A hidden /admin path (not in nav) protected by a TOTP secret you enroll
by scanning a QR into Google Authenticator / Authy, then entering the
rotating 6-digit code. adminauth.py persists the secret + session key
under DATA_DIR (gitignored); the QR only renders until first successful
verification so the provisioning secret isn't perpetually exposed.
SessionMiddleware carries a 60-min admin session. This becomes the
secured control center the rest of the system gets built into.
Verified end-to-end: gate renders QR, the live code authenticates and
sets the session, the dashboard renders only with the session cookie,
a wrong code is rejected, and an unauthenticated request never leaks
the dashboard. Deps: pyotp, qrcode[pil], itsdangerous.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Three load-bearing operational pieces before any new features:
* .env.example committed, .env gitignored — per-developer API keys
(THREATFOX_AUTH_KEY, OTX_API_KEY, NVD_API_KEY) ready for the registrations
ahead; python-dotenv loads it in the venv CLI; compose picks it up via
env_file: .env on the cockpit service.
* Cockpit /api/inference-status endpoint + a topbar status chip that polls it
on page load — "model · live" green when up, "model · offline" amber when
the inference server is unreachable. No more manual checking. Compose also
gains a healthcheck on the inference service (applies on next recreate).
* New `psyc backup` command — tars the audit trail (db + sealed packages +
recipient keys + ledger + datasets) to data/backups/psyc-data-<ts>.tar.gz.
Excludes the HF model cache, mock-cert receipts, and the re-trainable
adapters — the goal is the irrecoverable evidence, not bulk artifacts.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
38 tests covering the pure worker-line logic: Classifyline rules, Routeline
TLP/country/incident-type gates, Sealine seal/unseal round-trip, Proofline
confidence scoring, Mapline CVEResolver escalation, Trainline dataset
well-posedness (the v1/v3 input-signal bugs are now regression-guarded), and
the Scoutline feed parsers. pytest added as a dev extra.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
