Oplog Redesign for v6.3.0 #844

Open
chrismaddalena wants to merge 173 commits into release/v6.3.0 from feature/oplog-redesign

@chrismaddalena
Collaborator

This change adds the following features for v6.3.0:

  • Redesigns the activity log view to be similar to a mail client
  • Adds support for uploading evidence via activity log entries
  • Adds support for linking an evidence file to log entries
  • Adds support for uploading an Asciinema terminal recording to a log entry
  • Adds GraphQL endpoints for these new actions
    • Linking an evidence file to a log entry
    • Uploading a terminal recording to a log entry
    • Downloading a terminal recording

chrismaddalena and others added 30 commits February 24, 2026 14:46
Add steps to capture and upload Django logs on failure
Implement logging and artifact upload for Django on failure
This change adds detection for subtitle placeholders to make use of them on title slides instead of trying to locate shapes by index.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Contributor

Copilot AI left a comment

Pull request overview

This PR is a broad v6.3.0 set of UX + reporting/oplog enhancements across Django, Hasura metadata, templates, and frontend code—most notably a mail-client style Oplog UI, new evidence↔oplog linking paths, and expanded assignment/status tracking for reporting work items.

Changes:

  • Redesign the Oplog entry UI into a split-pane “mail client” layout and add evidence upload/list plumbing for entries.
  • Expand reporting workflows: add observation completion status + assignment UI, enhance evidence detail pages (including linked log entries), and harden several file download/view endpoints.
  • Add/extend configuration and export robustness (default CVSS version preference, PPTX placeholder fallbacks), plus various admin/dashboard/UI refinements.

Reviewed changes

Copilot reviewed 96 out of 96 changed files in this pull request and generated 12 comments.

| File | Description |
| --- | --- |
| javascript/src/frontend/collab_forms/plain_editors/cvss.tsx | Persist CVSS version preference in localStorage and read backend default. |
| hasura-docker/metadata/databases/default/tables/public_reporting_reportobservationlink.yaml | Expose new complete field in Hasura permissions. |
| hasura-docker/metadata/databases/default/tables/public_reporting_report.yaml | Permit include_bloodhound_data on insert. |
| hasura-docker/metadata/actions.yaml | Add Hasura action metadata for linkOplogEvidence. |
| hasura-docker/metadata/actions.graphql | Add GraphQL SDL for linkOplogEvidence. |
| ghostwriter/users/views.py | Avatar download/view changes (inline option + security headers). |
| ghostwriter/users/tests/test_views.py | Tests for avatar inline vs attachment behavior and headers. |
| ghostwriter/users/templates/users/profile_form.html | Use avatar-specific preview renderer. |
| ghostwriter/users/admin.py | Add admin search fields. |
| ghostwriter/templates/index.html | Show assigned findings/observations on dashboard. |
| ghostwriter/status/templates/health_check.html | Update health-check table formatting/classes. |
| ghostwriter/static/js/project.js | Improve image preview rendering; add avatar preview. |
| ghostwriter/static/js/admin/userprofile_admin.js | Fix admin avatar “Currently” link to use correct preview URL. |
| ghostwriter/static/js/admin/template_admin.js | Fix admin template “Currently” link to custom download/view URL. |
| ghostwriter/static/js/admin/evidence_admin.js | Fix admin evidence “Currently” link to custom download/view URL. |
| ghostwriter/static/css/styles.css | Large Oplog split-pane styling + various UI tweaks/dark mode adjustments. |
| ghostwriter/static/css/base_styles.css | Adjust CSS variables (notably --ghost-white). |
| ghostwriter/shepherd/views.py | Preserve operator on history updates; change redirect anchors. |
| ghostwriter/shepherd/tests/test_views.py | Tests ensuring operator preserved after update. |
| ghostwriter/shepherd/templates/snippets/domain_history_detail_modal.html | Remove “Checked Out By” block from modal. |
| ghostwriter/shepherd/templates/snippets/client_contact_detail_modal.html | Show phone number in contact modal. |
| ghostwriter/shepherd/templates/shepherd/server_detail.html | Display operator column safely with deleted/unknown users. |
| ghostwriter/shepherd/templates/shepherd/domain_detail.html | Display operator column safely with deleted/unknown users. |
| ghostwriter/shepherd/forms_server.py | Exclude operator from server checkout form. |
| ghostwriter/shepherd/forms.py | Exclude operator from domain checkout form. |
| ghostwriter/rolodex/views.py | Optimize contact assignment; add client logo download view. |
| ghostwriter/rolodex/urls.py | Route for client logo download endpoint. |
| ghostwriter/rolodex/tests/test_views.py | Tests for primary contact behavior + client logo download. |
| ghostwriter/rolodex/tests/test_models.py | Tests for ClientContact.primary behavior. |
| ghostwriter/rolodex/tests/test_forms.py | Extend formset tests for primary contact validation/auto-selection. |
| ghostwriter/rolodex/templates/snippets/server_checkout_detail_modal.html | Use description instead of note for checkout detail. |
| ghostwriter/rolodex/templates/snippets/project_contacts_table.html | Add screen-reader-only text for primary indicator. |
| ghostwriter/rolodex/templates/rolodex/project_detail.html | Safer display for missing created_by/operator fields. |
| ghostwriter/rolodex/templates/rolodex/client_form.html | Client-side single-primary checkbox toggle helper. |
| ghostwriter/rolodex/templates/rolodex/client_detail.html | Render client logo via new download endpoint; add primary column. |
| ghostwriter/rolodex/models.py | Add primary boolean to ClientContact. |
| ghostwriter/rolodex/migrations/0060_alter_clientcontact_options_and_more.py | Migration adding ClientContact.primary. |
| ghostwriter/rolodex/forms_project.py | Enforce/auto-set primary project contact in inline formset validation. |
| ghostwriter/rolodex/forms_client.py | Enforce/auto-set primary client contact in inline formset validation. |
| ghostwriter/reporting/views2/report_observation_link.py | Observation status endpoint + assignment view; default assigned_to on blank creation. |
| ghostwriter/reporting/views2/report.py | Template download/view behavior updates + headers. |
| ghostwriter/reporting/views.py | Evidence detail enhancements + evidence download/view behavior updates + headers. |
| ghostwriter/reporting/urls.py | Add routes for observation status + assignment view. |
| ghostwriter/reporting/tests/test_views.py | Tests for CVSS default propagation, downloads inline behavior, observation status/assignment. |
| ghostwriter/reporting/tests/test_models.py | Add uploaded_by_user property test; minor formatting fix. |
| ghostwriter/reporting/tests/test_forms.py | Update factories/fields for template form tests. |
| ghostwriter/reporting/templates/snippets/report_observations_table.html | Add Owner/Status columns and dropdown actions incl. AJAX status set. |
| ghostwriter/reporting/templates/snippets/report_findings_table.html | Small UX/HTML fixes in findings table. |
| ghostwriter/reporting/templates/reporting/report_template_form.html | Guard object checks in “global default” banner. |
| ghostwriter/reporting/templates/reporting/report_observation_link_assign.html | New template for assigning an observation. |
| ghostwriter/reporting/templates/reporting/observation_detail.html | Adjust CSS class used for observation description section. |
| ghostwriter/reporting/templates/reporting/evidence_form.html | Add breadcrumbs. |
| ghostwriter/reporting/templates/reporting/evidence_detail.html | Improve preview section and show linked oplog entries. |
| ghostwriter/reporting/models.py | Template export error handling; report FK non-null; evidence helper; add observation complete. |
| ghostwriter/reporting/migrations/0065_reportobservationlink_complete.py | Migration adding ReportObservationLink.complete. |
| ghostwriter/reporting/migrations/0064_alter_report_project.py | Migration altering Report.project nullability/default handling. |
| ghostwriter/reporting/migrations/0063_set_report_field_defaults.py | SQL defaults + migration altering Report.project. |
| ghostwriter/reporting/forms.py | New assignment form; require doc_type; expand observation link form fields; robustness tweaks. |
| ghostwriter/reporting/admin.py | Improve Evidence/Template admin file links + add supporting admin JS. |
| ghostwriter/oplog/views.py | Add oplog evidence upload + evidence list endpoints; report presence flag. |
| ghostwriter/oplog/urls.py | Routes for oplog evidence upload/list endpoints. |
| ghostwriter/oplog/tests/test_views.py | Tests for oplog evidence upload/list permissions and behavior. |
| ghostwriter/oplog/tests/test_models.py | Tests for oplog evidence link model and tag side-effects. |
| ghostwriter/oplog/tests/test_forms.py | Tests for oplog evidence form behavior and validation. |
| ghostwriter/oplog/templates/oplog/snippets/oplog_evidence_form_inner.html | Crispy form inner template for evidence upload modal. |
| ghostwriter/oplog/templates/oplog/oplog_detail.html | Split-pane Oplog UI layout + evidence modal + asciinema-player includes. |
| ghostwriter/oplog/signals.py | Add/remove “evidence” tag when evidence links created/deleted. |
| ghostwriter/oplog/models.py | Add OplogEntryEvidence model linking entries to evidence. |
| ghostwriter/oplog/migrations/0020_oplogentryevidence.py | Migration creating OplogEntryEvidence. |
| ghostwriter/oplog/forms.py | Add OplogEvidenceForm for uploading evidence tied to project reports. |
| ghostwriter/oplog/consumers.py | Add websocket action for fetching a single entry (deep-link support). |
| ghostwriter/oplog/admin.py | Register OplogEntryEvidence in admin. |
| ghostwriter/modules/reportwriter/report/pptx.py | Use safer placeholder/title helpers; final slide layout selection changes. |
| ghostwriter/modules/reportwriter/project/pptx.py | Add robust placeholder/title/subtitle detection helpers + logging. |
| ghostwriter/modules/reportwriter/base/pptx.py | Remove hard-coded final layout constant. |
| ghostwriter/home/views.py | Add assigned observations in dashboard context; rename variables. |
| ghostwriter/home/tests/test_views.py | Update dashboard tests for findings + observations. |
| ghostwriter/home/tests/test_models.py | Remove avatar_url tests after model property removal. |
| ghostwriter/home/models.py | Remove avatar_url property. |
| ghostwriter/home/forms.py | Update avatar upload help text. |
| ghostwriter/home/admin.py | Add admin download link + search for profiles; admin JS hook. |
| ghostwriter/factories.py | Add factory fields for new features (primary contact, CVSS default, oplog evidence link). |
| ghostwriter/commandcenter/views.py | Include default CVSS version in collab editing context. |
| ghostwriter/commandcenter/tests/test_forms.py | Add default CVSS version field to form test harness. |
| ghostwriter/commandcenter/templates/collab_editing/attrs_snippet.html | Expose backend default CVSS version in page snippet. |
| ghostwriter/commandcenter/models.py | Add default_cvss_version to ReportConfiguration singleton. |
| ghostwriter/commandcenter/migrations/0045_reportconfiguration_default_cvss_version.py | Migration adding default CVSS version field. |
| ghostwriter/commandcenter/admin.py | Expose CVSS default setting in admin. |
| ghostwriter/api/views.py | Add Hasura action handler endpoint for linkOplogEvidence. |
| ghostwriter/api/urls.py | Route for the new Hasura action endpoint. |
| ghostwriter/api/tests/test_views.py | Update domain factory setup to include explicit statuses. |
| SECURITY.md | Update supported version policy text. |
| DOCS/features/reporting/report-types/powerpoint-deck-customization.mdx | Expand PPTX template guidance and update links/content. |
| CHANGELOG.md | Add entries for 6.2.4–6.2.7 changes related to these features/fixes. |
| .github/workflows/workflow.yml | Ignore doc-only PRs in CI and upload Django logs on failure. |

chrismaddalena requested a review from Copilot March 18, 2026 23:36
Contributor

Copilot AI left a comment

Pull request overview

This PR introduces the v6.3.0 activity log (oplog) redesign and expands file-handling capabilities across the app, including evidence uploads/linking and terminal recording support, with corresponding Hasura GraphQL actions and backend endpoints.

Changes:

  • Added oplog entry evidence + recording models, views/endpoints (UI + API/Hasura) to upload/link/download attachments.
  • Added observation assignment + “complete” status workflow, plus dashboard surfacing of assigned findings/observations.
  • Improved file serving UX (inline view option + security headers) and admin file links; enhanced PowerPoint export placeholder robustness and CVSS defaulting behavior.

Reviewed changes

Copilot reviewed 107 out of 109 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| javascript/src/frontend/collab_forms/plain_editors/cvss.tsx | Persist CVSS version preference in localStorage; default from backend config. |
| hasura-docker/metadata/databases/default/tables/tables.yaml | Registers new oplog evidence/recording tables in Hasura metadata. |
| hasura-docker/metadata/databases/default/tables/public_reporting_reportobservationlink.yaml | Exposes new complete field via Hasura permissions. |
| hasura-docker/metadata/databases/default/tables/public_reporting_report.yaml | Adds include_bloodhound_data to Hasura insert permissions. |
| hasura-docker/metadata/databases/default/tables/public_reporting_evidence.yaml | Adds reportId custom column mapping for evidence. |
| hasura-docker/metadata/databases/default/tables/public_oplog_oplogentryrecording.yaml | Adds Hasura metadata/permissions for oplog recordings. |
| hasura-docker/metadata/databases/default/tables/public_oplog_oplogentryevidence.yaml | Adds Hasura metadata/permissions for oplog evidence links. |
| hasura-docker/metadata/actions.yaml | Adds Hasura actions for linking evidence + upload/download recordings. |
| hasura-docker/metadata/actions.graphql | Defines GraphQL SDL for the new Hasura actions and response types. |
| ghostwriter/users/views.py | Adds inline avatar viewing option + content-type detection + security headers. |
| ghostwriter/users/tests/test_views.py | Adds tests for avatar inline view + security headers. |
| ghostwriter/users/templates/users/profile_form.html | Uses avatar-specific preview renderer for upload/paste. |
| ghostwriter/users/admin.py | Adds username/name/email admin search. |
| ghostwriter/templates/index.html | Adds dashboard widgets for assigned findings/observations. |
| ghostwriter/status/templates/health_check.html | Tweaks table headers/cell alignment classes. |
| ghostwriter/static/js/project.js | Hardens image preview rendering; adds avatar preview mode. |
| ghostwriter/static/js/admin/userprofile_admin.js | Fixes admin “Currently” avatar link to use authenticated download URL with view param. |
| ghostwriter/static/js/admin/template_admin.js | Fixes admin “Currently” template link to use authenticated download URL with view param. |
| ghostwriter/static/js/admin/oplog_recording_admin.js | Fixes admin “Currently” recording link to use authenticated download URL. |
| ghostwriter/static/js/admin/evidence_admin.js | Fixes admin “Currently” evidence link to use authenticated download URL with view param. |
| ghostwriter/static/css/base_styles.css | Updates --ghost-white color token. |
| ghostwriter/shepherd/views.py | Preserves operator on history updates; redirects to project detail anchor. |
| ghostwriter/shepherd/tests/test_views.py | Tests operator preservation on updates for domain/server history. |
| ghostwriter/shepherd/templates/snippets/domain_history_detail_modal.html | Removes “Checked Out By” display from modal. |
| ghostwriter/shepherd/templates/snippets/client_contact_detail_modal.html | Adds phone display with fallback message. |
| ghostwriter/shepherd/templates/shepherd/server_detail.html | Adds operator display column with deleted-user fallback. |
| ghostwriter/shepherd/templates/shepherd/domain_detail.html | Adds operator display column with deleted-user fallback. |
| ghostwriter/shepherd/forms_server.py | Excludes operator from checkout form fields. |
| ghostwriter/shepherd/forms.py | Excludes operator from checkout form fields. |
| ghostwriter/shepherd/apps.py | Updates app verbose name. |
| ghostwriter/rolodex/views.py | Adds client logo download view; improves primary contact inheritance + avoids extra DB hits. |
| ghostwriter/rolodex/urls.py | Adds route for client logo downloads. |
| ghostwriter/rolodex/tests/test_views.py | Adds tests for primary contact behavior and client logo download permissions/404. |
| ghostwriter/rolodex/tests/test_models.py | Adds tests for ClientContact.primary default/set behavior. |
| ghostwriter/rolodex/tests/test_forms.py | Expands contact formset tests to enforce exactly one primary contact. |
| ghostwriter/rolodex/templates/snippets/server_checkout_detail_modal.html | Displays description instead of note. |
| ghostwriter/rolodex/templates/snippets/project_contacts_table.html | Adds screen-reader text for primary indicator. |
| ghostwriter/rolodex/templates/rolodex/project_detail.html | Improves handling of missing report creator; displays operator info with fallbacks. |
| ghostwriter/rolodex/templates/rolodex/client_form.html | Adds JS helper to enforce a single primary checkbox selection. |
| ghostwriter/rolodex/templates/rolodex/client_detail.html | Serves client logo via authenticated endpoint; adds “Primary” column and removes phone column. |
| ghostwriter/rolodex/models.py | Adds primary boolean to ClientContact. |
| ghostwriter/rolodex/migrations/0060_alter_clientcontact_options_and_more.py | Adds DB migration for ClientContact.primary. |
| ghostwriter/rolodex/forms_project.py | Enforces/auto-sets primary contact in project contact formset. |
| ghostwriter/rolodex/forms_client.py | Enforces/auto-sets primary contact in client contact formset; adds SwitchToggle. |
| ghostwriter/rolodex/apps.py | Updates app verbose name. |
| ghostwriter/reporting/views2/report_observation_link.py | Adds observation status toggle endpoint and assignment UI/notification. |
| ghostwriter/reporting/views2/report.py | Adds inline template viewing option + content-type detection + security headers. |
| ghostwriter/reporting/views.py | Adds evidence-linked-oplog context; ensures report is in evidence templates; adds inline evidence viewing option + security headers. |
| ghostwriter/reporting/urls.py | Adds routes for observation status toggling and assignment. |
| ghostwriter/reporting/tests/test_views.py | Adds tests for CVSS default propagation, assignment defaults, inline download headers, and observation workflows. |
| ghostwriter/reporting/tests/test_models.py | Adds test for evidence uploaded_by_user convenience property. |
| ghostwriter/reporting/tests/test_forms.py | Updates template factory usage; adjusts doc_type arg naming. |
| ghostwriter/reporting/templates/snippets/report_observations_table.html | Adds owner/status columns + dropdown actions + AJAX status updates. |
| ghostwriter/reporting/templates/snippets/report_findings_table.html | Tweaks status help text and alignment; adjusts “You” display markup. |
| ghostwriter/reporting/templates/reporting/report_template_form.html | Guards default-template warning when object is null. |
| ghostwriter/reporting/templates/reporting/report_observation_link_assign.html | New template for observation assignment form. |
| ghostwriter/reporting/templates/reporting/observation_detail.html | Adjusts CSS class used for observation description container. |
| ghostwriter/reporting/templates/reporting/evidence_form.html | Adds breadcrumbs for evidence form. |
| ghostwriter/reporting/templates/reporting/evidence_detail.html | Improves evidence preview copy and adds “Linked Log Entries” section. |
| ghostwriter/reporting/models.py | Adds template/doc_type validation errors; adds evidence uploaded_by_user; adds observation complete; makes report.project non-nullable. |
| ghostwriter/reporting/migrations/0065_reportobservationlink_complete.py | Adds DB migration for ReportObservationLink.complete. |
| ghostwriter/reporting/migrations/0064_alter_report_project.py | Alters report.project FK (nullability/backfill behavior). |
| ghostwriter/reporting/migrations/0063_set_report_field_defaults.py | Sets DB defaults and alters report.project FK (nullability/backfill behavior). |
| ghostwriter/reporting/forms.py | Adds observation assignment form; enforces doc_type required; improves validation return behavior. |
| ghostwriter/reporting/admin.py | Adds admin “download/view” links for evidence/templates; adds admin JS fixes. |
| ghostwriter/oplog/views.py | Adds oplog evidence upload/link/list + recording upload/delete/download endpoints; adds context for project report existence. |
| ghostwriter/oplog/urls.py | Registers oplog evidence/recording endpoints. |
| ghostwriter/oplog/tests/test_views.py | Adds view tests for oplog evidence and recording endpoints + permissions. |
| ghostwriter/oplog/tests/test_models.py | Adds model tests for evidence links and recordings, including tag signal behavior. |
| ghostwriter/oplog/tests/test_forms.py | Adds tests for OplogEvidenceForm filtering and validation behavior. |
| ghostwriter/oplog/templates/oplog/snippets/oplog_evidence_form_inner.html | New inner template to render evidence form + toast errors for modal. |
| ghostwriter/oplog/templates/oplog/oplog_detail.html | Redesigns oplog page into split-pane UI; adds evidence upload modal and Asciinema assets. |
| ghostwriter/oplog/signals.py | Adds tag management + websocket updates for evidence links and recordings; deletes recording files on model delete. |
| ghostwriter/oplog/models.py | Adds OplogEntryEvidence + OplogEntryRecording models and upload path helper. |
| ghostwriter/oplog/migrations/0021_oplogentryrecording.py | Adds DB migration for recordings model. |
| ghostwriter/oplog/migrations/0020_oplogentryevidence.py | Adds DB migration for evidence link model. |
| ghostwriter/oplog/forms.py | Adds OplogEvidenceForm with project-scoped report selection and duplicate friendly-name validation. |
| ghostwriter/oplog/consumers.py | Adds websocket action to fetch a single entry (deep-linking). |
| ghostwriter/oplog/apps.py | Updates app verbose name. |
| ghostwriter/oplog/admin.py | Adds admin models + download links for oplog evidence/recordings; includes admin JS. |
| ghostwriter/modules/reportwriter/report/pptx.py | Uses safer placeholder/title helpers; uses last slide layout for final slide. |
| ghostwriter/modules/reportwriter/project/pptx.py | Adds robust placeholder/title/subtitle detection with fallbacks + logging. |
| ghostwriter/modules/reportwriter/base/pptx.py | Removes fixed final-slide layout constant. |
| ghostwriter/modules/custom_serializers.py | Adds recording_url field to OplogEntry serializer with safe DoesNotExist handling. |
| ghostwriter/home/views.py | Adds assigned observations to dashboard context; refactors variable naming. |
| ghostwriter/home/tests/test_views.py | Updates dashboard tests to include observations. |
| ghostwriter/home/tests/test_models.py | Removes tests for removed UserProfile.avatar_url property. |
| ghostwriter/home/models.py | Removes UserProfile.avatar_url property. |
| ghostwriter/home/forms.py | Updates avatar upload instructions to reflect circular crop behavior. |
| ghostwriter/home/admin.py | Adds avatar download link and admin JS to fix avatar file links. |
| ghostwriter/factories.py | Adds factories for oplog evidence/recording models and default CVSS config value. |
| ghostwriter/commandcenter/views.py | Passes default CVSS version into collab editing context. |
| ghostwriter/commandcenter/tests/test_forms.py | Adds default_cvss_version to ReportConfiguration form test data. |
| ghostwriter/commandcenter/templates/collab_editing/attrs_snippet.html | Emits default-cvss-version script tag for frontend. |
| ghostwriter/commandcenter/models.py | Adds ReportConfiguration.default_cvss_version. |
| ghostwriter/commandcenter/migrations/0045_reportconfiguration_default_cvss_version.py | Adds migration for default CVSS version config field. |
| ghostwriter/commandcenter/admin.py | Exposes default CVSS setting in admin. |
| ghostwriter/api/views.py | Adds Hasura action endpoints for linking evidence + uploading/downloading recordings. |
| ghostwriter/api/urls.py | Registers new Hasura action endpoints. |
| ghostwriter/api/tests/test_views.py | Adds tests for new Hasura actions and adjusts some domain factory setup. |
| ghostwriter/api/forms.py | Adds ApiOplogRecordingForm for validating .cast uploads. |
| SECURITY.md | Updates supported version statement. |
| DOCS/features/reporting/report-types/powerpoint-deck-customization.mdx | Updates PowerPoint template guidance and placeholder expectations. |
| CHANGELOG.md | Adds release notes entries for 6.2.4–6.2.7 changes. |
| .github/workflows/workflow.yml | Ignores docs-only changes for CI; uploads django logs on failure. |

Comments suppressed due to low confidence (1)

ghostwriter/reporting/templates/snippets/report_findings_table.html:175

  • Same issue as the observations table: the class attribute for the assignee/status <span>s is malformed because the closing quote (">) is inside the template conditional branches. This results in invalid markup and prevents CSS classes from applying reliably. Refactor the spans so the class value is just healthy/burned and the text is outside the attribute.
