Develop: v0.1.6

.gitignore

@@ -69,4 +69,4 @@ cmd/server/server
 
 vendor
 go.work
-go.work.sum
+go.work.sumdata/

cmd/server/handlers.go

@@ -1,7 +1,10 @@
 package main
 
 import (
+	"database/sql"
+
 	"github.com/openctemio/api/internal/app"
+	"github.com/openctemio/api/pkg/crypto"
 	"github.com/openctemio/api/internal/config"
 	"github.com/openctemio/api/internal/infra/http/handler"
 	"github.com/openctemio/api/internal/infra/http/middleware"
@@ -124,12 +127,31 @@ func NewHandlers(deps *HandlerDeps) routes.Handlers {
 		SLA: handler.NewSLAHandler(svc.SLA, v, log),
 
 		// Pentest Campaign Management
-		Pentest:                handler.NewPentestHandler(svc.Pentest, repos.User, log),
+		Pentest: func() *handler.PentestHandler {
+			h := handler.NewPentestHandler(svc.Pentest, repos.User, log)
+			h.SetImportService(app.NewFindingImportService(repos.Finding, log))
+			return h
+		}(),
 		PentestCampaignRoleQry: repos.PentestCampaignMember,
 
+		// File Attachments (shared across pentest/retest/campaign)
+		Attachment: newAttachmentHandlerWithAccessCheck(svc.Attachment, svc.Pentest, deps.DB.DB, svc.Encryptor, log),
+
 		// Compliance Framework Management
 		Compliance: handler.NewComplianceHandler(svc.Compliance, log),
 
+		// Attack Simulation & Control Testing
+		Simulation: handler.NewSimulationHandler(svc.Simulation, log),
+
+		// Threat Actor Intelligence
+		ThreatActor: handler.NewThreatActorHandler(svc.ThreatActor, log),
+
+		// Remediation Campaigns
+		RemediationCampaign: handler.NewRemediationCampaignHandler(svc.RemediationCampaign, log),
+
+		// Business Units
+		BusinessUnit: handler.NewBusinessUnitHandler(svc.BusinessUnit, log),
+
 		// API Keys & Webhooks
 		APIKey:  handler.NewAPIKeyHandler(svc.APIKey, v, log),
 		Webhook: handler.NewWebhookHandler(svc.Webhook, v, log),
@@ -242,3 +264,12 @@ func newAgentHandlerWithTemplates(
 
 	return h
 }
+
+// newAttachmentHandlerWithAccessCheck creates an AttachmentHandler with campaign
+// membership verification for finding-scoped attachments.
+func newAttachmentHandlerWithAccessCheck(attachSvc *app.AttachmentService, pentestSvc *app.PentestService, db *sql.DB, enc crypto.Encryptor, log *logger.Logger) *handler.AttachmentHandler {
+	h := handler.NewAttachmentHandler(attachSvc, log)
+	h.SetAccessChecker(pentestSvc)
+	h.SetStorageResolver(app.NewSettingsStorageResolver(db, enc, log))
+	return h
+}

cmd/server/main.go

@@ -173,6 +173,10 @@ func run() int {
 		app.WithEmailEnqueuer(emailEnqueuer),
 	)
 	services.Tenant.SetPermissionServices(services.PermCache, services.PermVersion)
+	// Re-wire session service after rebuilding the tenant service —
+	// the constructor above replaces services.Tenant, dropping the
+	// SetSessionService call from initServices().
+	services.Tenant.SetSessionService(services.Session)
 
 	// Wire AI triage job enqueuer if service is enabled
 	if services.AITriage != nil {
@@ -222,7 +226,7 @@ func run() int {
 	}
 
 	server := http.NewServer(cfg, log)
-	routes.Register(server.Router(), handlers, cfg, log, authCfg, repos.Tenant, services.User)
+	routes.Register(server.Router(), handlers, cfg, log, authCfg, repos.Tenant, services.User, services.MembershipCache)
 
 	// Handle --routes flag
 	if *showRoutes {

cmd/server/repositories.go

@@ -53,12 +53,28 @@ type Repositories struct {
 	PentestTemplate  *postgres.PentestTemplateRepository
 	PentestReport    *postgres.PentestReportRepository
 
+	// Attachments (file upload metadata)
+	Attachment *postgres.AttachmentRepository
+
 	// Compliance
 	ComplianceFramework  *postgres.ComplianceFrameworkRepository
 	ComplianceControl    *postgres.ComplianceControlRepository
 	ComplianceAssessment *postgres.ComplianceAssessmentRepository
 	ComplianceMapping    *postgres.ComplianceMappingRepository
 
+	// Attack Simulation & Control Testing
+	Simulation  *postgres.SimulationRepository
+	ControlTest *postgres.ControlTestRepository
+
+	// Threat Actor Intelligence
+	ThreatActor *postgres.ThreatActorRepository
+
+	// Remediation Campaigns
+	RemediationCampaign *postgres.RemediationCampaignRepository
+
+	// Business Units
+	BusinessUnit *postgres.BusinessUnitRepository
+
 	// SLA & Integration
 	SLA                        *postgres.SLAPolicyRepository
 	Integration                *postgres.IntegrationRepository
@@ -183,12 +199,28 @@ func NewRepositories(db *postgres.DB) *Repositories {
 		PentestTemplate: postgres.NewPentestTemplateRepository(db),
 		PentestReport:   postgres.NewPentestReportRepository(db),
 
+		// Attachments
+		Attachment: postgres.NewAttachmentRepository(db),
+
 		// Compliance
 		ComplianceFramework:  postgres.NewComplianceFrameworkRepository(db),
 		ComplianceControl:    postgres.NewComplianceControlRepository(db),
 		ComplianceAssessment: postgres.NewComplianceAssessmentRepository(db),
 		ComplianceMapping:    postgres.NewComplianceMappingRepository(db),
 
+		// Attack Simulation & Control Testing
+		Simulation:  postgres.NewSimulationRepository(db),
+		ControlTest: postgres.NewControlTestRepository(db),
+
+		// Threat Actor Intelligence
+		ThreatActor: postgres.NewThreatActorRepository(db),
+
+		// Remediation Campaigns
+		RemediationCampaign: postgres.NewRemediationCampaignRepository(db),
+
+		// Business Units
+		BusinessUnit: postgres.NewBusinessUnitRepository(db),
+
 		SLA:         postgres.NewSLAPolicyRepository(db),
 		Integration: postgres.NewIntegrationRepository(db),
 		// IntegrationSCMExt and IntegrationNotificationExt initialized after Integration

cmd/server/services.go

@@ -13,7 +13,9 @@ import (
 	"github.com/openctemio/api/internal/infra/jobs"
 	"github.com/openctemio/api/internal/infra/llm"
 	"github.com/openctemio/api/internal/infra/redis"
+	"github.com/openctemio/api/internal/infra/storage"
 	"github.com/openctemio/api/internal/infra/websocket"
+	"github.com/openctemio/api/pkg/domain/attachment"
 	"github.com/openctemio/api/pkg/crypto"
 	"github.com/openctemio/api/pkg/domain/suppression"
 	"github.com/openctemio/api/pkg/email"
@@ -120,18 +122,39 @@ type Services struct {
 	PermVersion *app.PermissionVersionService
 	PermCache   *app.PermissionCacheService
 
+	// Membership cache (Redis-backed wrapper around tenant.Repository
+	// .GetMembership). Read by RequireMembership +
+	// RequireActiveMembershipFromJWT middlewares so the membership
+	// status check on every tenant-scoped request becomes a Redis GET
+	// instead of a DB round trip. Invalidated by TenantService when
+	// role / status / membership rows change.
+	MembershipCache *app.MembershipCacheService
+
 	// Module Service (OSS - all modules enabled, UI metadata only)
 	Module *app.ModuleService
 
 	// SLA
 	SLA *app.SLAService
 
 	// Pentest
-	Pentest *app.PentestService
+	Pentest    *app.PentestService
+	Attachment *app.AttachmentService
 
 	// Compliance
 	Compliance *app.ComplianceService
 
+	// Attack Simulation & Control Testing
+	Simulation *app.SimulationService
+
+	// Threat Actor Intelligence
+	ThreatActor *app.ThreatActorService
+
+	// Remediation Campaigns
+	RemediationCampaign *app.RemediationCampaignService
+
+	// Business Units
+	BusinessUnit *app.BusinessUnitService
+
 	// API Keys & Webhooks
 	APIKey  *app.APIKeyService
 	Webhook *app.WebhookService
@@ -258,9 +281,52 @@ func NewServices(deps *ServiceDeps) (*Services, error) {
 	// Wire unified finding repository for CTEM integration (pentest findings → findings table)
 	s.Pentest.SetUnifiedFindingRepository(repos.Finding)
 	s.Pentest.SetCampaignMemberRepository(repos.PentestCampaignMember)
+	s.Pentest.SetAuditService(s.Audit)                    // audit logging for team changes + status changes
+	s.Pentest.SetFindingActivityService(s.FindingActivity) // finding activity trail
 	// Note: Pentest notification wiring happens later after NotificationService is initialized
 
+	// Initialize Attachment service (file upload/download).
+	// Storage provider selected via STORAGE_PROVIDER env var (default: "local").
+	// Local path configurable via STORAGE_LOCAL_PATH (default: ./data/attachments).
+	// In Docker: mount a volume at the local path to persist across rebuilds.
+	var fileStorage attachment.FileStorage
+	switch cfg.Storage.Provider {
+	case "local", "":
+		storagePath := cfg.Storage.LocalPath
+		if storagePath == "" {
+			storagePath = "./data/attachments"
+		}
+		fileStorage = storage.NewLocalStorage(storagePath)
+		log.Info("attachment storage: local filesystem", "path", storagePath)
+	default:
+		// Future: case "s3", "minio", "gcs" → initialize respective provider
+		log.Warn("unsupported storage provider, falling back to local", "provider", cfg.Storage.Provider)
+		fileStorage = storage.NewLocalStorage("./data/attachments")
+	}
+	s.Attachment = app.NewAttachmentService(repos.Attachment, fileStorage, log)
+	// Wire per-tenant storage resolution (tenants can configure S3/MinIO in settings)
+	storageResolver := app.NewSettingsStorageResolver(deps.DB, s.Encryptor, log)
+	s.Attachment.SetTenantStorageResolver(storageResolver, func(cfg attachment.StorageConfig) (attachment.FileStorage, error) {
+		switch cfg.Provider {
+		case "local":
+			basePath := cfg.BasePath
+			if basePath == "" {
+				basePath = "./data/attachments"
+			}
+			return storage.NewLocalStorage(basePath), nil
+		case "s3", "minio":
+			return storage.NewS3Storage(cfg.Bucket, cfg.Region, cfg.Endpoint, cfg.AccessKey, cfg.SecretKey)
+		default:
+			return nil, fmt.Errorf("unsupported tenant storage provider: %s", cfg.Provider)
+		}
+	})
+
 	// Initialize Compliance service
+	s.Simulation = app.NewSimulationService(repos.Simulation, repos.ControlTest, log)
+	s.ThreatActor = app.NewThreatActorService(repos.ThreatActor, log)
+	s.RemediationCampaign = app.NewRemediationCampaignService(repos.RemediationCampaign, log)
+	s.BusinessUnit = app.NewBusinessUnitService(repos.BusinessUnit, log)
+
 	s.Compliance = app.NewComplianceService(
 		repos.ComplianceFramework, repos.ComplianceControl,
 		repos.ComplianceAssessment, repos.ComplianceMapping, log,
@@ -508,6 +574,14 @@ func NewServices(deps *ServiceDeps) (*Services, error) {
 		return nil, fmt.Errorf("failed to initialize permission cache service: %w", err)
 	}
 
+	// Initialize membership cache. Hard error if Redis is unreachable
+	// at boot — without this cache the RequireMembership middleware
+	// hammers the database on every request.
+	s.MembershipCache, err = app.NewMembershipCacheService(deps.RedisClient, repos.Tenant, log)
+	if err != nil {
+		return nil, fmt.Errorf("failed to initialize membership cache service: %w", err)
+	}
+
 	s.Role = app.NewRoleService(repos.Role, repos.RolePermission, log,
 		app.WithRoleAuditService(s.Audit),
 		app.WithRolePermissionVersionService(s.PermVersion),
@@ -517,6 +591,10 @@ func NewServices(deps *ServiceDeps) (*Services, error) {
 	// Wire permission services to tenant service
 	s.Tenant.SetPermissionServices(s.PermCache, s.PermVersion)
 
+	// Wire membership cache so mutations (suspend / reactivate / role
+	// change / member removal) can drop the cached entry immediately.
+	s.Tenant.SetMembershipCache(s.MembershipCache)
+
 	// Initialize licensing service (OSS edition - modules from database)
 	s.Module = app.NewModuleService(repos.Module, log)
 	s.Module.SetTenantModuleRepo(repos.TenantModule)
@@ -592,6 +670,12 @@ func (s *Services) InitAuthServices(cfg *config.Config, repos *Repositories, log
 	// Wire session service to user service for session revocation on suspension
 	s.User.SetSessionService(s.Session)
 
+	// Wire session service to tenant service so SuspendMember can revoke
+	// all sessions of a suspended user immediately. Without this, the
+	// user's existing JWT continues to work on JWT-claim-scoped routes
+	// (e.g. /api/v1/me/*, /api/v1/notifications) until it expires.
+	s.Tenant.SetSessionService(s.Session)
+
 	// Initialize SSO service for per-tenant identity provider authentication
 	s.SSO = app.NewSSOService(
 		repos.IdentityProvider,
@@ -630,11 +714,12 @@ func (s *Services) InitEmailServices(cfg *config.Config, log *logger.Logger) err
 	return nil
 }
 
-// SetEmailEnqueuer sets the email job enqueuer.
-func (s *Services) SetEmailEnqueuer(enqueuer app.EmailJobEnqueuer) {
-	s.EmailEnqueue = enqueuer
-	s.Tenant = app.NewTenantService(nil, nil, app.WithEmailEnqueuer(enqueuer))
-}
+// Note: SetEmailEnqueuer was removed. The previous implementation
+// rebuilt s.Tenant with `app.NewTenantService(nil, nil, ...)`, which
+// dropped the repo and the logger and would panic on any subsequent
+// call. The actual wiring of the email enqueuer happens in main.go
+// where it can also re-attach the permission and session services
+// after the tenant service is reconstructed.
 
 // initEncryptor initializes the credentials encryptor.
 func initEncryptor(cfg *config.Config, log *logger.Logger) (crypto.Encryptor, error) {