From 65c34c3374f24c1f68db339bacd15fd390f79df9 Mon Sep 17 00:00:00 2001 From: kitos Date: Fri, 29 May 2026 16:21:06 +0200 Subject: [PATCH] fix(rt-import): require Blue Lead validation before coverage counts RT tests are created in 'in_review' state (not validated): - red_validation_status = 'approved' (RT confirmed execution) - blue_validation_status = null (pending Blue Lead review) - detection_result is pre-filled from the import JSON Blue Lead sees these in their normal validation queue and confirms or rejects the detection result. Only after Blue Lead approval does the technique coverage update to validated/not_covered/partial. This gives Blue Lead oversight over RT findings rather than auto- accepting external engagement results as ground truth. --- backend/app/routers/tests.py | 15 ++++++++------- frontend/src/pages/ImportRTPage.tsx | 5 +++-- 2 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/backend/app/routers/tests.py b/backend/app/routers/tests.py
index 0739791..3fc689b 100644
--- a/backend/app/routers/tests.py
+++ b/backend/app/routers/tests.py
@@ -820,7 +820,9 @@ def import_rt(
 parts.append(f"\n{entry.notes}")
 red_summary_text = "\n".join(parts)
- # Create Test directly in validated state
+ # RT pre-validates the Red side (they ran it), but Blue Lead
+ # must still validate the detection result before it counts.
+ # State = in_review so it appears in the Blue Lead's validation queue.
 test = Test(
 technique_id=technique.id,
 name=test_name,
@@ -828,18 +830,17 @@ def import_rt(
 platform=entry.platform,
 procedure_text=entry.notes,
 created_by=current_user.id,
- state=TestState.validated,
- # Red team fields
+ state=TestState.in_review,
+ # Red team — approved by the RT operator
 attack_success=entry.attack_success,
 red_summary=red_summary_text,
 red_validation_status="approved",
 red_validated_by=current_user.id,
 red_validated_at=datetime.utcnow(),
- # Blue team fields
+ # Blue team — pre-fill the detection result but leave
+ # validation_status pending so Blue Lead must confirm
 detection_result=detection_result,
- blue_validation_status="approved",
- blue_validated_by=current_user.id,
- blue_validated_at=datetime.utcnow(),
+ blue_validation_status=None,
 # Timing
 execution_date=exec_date_str,
 created_at=datetime.utcnow(),
diff --git a/frontend/src/pages/ImportRTPage.tsx b/frontend/src/pages/ImportRTPage.tsx
index c16587c..3a364da 100644
--- a/frontend/src/pages/ImportRTPage.tsx
+++ b/frontend/src/pages/ImportRTPage.tsx
@@ -145,8 +145,9 @@ export default function ImportRTPage() { Import Red Team Results
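Review bot: The separation of duties this commit introduces only holds if the importer cannot also be the Blue validator, and nothing in this hunk enforces either half: `red_validation_status="approved"` / `red_validated_by=current_user.id` still self-approve the red side for whoever calls the endpoint, and the role gate on `import_rt` (the function starts and ends outside this hunk) is not visible. If a Blue Lead can reach the import endpoint, they can upload a pre-filled `detection_result` and then approve it themselves, which is exactly the auto-accept the commit is trying to remove. I'd add a role check at the top of `import_rt` using the project's existing role dependency, and have whichever handler sets `blue_validation_status` reject `current_user.id == test.red_validated_by`. A comment at `red_validation_status="approved"` should state the trust assumption, e.g. `# Red side is trusted only because this endpoint is restricted to RT-role users; Blue Lead still validates below`, once that restriction is confirmed. Note also that `blue_validated_by` / `blue_validated_at` are now left to the model defaults rather than set explicitly — fine if they default to None, but a `# blue_validated_by/at stay unset until Blue Lead approves` line would make the asymmetry with the red fields read as intended.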

- Upload findings from a real Red Team engagement. Each technique becomes a validated test
- with its detection result, maintaining full coverage history.
+ Upload findings from a real Red Team engagement. Each technique creates a test in
+ In Review state — Red side is pre-approved by the RT,
+ Blue Lead must still validate the detection result before it counts as coverage.