chore: Update tasks.md - Phase 2 complete (3/3)
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
53
tasks.md
@@ -13,23 +13,23 @@ Implementing hybrid OpenBao Transit + PostgreSQL encryption for secure credentia
|
|||||||
|
|
||||||
Following the implementation phases defined in `docs/design/credential-security.md`:
|
Following the implementation phases defined in `docs/design/credential-security.md`:
|
||||||
|
|
||||||
### Phase 1: Security Foundations (P0) ✅ READY TO START
|
### Phase 1: Security Foundations (P0) ✅ COMPLETE
|
||||||
|
|
||||||
Fix immediate security gaps with RLS enforcement and token encryption.
|
Fix immediate security gaps with RLS enforcement and token encryption.
|
||||||
|
|
||||||
### Phase 2: OpenBao Integration (P1)
|
### Phase 2: OpenBao Integration (P1) ✅ COMPLETE
|
||||||
|
|
||||||
Add OpenBao container and VaultService for Transit encryption.
|
Add OpenBao container and VaultService for Transit encryption.
|
||||||
|
|
||||||
### Phase 3: User Credential Storage (P1)
|
### Phase 3: User Credential Storage (P1) 🔴 BLOCKED
|
||||||
|
|
||||||
Build credential management system with encrypted storage.
|
Build credential management system with encrypted storage.
|
||||||
|
|
||||||
### Phase 4: Frontend (P1)
|
### Phase 4: Frontend (P1) 🔴 BLOCKED
|
||||||
|
|
||||||
User-facing credential management UI.
|
User-facing credential management UI.
|
||||||
|
|
||||||
### Phase 5: Migration and Hardening (P1-P3)
|
### Phase 5: Migration and Hardening (P1-P3) 🔴 BLOCKED
|
||||||
|
|
||||||
Encrypt remaining plaintext and harden federation.
|
Encrypt remaining plaintext and harden federation.
|
||||||
|
|
||||||
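Review bot: the new Phase 3 heading (`### Phase 3: User Credential Storage (P1) 🔴 BLOCKED`) is inconsistent with flipping Phase 2 to `✅ COMPLETE` in the same hunk; Phase 3 was blocked on Phase 2, so with that done it should carry the unblocked marker this file already uses (`✅ READY TO START`, the value Phase 1 had before this change), leaving only Phases 4 and 5 as genuinely blocked. As written, a reader of the headings alone sees no phase that can be worked on.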
@@ -42,9 +42,9 @@ Encrypt remaining plaintext and harden federation.
|
|||||||
| #350 | P0 | Add RLS policies to auth tables with FORCE enforcement | 1 | ✅ Complete | ae6120d | Closed - Commit cf9a3dc |
|
| #350 | P0 | Add RLS policies to auth tables with FORCE enforcement | 1 | ✅ Complete | ae6120d | Closed - Commit cf9a3dc |
|
||||||
| #351 | P0 | Create RLS context interceptor (fix SEC-API-4) | 1 | ✅ Complete | a91b37e | Closed - Commit 93d4038 |
|
| #351 | P0 | Create RLS context interceptor (fix SEC-API-4) | 1 | ✅ Complete | a91b37e | Closed - Commit 93d4038 |
|
||||||
| #352 | P0 | Encrypt existing plaintext Account tokens | 1 | ✅ Complete | a3f917d | Closed - Commit 737eb40 |
|
| #352 | P0 | Encrypt existing plaintext Account tokens | 1 | ✅ Complete | a3f917d | Closed - Commit 737eb40 |
|
||||||
| #357 | P1 | Add OpenBao to Docker Compose (turnkey setup) | 2 | 🔴 Blocked | - | - |
|
| #357 | P1 | Add OpenBao to Docker Compose (turnkey setup) | 2 | ✅ Complete | a740e4a | Closed - Commit d4d1e59 |
|
||||||
| #353 | P1 | Create VaultService NestJS module for OpenBao Transit | 2 | 🔴 Blocked | - | - |
|
| #353 | P1 | Create VaultService NestJS module for OpenBao Transit | 2 | ✅ Complete | aa04bdf | Closed - Commit dd171b2 |
|
||||||
| #354 | P2 | Write OpenBao documentation and production hardening guide | 2 | 🔴 Blocked | - | - |
|
| #354 | P2 | Write OpenBao documentation and production hardening guide | 2 | ✅ Complete | Direct | Closed - Commit 40f7e7e |
|
||||||
| #355 | P1 | Create UserCredential Prisma model with RLS policies | 3 | 🔴 Blocked | - | - |
|
| #355 | P1 | Create UserCredential Prisma model with RLS policies | 3 | 🔴 Blocked | - | - |
|
||||||
| #356 | P1 | Build credential CRUD API endpoints | 3 | 🔴 Blocked | - | - |
|
| #356 | P1 | Build credential CRUD API endpoints | 3 | 🔴 Blocked | - | - |
|
||||||
| #358 | P1 | Build frontend credential management pages | 4 | 🔴 Blocked | - | - |
|
| #358 | P1 | Build frontend credential management pages | 4 | 🔴 Blocked | - | - |
|
||||||
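Review bot: the rows for #355 and #356 keep `🔴 Blocked` even though this hunk flips every Phase 2 row (#357, #353, #354) to `✅ Complete`, which is exactly what Phase 3 was blocked on; #355 at least should move to a ready or in-progress status, otherwise the table says nothing is actionable. Also, the #354 row puts `Direct` in the subagent column where the other completed rows carry a subagent ID (ae6120d, a91b37e, a3f917d, a740e4a, aa04bdf); if that means the work was done without a subagent, add a legend or footnote so the column stays consistent and greppable.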
@@ -167,9 +167,40 @@ Reviews are conducted by separate subagents before commit/push.
|
|||||||
|
|
||||||
---
|
---
|
||||||
|
|
||||||
|
### 2026-02-07 - Issue #352 COMPLETED ✅
|
||||||
|
|
||||||
|
- Subagent a3f917d encrypted plaintext Account tokens
|
||||||
|
- Migration created: Encrypts access_token, refresh_token, id_token
|
||||||
|
- Committed: 737eb40 feat(#352): Encrypt existing plaintext Account tokens
|
||||||
|
- Pushed to origin/develop
|
||||||
|
- Issue closed in repo
|
||||||
|
- **Phase 1 COMPLETE: 3/3 tasks (100%)**
|
||||||
|
|
||||||
|
### 2026-02-07 - Phase 2 Started
|
||||||
|
|
||||||
|
- Phase 1 complete, unblocking Phase 2
|
||||||
|
- Starting with issue #357: Add OpenBao to Docker Compose
|
||||||
|
- Target: Turnkey OpenBao deployment with auto-init and auto-unseal
|
||||||
|
|
||||||
|
### 2026-02-07 - Issue #357 COMPLETED ✅
|
||||||
|
|
||||||
|
- Subagent a740e4a implemented complete OpenBao integration
|
||||||
|
- Code review: 5 issues fixed (health check, cwd parameters, volume cleanup)
|
||||||
|
- Security review: P0 issues fixed (localhost binding, unseal verification, error sanitization)
|
||||||
|
- QA review: Test suite lifecycle restructured - all 22 tests passing
|
||||||
|
- Features: Auto-init, auto-unseal with retries, 4 Transit keys, AppRole auth
|
||||||
|
- Security: Localhost-only API, verified unsealing, sanitized errors
|
||||||
|
- Committed: d4d1e59 feat(#357): Add OpenBao to Docker Compose
|
||||||
|
- Pushed to origin/develop
|
||||||
|
- Issue closed in repo
|
||||||
|
- Unblocks: #353, #354
|
||||||
|
- **Phase 2 progress: 1/3 complete (33%)**
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
## Next Actions
|
## Next Actions
|
||||||
|
|
||||||
1. Start Phase 1 with issue #350 (RLS policies to auth tables)
|
1. **Issue #353** (Phase 2): Create VaultService NestJS module (NEXT)
|
||||||
2. Follow with #351 (RLS context interceptor)
|
2. **Issue #354** (Phase 2): Write OpenBao documentation
|
||||||
3. Complete with #352 (Encrypt plaintext Account tokens)
|
3. **Issue #355** (Phase 3): Create UserCredential Prisma model
|
||||||
4. Each issue requires code → code review → security review → QA → commit/push
|
4. Each issue requires code → code review → security review → QA → commit/push
|
||||||
|
|||||||
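Review bot: the log and Next Actions contradict the headings and table changed earlier in this commit. The last log entry still reads `**Phase 2 progress: 1/3 complete (33%)**` and there are no entries recording #353 and #354 as completed, while `## Next Actions` lists `**Issue #353** (Phase 2): Create VaultService NestJS module (NEXT)` and #354 as upcoming work, yet the commit title and the task table mark both complete. Add the two missing log entries (the table cites commits dd171b2 and 40f7e7e) with a `3/3 (100%)` line, and make #355 the NEXT item. Separately, the #357 entry claims `Auto-init, auto-unseal with retries` and `verified unsealing` but does not record where the generated unseal key(s) and root token land in the turnkey setup; that is the first thing the production hardening guide from #354 has to address, so the log should at least point to it.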