souleyez 2.28.0__py3-none-any.whl → 2.39.0__py3-none-any.whl

souleyez/integrations/wazuh/config.py

@@ -10,8 +10,8 @@ from pathlib import Path
 from souleyez.storage.database import get_db
 from souleyez.storage.crypto import get_crypto_manager
 
-# Supported SIEM types
-SIEM_TYPES = ['wazuh', 'splunk', 'elastic', 'sentinel']
+# Supported SIEM types (Open Source first, then Commercial)
+SIEM_TYPES = ['wazuh', 'elastic', 'splunk', 'sentinel', 'google_secops']
 
 
 class WazuhConfig:
@@ -22,10 +22,14 @@ class WazuhConfig:
     """
 
     @staticmethod
-    def get_config(engagement_id: int) -> Optional[Dict[str, Any]]:
+    def get_config(engagement_id: int, siem_type: str = None) -> Optional[Dict[str, Any]]:
         """
         Get SIEM config for an engagement.
 
+        Args:
+            engagement_id: Engagement ID
+            siem_type: Optional SIEM type to filter by. If None, returns first/active config.
+
         Returns:
             Config dict or None if not configured
         """
@@ -33,19 +37,31 @@ class WazuhConfig:
         conn = db.get_connection()
         cursor = conn.cursor()
 
-        # Check if new columns exist (migration 025)
+        # Check if new columns exist (migration 025+)
         cursor.execute("PRAGMA table_info(wazuh_config)")
         columns = [col[1] for col in cursor.fetchall()]
         has_new_columns = 'siem_type' in columns
 
         # Query with or without new columns
         if has_new_columns:
-            cursor.execute("""
-                SELECT api_url, api_user, api_password, indexer_url, indexer_user,
-                       indexer_password, verify_ssl, enabled, siem_type, config_json
-                FROM wazuh_config
-                WHERE engagement_id = ?
-            """, (engagement_id,))
+            if siem_type:
+                cursor.execute("""
+                    SELECT api_url, api_user, api_password, indexer_url, indexer_user,
+                           indexer_password, verify_ssl, enabled, siem_type, config_json
+                    FROM wazuh_config
+                    WHERE engagement_id = ? AND siem_type = ?
+                """, (engagement_id, siem_type))
+            else:
+                # Get most recently updated config (the "current" selected SIEM)
+                # Not filtering by enabled - user may have selected but not configured yet
+                cursor.execute("""
+                    SELECT api_url, api_user, api_password, indexer_url, indexer_user,
+                           indexer_password, verify_ssl, enabled, siem_type, config_json
+                    FROM wazuh_config
+                    WHERE engagement_id = ?
+                    ORDER BY updated_at DESC
+                    LIMIT 1
+                """, (engagement_id,))
         else:
             cursor.execute("""
                 SELECT api_url, api_user, api_password, indexer_url, indexer_user,
@@ -190,7 +206,7 @@ class WazuhConfig:
                 pass
             config_json_str = json.dumps(encrypted_config)
 
-        # Upsert config
+        # Upsert config - keyed by (engagement_id, siem_type) for multi-SIEM support
         cursor.execute("""
             INSERT INTO wazuh_config (
                 engagement_id, api_url, api_user, api_password, indexer_url,
@@ -198,7 +214,7 @@ class WazuhConfig:
                 siem_type, config_json
             )
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-            ON CONFLICT(engagement_id) DO UPDATE SET
+            ON CONFLICT(engagement_id, siem_type) DO UPDATE SET
                 api_url = excluded.api_url,
                 api_user = excluded.api_user,
                 api_password = excluded.api_password,
@@ -207,8 +223,8 @@ class WazuhConfig:
                 indexer_password = excluded.indexer_password,
                 verify_ssl = excluded.verify_ssl,
                 enabled = excluded.enabled,
-                siem_type = excluded.siem_type,
-                config_json = excluded.config_json
+                config_json = excluded.config_json,
+                updated_at = CURRENT_TIMESTAMP
         """, (
             engagement_id, api_url, api_user, encrypted_api_password,
             indexer_url, indexer_user or 'admin', encrypted_indexer_password,
@@ -262,17 +278,124 @@ class WazuhConfig:
             )
 
     @staticmethod
-    def delete_config(engagement_id: int) -> bool:
-        """Delete Wazuh config for an engagement."""
+    def delete_config(engagement_id: int, siem_type: str = None) -> bool:
+        """
+        Delete SIEM config for an engagement.
+
+        Args:
+            engagement_id: Engagement ID
+            siem_type: Optional SIEM type. If None, deletes ALL SIEM configs for engagement.
+        """
         db = get_db()
         conn = db.get_connection()
         cursor = conn.cursor()
-        cursor.execute("DELETE FROM wazuh_config WHERE engagement_id = ?", (engagement_id,))
+        if siem_type:
+            cursor.execute(
+                "DELETE FROM wazuh_config WHERE engagement_id = ? AND siem_type = ?",
+                (engagement_id, siem_type)
+            )
+        else:
+            cursor.execute("DELETE FROM wazuh_config WHERE engagement_id = ?", (engagement_id,))
         conn.commit()
         return cursor.rowcount > 0
 
     @staticmethod
-    def is_configured(engagement_id: int) -> bool:
-        """Check if Wazuh is configured for an engagement."""
-        config = WazuhConfig.get_config(engagement_id)
+    def is_configured(engagement_id: int, siem_type: str = None) -> bool:
+        """Check if SIEM is configured for an engagement."""
+        config = WazuhConfig.get_config(engagement_id, siem_type)
         return config is not None and config.get("enabled", False)
+
+    @staticmethod
+    def list_configured_siems(engagement_id: int) -> List[Dict[str, Any]]:
+        """
+        List all configured SIEMs for an engagement.
+
+        Returns:
+            List of dicts with siem_type, enabled, and api_url for each configured SIEM
+        """
+        db = get_db()
+        conn = db.get_connection()
+        cursor = conn.cursor()
+
+        cursor.execute("PRAGMA table_info(wazuh_config)")
+        columns = [col[1] for col in cursor.fetchall()]
+
+        if 'siem_type' not in columns:
+            # Old schema - only one config possible
+            cursor.execute("""
+                SELECT 'wazuh' as siem_type, enabled, api_url
+                FROM wazuh_config
+                WHERE engagement_id = ?
+            """, (engagement_id,))
+        else:
+            cursor.execute("""
+                SELECT siem_type, enabled, api_url, updated_at
+                FROM wazuh_config
+                WHERE engagement_id = ?
+                ORDER BY siem_type
+            """, (engagement_id,))
+
+        rows = cursor.fetchall()
+        return [
+            {
+                'siem_type': row[0],
+                'enabled': bool(row[1]),
+                'api_url': row[2],
+                'updated_at': row[3] if len(row) > 3 else None
+            }
+            for row in rows
+        ]
+
+    @staticmethod
+    def get_all_configs(engagement_id: int) -> Dict[str, Dict[str, Any]]:
+        """
+        Get all SIEM configs for an engagement, keyed by siem_type.
+
+        Returns:
+            Dict mapping siem_type to config dict
+        """
+        configs = {}
+        for siem in SIEM_TYPES:
+            config = WazuhConfig.get_config(engagement_id, siem)
+            if config:
+                configs[siem] = config
+        return configs
+
+    @staticmethod
+    def get_current_siem_type(engagement_id: int) -> str:
+        """
+        Get the currently selected SIEM type for an engagement.
+
+        Returns the most recently selected SIEM type, even if not fully configured.
+
+        Returns:
+            SIEM type string ('wazuh', 'splunk', etc.) or 'wazuh' as default
+        """
+        config = WazuhConfig.get_config(engagement_id)
+        if config:
+            return config.get('siem_type', 'wazuh')
+        return 'wazuh'
+
+    @staticmethod
+    def set_current_siem(engagement_id: int, siem_type: str) -> bool:
+        """
+        Set a SIEM type as current by updating its timestamp.
+
+        This makes the specified SIEM the "active" one without changing its config.
+
+        Args:
+            engagement_id: Engagement ID
+            siem_type: SIEM type to make current
+
+        Returns:
+            True if successful
+        """
+        db = get_db()
+        conn = db.get_connection()
+        cursor = conn.cursor()
+        cursor.execute(
+            "UPDATE wazuh_config SET updated_at = CURRENT_TIMESTAMP WHERE engagement_id = ? AND siem_type = ?",
+            (engagement_id, siem_type)
+        )
+        conn.commit()
+        return cursor.rowcount > 0

souleyez/main.py

@@ -173,7 +173,7 @@ def _check_privileged_tools():
 
 
 @click.group()
-@click.version_option(version='2.28.0')
+@click.version_option(version='2.39.0')
 def cli():
     """SoulEyez - AI-Powered Pentesting Platform by CyberSoul Security"""
     from souleyez.log_config import init_logging
@@ -1512,47 +1512,14 @@ def _run_doctor(fix=False, verbose=False):
 
     # Section 4: Pentesting Tools
     click.echo(click.style("Pentesting Tools", bold=True))
-    # Map display name -> list of possible binary names (first found wins)
-    pentest_tools = {
-        # Core scanning
-        'nikto': ['nikto'],
-        'gobuster': ['gobuster'],
-        'ffuf': ['ffuf'],
-        'nuclei': ['nuclei'],
-        # Exploitation
-        'sqlmap': ['sqlmap'],
-        'hydra': ['hydra'],
-        'msfconsole': ['msfconsole'],
-        # Enumeration (enum4linux-ng on Ubuntu, netexec replaced crackmapexec)
-        'enum4linux': ['enum4linux', 'enum4linux-ng'],
-        'smbmap': ['smbmap'],
-        'netexec': ['netexec', 'nxc', 'crackmapexec'],
-        # Recon
-        'theHarvester': ['theHarvester'],
-        'dnsrecon': ['dnsrecon'],
-        'whois': ['whois'],
-        # Password cracking
-        'hashcat': ['hashcat'],
-        'john': ['john'],
-        # Router/IoT (rsf.py for pipx installs)
-        'routersploit': ['rsf', 'rsf.py', 'routersploit'],
-        'upnpc': ['upnpc'],
-        'binwalk': ['binwalk'],
-        # Remote access
-        'vncviewer': ['vncviewer'],
-    }
-    installed = 0
-    for display_name, binaries in pentest_tools.items():
-        found = any(shutil.which(b) for b in binaries)
-        if found:
-            installed += 1
-            if verbose:
-                check_pass(display_name)
+    # Use the same tool checker as the setup wizard for consistency
+    from souleyez.utils.tool_checker import get_tool_stats
+    installed, total = get_tool_stats()
 
-    if installed == len(pentest_tools):
-        check_pass(f"All {len(pentest_tools)} tools installed")
+    if installed == total:
+        check_pass(f"All {total} tools installed")
     elif installed > 0:
-        check_warn(f"{installed}/{len(pentest_tools)} tools installed", "Run: souleyez setup")
+        check_warn(f"{installed}/{total} tools installed", "Run: souleyez setup")
     else:
         check_fail("No pentesting tools installed", "souleyez setup")
 

souleyez/storage/database.py

@@ -31,7 +31,7 @@ class Database:
                 os.makedirs(db_dir, exist_ok=True)
 
             conn = sqlite3.connect(self.db_path, timeout=30.0)
-            
+
             # Set secure permissions (owner read/write only)
             os.chmod(self.db_path, 0o600)
             conn.row_factory = sqlite3.Row
@@ -46,7 +46,44 @@ class Database:
                 "foreign_keys": True
             })
 
+            # Check if this is an existing database (has tables)
+            cursor = conn.execute(
+                "SELECT name FROM sqlite_master WHERE type='table' AND name='engagements'"
+            )
+            is_existing_db = cursor.fetchone() is not None
+            conn.close()
+
+            # For EXISTING databases: Run migrations FIRST
+            # This ensures new columns exist before schema.sql tries to create indexes on them
+            if is_existing_db:
+                try:
+                    from .migrations.migration_manager import MigrationManager
+                    manager = MigrationManager(self.db_path)
+                    pending = manager.get_pending_migrations()
+                    if pending:
+                        logger.info("Running pending migrations for existing database", extra={
+                            "pending_count": len(pending)
+                        })
+                        manager.migrate()
+                        logger.info("Migrations completed successfully", extra={
+                            "count": len(pending)
+                        })
+                except Exception as migration_error:
+                    logger.error("Failed to run migrations on existing database", extra={
+                        "error": str(migration_error),
+                        "error_type": type(migration_error).__name__,
+                        "traceback": traceback.format_exc()
+                    })
+                    raise  # Don't continue if migrations fail for existing DB
+
+            # Reconnect for schema loading
+            conn = sqlite3.connect(self.db_path, timeout=30.0)
+            conn.row_factory = sqlite3.Row
+            conn.execute("PRAGMA foreign_keys = ON")
+
             # Load and execute schema from the same directory as this file
+            # For fresh DBs: Creates all tables with current schema
+            # For existing DBs: CREATE TABLE IF NOT EXISTS is no-op, but ensures new tables/indexes
             schema_path = Path(__file__).parent / "schema.sql"
 
             if schema_path.exists():
@@ -228,26 +265,28 @@ class Database:
 
             conn.commit()
             conn.close()
-            
-            # Run pending migrations after schema.sql loads
-            try:
-                from .migrations.migration_manager import MigrationManager
-                manager = MigrationManager(self.db_path)
-                pending = manager.get_pending_migrations()
-                if pending:
-                    logger.info("Running pending migrations for fresh database", extra={
-                        "pending_count": len(pending)
-                    })
-                    manager.migrate()
-                    logger.info("Migrations completed successfully", extra={
-                        "count": len(pending)
+
+            # For FRESH databases: Run migrations after schema.sql loads
+            # (Existing DBs already had migrations run before schema.sql)
+            if not is_existing_db:
+                try:
+                    from .migrations.migration_manager import MigrationManager
+                    manager = MigrationManager(self.db_path)
+                    pending = manager.get_pending_migrations()
+                    if pending:
+                        logger.info("Running pending migrations for fresh database", extra={
+                            "pending_count": len(pending)
+                        })
+                        manager.migrate()
+                        logger.info("Migrations completed successfully", extra={
+                            "count": len(pending)
+                        })
+                except Exception as migration_error:
+                    logger.error("Failed to run migrations", extra={
+                        "error": str(migration_error),
+                        "error_type": type(migration_error).__name__,
+                        "traceback": traceback.format_exc()
                     })
-            except Exception as migration_error:
-                logger.error("Failed to run migrations", extra={
-                    "error": str(migration_error),
-                    "error_type": type(migration_error).__name__,
-                    "traceback": traceback.format_exc()
-                })
 
         except Exception as e:
             logger.error("Database initialization failed", extra={

souleyez/storage/migrations/_027_multi_siem_persistence.py

@@ -0,0 +1,119 @@
+"""
+Migration 027: Multi-SIEM Persistence
+
+Changes wazuh_config table to support multiple SIEM configs per engagement.
+- Removes UNIQUE constraint on engagement_id
+- Adds UNIQUE constraint on (engagement_id, siem_type)
+- Allows each engagement to have separate configs for Wazuh, Splunk, etc.
+"""
+import os
+
+
+def upgrade(conn):
+    """Migrate to multi-SIEM persistence."""
+    cursor = conn.cursor()
+
+    # Check if siem_type column exists (from migration 025)
+    cursor.execute("PRAGMA table_info(wazuh_config)")
+    columns = [col[1] for col in cursor.fetchall()]
+
+    if 'siem_type' not in columns:
+        cursor.execute("ALTER TABLE wazuh_config ADD COLUMN siem_type TEXT DEFAULT 'wazuh'")
+    if 'config_json' not in columns:
+        cursor.execute("ALTER TABLE wazuh_config ADD COLUMN config_json TEXT")
+
+    # Create new table with correct constraint
+    cursor.execute("""
+        CREATE TABLE IF NOT EXISTS siem_config_new (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            engagement_id INTEGER NOT NULL,
+            siem_type TEXT NOT NULL DEFAULT 'wazuh',
+            api_url TEXT,
+            api_user TEXT,
+            api_password TEXT,
+            indexer_url TEXT,
+            indexer_user TEXT DEFAULT 'admin',
+            indexer_password TEXT,
+            verify_ssl BOOLEAN DEFAULT 0,
+            enabled BOOLEAN DEFAULT 1,
+            config_json TEXT,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE,
+            UNIQUE(engagement_id, siem_type)
+        )
+    """)
+
+    # Copy existing data
+    cursor.execute("""
+        INSERT OR IGNORE INTO siem_config_new (
+            id, engagement_id, siem_type, api_url, api_user, api_password,
+            indexer_url, indexer_user, indexer_password, verify_ssl, enabled,
+            config_json, created_at, updated_at
+        )
+        SELECT
+            id, engagement_id, COALESCE(siem_type, 'wazuh'), api_url, api_user, api_password,
+            indexer_url, indexer_user, indexer_password, verify_ssl, enabled,
+            config_json, created_at, updated_at
+        FROM wazuh_config
+    """)
+
+    # Drop old table and rename new one
+    cursor.execute("DROP TABLE wazuh_config")
+    cursor.execute("ALTER TABLE siem_config_new RENAME TO wazuh_config")
+
+    # Recreate index
+    cursor.execute("CREATE INDEX IF NOT EXISTS idx_wazuh_config_engagement ON wazuh_config(engagement_id)")
+    cursor.execute("CREATE INDEX IF NOT EXISTS idx_wazuh_config_siem_type ON wazuh_config(siem_type)")
+
+    conn.commit()
+
+    if not os.environ.get('SOULEYEZ_MIGRATION_SILENT'):
+        print("Migration 027: Multi-SIEM persistence enabled")
+
+
+def downgrade(conn):
+    """Revert to single SIEM per engagement (lossy - keeps only first config per engagement)."""
+    cursor = conn.cursor()
+
+    cursor.execute("""
+        CREATE TABLE IF NOT EXISTS wazuh_config_old (
+            id INTEGER PRIMARY KEY AUTOINCREMENT,
+            engagement_id INTEGER NOT NULL UNIQUE,
+            api_url TEXT NOT NULL,
+            api_user TEXT NOT NULL,
+            api_password TEXT,
+            indexer_url TEXT,
+            indexer_user TEXT DEFAULT 'admin',
+            indexer_password TEXT,
+            verify_ssl BOOLEAN DEFAULT 0,
+            enabled BOOLEAN DEFAULT 1,
+            siem_type TEXT DEFAULT 'wazuh',
+            config_json TEXT,
+            created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+            FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE
+        )
+    """)
+
+    # Copy only first config per engagement
+    cursor.execute("""
+        INSERT OR IGNORE INTO wazuh_config_old (
+            engagement_id, api_url, api_user, api_password,
+            indexer_url, indexer_user, indexer_password, verify_ssl, enabled,
+            siem_type, config_json, created_at, updated_at
+        )
+        SELECT
+            engagement_id, api_url, api_user, api_password,
+            indexer_url, indexer_user, indexer_password, verify_ssl, enabled,
+            siem_type, config_json, created_at, updated_at
+        FROM wazuh_config
+        GROUP BY engagement_id
+    """)
+
+    cursor.execute("DROP TABLE wazuh_config")
+    cursor.execute("ALTER TABLE wazuh_config_old RENAME TO wazuh_config")
+    cursor.execute("CREATE INDEX IF NOT EXISTS idx_wazuh_config_engagement ON wazuh_config(engagement_id)")
+
+    conn.commit()
+    print("Migration 027: Reverted to single SIEM per engagement")

souleyez/storage/migrations/__init__.py

@@ -29,6 +29,9 @@ from . import (
     _022_wazuh_indexer_columns,
     _023_fix_detection_results_fk,
     _024_wazuh_vulnerabilities,
+    _025_multi_siem_support,
+    _026_add_engagement_scope,
+    _027_multi_siem_persistence,
 )
 
 # Migration registry - maps version to module
@@ -56,6 +59,9 @@ MIGRATIONS_REGISTRY = {
     '022': _022_wazuh_indexer_columns,
     '023': _023_fix_detection_results_fk,
     '024': _024_wazuh_vulnerabilities,
+    '025': _025_multi_siem_support,
+    '026': _026_add_engagement_scope,
+    '027': _027_multi_siem_persistence,
 }
 
 

souleyez/storage/schema.sql

@@ -6,6 +6,7 @@ CREATE TABLE IF NOT EXISTS engagements (
     owner_id INTEGER,
     estimated_hours FLOAT DEFAULT 0,
     actual_hours FLOAT DEFAULT 0,
+    scope_enforcement TEXT DEFAULT 'off',
     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
     updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
 );
@@ -21,6 +22,7 @@ CREATE TABLE IF NOT EXISTS hosts (
     mac_address TEXT,
     status TEXT DEFAULT 'up',
     access_level TEXT DEFAULT 'none',
+    scope_status TEXT DEFAULT 'unknown',
     notes TEXT,
     tags TEXT,
     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
@@ -502,18 +504,21 @@ CREATE INDEX IF NOT EXISTS idx_msf_sessions_active ON msf_sessions(is_active);
 -- Wazuh SIEM Integration (Detection Validation)
 CREATE TABLE IF NOT EXISTS wazuh_config (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
-    engagement_id INTEGER NOT NULL UNIQUE,
-    api_url TEXT NOT NULL,
-    api_user TEXT NOT NULL,
+    engagement_id INTEGER NOT NULL,
+    siem_type TEXT NOT NULL DEFAULT 'wazuh',
+    api_url TEXT,
+    api_user TEXT,
     api_password TEXT,
     indexer_url TEXT,
     indexer_user TEXT DEFAULT 'admin',
     indexer_password TEXT,
     verify_ssl BOOLEAN DEFAULT 0,
     enabled BOOLEAN DEFAULT 1,
+    config_json TEXT,
     created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
     updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
-    FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE
+    FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE,
+    UNIQUE(engagement_id, siem_type)
 );
 
 -- Detection validation results per job
@@ -537,6 +542,41 @@ CREATE TABLE IF NOT EXISTS detection_results (
 );
 
 CREATE INDEX IF NOT EXISTS idx_wazuh_config_engagement ON wazuh_config(engagement_id);
+CREATE INDEX IF NOT EXISTS idx_wazuh_config_siem_type ON wazuh_config(siem_type);
 CREATE INDEX IF NOT EXISTS idx_detection_results_job ON detection_results(job_id);
 CREATE INDEX IF NOT EXISTS idx_detection_results_engagement ON detection_results(engagement_id);
 CREATE INDEX IF NOT EXISTS idx_detection_results_status ON detection_results(detection_status);
+
+-- Engagement Scope Validation (from migration 026)
+CREATE TABLE IF NOT EXISTS engagement_scope (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    engagement_id INTEGER NOT NULL,
+    scope_type TEXT NOT NULL,
+    value TEXT NOT NULL,
+    is_excluded BOOLEAN DEFAULT 0,
+    description TEXT,
+    added_by TEXT,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE,
+    UNIQUE(engagement_id, scope_type, value)
+);
+
+CREATE TABLE IF NOT EXISTS scope_validation_log (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    engagement_id INTEGER NOT NULL,
+    job_id INTEGER,
+    target TEXT NOT NULL,
+    validation_result TEXT NOT NULL,
+    action_taken TEXT NOT NULL,
+    matched_scope_id INTEGER,
+    user_id TEXT,
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (engagement_id) REFERENCES engagements(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_scope_engagement ON engagement_scope(engagement_id);
+CREATE INDEX IF NOT EXISTS idx_scope_type ON engagement_scope(scope_type);
+CREATE INDEX IF NOT EXISTS idx_scope_log_engagement ON scope_validation_log(engagement_id);
+CREATE INDEX IF NOT EXISTS idx_scope_log_result ON scope_validation_log(validation_result);
+CREATE INDEX IF NOT EXISTS idx_scope_log_timestamp ON scope_validation_log(created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_hosts_scope_status ON hosts(scope_status);