diff --git a/tasks.md b/tasks.md new file mode 100644 index 0000000..8d08ee3 --- /dev/null +++ b/tasks.md @@ -0,0 +1,154 @@ +# M9-CredentialSecurity (0.0.9) - Orchestration Task List + +**Orchestrator:** Claude Code +**Started:** 2026-02-07 +**Branch:** develop +**Status:** In Progress + +## Overview + +Implementing hybrid OpenBao Transit + PostgreSQL encryption for secure credential storage. This milestone addresses critical security gaps in credential management and RLS enforcement. + +## Phase Sequence + +Following the implementation phases defined in `docs/design/credential-security.md`: + +### Phase 1: Security Foundations (P0) ✅ READY TO START + +Fix immediate security gaps with RLS enforcement and token encryption. + +### Phase 2: OpenBao Integration (P1) + +Add OpenBao container and VaultService for Transit encryption. + +### Phase 3: User Credential Storage (P1) + +Build credential management system with encrypted storage. + +### Phase 4: Frontend (P1) + +User-facing credential management UI. + +### Phase 5: Migration and Hardening (P1-P3) + +Encrypt remaining plaintext and harden federation. + +--- + +## Task Tracking + +| Issue | Priority | Title | Phase | Status | Subagent | Review Status | +| ----- | -------- | ---------------------------------------------------------- | ----- | ----------- | -------- | ----------------------- | +| #350 | P0 | Add RLS policies to auth tables with FORCE enforcement | 1 | 🔴 Pending | - | Ready to start | +| #351 | P0 | Create RLS context interceptor (fix SEC-API-4) | 1 | ✅ Complete | a91b37e | Closed - Commit 93d4038 | +| #352 | P0 | Encrypt existing plaintext Account tokens | 1 | 🔴 Blocked | - | Waiting on #350 | +| #357 | P1 | Add OpenBao to Docker Compose (turnkey setup) | 2 | 🔴 Blocked | - | - | +| #353 | P1 | Create VaultService NestJS module for OpenBao Transit | 2 | 🔴 Blocked | - | - | +| #354 | P2 | Write OpenBao documentation and production hardening guide | 2 | 🔴 Blocked | - | - | +| #355 | P1 | Create UserCredential Prisma model with RLS policies | 3 | 🔴 Blocked | - | - | +| #356 | P1 | Build credential CRUD API endpoints | 3 | 🔴 Blocked | - | - | +| #358 | P1 | Build frontend credential management pages | 4 | 🔴 Blocked | - | - | +| #359 | P1 | Encrypt LLM provider API keys in database | 5 | 🔴 Blocked | - | - | +| #360 | P1 | Federation credential isolation | 5 | 🔴 Blocked | - | - | +| #361 | P3 | Credential audit log viewer (stretch) | 5 | 🔴 Blocked | - | - | +| #346 | Epic | Security: Vault-based credential storage for agents and CI | - | 🔴 Pending | - | - | + +**Status Legend:** + +- 🔴 Pending - Not started +- 🟡 In Progress - Subagent working +- 🟢 Code Complete - Awaiting review +- ✅ Reviewed - Code/Security/QA passed +- 🚀 Complete - Committed and pushed +- 🔴 Blocked - Waiting on dependencies + +--- + +## Review Process + +Each issue must pass: + +1. **Code Review** - Independent review of implementation +2. **Security Review** - Security-focused analysis +3. **QA Review** - Testing and validation + +Reviews are conducted by separate subagents before commit/push. + +--- + +## Progress Log + +### 2026-02-07 - Orchestration Started + +- Created tasks.md tracking file +- Reviewed design document at `docs/design/credential-security.md` +- Identified 13 issues across 5 implementation phases +- Starting with Phase 1 (P0 security foundations) + +### 2026-02-07 - Issue #351 Code Complete + +- Subagent a91b37e implemented RLS context interceptor +- Files created: 6 new files (core + tests + docs) +- Test coverage: 100% on provider, 100% on interceptor +- All 19 new tests passing, 2,437 existing tests still pass +- Ready for review process: Code Review → Security Review → QA + +### 2026-02-07 - Issue #351 Code Review Complete + +- Reviewer: a76132c +- Status: 2 issues found requiring fixes +- Critical (92%): clearRlsContext() uses AsyncLocalStorage.disable() incorrectly +- Important (88%): No transaction timeout configured (5s default too short) +- Requesting fixes from implementation subagent + +### 2026-02-07 - Issue #351 Fixes Applied + +- Subagent a91b37e fixed both code review issues +- Removed dangerous clearRlsContext() function entirely +- Added transaction timeout config (30s timeout, 10s max wait) +- All tests pass (18 RLS tests + 2,436 full suite) +- 100% test coverage maintained +- Ready for security review + +### 2026-02-07 - Issue #351 Security Review Complete + +- Reviewer: ab8d767 +- CRITICAL finding: FORCE RLS not set - Expected, addressed in issue #350 +- HIGH: Error information disclosure (needs fix) +- MODERATE: Transaction client type cast (needs fix) +- Requesting security fixes from implementation subagent + +### 2026-02-07 - Issue #351 Security Fixes Applied + +- Subagent a91b37e fixed both security issues +- Error sanitization: Generic errors to clients, full logging server-side +- Type safety: Proper TransactionClient type prevents invalid method calls +- All tests pass (19 RLS tests + 2,437 full suite) +- 100% test coverage maintained +- Ready for QA review + +### 2026-02-07 - Issue #351 QA Review Complete + +- Reviewer: aef62bc +- Status: ✅ PASS - All acceptance criteria met +- Test coverage: 95.75% (exceeds 85% requirement) +- 19 tests passing, build successful, lint clean +- Ready to commit and push + +### 2026-02-07 - Issue #351 COMPLETED ✅ + +- Fixed 154 Quality Rails lint errors in llm-usage module (agent a4f312e) +- Committed: 93d4038 feat(#351): Implement RLS context interceptor +- Pushed to origin/develop +- Issue closed in repo +- Unblocks: #350, #352 +- Phase 1 progress: 1/3 complete + +--- + +## Next Actions + +1. Start Phase 1 with issue #350 (RLS policies to auth tables) +2. Follow with #351 (RLS context interceptor) +3. Complete with #352 (Encrypt plaintext Account tokens) +4. Each issue requires code → code review → security review → QA → commit/push