chore: upgrade Node.js runtime to v24 across codebase #419
53
tasks.md
53
tasks.md
@@ -13,23 +13,23 @@ Implementing hybrid OpenBao Transit + PostgreSQL encryption for secure credentia
|
||||
|
||||
Following the implementation phases defined in `docs/design/credential-security.md`:
|
||||
|
||||
### Phase 1: Security Foundations (P0) ✅ READY TO START
|
||||
### Phase 1: Security Foundations (P0) ✅ COMPLETE
|
||||
|
||||
Fix immediate security gaps with RLS enforcement and token encryption.
|
||||
|
||||
### Phase 2: OpenBao Integration (P1)
|
||||
### Phase 2: OpenBao Integration (P1) ✅ COMPLETE
|
||||
|
||||
Add OpenBao container and VaultService for Transit encryption.
|
||||
|
||||
### Phase 3: User Credential Storage (P1)
|
||||
### Phase 3: User Credential Storage (P1) 🔴 BLOCKED
|
||||
|
||||
Build credential management system with encrypted storage.
|
||||
|
||||
### Phase 4: Frontend (P1)
|
||||
### Phase 4: Frontend (P1) 🔴 BLOCKED
|
||||
|
||||
User-facing credential management UI.
|
||||
|
||||
### Phase 5: Migration and Hardening (P1-P3)
|
||||
### Phase 5: Migration and Hardening (P1-P3) 🔴 BLOCKED
|
||||
|
||||
Encrypt remaining plaintext and harden federation.
|
||||
|
||||
@@ -42,9 +42,9 @@ Encrypt remaining plaintext and harden federation.
|
||||
| #350 | P0 | Add RLS policies to auth tables with FORCE enforcement | 1 | ✅ Complete | ae6120d | Closed - Commit cf9a3dc |
|
||||
| #351 | P0 | Create RLS context interceptor (fix SEC-API-4) | 1 | ✅ Complete | a91b37e | Closed - Commit 93d4038 |
|
||||
| #352 | P0 | Encrypt existing plaintext Account tokens | 1 | ✅ Complete | a3f917d | Closed - Commit 737eb40 |
|
||||
| #357 | P1 | Add OpenBao to Docker Compose (turnkey setup) | 2 | 🔴 Blocked | - | - |
|
||||
| #353 | P1 | Create VaultService NestJS module for OpenBao Transit | 2 | 🔴 Blocked | - | - |
|
||||
| #354 | P2 | Write OpenBao documentation and production hardening guide | 2 | 🔴 Blocked | - | - |
|
||||
| #357 | P1 | Add OpenBao to Docker Compose (turnkey setup) | 2 | ✅ Complete | a740e4a | Closed - Commit d4d1e59 |
|
||||
| #353 | P1 | Create VaultService NestJS module for OpenBao Transit | 2 | ✅ Complete | aa04bdf | Closed - Commit dd171b2 |
|
||||
| #354 | P2 | Write OpenBao documentation and production hardening guide | 2 | ✅ Complete | Direct | Closed - Commit 40f7e7e |
|
||||
| #355 | P1 | Create UserCredential Prisma model with RLS policies | 3 | 🔴 Blocked | - | - |
|
||||
| #356 | P1 | Build credential CRUD API endpoints | 3 | 🔴 Blocked | - | - |
|
||||
| #358 | P1 | Build frontend credential management pages | 4 | 🔴 Blocked | - | - |
|
||||
@@ -167,9 +167,40 @@ Reviews are conducted by separate subagents before commit/push.
|
||||
|
||||
---
|
||||
|
||||
### 2026-02-07 - Issue #352 COMPLETED ✅
|
||||
|
||||
- Subagent a3f917d encrypted plaintext Account tokens
|
||||
- Migration created: Encrypts access_token, refresh_token, id_token
|
||||
- Committed: 737eb40 feat(#352): Encrypt existing plaintext Account tokens
|
||||
- Pushed to origin/develop
|
||||
- Issue closed in repo
|
||||
- **Phase 1 COMPLETE: 3/3 tasks (100%)**
|
||||
|
||||
### 2026-02-07 - Phase 2 Started
|
||||
|
||||
- Phase 1 complete, unblocking Phase 2
|
||||
- Starting with issue #357: Add OpenBao to Docker Compose
|
||||
- Target: Turnkey OpenBao deployment with auto-init and auto-unseal
|
||||
|
||||
### 2026-02-07 - Issue #357 COMPLETED ✅
|
||||
|
||||
- Subagent a740e4a implemented complete OpenBao integration
|
||||
- Code review: 5 issues fixed (health check, cwd parameters, volume cleanup)
|
||||
- Security review: P0 issues fixed (localhost binding, unseal verification, error sanitization)
|
||||
- QA review: Test suite lifecycle restructured - all 22 tests passing
|
||||
- Features: Auto-init, auto-unseal with retries, 4 Transit keys, AppRole auth
|
||||
- Security: Localhost-only API, verified unsealing, sanitized errors
|
||||
- Committed: d4d1e59 feat(#357): Add OpenBao to Docker Compose
|
||||
- Pushed to origin/develop
|
||||
- Issue closed in repo
|
||||
- Unblocks: #353, #354
|
||||
- **Phase 2 progress: 1/3 complete (33%)**
|
||||
|
||||
---
|
||||
|
||||
## Next Actions
|
||||
|
||||
1. Start Phase 1 with issue #350 (RLS policies to auth tables)
|
||||
2. Follow with #351 (RLS context interceptor)
|
||||
3. Complete with #352 (Encrypt plaintext Account tokens)
|
||||
1. **Issue #353** (Phase 2): Create VaultService NestJS module (NEXT)
|
||||
2. **Issue #354** (Phase 2): Write OpenBao documentation
|
||||
3. **Issue #355** (Phase 3): Create UserCredential Prisma model
|
||||
4. Each issue requires code → code review → security review → QA → commit/push
|
||||
|
||||
Reference in New Issue
Block a user