, 2026
d8935c5
[FIX] Collab persist: audit trail, locking, error leaks, room checks
Che4ter Jun 12, 2026
2e5e10c
[IMP] Split editor: declare direct CodeMirror/Yjs dependencies
Che4ter Jun 12, 2026
6e241a5
[IMP] Extract shared collab-editor-session helpers into ui/src/lib
Che4ter Jun 12, 2026
1fdb153
[IMP] SplitEditor cleanups: withOrigin helper, bootstrap error handli…
Che4ter Jun 12, 2026
02549ab
[IMP] Narrow ImageHandler.add_picture exception handling to Rendering…
Che4ter Jun 12, 2026
53118f9
[IMP] Reusability: shared split-editor partial/helper, adopt for asse…
Che4ter Jun 12, 2026
d9a0d34
[FIX] Build: case.notes/summary/asset.js broke on bare import in non-…
Che4ter Jun 12, 2026
6d50a65
[FIX] Implement various bugfixes from code review
Che4ter Jun 16, 2026
2027971
Merge pull request #10 from baseVISION/feat/milkdown-split-editor
Che4ter Jun 16, 2026
aabe345
[ADD] Kubernetes: collab server deployment, ingress routing and helm …
Che4ter Jun 18, 2026
bc6f071
[FIX] Security: harden collab server against CSWSH, authz bypass and …
Che4ter Jun 18, 2026
9221355
[ADD] Ignore .serena/ directory
Che4ter Jun 18, 2026
df0d245
[ADD] Datastore and my profile support v2
Jun 22, 2026
15620ad
[ADD] Added missing files
Jun 22, 2026
3b645f8
[ADD] Added search on all case elements
Jun 23, 2026
33ed252
[IMP] Improved global search
Jun 23, 2026
127817c
[ADD] v2 activities endpoint with paging, scope and filters
Jun 23, 2026
17fbbcc
[IMP] Deduplicate activities within a one-minute bucket
Jun 23, 2026
d919a62
[ADD] v2 endpoints for Dim (Celery) tasks listing and detail
Jun 23, 2026
650245d
[ADD] v2 endpoints for case close and reopen
Jun 23, 2026
a09128c
[FIX] Detach alert-shared IoCs before deleting a case
Jun 23, 2026
5bea50e
[IMP] Independent open/close date bounds for case filters
Jun 23, 2026
a66ec94
[ADD] v2 endpoints for managing modules and their hooks
Jun 24, 2026
113053d
[ADD] v2 endpoints for customer contacts CRUD and embed contacts in c…
Jun 24, 2026
0581e02
[FIX] Paginated v2 envelope returns the next page number instead of a…
Jun 24, 2026
b018489
[ADD] Search query parameter on the v2 customers listing endpoint
Jun 24, 2026
41a7c53
[ADD] v2 endpoints for the Case Objects taxonomy family backed by a s…
Jun 24, 2026
454855b
[ADD] v2 CRUD endpoints for case templates accepting plain JSON bodies
Jun 24, 2026
68d64af
[ADD] v2 endpoint exposing the introspected case template schema for …
Jun 24, 2026
bfbafd8
[ADD] v2 endpoints for report templates including render-against-case…
Jun 24, 2026
0c8314d
[ADD] v2 endpoint to replace a report template's file in place via mu…
Jun 24, 2026
d560ee6
[ADD] v2 access-control endpoints covering users, groups, members, ca…
Jun 24, 2026
8cbda59
[ADD] v2 read-only endpoints for severities, TLP, alert statuses + re…
Jun 24, 2026
33a98ff
[ADD] v2 server settings endpoints with versions block, partial-updat…
Jun 24, 2026
4f8b626
[UPD] Updated dash and activities
Jun 25, 2026
6bcff7b
[FIX] Fixed GHSA-g588-5gmf-p5cx by excluding MFA secrets and webauthn…
Jun 25, 2026
a749b40
[FIX] Fixed GHSA-w78h-mx7h-qm3h by allowlisting writable fields on us…
Jun 25, 2026
9abd933
[FIX] Fixed GHSA-vjc3-7jwv-j9qf by tightening the post-login next-url…
Jun 25, 2026
30ee619
[FIX] Fixed GHSA-qhqj-8qw6-wp8v by confining datastore file ops to DA…
Jun 25, 2026
7b8cd9f
[FIX] Fixed GHSA-8hwq-v6vm-9grr by blocking alert re-attribution and …
Jun 25, 2026
2a111d3
[FIX] Sanitised HTML custom attributes via bleach and forced unsafe d…
Jun 25, 2026
9c148a3
[FIX] Moved no-cache headers into the server block and added long-liv…
Jun 25, 2026
f83151c
[DEL] Removed GraphQL surface and dependencies — GHSA-3mxh-x92q-9r25
Jun 25, 2026
bf90172
[UPD] Bumped iris-webhooks to 1.0.9 and hardened docker base images w…
Jun 25, 2026
8ef6657
[FIX] Fixed access control ordering so group access overrides custome…
Jun 25, 2026
b73472a
[ADD] Added 'neq' and 'not_like' operators to the filter condition bu…
Jun 25, 2026
200adff
[FIX] Tagged alert comment edits as 'alerts' instead of 'events' so a…
Jun 25, 2026
20dafb4
[FIX] Hardened MFA flow with session-bound user, server-side secret, …
Jun 25, 2026
aeb77ba
[ADD] Added statistics_read and custom_dashboards_{read,write,share} …
Jun 25, 2026
d8b8b04
[UPD] Folded statistics_read into custom_dashboards_read so Statistic…
Jun 25, 2026
b08635b
[ADD] Added /api/v2/dashboard/kpis with the compact KPI block for the…
Jun 25, 2026
9f55272
[ADD] Added CustomDashboard and CustomDashboardWidget models with mig…
Jun 25, 2026
05351e1
[ADD] Added custom dashboard query engine schema and named-aggregatio…
Jun 25, 2026
b1b6fb2
[ADD] Added /api/v2/custom-dashboards endpoints for CRUD render schem…
Jun 25, 2026
fb8c1c0
[ADD] Added pytest suite for custom-dashboards CRUD render system-gua…
Jun 25, 2026
4f7fc62
[FIX] Imported ac_current_user_has_permission from blueprints.access_…
Jun 25, 2026
33e343e
[FIX] Deferred get_user import in business.access_controls to break c…
Jun 25, 2026
db3b4a7
[FIX] Reconciled pre-existing custom_dashboard table by adding missin…
Jun 25, 2026
f5545dc
[FIX] Accept is_system and filters_schema in CustomDashboardSchema an…
Jun 25, 2026
a6c56af
[FIX] Dropped duplicate group-column field from seed Statistics widge…
Jun 25, 2026
1de0da7
[IMP] Returned rendered widgets grouped by section so the view page c…
Jun 25, 2026
02b26d2
[FIX] Skipped duplicate-label projection in the query engine so widge…
Jun 25, 2026
3ab8326
[ADD] Added /api/v2/me/context endpoint returning iris_version demo_m…
Jun 26, 2026
480a2c3
[ADD] Added migration that idempotently creates the saved_filters tab…
Jun 26, 2026
78a5c61
[ADD] Added /api/v2/cases-filters endpoints (list create get update d…
Jun 26, 2026
45874c1
[IMP] Made the cases filter endpoint accept a recursive group tree ({…
Jun 26, 2026
f24377b
[FIX] Enforce ownership on saved-filter PUT and DELETE in both alerts…
Jun 26, 2026
4f836c1
[FIX] Made the alembic helper functions reuse op.get_bind() instead o…
Jun 26, 2026
10c22b8
[ADD] Added avatar_blob avatar_mime and avatar_updated_at columns to …
Jun 26, 2026
9fb8f87
[ADD] Added avatar endpoints (GET users id avatar for anyone authenti…
Jun 26, 2026
096b307
[FIX] Allowed blob: in img-src CSP nginx headers so authenticated ava…
Jun 26, 2026
76e76f5
[ADD] Exposed note revisions on v2 (list get delete restore) and adde…
Jun 26, 2026
9a45f88
[ADD] v2 admin endpoints for the CustomAttribute taxonomy
Jun 26, 2026
4ecb3b1
[ADD] expose has_mini_sidebar in /me/context and a PUT /me/preference…
Jun 26, 2026
181c25a
[ADD] v2 endpoints to list other cases where an IOC or asset was prev…
Jun 26, 2026
d39de57
[ADD] Enforce MFA verification on token-authenticated endpoints with …
Jun 27, 2026
217c179
[ADD] user followed cases + multiple named timelines per case
Jun 27, 2026
7dde6a9
[ADD] war room foundation: models, ACL, REST CRUD + case attachment +…
Jun 27, 2026
68b6e85
[ADD] war room chat/tasks/notes/timelines/graph/sitreps/datastore RES…
Jun 27, 2026
664ba34
[FIX] emit war-room activity events from REST mutations (attach/detac…
Jun 27, 2026
0d0d12a
[ADD] war room chat activity_type column + inference; classify case a…
Jun 27, 2026
f2b07da
[ADD] live-merge UserActivity into war-room stream; drop chat-side ac…
Jun 27, 2026
70bd342
[REM] war room graph board (models, REST, business, migration drop)
Jun 28, 2026
c723b23
[ADD] war room: customer name on case attachments, creator/closer att…
Jun 28, 2026
b9660f6
[ADD] more war-room slash commands (/decision /assign /detach /state …
Jun 28, 2026
d36b2e3
[FIX] war-room stream: explicit error on unknown / failing slash comm…
Jun 28, 2026
5073102
[ADD] war-room cases enrich (owner/dates/state/tasks) + /people endpo…
Jun 28, 2026
ff68fc5
[REM] /whoami slash command (low signal)
Jun 28, 2026
04da4ef
[FIX] add PATCH to CORS Access-Control-Allow-Methods (war-room update…
Jun 28, 2026
ba73209
[ADD] war-room timeline event PATCH + category column + drag-between-…
Jun 28, 2026
5b50a4f
[ADD] war-room Stream threads — parent_message_id + thread_title colu…
Jun 28, 2026
5c5d203
[FIX] war-room threads support probe — use fresh engine connection, d…
Jun 28, 2026
3d8eaef
[ADD] /api/v2/cases/{id}/access/me endpoint + allow read_only access …
Jun 29, 2026
a110918
[IMP] bump postgres image to 18-alpine + add pg12→pg18 migration scri…
Jun 29, 2026
0e94185
[IMP] threads-support probe queries the column directly on a fresh co…
Jun 29, 2026
2192458
[FIX] /me/followed-cases — use CaseSchemaForAPIV2 so dashboard tile g…
Jun 29, 2026
a29703a
[REM] evtx2splunk + iris_evtx module — drop the two wheels, evtxdump_…
Jun 29, 2026
7778e11
[FIX] PG18 PGDATA path — pin to /var/lib/postgresql/data/pgdata in co…
Jun 29, 2026
f0b0d40
[ADD] pass VITE_ALLOWED_HOSTS + make ORIGIN overridable in frontend s…
Jun 29, 2026
5807a91
[FIX] api_auth — return 401 instead of 500 when token/session referen…
Jul 1, 2026
92d7082
[ADD] search — case summaries as a new searchable type in /search
Jul 1, 2026
04a082d
[FIX] cases overview — Tags filter was silently dropped; wire it via …
Jul 1, 2026
a8b0aba
[FIX] post_init — only seed default group permissions on first creati…
Jul 1, 2026
0fa2f58
[FIX] AuthorizationGroupSchema — respect partial PATCH; don't wipe gr…
Jul 1, 2026
c8b441f
[IMP] war-room sitreps — publish is a state marker only; edit and del…
Jul 1, 2026
e440917
[ADD] war-room chat — /decision, /pin, /note as thread replies; trace…
Jul 1, 2026
f0e69a2
[FIX] alembic env — restore context.begin_transaction() so migrations…
Jul 2, 2026
480a2b5
[ADD] war-room archive — archived_at/by columns, list filter, archive…
Jul 2, 2026
8394a7a
[ADD] per-user preferences — user.preferences JSONB + /users/me/prefe…
Jul 2, 2026
2e81d73
[ADD] OIDC session→JWT exchange endpoint + provider discovery fallbac…
Jul 2, 2026
133f46a
[ADD] nginx cert autodetect + reload polling, CA-bundle drop-in dir, …
Jul 2, 2026
f24da09
[ADD] docker-compose.new-ui overlay + frontend Dockerfile for the Sve…
Jul 2, 2026
a13c96d
[ADD] notification core — notification/notification_setting tables + …
Jul 2, 2026
070ca03
[ADD] incidents + investigation flows (self-conditioned, alert/incide…
Jul 2, 2026
6580548
[FIX] enforce customer-scope authorisation on incident-rules + invest…
Jul 2, 2026
b898d8e
[IMP] incidents: comments, audit trail, incident_id alert filter, inc…
Jul 2, 2026
aaf8ca0
[ADD] mail: inbound ingest + outbound send with rules engine and secr…
Jul 2, 2026
ff58138
[FIX] pg12-to-pg18 upgrade: preserve hyphens in compose project name …
Jul 2, 2026
49455df
[IMP] activity log: cover war rooms + case timelines + admin modules,…
Jul 3, 2026
86a0589
[FIX] compose: disable adapter-node BODY_SIZE_LIMIT so multi-MB avata…
Jul 3, 2026
2422741
[FIX] notifications: drop /_diag endpoint and remove UserActivity.war…
Jul 3, 2026
662252f
[ADD] on_postload hooks for war room and incidents
Jul 3, 2026
683c9e4
Merge remote-tracking branch 'upstream/develop' into sync/upstream-20…
Che4ter Jul 7, 2026
3527099
[IMP] incidents: escalate/merge to case, propagate status to alerts, …
Jul 7, 2026
883b790
[ADD] incidents: correlation graph endpoint, unlink alert/incident fr…
Jul 7, 2026
f1d8483
[ADD] collab: server-side Yjs relay, per-doc rooms, socket JWT-in-aut…
Jul 7, 2026
103a296
Fix alembic multi-head merge, WarRoom mapper crash, and CSP worker-sr…
Che4ter Jul 7, 2026
bdcdd63
Merge remote-tracking branch 'upstream/develop' into sync/upstream-20…
Che4ter Jul 7, 2026
222c3c5
Fix war room deletion 500 by setting FK to SET NULL on delete
Che4ter Jul 7, 2026
f5e6ff5
Remove duplicate code blocks left over from the upstream merge
Che4ter Jul 7, 2026
82a1b57
[FIX] nginx: grant CAP_NET_BIND_SERVICE so non-root www-data can bind…
Che4ter Jul 7, 2026
871f920
[FIX] Clean up remaining merge artifacts caught by ruff
Che4ter Jul 7, 2026
cc7f652
[FIX] reports: use f-strings instead of .format() calls
Che4ter Jul 7, 2026
0b4c80a
[FIX] collab: GFM tables in seeder + auto re-seed via seeder_version …
Jul 7, 2026
519048a
[FIX] collab: unflatten single-line GFM pipe tables from legacy imports
Jul 7, 2026
875d0b6
[FIX] nginx: don't crash at startup when the collab upstream is absent
Che4ter Jul 7, 2026
ce0895d
Merge pull request #11 from baseVISION/sync/upstream-2026-07
Che4ter Jul 7, 2026
3cf41a9
[IMP] rename Incident -> AlertCluster, IncidentRule -> ClusterRule ac…
Jul 7, 2026
13dd8d1
Fix custom_dashboard owner-delete FK violation and group_permissions …
Che4ter Jul 8, 2026
5cde105
Merge fix/dashboard-fk-and-group-permissions
Che4ter Jul 8, 2026
1d38a6a
Align 6 dependency pins with contrib/dependency-updates
Che4ter Jul 8, 2026
54a0852
Merge 3 new upstream/develop commits (AlertCluster rename, collab GFM…
Che4ter Jul 8, 2026
38c7957
Merge alembic heads after upstream sync; document test-suite stack
Che4ter Jul 8, 2026
1c93926
Merge pull request #12 from baseVISION/merge/dep-updates-into-bv-develop
Che4ter Jul 8, 2026
d393c1d
[FIX] Sanitize remaining customer-view columns and preserve raw sort/…
Che4ter Jul 8, 2026
6a5b72b
[FIX] Sanitize modification-history entries in alert history modal
Che4ter Jul 8, 2026
f05c9a6
[FIX] Sanitize alert title in asset linked-alerts popover
Che4ter Jul 8, 2026
831740d
[FIX] Align 'state' column null-guard with sibling owner/asset_type c…
Che4ter Jul 8, 2026
7c343a9
Merge pull request #13 from baseVISION/fix/customer-view-alert-saniti…
Che4ter Jul 8, 2026
6bc7d9e
[BV] Bump version to 2.5.0-bv2
Che4ter Jul 8, 2026
d59fd3e
[BV] Correct docs: bv-develop staging deploy is manually triggered, n…
Che4ter Jul 8, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
35 changes: 35 additions & 0 deletions .env.model
Original file line number Diff line number Diff line change
@@ -1,13 +1,31 @@
# -- COMMON
LOG_LEVEL=info

# -- HOSTNAME (single source of truth)
# When set, IRIS_HOSTNAME provides fallback defaults for SERVER_NAME
# (nginx), PUBLIC_EXTERNAL_API_URL / ORIGIN (SvelteKit), and
# VITE_ALLOWED_HOSTS (Vite dev). Explicit values still take precedence
# for split-hostname deployments (e.g. API on a different host than UI).
# Existing .env files that set the four vars individually keep working.
#IRIS_HOSTNAME=iris.app.dev

# -- NGINX
NGINX_IMAGE_NAME=ghcr.io/dfir-iris/iriswebapp_nginx

SERVER_NAME=iris.app.dev
# When both KEY_FILENAME and CERT_FILENAME are unset AND certbot's
# standard fullchain.pem + privkey.pem pair exist under
# ./certificates/web_certificates/, the nginx entrypoint autodetects
# them — useful for Let's Encrypt setups. See
# scripts/certbot-deploy-hook.sh for zero-copy renewals.
KEY_FILENAME=iris_dev_key.pem
CERT_FILENAME=iris_dev_cert.pem

# Nginx polls the cert file's mtime every N seconds and reloads on
# change so certbot renewals apply without a container restart. Set
# to 0 to disable if your deployment reloads nginx externally.
#IRIS_CERT_RELOAD_INTERVAL=60

# -- DATABASE
DB_IMAGE_NAME=ghcr.io/dfir-iris/iriswebapp_db

Expand Down Expand Up @@ -88,6 +106,23 @@ IRIS_AUTHENTICATION_TYPE=local
# optional mapping for usergroup-names
# OIDC_MAPPING_USERGROUP= "iris-roles" #Group field in OIDC Token
# OIDC_MAPPING_ROLES= '{"iris-admin": "1", "iris-analyst": "2"}'
# -- CUSTOM CA CERTIFICATES (Keycloak, LDAPS, webhooks, ...)
# The recommended way to trust internal CAs is to drop one or more
# *.crt / *.pem files into ./certificates/ca-bundle/ on the host —
# they are mounted at /etc/iris-ca/ inside the app and worker
# containers, and the entrypoint installs them into the OS trust
# store (update-ca-certificates) on every boot. This is ADDITIVE:
# system roots stay trusted, so no manual concatenation is needed.
#
# The legacy single-file bundle at
# ./certificates/ca-bundle/extra-ca.crt is still honoured for
# backward compatibility, as are the REQUESTS_CA_BUNDLE /
# SSL_CERT_FILE / TLS_ROOT_CA env vars (which REPLACE the default
# trust store rather than augmenting it — prefer the drop-in dir
# unless you have a reason to pin the exact bundle).
#REQUESTS_CA_BUNDLE=/etc/iris-ca/extra-ca.crt
#SSL_CERT_FILE=/etc/iris-ca/extra-ca.crt

# -- LISTENING PORT
INTERFACE_HTTPS_PORT=443

37 changes: 0 additions & 37 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -110,43 +110,6 @@ jobs:
name: iriswebapp_app
path: ${{ runner.temp }}/iriswebapp_app.tar

build-graphql-documentation:
name: Generate graphQL documentation
runs-on: ubuntu-22.04
needs:
- build-docker-db
- build-docker-nginx
- build-docker-app
steps:
- name: Download artifacts
uses: actions/download-artifact@v4
with:
pattern: iriswebapp_*
path: ${{ runner.temp }}
merge-multiple: true
- name: Load docker images
run: |
docker load --input ${{ runner.temp }}/iriswebapp_db.tar
docker load --input ${{ runner.temp }}/iriswebapp_nginx.tar
docker load --input ${{ runner.temp }}/iriswebapp_app.tar
- name: Check out iris
uses: actions/checkout@v4
- name: Start development server
run: |
cp .env.tests.model .env
docker compose --file docker-compose.dev.yml up --detach --wait
- name: Generate GraphQL documentation
run: |
npx spectaql@^3.0.2 source/spectaql/config.yml
- name: Stop development server
run: |
docker compose down
- uses: actions/upload-artifact@v4
with:
name: GraphQL DFIR-IRIS documentation
path: public
if-no-files-found: error

test-api:
name: Test API
runs-on: ubuntu-22.04
Expand Down
4 changes: 3 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -31,4 +31,6 @@ run_nv_test.py
certificates/web_certificates/*.pem
certificates/web_certificates/*.key
!certificates/web_certificates/iris_dev_*
local_dev/
local_dev/
.serena/
.tokensave
2 changes: 1 addition & 1 deletion AGENTS.md
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ The upstream project is a DFIR case-management platform (Python/Flask backend, S
| Branch | Purpose | Push rules |
|---|---|---|
| `bv-main` | Production-stable. Tagged releases deploy to AKS prod. | PR only, 1 approval + CI green |
| `bv-develop` | Integration branch. Pushes auto-deploy to AKS staging. | Direct push allowed; PR preferred |
| `bv-develop` | Integration branch. Staging (AKS) deploy is triggered manually, not automatically on push. | Direct push allowed; PR preferred |
| `origin/master` | Upstream master mirror — **never modify** | Read-only |
| `origin/develop` | Upstream develop mirror — **never modify** | Read-only |

Expand Down
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@
<p align="center">
Incident Response Investigation System
<br>
<i>Current Version v2.5.0-bv1</i>
<i>Current Version v2.5.0-bv2</i>
<br>
<a href="https://v200.beta.dfir-iris.org">Online Demonstration</a>
</p>
Expand Down
7 changes: 4 additions & 3 deletions bV-development-guide.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ upstream/develop ────────────────────
│ PR from release/ branch only
bv-develop ◄── integration branch → AKS staging
bv-develop ◄── integration branch → AKS staging (manual deploy trigger)
┌────┴────────────────────┐
▼ ▼
Expand All @@ -37,7 +37,7 @@ sync/upstream-<date> → PR to bv-develop (short-lived, delet
| Branch | Purpose | Azure DevOps trigger |
|---|---|---|
| `bv-main` | Production-stable, tagged releases | Tag `v*-bv*` → deploy AKS prod (manual approval) |
| `bv-develop` | Integration, always deployable | Push → deploy AKS staging (auto) |
| `bv-develop` | Integration, always deployable | Push → deploy AKS staging (manual trigger) |
| `origin/master` | Upstream master mirror — do not modify | None |
| `origin/develop` | Upstream develop mirror — do not modify | None |

Expand Down Expand Up @@ -160,7 +160,8 @@ Rule: **if a commit has no `[BV]` prefix, it must be clean enough to open a PR o
| Trigger | Jobs | Gate |
|---|---|---|
| PR to `bv-develop` | Build, static checks, unit tests | Auto — must pass before merge |
| Push to `bv-develop` | Build, push to ACR (`:develop` tag), deploy AKS staging | Auto |
| Push to `bv-develop` | Build, push to ACR (`:develop` tag) | Auto |
| Deploy AKS staging | Deploy latest `:develop` image | Manual trigger |
| Tag `v*-bv*` | Build, push to ACR (`:version` + `:latest` tags), deploy AKS prod | Manual approval |

### Docker image naming in ACR
Expand Down
25 changes: 25 additions & 0 deletions bV-local-dev-environment-setup.md
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,31 @@ podman compose -f docker-compose.bv.yml -p iris-bv logs -f bv-iriswebapp-app

---

## Running the test suite

`tests/*.py` talk to the app container directly on `127.0.0.1:8000` (see `API_URL` in
`tests/iris.py`), so run the stack under its own project name (`iris-test`) and only start the
services the tests need — no nginx, no frontend. Never point this project name at a real dev
stack; treat its volumes as throwaway.

Don't run this alongside a real dev stack (`iris-bv`, `iris-web-bv`, ...) — they'd collide on the
same host ports (8000/5432).

```bash
# Build and start a disposable test stack (no nginx/worker needed to exercise the REST API)
podman compose -f docker-compose.dev.yml -p iris-test up -d --build db rabbitmq app worker

# Wait for the app container to become healthy, then run the suite from the host
# (test files are named tests_*.py, not pytest's default test_*.py pattern)
cd tests
python -m unittest discover -p 'tests_*.py' -v

# Tear down completely when done — safe to delete, this project only ever holds test fixtures
podman compose -f docker-compose.dev.yml -p iris-test down -v
```

---

## Working on UI (JavaScript/Svelte) changes

The `ui/dist` folder is bind-mounted into the container at `/iriswebapp/static`, so you can
Expand Down
14 changes: 12 additions & 2 deletions deploy/kubernetes/charts/templates/ingress_route.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,12 +17,22 @@ spec:
routes:
{{- range $host := .Values.ingress.hosts }}
{{- range $path := $host.paths }}
{{- $svcName := $.Values.irisapp.name }}
{{- $svcPort := $.Values.irisapp.service.port }}
{{- if hasKey $path "serviceName" }}
{{- $svcName = $path.serviceName }}
{{- if hasKey $path "servicePort" }}
{{- $svcPort = $path.servicePort }}
{{- end }}
{{- else if hasKey $path "servicePort" }}
{{- $svcPort = $path.servicePort }}
{{- end }}
- kind: Rule
match: >
Host(`{{ $host.host }}`) && PathPrefix(`{{ $path.path }}`)
services:
- name: {{ $.Values.irisapp.name }}
port: {{ $.Values.irisapp.service.port }}
- name: {{ $svcName }}
port: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
153 changes: 153 additions & 0 deletions deploy/kubernetes/charts/templates/iris_collab.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,153 @@
{{- if .Values.iriscollab.enabled }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Values.iriscollab.name }}-pvc
annotations:
helm.sh/resource-policy: keep
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.iriscollab.pvcSize }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.iriscollab.name }}
spec:
replicas: {{ .Values.iriscollab.replicaCount }}
selector:
matchLabels:
app: {{ .Values.iriscollab.app }}
template:
metadata:
labels:
app: {{ .Values.iriscollab.app }}
spec:
securityContext:
{{- toYaml .Values.iriscollab.podSecurityContext | nindent 8 }}
containers:
- name: {{ .Values.iriscollab.name }}
securityContext:
{{- toYaml .Values.iriscollab.securityContext | nindent 12 }}
resources:
{{- toYaml .Values.iriscollab.resources | nindent 12 }}
image: "{{ .Values.iriscollab.image }}:{{ .Values.iriscollab.tag }}"
imagePullPolicy: "{{ .Values.iriscollab.imagePullPolicy }}"
command: ['uvicorn', 'app.collab_server:app', '--host', '0.0.0.0', '--port', '5001']

env:
{{- range $key := list "POSTGRES_USER" "POSTGRES_PASSWORD" "POSTGRES_ADMIN_USER" "POSTGRES_ADMIN_PASSWORD" "POSTGRES_PORT" "POSTGRES_SERVER" "IRIS_SECRET_KEY" "IRIS_SECURITY_PASSWORD_SALT" }}
- name: {{ $key }}
{{- if and (hasKey $.Values.iriscollab "envFromSecret") (has $key $.Values.iriscollab.envFromSecret.keys) }}
valueFrom:
secretKeyRef:
name: {{ $.Values.iriscollab.envFromSecret.name }}
key: {{ $key }}
{{- else }}
value: {{ index $.Values.iriscollab $key | quote }}
{{- end }}
{{- end }}

- name: IRIS_COLLAB_STORE_PATH
value: /home/iris/server_data/collab

ports:
- containerPort: 5001

readinessProbe:
httpGet:
path: /collab/healthz
port: 5001
initialDelaySeconds: 5
periodSeconds: 10

livenessProbe:
httpGet:
path: /collab/healthz
port: 5001
initialDelaySeconds: 15
periodSeconds: 30

volumeMounts:
- mountPath: /home/iris/server_data/collab
name: collab-data

volumes:
- name: collab-data
persistentVolumeClaim:
claimName: {{ .Values.iriscollab.name }}-pvc
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Values.iriscollab.name }}
labels:
app: {{ .Values.iriscollab.app }}
spec:
type: ClusterIP
ports:
- port: 5001
targetPort: 5001
selector:
app: {{ .Values.iriscollab.app }}
{{- if .Values.iriscollab.ingress.enabled }}
{{- if .Values.ingress.traefik.enabled }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ .Values.iriscollab.name }}-ingress-route
spec:
entryPoints:
- {{ .Values.ingress.traefik.entryPoint | default "web" }}
routes:
{{- range $host := .Values.ingress.hosts }}
- kind: Rule
match: >
Host(`{{ $host.host }}`) && PathPrefix(`/collab`)
services:
- name: {{ $.Values.iriscollab.name }}
port: 5001
{{- end }}
{{- else }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Values.iriscollab.name }}-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
{{- with .Values.iriscollab.ingress.customAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ingressClassName: {{ .Values.ingress.className }}
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host.host }}
http:
paths:
- path: /collab
pathType: Prefix
backend:
service:
name: {{ $.Values.iriscollab.name }}
port:
number: 5001
{{- end }}
{{- if and .Values.ingress.enableTls (gt (len .Values.ingress.tls.hosts) 0) }}
tls:
- hosts:
{{- range .Values.ingress.tls.hosts }}
- {{ . }}
{{- end }}
secretName: {{ .Values.ingress.tls.secretName }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
Loading
Loading