Main into Prod

.env-example

@@ -1,18 +1,22 @@
 # PostgreSQL
-# (Currently hardcoded in docker-compose.yaml)
+POSTGRES_USER=mlsec2
+POSTGRES_PASSWORD=mlsec2_pw
 
-# MinIO
-MINIO_ROOT_USER=minioadmin
-MINIO_ROOT_PASSWORD=minioadmin
+# MinIO Object Storage
+MINIO_ROOT_USER=mlsec2
+MINIO_ROOT_PASSWORD=mlsec2_pw
 
-# Docker Configuration
-DOCKER_GID=999
+# RabbitMQ
+RABBITMQ_USER=mlsec2
+RABBITMQ_PASSWORD=mlsec2_pw
 
 # Gateway Secret
-# (Currently hardcoded in docker-compose.yaml, could be moved here if needed)
-GATEWAY_SECRET=welovemarcus
+GATEWAY_SECRET=mlsec2_pw
+
+# Docker Configuration
+DOCKER_GID=999
 
-# VirusTotal API key (for attack similarity evaluation)
+# VirusTotal API key (for attack behavioral evaluation)
 VIRUSTOTAL_API_KEY=
 
 # Email MFA (SMTP) configuration

.github/workflows/api_ci.yaml

@@ -20,7 +20,7 @@ jobs:
           --health-retries 5
 
     env:
-      DATABASE_URL: postgresql://postgres:password123@localhost:5433/mlsec_test
+      DATABASE_URL: postgresql://mlsec2:mlsec2_pw@localhost:5433/mlsec_test
       REDIS_URL: redis://localhost:6379/0
 
     steps:
@@ -33,7 +33,7 @@ jobs:
       - name: Wait for test database readiness
         run: |
           for i in {1..30}; do
-            if docker exec test-postgres-db pg_isready -U postgres -d mlsec_test; then
+            if docker exec test-postgres-db pg_isready -U mlsec2 -d mlsec_test; then
               exit 0
             fi
             sleep 2

.github/workflows/worker_ci.yaml

@@ -9,11 +9,11 @@ jobs:
     runs-on: ubuntu-latest
 
     env:
-      DATABASE_URL: postgresql://postgres:password123@localhost:5433/mlsec_test
+      DATABASE_URL: postgresql://mlsec2:mlsec2_pw@localhost:5433/mlsec_test
       REDIS_URL: redis://localhost:6379/0
       MINIO_ENDPOINT: localhost:9000
-      MINIO_ACCESS_KEY: minioadmin
-      MINIO_SECRET_KEY: minioadmin
+      MINIO_ACCESS_KEY: mlsec2
+      MINIO_SECRET_KEY: mlsec2_pw
       CELERY_BROKER_URL: redis://localhost:6379/1
       CELERY_RESULT_BACKEND: redis://localhost:6379/2
 
@@ -39,7 +39,7 @@ jobs:
       - name: Wait for test database readiness
         run: |
           for i in {1..30}; do
-            if docker exec test-postgres-db pg_isready -U postgres -d mlsec_test; then
+            if docker exec test-postgres-db pg_isready -U mlsec2 -d mlsec_test; then
               exit 0
             fi
             sleep 2

Makefile

@@ -0,0 +1,23 @@
+.PHONY: up down build ps logs worker-count
+
+# Parse num_workers from config.yaml
+NUM_WORKERS=$(shell awk '/worker:/ {found=1} found && /num_workers:/ {print $$2; exit}' config.yaml)
+
+up:
+	@echo "Starting platform with $(NUM_WORKERS) workers..."
+	docker compose up --scale worker=$(NUM_WORKERS)
+
+down:
+	docker compose down
+
+build:
+	docker compose build
+
+ps:
+	docker compose ps
+
+logs:
+	docker compose logs -f
+
+worker-count:
+	@echo $(NUM_WORKERS)

config.yaml

@@ -1,5 +1,5 @@
 worker:
-  num_workers: 4   # number of concurrent Celery worker processes (maps to --concurrency)
+  num_workers: 4   # number of concurrent Worker containers (Total Possible Competitor Containers = num_workers*batch_size)
   defense_job:
     mem_limit: "1g"
     nano_cpus: 1000000000
@@ -8,19 +8,19 @@ worker:
     max_uncompressed_size_mb: 1024
   evaluation:
     requests_timeout_seconds: 5
-    batch_size: 4
+    batch_size: 2
     defense_max_ram: 1024        # MB - soft RAM threshold; sample marked evaded and container restarted if exceeded
     defense_max_time: 5000       # ms - per-sample time limit; exceeded = evaded
     defense_max_timeout: 20000   # ms - forced restart threshold (must be >= defense_max_time)
     defense_max_restarts: 3      # max container restarts before error state
     stats_sampling_rate: 25      # Number of samples evaluated before checking container stats again (This has a massive impact on total evaluation time)
   heuristic_validation:
-    enable_heuristic_validation: true
+    enable_heuristic_validation: false
     heurval_malware_fpr_minimum: 0.0
     heurval_malware_tpr_minimum: 0.30
     heurval_goodware_fpr_minimum: 0.0
     heurval_goodware_tpr_minimum: 0.30
-    reject_heurval_failures: true
+    reject_heurval_failures: false
   source:
     # Resource limits
     max_zip_size_mb: 512
@@ -41,9 +41,8 @@ worker:
     cleanup_pulled_images: true           # Remove pulled images after evaluation (Docker Hub sources only)
   minio:
     bucket_name: "mlsec-submissions"
-    access_key: "mlsec_minio_admin"
-    secret_key: "mlsec_minio_password_change_in_production"
   attack:
+    skip_seeding: true              # true = skip template seeding and all behavioral checks
     check_similarity: false           # false = skip evaluation, accept all validated attacks
     reject_dissimilar_attacks: false  # only applies when check_similarity=true
                                      #   true  = reject if score < minimum_attack_similarity
@@ -52,7 +51,10 @@ worker:
     max_zip_size_mb: 100
     sandbox_backend: "virustotal"    # "virustotal" | "local"
     cache_persistence_duration: 300  # seconds of inactivity before clearing the sample cache
+    cache_max_size_gb: 10            # Maximum size of local sample cache before pruning
 
 application:
   login_code: 'ABC'
+  defense_submission_cooldown: 30   # seconds between defense submissions per user; 0 = no cooldown
+  attack_submission_cooldown: 30    # seconds between attack submissions per user; 0 = no cooldown
   email_mfa_enabled: true