souleyez 2.28.0__py3-none-any.whl → 2.32.0__py3-none-any.whl

souleyez/__init__.py

@@ -1 +1 @@
-__version__ = '2.28.0'
+__version__ = '2.32.0'

souleyez/core/tool_chaining.py

@@ -1759,6 +1759,20 @@ class ToolChaining:
             )
         )
 
+        # Database Admin → SQLMap (gentler settings for phpMyAdmin/Adminer)
+        # These panels are slow and easily overwhelmed - use single thread and basic tests
+        self.rules.append(
+            ChainRule(
+                trigger_tool='gobuster',
+                trigger_condition='category:database_admin',
+                target_tool='sqlmap',
+                priority=6,  # Lower priority than CVE/exploit scans
+                args_template=['-u', '{target}', '--batch', '--forms', '--threads=1', '--time-sec=10',
+                              '--level=1', '--risk=1', '--technique=BEU', '--timeout=30'],
+                description='Database admin panel detected, testing login form for SQL injection (low intensity)'
+            )
+        )
+
         # WordPress → WPScan enumeration
         self.rules.append(
             ChainRule(
@@ -5017,6 +5031,7 @@ class ToolChaining:
                     label=f"Auto-retry: gobuster (wildcard {exclude_length}b)",
                     engagement_id=engagement_id,
                     parent_id=job.get('id'),
+                    reason=f"Auto-triggered by gobuster: Wildcard response detected, retrying with --exclude-length {exclude_length}",
                     metadata={'retry_attempt': 1, 'retry_parent_job_id': job.get('id')}
                 )
 
@@ -5116,7 +5131,8 @@ class ToolChaining:
                                 args=sqlmap_args,
                                 label=f"Auto-chain: SQLMap testing {endpoint_url}",
                                 engagement_id=engagement_id,
-                                parent_id=job.get('id')
+                                parent_id=job.get('id'),
+                                reason=f"Auto-triggered by ffuf: Database/dynamic endpoint detected ({status_code} response)"
                             )
 
                             job_ids.append(sqlmap_job_id)
@@ -5144,6 +5160,7 @@ class ToolChaining:
                                 label=f"Auto-chain: ffuf recursive {endpoint_url}",
                                 engagement_id=engagement_id,
                                 parent_id=job.get('id'),
+                                reason=f"Auto-triggered by ffuf: {status_code} response suggests deeper path, fuzzing recursively",
                                 metadata={'ffuf_depth': current_depth + 1}
                             )
 
@@ -5367,7 +5384,8 @@ class ToolChaining:
                         args=['-m', '18200', '-a', '0', 'data/wordlists/top100.txt'],
                         label='CRACK_ASREP',
                         engagement_id=engagement_id,
-                        parent_id=job.get('id')
+                        parent_id=job.get('id'),
+                        reason="Auto-triggered by impacket-getnpusers: AS-REP hash extracted, attempting to crack"
                     )
 
                     job_ids.append(job_id)
@@ -5412,7 +5430,8 @@ class ToolChaining:
                         args=['-m', '1000', '-a', '0', 'data/wordlists/top100.txt'],
                         label='CRACK_NTLM',
                         engagement_id=engagement_id,
-                        parent_id=job.get('id')
+                        parent_id=job.get('id'),
+                        reason="Auto-triggered by impacket-secretsdump: NTLM hash extracted, attempting to crack"
                     )
 
                     job_ids.append(job_id)
@@ -5452,7 +5471,8 @@ class ToolChaining:
                             args=[cred_str],
                             label='EXTRACT_CREDS',
                             engagement_id=engagement_id,
-                            parent_id=job.get('id')
+                            parent_id=job.get('id'),
+                            reason="Auto-triggered by hydra: Valid credentials found, attempting to extract domain secrets"
                         )
 
                         job_ids.append(job_id)

souleyez/docs/README.md

@@ -1,6 +1,6 @@
 # SoulEyez Documentation
 
-**Version:** 2.28.0
+**Version:** 2.32.0
 **Last Updated:** January 9, 2026
 **Organization:** CyberSoul Security
 

souleyez/integrations/wazuh/config.py

@@ -22,10 +22,14 @@ class WazuhConfig:
     """
 
     @staticmethod
-    def get_config(engagement_id: int) -> Optional[Dict[str, Any]]:
+    def get_config(engagement_id: int, siem_type: str = None) -> Optional[Dict[str, Any]]:
         """
         Get SIEM config for an engagement.
 
+        Args:
+            engagement_id: Engagement ID
+            siem_type: Optional SIEM type to filter by. If None, returns first/active config.
+
         Returns:
             Config dict or None if not configured
         """
@@ -33,19 +37,31 @@ class WazuhConfig:
         conn = db.get_connection()
         cursor = conn.cursor()
 
-        # Check if new columns exist (migration 025)
+        # Check if new columns exist (migration 025+)
         cursor.execute("PRAGMA table_info(wazuh_config)")
         columns = [col[1] for col in cursor.fetchall()]
         has_new_columns = 'siem_type' in columns
 
         # Query with or without new columns
         if has_new_columns:
-            cursor.execute("""
-                SELECT api_url, api_user, api_password, indexer_url, indexer_user,
-                       indexer_password, verify_ssl, enabled, siem_type, config_json
-                FROM wazuh_config
-                WHERE engagement_id = ?
-            """, (engagement_id,))
+            if siem_type:
+                cursor.execute("""
+                    SELECT api_url, api_user, api_password, indexer_url, indexer_user,
+                           indexer_password, verify_ssl, enabled, siem_type, config_json
+                    FROM wazuh_config
+                    WHERE engagement_id = ? AND siem_type = ?
+                """, (engagement_id, siem_type))
+            else:
+                # Get most recently updated config (the "current" selected SIEM)
+                # Not filtering by enabled - user may have selected but not configured yet
+                cursor.execute("""
+                    SELECT api_url, api_user, api_password, indexer_url, indexer_user,
+                           indexer_password, verify_ssl, enabled, siem_type, config_json
+                    FROM wazuh_config
+                    WHERE engagement_id = ?
+                    ORDER BY updated_at DESC
+                    LIMIT 1
+                """, (engagement_id,))
         else:
             cursor.execute("""
                 SELECT api_url, api_user, api_password, indexer_url, indexer_user,
@@ -190,7 +206,7 @@ class WazuhConfig:
                 pass
             config_json_str = json.dumps(encrypted_config)
 
-        # Upsert config
+        # Upsert config - keyed by (engagement_id, siem_type) for multi-SIEM support
         cursor.execute("""
             INSERT INTO wazuh_config (
                 engagement_id, api_url, api_user, api_password, indexer_url,
@@ -198,7 +214,7 @@ class WazuhConfig:
                 siem_type, config_json
             )
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-            ON CONFLICT(engagement_id) DO UPDATE SET
+            ON CONFLICT(engagement_id, siem_type) DO UPDATE SET
                 api_url = excluded.api_url,
                 api_user = excluded.api_user,
                 api_password = excluded.api_password,
@@ -207,8 +223,8 @@ class WazuhConfig:
                 indexer_password = excluded.indexer_password,
                 verify_ssl = excluded.verify_ssl,
                 enabled = excluded.enabled,
-                siem_type = excluded.siem_type,
-                config_json = excluded.config_json
+                config_json = excluded.config_json,
+                updated_at = CURRENT_TIMESTAMP
         """, (
             engagement_id, api_url, api_user, encrypted_api_password,
             indexer_url, indexer_user or 'admin', encrypted_indexer_password,
@@ -262,17 +278,124 @@ class WazuhConfig:
             )
 
     @staticmethod
-    def delete_config(engagement_id: int) -> bool:
-        """Delete Wazuh config for an engagement."""
+    def delete_config(engagement_id: int, siem_type: str = None) -> bool:
+        """
+        Delete SIEM config for an engagement.
+
+        Args:
+            engagement_id: Engagement ID
+            siem_type: Optional SIEM type. If None, deletes ALL SIEM configs for engagement.
+        """
         db = get_db()
         conn = db.get_connection()
         cursor = conn.cursor()
-        cursor.execute("DELETE FROM wazuh_config WHERE engagement_id = ?", (engagement_id,))
+        if siem_type:
+            cursor.execute(
+                "DELETE FROM wazuh_config WHERE engagement_id = ? AND siem_type = ?",
+                (engagement_id, siem_type)
+            )
+        else:
+            cursor.execute("DELETE FROM wazuh_config WHERE engagement_id = ?", (engagement_id,))
         conn.commit()
         return cursor.rowcount > 0
 
     @staticmethod
-    def is_configured(engagement_id: int) -> bool:
-        """Check if Wazuh is configured for an engagement."""
-        config = WazuhConfig.get_config(engagement_id)
+    def is_configured(engagement_id: int, siem_type: str = None) -> bool:
+        """Check if SIEM is configured for an engagement."""
+        config = WazuhConfig.get_config(engagement_id, siem_type)
         return config is not None and config.get("enabled", False)
+
+    @staticmethod
+    def list_configured_siems(engagement_id: int) -> List[Dict[str, Any]]:
+        """
+        List all configured SIEMs for an engagement.
+
+        Returns:
+            List of dicts with siem_type, enabled, and api_url for each configured SIEM
+        """
+        db = get_db()
+        conn = db.get_connection()
+        cursor = conn.cursor()
+
+        cursor.execute("PRAGMA table_info(wazuh_config)")
+        columns = [col[1] for col in cursor.fetchall()]
+
+        if 'siem_type' not in columns:
+            # Old schema - only one config possible
+            cursor.execute("""
+                SELECT 'wazuh' as siem_type, enabled, api_url
+                FROM wazuh_config
+                WHERE engagement_id = ?
+            """, (engagement_id,))
+        else:
+            cursor.execute("""
+                SELECT siem_type, enabled, api_url, updated_at
+                FROM wazuh_config
+                WHERE engagement_id = ?
+                ORDER BY siem_type
+            """, (engagement_id,))
+
+        rows = cursor.fetchall()
+        return [
+            {
+                'siem_type': row[0],
+                'enabled': bool(row[1]),
+                'api_url': row[2],
+                'updated_at': row[3] if len(row) > 3 else None
+            }
+            for row in rows
+        ]
+
+    @staticmethod
+    def get_all_configs(engagement_id: int) -> Dict[str, Dict[str, Any]]:
+        """
+        Get all SIEM configs for an engagement, keyed by siem_type.
+
+        Returns:
+            Dict mapping siem_type to config dict
+        """
+        configs = {}
+        for siem in SIEM_TYPES:
+            config = WazuhConfig.get_config(engagement_id, siem)
+            if config:
+                configs[siem] = config
+        return configs
+
+    @staticmethod
+    def get_current_siem_type(engagement_id: int) -> str:
+        """
+        Get the currently selected SIEM type for an engagement.
+
+        Returns the most recently selected SIEM type, even if not fully configured.
+
+        Returns:
+            SIEM type string ('wazuh', 'splunk', etc.) or 'wazuh' as default
+        """
+        config = WazuhConfig.get_config(engagement_id)
+        if config:
+            return config.get('siem_type', 'wazuh')
+        return 'wazuh'
+
+    @staticmethod
+    def set_current_siem(engagement_id: int, siem_type: str) -> bool:
+        """
+        Set a SIEM type as current by updating its timestamp.
+
+        This makes the specified SIEM the "active" one without changing its config.
+
+        Args:
+            engagement_id: Engagement ID
+            siem_type: SIEM type to make current
+
+        Returns:
+            True if successful
+        """
+        db = get_db()
+        conn = db.get_connection()
+        cursor = conn.cursor()
+        cursor.execute(
+            "UPDATE wazuh_config SET updated_at = CURRENT_TIMESTAMP WHERE engagement_id = ? AND siem_type = ?",
+            (engagement_id, siem_type)
+        )
+        conn.commit()
+        return cursor.rowcount > 0

souleyez/main.py

@@ -173,7 +173,7 @@ def _check_privileged_tools():
 
 
 @click.group()
-@click.version_option(version='2.28.0')
+@click.version_option(version='2.32.0')
 def cli():
     """SoulEyez - AI-Powered Pentesting Platform by CyberSoul Security"""
     from souleyez.log_config import init_logging

souleyez/storage/database.py

@@ -31,7 +31,7 @@ class Database:
                 os.makedirs(db_dir, exist_ok=True)
 
             conn = sqlite3.connect(self.db_path, timeout=30.0)
-            
+
             # Set secure permissions (owner read/write only)
             os.chmod(self.db_path, 0o600)
             conn.row_factory = sqlite3.Row
@@ -46,7 +46,44 @@ class Database:
                 "foreign_keys": True
             })
 
+            # Check if this is an existing database (has tables)
+            cursor = conn.execute(
+                "SELECT name FROM sqlite_master WHERE type='table' AND name='engagements'"
+            )
+            is_existing_db = cursor.fetchone() is not None
+            conn.close()
+
+            # For EXISTING databases: Run migrations FIRST
+            # This ensures new columns exist before schema.sql tries to create indexes on them
+            if is_existing_db:
+                try:
+                    from .migrations.migration_manager import MigrationManager
+                    manager = MigrationManager(self.db_path)
+                    pending = manager.get_pending_migrations()
+                    if pending:
+                        logger.info("Running pending migrations for existing database", extra={
+                            "pending_count": len(pending)
+                        })
+                        manager.migrate()
+                        logger.info("Migrations completed successfully", extra={
+                            "count": len(pending)
+                        })
+                except Exception as migration_error:
+                    logger.error("Failed to run migrations on existing database", extra={
+                        "error": str(migration_error),
+                        "error_type": type(migration_error).__name__,
+                        "traceback": traceback.format_exc()
+                    })
+                    raise  # Don't continue if migrations fail for existing DB
+
+            # Reconnect for schema loading
+            conn = sqlite3.connect(self.db_path, timeout=30.0)
+            conn.row_factory = sqlite3.Row
+            conn.execute("PRAGMA foreign_keys = ON")
+
             # Load and execute schema from the same directory as this file
+            # For fresh DBs: Creates all tables with current schema
+            # For existing DBs: CREATE TABLE IF NOT EXISTS is no-op, but ensures new tables/indexes
             schema_path = Path(__file__).parent / "schema.sql"
 
             if schema_path.exists():
@@ -228,26 +265,28 @@ class Database:
 
             conn.commit()
             conn.close()
-            
-            # Run pending migrations after schema.sql loads
-            try:
-                from .migrations.migration_manager import MigrationManager
-                manager = MigrationManager(self.db_path)
-                pending = manager.get_pending_migrations()
-                if pending:
-                    logger.info("Running pending migrations for fresh database", extra={
-                        "pending_count": len(pending)
-                    })
-                    manager.migrate()
-                    logger.info("Migrations completed successfully", extra={
-                        "count": len(pending)
+
+            # For FRESH databases: Run migrations after schema.sql loads
+            # (Existing DBs already had migrations run before schema.sql)
+            if not is_existing_db:
+                try:
+                    from .migrations.migration_manager import MigrationManager
+                    manager = MigrationManager(self.db_path)
+                    pending = manager.get_pending_migrations()
+                    if pending:
+                        logger.info("Running pending migrations for fresh database", extra={
+                            "pending_count": len(pending)
+                        })
+                        manager.migrate()
+                        logger.info("Migrations completed successfully", extra={
+                            "count": len(pending)
+                        })
+                except Exception as migration_error:
+                    logger.error("Failed to run migrations", extra={
+                        "error": str(migration_error),
+                        "error_type": type(migration_error).__name__,
+                        "traceback": traceback.format_exc()
                     })
-            except Exception as migration_error:
-                logger.error("Failed to run migrations", extra={
-                    "error": str(migration_error),
-                    "error_type": type(migration_error).__name__,
-                    "traceback": traceback.format_exc()
-                })
 
         except Exception as e:
             logger.error("Database initialization failed", extra={

souleyez/storage/migrations/_027_multi_siem_persistence.py

@@ -0,0 +1,119 @@
+"""
+Migration 027: Multi-SIEM Persistence
+
+Changes wazuh_config table to support multiple SIEM configs per engagement.
+- Removes UNIQUE constraint on engagement_id
+- Adds UNIQUE constraint on (engagement_id, siem_type)
+- Allows each engagement to have separate configs for Wazuh, Splunk, etc.
+"""
+import os
+
+
+def upgrade(conn):
+    """Migrate to multi-SIEM persistence."""
+    cursor = conn.cursor()
+
+    # Check if siem_type column exists (from migration 025)
+    cursor.execute("PRAGMA table_info(wazuh_config)")
+    columns = [col[1] for col in cursor.fetchall()]
+
+    if 'siem_type' not in columns:
+        cursor.execute("ALTER TABLE wazuh_config ADD COLUMN siem_type TEXT DEFAULT 'wazuh'")
+    if 'config_json' not in columns:
+        cursor.execute("ALTER TABLE wazuh_config ADD COLUMN config_json TEXT")
+
+    # Create new table with correct constraint
+    cursor.execute("""
+        CREATE TABLE IF NOT EXISTS siem_config_new (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            engagement_id INTEGER NOT NULL,
+            siem_type TEXT NOT NULL DEFAULT 'wazuh',
+            api_url TEXT,
+            api_user TEXT,
+            api_password TEXT,
+            indexer_url TEXT,
+            indexer_user TEXT DEFAULT 'admin',
+            indexer_password TEXT,
+            verify_ssl BOOLEAN DEFAULT 0,
+            enabled BOOLEAN DEFAULT 1,
+            config_json TEXT,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE,
+            UNIQUE(engagement_id, siem_type)
+        )
+    """)
+
+    # Copy existing data
+    cursor.execute("""
+        INSERT OR IGNORE INTO siem_config_new (
+            id, engagement_id, siem_type, api_url, api_user, api_password,
+            indexer_url, indexer_user, indexer_password, verify_ssl, enabled,
+            config_json, created_at, updated_at
+        )
+        SELECT
+            id, engagement_id, COALESCE(siem_type, 'wazuh'), api_url, api_user, api_password,
+            indexer_url, indexer_user, indexer_password, verify_ssl, enabled,
+            config_json, created_at, updated_at
+        FROM wazuh_config
+    """)
+
+    # Drop old table and rename new one
+    cursor.execute("DROP TABLE wazuh_config")
+    cursor.execute("ALTER TABLE siem_config_new RENAME TO wazuh_config")
+
+    # Recreate index
+    cursor.execute("CREATE INDEX IF NOT EXISTS idx_wazuh_config_engagement ON wazuh_config(engagement_id)")
+    cursor.execute("CREATE INDEX IF NOT EXISTS idx_wazuh_config_siem_type ON wazuh_config(siem_type)")
+
+    conn.commit()
+
+    if not os.environ.get('SOULEYEZ_MIGRATION_SILENT'):
+        print("Migration 027: Multi-SIEM persistence enabled")
+
+
+def downgrade(conn):
+    """Revert to single SIEM per engagement (lossy - keeps only first config per engagement)."""
+    cursor = conn.cursor()
+
+    cursor.execute("""
+        CREATE TABLE IF NOT EXISTS wazuh_config_old (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            engagement_id INTEGER NOT NULL UNIQUE,
+            api_url TEXT NOT NULL,
+            api_user TEXT NOT NULL,
+            api_password TEXT,
+            indexer_url TEXT,
+            indexer_user TEXT DEFAULT 'admin',
+            indexer_password TEXT,
+            verify_ssl BOOLEAN DEFAULT 0,
+            enabled BOOLEAN DEFAULT 1,
+            siem_type TEXT DEFAULT 'wazuh',
+            config_json TEXT,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE
+        )
+    """)
+
+    # Copy only first config per engagement
+    cursor.execute("""
+        INSERT OR IGNORE INTO wazuh_config_old (
+            engagement_id, api_url, api_user, api_password,
+            indexer_url, indexer_user, indexer_password, verify_ssl, enabled,
+            siem_type, config_json, created_at, updated_at
+        )
+        SELECT
+            engagement_id, api_url, api_user, api_password,
+            indexer_url, indexer_user, indexer_password, verify_ssl, enabled,
+            siem_type, config_json, created_at, updated_at
+        FROM wazuh_config
+        GROUP BY engagement_id
+    """)
+
+    cursor.execute("DROP TABLE wazuh_config")
+    cursor.execute("ALTER TABLE wazuh_config_old RENAME TO wazuh_config")
+    cursor.execute("CREATE INDEX IF NOT EXISTS idx_wazuh_config_engagement ON wazuh_config(engagement_id)")
+
+    conn.commit()
+    print("Migration 027: Reverted to single SIEM per engagement")

souleyez/storage/migrations/__init__.py

@@ -29,6 +29,9 @@ from . import (
     _022_wazuh_indexer_columns,
     _023_fix_detection_results_fk,
     _024_wazuh_vulnerabilities,
+    _025_multi_siem_support,
+    _026_add_engagement_scope,
+    _027_multi_siem_persistence,
 )
 
 # Migration registry - maps version to module
@@ -56,6 +59,9 @@ MIGRATIONS_REGISTRY = {
     '022': _022_wazuh_indexer_columns,
     '023': _023_fix_detection_results_fk,
     '024': _024_wazuh_vulnerabilities,
+    '025': _025_multi_siem_support,
+    '026': _026_add_engagement_scope,
+    '027': _027_multi_siem_persistence,
 }
 
 

souleyez/storage/schema.sql

@@ -6,6 +6,7 @@ CREATE TABLE IF NOT EXISTS engagements (
     owner_id INTEGER,
     estimated_hours FLOAT DEFAULT 0,
     actual_hours FLOAT DEFAULT 0,
+    scope_enforcement TEXT DEFAULT 'off',
     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
     updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
 );
@@ -21,6 +22,7 @@ CREATE TABLE IF NOT EXISTS hosts (
     mac_address TEXT,
     status TEXT DEFAULT 'up',
     access_level TEXT DEFAULT 'none',
+    scope_status TEXT DEFAULT 'unknown',
     notes TEXT,
     tags TEXT,
     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
@@ -502,18 +504,21 @@ CREATE INDEX IF NOT EXISTS idx_msf_sessions_active ON msf_sessions(is_active);
 -- Wazuh SIEM Integration (Detection Validation)
 CREATE TABLE IF NOT EXISTS wazuh_config (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
-    engagement_id INTEGER NOT NULL UNIQUE,
-    api_url TEXT NOT NULL,
-    api_user TEXT NOT NULL,
+    engagement_id INTEGER NOT NULL,
+    siem_type TEXT NOT NULL DEFAULT 'wazuh',
+    api_url TEXT,
+    api_user TEXT,
     api_password TEXT,
     indexer_url TEXT,
     indexer_user TEXT DEFAULT 'admin',
     indexer_password TEXT,
     verify_ssl BOOLEAN DEFAULT 0,
     enabled BOOLEAN DEFAULT 1,
+    config_json TEXT,
     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
     updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE
+    FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE,
+    UNIQUE(engagement_id, siem_type)
 );
 
 -- Detection validation results per job
@@ -537,6 +542,41 @@ CREATE TABLE IF NOT EXISTS detection_results (
 );
 
 CREATE INDEX IF NOT EXISTS idx_wazuh_config_engagement ON wazuh_config(engagement_id);
+CREATE INDEX IF NOT EXISTS idx_wazuh_config_siem_type ON wazuh_config(siem_type);
 CREATE INDEX IF NOT EXISTS idx_detection_results_job ON detection_results(job_id);
 CREATE INDEX IF NOT EXISTS idx_detection_results_engagement ON detection_results(engagement_id);
 CREATE INDEX IF NOT EXISTS idx_detection_results_status ON detection_results(detection_status);
+
+-- Engagement Scope Validation (from migration 026)
+CREATE TABLE IF NOT EXISTS engagement_scope (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    engagement_id INTEGER NOT NULL,
+    scope_type TEXT NOT NULL,
+    value TEXT NOT NULL,
+    is_excluded BOOLEAN DEFAULT 0,
+    description TEXT,
+    added_by TEXT,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE,
+    UNIQUE(engagement_id, scope_type, value)
+);
+
+CREATE TABLE IF NOT EXISTS scope_validation_log (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    engagement_id INTEGER NOT NULL,
+    job_id INTEGER,
+    target TEXT NOT NULL,
+    validation_result TEXT NOT NULL,
+    action_taken TEXT NOT NULL,
+    matched_scope_id INTEGER,
+    user_id TEXT,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_scope_engagement ON engagement_scope(engagement_id);
+CREATE INDEX IF NOT EXISTS idx_scope_type ON engagement_scope(scope_type);
+CREATE INDEX IF NOT EXISTS idx_scope_log_engagement ON scope_validation_log(engagement_id);
+CREATE INDEX IF NOT EXISTS idx_scope_log_result ON scope_validation_log(validation_result);
+CREATE INDEX IF NOT EXISTS idx_scope_log_timestamp ON scope_validation_log(created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_hosts_scope_status ON hosts(scope_status);