# M9-CredentialSecurity (0.0.9) - Orchestration Task List **Orchestrator:** Claude Code **Started:** 2026-02-07 **Branch:** develop **Status:** In Progress ## Overview Implementing hybrid OpenBao Transit + PostgreSQL encryption for secure credential storage. This milestone addresses critical security gaps in credential management and RLS enforcement. ## Phase Sequence Following the implementation phases defined in `docs/design/credential-security.md`: ### Phase 1: Security Foundations (P0) ✅ COMPLETE Fix immediate security gaps with RLS enforcement and token encryption. ### Phase 2: OpenBao Integration (P1) ✅ COMPLETE Add OpenBao container and VaultService for Transit encryption. **Issues #357, #353, #354 closed in repository on 2026-02-07.** ### Phase 3: User Credential Storage (P1) ✅ COMPLETE Build credential management system with encrypted storage. **Issues #355, #356 closed in repository on 2026-02-07.** ### Phase 4: Frontend (P1) 🟡 IN PROGRESS User-facing credential management UI. ### Phase 5: Migration and Hardening (P1-P3) 🟡 IN PROGRESS Encrypt remaining plaintext and harden federation. --- ## Task Tracking | Issue | Priority | Title | Phase | Status | Subagent | Review Status | | ----- | -------- | ---------------------------------------------------------- | ----- | ---------- | -------- | -------------------------- | | #350 | P0 | Add RLS policies to auth tables with FORCE enforcement | 1 | ✅ Closed | ae6120d | ✅ Closed - Commit cf9a3dc | | #351 | P0 | Create RLS context interceptor (fix SEC-API-4) | 1 | ✅ Closed | a91b37e | ✅ Closed - Commit 93d4038 | | #352 | P0 | Encrypt existing plaintext Account tokens | 1 | ✅ Closed | a3f917d | ✅ Closed - Commit 737eb40 | | #357 | P1 | Add OpenBao to Docker Compose (turnkey setup) | 2 | ✅ Closed | a740e4a | ✅ Closed - Commit d4d1e59 | | #353 | P1 | Create VaultService NestJS module for OpenBao Transit | 2 | ✅ Closed | aa04bdf | ✅ Closed - Commit dd171b2 | | #354 | P2 | Write OpenBao documentation and production hardening guide | 2 | ✅ Closed | Direct | ✅ Closed - Commit 40f7e7e | | #355 | P1 | Create UserCredential Prisma model with RLS policies | 3 | ✅ Closed | a3501d2 | ✅ Closed - Commit 864c23d | | #356 | P1 | Build credential CRUD API endpoints | 3 | ✅ Closed | aae3026 | ✅ Closed - Commit 46d0a06 | | #358 | P1 | Build frontend credential management pages | 4 | 🔴 Pending | - | - | | #359 | P1 | Encrypt LLM provider API keys in database | 5 | ✅ Closed | adebb4d | ✅ Closed - Commit aa2ee5a | | #360 | P1 | Federation credential isolation | 5 | 🔴 Pending | - | - | | #361 | P3 | Credential audit log viewer (stretch) | 5 | 🔴 Pending | - | - | | #346 | Epic | Security: Vault-based credential storage for agents and CI | - | 🔴 Pending | - | - | **Status Legend:** - 🔴 Pending - Not started - 🟡 In Progress - Subagent working - 🟢 Code Complete - Awaiting review - ✅ Reviewed - Code/Security/QA passed - 🚀 Complete - Committed and pushed - 🔴 Blocked - Waiting on dependencies --- ## Review Process Each issue must pass: 1. **Code Review** - Independent review of implementation 2. **Security Review** - Security-focused analysis 3. **QA Review** - Testing and validation Reviews are conducted by separate subagents before commit/push. --- ## Progress Log ### 2026-02-07 - Orchestration Started - Created tasks.md tracking file - Reviewed design document at `docs/design/credential-security.md` - Identified 13 issues across 5 implementation phases - Starting with Phase 1 (P0 security foundations) ### 2026-02-07 - Issue #351 Code Complete - Subagent a91b37e implemented RLS context interceptor - Files created: 6 new files (core + tests + docs) - Test coverage: 100% on provider, 100% on interceptor - All 19 new tests passing, 2,437 existing tests still pass - Ready for review process: Code Review → Security Review → QA ### 2026-02-07 - Issue #351 Code Review Complete - Reviewer: a76132c - Status: 2 issues found requiring fixes - Critical (92%): clearRlsContext() uses AsyncLocalStorage.disable() incorrectly - Important (88%): No transaction timeout configured (5s default too short) - Requesting fixes from implementation subagent ### 2026-02-07 - Issue #351 Fixes Applied - Subagent a91b37e fixed both code review issues - Removed dangerous clearRlsContext() function entirely - Added transaction timeout config (30s timeout, 10s max wait) - All tests pass (18 RLS tests + 2,436 full suite) - 100% test coverage maintained - Ready for security review ### 2026-02-07 - Issue #351 Security Review Complete - Reviewer: ab8d767 - CRITICAL finding: FORCE RLS not set - Expected, addressed in issue #350 - HIGH: Error information disclosure (needs fix) - MODERATE: Transaction client type cast (needs fix) - Requesting security fixes from implementation subagent ### 2026-02-07 - Issue #351 Security Fixes Applied - Subagent a91b37e fixed both security issues - Error sanitization: Generic errors to clients, full logging server-side - Type safety: Proper TransactionClient type prevents invalid method calls - All tests pass (19 RLS tests + 2,437 full suite) - 100% test coverage maintained - Ready for QA review ### 2026-02-07 - Issue #351 QA Review Complete - Reviewer: aef62bc - Status: ✅ PASS - All acceptance criteria met - Test coverage: 95.75% (exceeds 85% requirement) - 19 tests passing, build successful, lint clean - Ready to commit and push ### 2026-02-07 - Issue #351 COMPLETED ✅ - Fixed 154 Quality Rails lint errors in llm-usage module (agent a4f312e) - Committed: 93d4038 feat(#351): Implement RLS context interceptor - Pushed to origin/develop - Issue closed in repo - Unblocks: #350, #352 - Phase 1 progress: 1/3 complete ### 2026-02-07 - Issue #350 Code Complete - Subagent ae6120d implemented RLS policies on auth tables - Migration created: 20260207_add_auth_rls_policies - FORCE RLS added to accounts and sessions tables - Integration tests using RLS context provider from #351 - Critical discovery: PostgreSQL superusers bypass ALL RLS (documented in migration) - Production deployment requires non-superuser application role - Ready for review process ### 2026-02-07 - Issue #350 COMPLETED ✅ - All security/QA issues fixed (SQL injection, DELETE verification, CREATE tests) - 22 comprehensive integration tests passing with 100% coverage - Complete CRUD coverage for accounts and sessions tables - Committed: cf9a3dc feat(#350): Add RLS policies to auth tables - Pushed to origin/develop - Issue closed in repo - Unblocks: #352 - Phase 1 progress: 2/3 complete (67%) --- ### 2026-02-07 - Issue #352 COMPLETED ✅ - Subagent a3f917d encrypted plaintext Account tokens - Migration created: Encrypts access_token, refresh_token, id_token - Committed: 737eb40 feat(#352): Encrypt existing plaintext Account tokens - Pushed to origin/develop - Issue closed in repo - **Phase 1 COMPLETE: 3/3 tasks (100%)** ### 2026-02-07 - Phase 2 Started - Phase 1 complete, unblocking Phase 2 - Starting with issue #357: Add OpenBao to Docker Compose - Target: Turnkey OpenBao deployment with auto-init and auto-unseal ### 2026-02-07 - Issue #357 COMPLETED ✅ - Subagent a740e4a implemented complete OpenBao integration - Code review: 5 issues fixed (health check, cwd parameters, volume cleanup) - Security review: P0 issues fixed (localhost binding, unseal verification, error sanitization) - QA review: Test suite lifecycle restructured - all 22 tests passing - Features: Auto-init, auto-unseal with retries, 4 Transit keys, AppRole auth - Security: Localhost-only API, verified unsealing, sanitized errors - Committed: d4d1e59 feat(#357): Add OpenBao to Docker Compose - Pushed to origin/develop - Issue closed in repo - Unblocks: #353, #354 - **Phase 2 progress: 1/3 complete (33%)** --- ### 2026-02-07 - Phase 2 COMPLETE ✅ All Phase 2 issues closed in repository: - Issue #357: OpenBao Docker Compose - Closed - Issue #353: VaultService NestJS module - Closed - Issue #354: OpenBao documentation - Closed - **Phase 2 COMPLETE: 3/3 tasks (100%)** ### 2026-02-07 - Phase 3 Started Starting Phase 3: User Credential Storage - Next: Issue #355 - Create UserCredential Prisma model with RLS policies ### 2026-02-07 - Issue #355 COMPLETED ✅ - Subagent a3501d2 implemented UserCredential Prisma model - Code review identified 2 critical issues (down migration, SQL injection) - Security review identified systemic issues (RLS dormancy in existing tables) - QA review: Conditional pass (28 tests, cannot run without DB) - Subagent ac6b753 fixed all critical issues - Committed: 864c23d feat(#355): Create UserCredential model with RLS and encryption support - Pushed to origin/develop - Issue closed in repo ### 2026-02-07 - Parallel Implementation (Issues #356 + #359) **Two agents running in parallel to speed up implementation:** **Agent 1 - Issue #356 (aae3026):** Credential CRUD API endpoints - 13 files created (service, controller, 5 DTOs, tests, docs) - Encryption via VaultService, RLS via getRlsClient(), rate limiting - 26 tests passing, 95.71% coverage - Committed: 46d0a06 feat(#356): Build credential CRUD API endpoints - Issue closed in repo - **Phase 3 COMPLETE: 2/2 tasks (100%)** **Agent 2 - Issue #359 (adebb4d):** Encrypt LLM API keys - 6 files created (middleware, tests, migration script) - Transparent encryption for LlmProviderInstance.config.apiKey - 14 tests passing, 90.76% coverage - Committed: aa2ee5a feat(#359): Encrypt LLM provider API keys - Issue closed in repo - **Phase 5 progress: 1/3 complete (33%)** --- ## Next Actions 1. **Issue #358** (Phase 4): Build frontend credential management pages (NEXT) 2. **Issue #360** (Phase 5): Federation credential isolation 3. **Issue #361** (Phase 5): Credential audit log viewer (stretch) 4. **Issue #346** (Epic): Close when all sub-issues complete 5. **Issue #356** (Phase 3): Build credential CRUD API endpoints 6. **Issue #358** (Phase 4): Build frontend credential management pages 7. Each issue requires code → code review → security review → QA → commit/push