264 lines
10 KiB
Markdown
264 lines
10 KiB
Markdown
# M9-CredentialSecurity (0.0.9) - Orchestration Task List
|
|
|
|
**Orchestrator:** Claude Code
|
|
**Started:** 2026-02-07
|
|
**Branch:** develop
|
|
**Status:** In Progress
|
|
|
|
## Overview
|
|
|
|
Implementing hybrid OpenBao Transit + PostgreSQL encryption for secure credential storage. This milestone addresses critical security gaps in credential management and RLS enforcement.
|
|
|
|
## Phase Sequence
|
|
|
|
Following the implementation phases defined in `docs/design/credential-security.md`:
|
|
|
|
### Phase 1: Security Foundations (P0) ✅ COMPLETE
|
|
|
|
Fix immediate security gaps with RLS enforcement and token encryption.
|
|
|
|
### Phase 2: OpenBao Integration (P1) ✅ COMPLETE
|
|
|
|
Add OpenBao container and VaultService for Transit encryption.
|
|
|
|
**Issues #357, #353, #354 closed in repository on 2026-02-07.**
|
|
|
|
### Phase 3: User Credential Storage (P1) ✅ COMPLETE
|
|
|
|
Build credential management system with encrypted storage.
|
|
|
|
**Issues #355, #356 closed in repository on 2026-02-07.**
|
|
|
|
### Phase 4: Frontend (P1) 🟡 IN PROGRESS
|
|
|
|
User-facing credential management UI.
|
|
|
|
### Phase 5: Migration and Hardening (P1-P3) 🟡 IN PROGRESS
|
|
|
|
Encrypt remaining plaintext and harden federation.
|
|
|
|
---
|
|
|
|
## Task Tracking
|
|
|
|
| Issue | Priority | Title | Phase | Status | Subagent | Review Status |
|
|
| ----- | -------- | ---------------------------------------------------------- | ----- | ---------- | -------- | -------------------------- |
|
|
| #350 | P0 | Add RLS policies to auth tables with FORCE enforcement | 1 | ✅ Closed | ae6120d | ✅ Closed - Commit cf9a3dc |
|
|
| #351 | P0 | Create RLS context interceptor (fix SEC-API-4) | 1 | ✅ Closed | a91b37e | ✅ Closed - Commit 93d4038 |
|
|
| #352 | P0 | Encrypt existing plaintext Account tokens | 1 | ✅ Closed | a3f917d | ✅ Closed - Commit 737eb40 |
|
|
| #357 | P1 | Add OpenBao to Docker Compose (turnkey setup) | 2 | ✅ Closed | a740e4a | ✅ Closed - Commit d4d1e59 |
|
|
| #353 | P1 | Create VaultService NestJS module for OpenBao Transit | 2 | ✅ Closed | aa04bdf | ✅ Closed - Commit dd171b2 |
|
|
| #354 | P2 | Write OpenBao documentation and production hardening guide | 2 | ✅ Closed | Direct | ✅ Closed - Commit 40f7e7e |
|
|
| #355 | P1 | Create UserCredential Prisma model with RLS policies | 3 | ✅ Closed | a3501d2 | ✅ Closed - Commit 864c23d |
|
|
| #356 | P1 | Build credential CRUD API endpoints | 3 | ✅ Closed | aae3026 | ✅ Closed - Commit 46d0a06 |
|
|
| #358 | P1 | Build frontend credential management pages | 4 | 🔴 Pending | - | - |
|
|
| #359 | P1 | Encrypt LLM provider API keys in database | 5 | ✅ Closed | adebb4d | ✅ Closed - Commit aa2ee5a |
|
|
| #360 | P1 | Federation credential isolation | 5 | 🔴 Pending | - | - |
|
|
| #361 | P3 | Credential audit log viewer (stretch) | 5 | 🔴 Pending | - | - |
|
|
| #346 | Epic | Security: Vault-based credential storage for agents and CI | - | 🔴 Pending | - | - |
|
|
|
|
**Status Legend:**
|
|
|
|
- 🔴 Pending - Not started
|
|
- 🟡 In Progress - Subagent working
|
|
- 🟢 Code Complete - Awaiting review
|
|
- ✅ Reviewed - Code/Security/QA passed
|
|
- 🚀 Complete - Committed and pushed
|
|
- 🔴 Blocked - Waiting on dependencies
|
|
|
|
---
|
|
|
|
## Review Process
|
|
|
|
Each issue must pass:
|
|
|
|
1. **Code Review** - Independent review of implementation
|
|
2. **Security Review** - Security-focused analysis
|
|
3. **QA Review** - Testing and validation
|
|
|
|
Reviews are conducted by separate subagents before commit/push.
|
|
|
|
---
|
|
|
|
## Progress Log
|
|
|
|
### 2026-02-07 - Orchestration Started
|
|
|
|
- Created tasks.md tracking file
|
|
- Reviewed design document at `docs/design/credential-security.md`
|
|
- Identified 13 issues across 5 implementation phases
|
|
- Starting with Phase 1 (P0 security foundations)
|
|
|
|
### 2026-02-07 - Issue #351 Code Complete
|
|
|
|
- Subagent a91b37e implemented RLS context interceptor
|
|
- Files created: 6 new files (core + tests + docs)
|
|
- Test coverage: 100% on provider, 100% on interceptor
|
|
- All 19 new tests passing, 2,437 existing tests still pass
|
|
- Ready for review process: Code Review → Security Review → QA
|
|
|
|
### 2026-02-07 - Issue #351 Code Review Complete
|
|
|
|
- Reviewer: a76132c
|
|
- Status: 2 issues found requiring fixes
|
|
- Critical (92%): clearRlsContext() uses AsyncLocalStorage.disable() incorrectly
|
|
- Important (88%): No transaction timeout configured (5s default too short)
|
|
- Requesting fixes from implementation subagent
|
|
|
|
### 2026-02-07 - Issue #351 Fixes Applied
|
|
|
|
- Subagent a91b37e fixed both code review issues
|
|
- Removed dangerous clearRlsContext() function entirely
|
|
- Added transaction timeout config (30s timeout, 10s max wait)
|
|
- All tests pass (18 RLS tests + 2,436 full suite)
|
|
- 100% test coverage maintained
|
|
- Ready for security review
|
|
|
|
### 2026-02-07 - Issue #351 Security Review Complete
|
|
|
|
- Reviewer: ab8d767
|
|
- CRITICAL finding: FORCE RLS not set - Expected, addressed in issue #350
|
|
- HIGH: Error information disclosure (needs fix)
|
|
- MODERATE: Transaction client type cast (needs fix)
|
|
- Requesting security fixes from implementation subagent
|
|
|
|
### 2026-02-07 - Issue #351 Security Fixes Applied
|
|
|
|
- Subagent a91b37e fixed both security issues
|
|
- Error sanitization: Generic errors to clients, full logging server-side
|
|
- Type safety: Proper TransactionClient type prevents invalid method calls
|
|
- All tests pass (19 RLS tests + 2,437 full suite)
|
|
- 100% test coverage maintained
|
|
- Ready for QA review
|
|
|
|
### 2026-02-07 - Issue #351 QA Review Complete
|
|
|
|
- Reviewer: aef62bc
|
|
- Status: ✅ PASS - All acceptance criteria met
|
|
- Test coverage: 95.75% (exceeds 85% requirement)
|
|
- 19 tests passing, build successful, lint clean
|
|
- Ready to commit and push
|
|
|
|
### 2026-02-07 - Issue #351 COMPLETED ✅
|
|
|
|
- Fixed 154 Quality Rails lint errors in llm-usage module (agent a4f312e)
|
|
- Committed: 93d4038 feat(#351): Implement RLS context interceptor
|
|
- Pushed to origin/develop
|
|
- Issue closed in repo
|
|
- Unblocks: #350, #352
|
|
- Phase 1 progress: 1/3 complete
|
|
|
|
### 2026-02-07 - Issue #350 Code Complete
|
|
|
|
- Subagent ae6120d implemented RLS policies on auth tables
|
|
- Migration created: 20260207_add_auth_rls_policies
|
|
- FORCE RLS added to accounts and sessions tables
|
|
- Integration tests using RLS context provider from #351
|
|
- Critical discovery: PostgreSQL superusers bypass ALL RLS (documented in migration)
|
|
- Production deployment requires non-superuser application role
|
|
- Ready for review process
|
|
|
|
### 2026-02-07 - Issue #350 COMPLETED ✅
|
|
|
|
- All security/QA issues fixed (SQL injection, DELETE verification, CREATE tests)
|
|
- 22 comprehensive integration tests passing with 100% coverage
|
|
- Complete CRUD coverage for accounts and sessions tables
|
|
- Committed: cf9a3dc feat(#350): Add RLS policies to auth tables
|
|
- Pushed to origin/develop
|
|
- Issue closed in repo
|
|
- Unblocks: #352
|
|
- Phase 1 progress: 2/3 complete (67%)
|
|
|
|
---
|
|
|
|
### 2026-02-07 - Issue #352 COMPLETED ✅
|
|
|
|
- Subagent a3f917d encrypted plaintext Account tokens
|
|
- Migration created: Encrypts access_token, refresh_token, id_token
|
|
- Committed: 737eb40 feat(#352): Encrypt existing plaintext Account tokens
|
|
- Pushed to origin/develop
|
|
- Issue closed in repo
|
|
- **Phase 1 COMPLETE: 3/3 tasks (100%)**
|
|
|
|
### 2026-02-07 - Phase 2 Started
|
|
|
|
- Phase 1 complete, unblocking Phase 2
|
|
- Starting with issue #357: Add OpenBao to Docker Compose
|
|
- Target: Turnkey OpenBao deployment with auto-init and auto-unseal
|
|
|
|
### 2026-02-07 - Issue #357 COMPLETED ✅
|
|
|
|
- Subagent a740e4a implemented complete OpenBao integration
|
|
- Code review: 5 issues fixed (health check, cwd parameters, volume cleanup)
|
|
- Security review: P0 issues fixed (localhost binding, unseal verification, error sanitization)
|
|
- QA review: Test suite lifecycle restructured - all 22 tests passing
|
|
- Features: Auto-init, auto-unseal with retries, 4 Transit keys, AppRole auth
|
|
- Security: Localhost-only API, verified unsealing, sanitized errors
|
|
- Committed: d4d1e59 feat(#357): Add OpenBao to Docker Compose
|
|
- Pushed to origin/develop
|
|
- Issue closed in repo
|
|
- Unblocks: #353, #354
|
|
- **Phase 2 progress: 1/3 complete (33%)**
|
|
|
|
---
|
|
|
|
### 2026-02-07 - Phase 2 COMPLETE ✅
|
|
|
|
All Phase 2 issues closed in repository:
|
|
|
|
- Issue #357: OpenBao Docker Compose - Closed
|
|
- Issue #353: VaultService NestJS module - Closed
|
|
- Issue #354: OpenBao documentation - Closed
|
|
- **Phase 2 COMPLETE: 3/3 tasks (100%)**
|
|
|
|
### 2026-02-07 - Phase 3 Started
|
|
|
|
Starting Phase 3: User Credential Storage
|
|
|
|
- Next: Issue #355 - Create UserCredential Prisma model with RLS policies
|
|
|
|
### 2026-02-07 - Issue #355 COMPLETED ✅
|
|
|
|
- Subagent a3501d2 implemented UserCredential Prisma model
|
|
- Code review identified 2 critical issues (down migration, SQL injection)
|
|
- Security review identified systemic issues (RLS dormancy in existing tables)
|
|
- QA review: Conditional pass (28 tests, cannot run without DB)
|
|
- Subagent ac6b753 fixed all critical issues
|
|
- Committed: 864c23d feat(#355): Create UserCredential model with RLS and encryption support
|
|
- Pushed to origin/develop
|
|
- Issue closed in repo
|
|
|
|
### 2026-02-07 - Parallel Implementation (Issues #356 + #359)
|
|
|
|
**Two agents running in parallel to speed up implementation:**
|
|
|
|
**Agent 1 - Issue #356 (aae3026):** Credential CRUD API endpoints
|
|
|
|
- 13 files created (service, controller, 5 DTOs, tests, docs)
|
|
- Encryption via VaultService, RLS via getRlsClient(), rate limiting
|
|
- 26 tests passing, 95.71% coverage
|
|
- Committed: 46d0a06 feat(#356): Build credential CRUD API endpoints
|
|
- Issue closed in repo
|
|
- **Phase 3 COMPLETE: 2/2 tasks (100%)**
|
|
|
|
**Agent 2 - Issue #359 (adebb4d):** Encrypt LLM API keys
|
|
|
|
- 6 files created (middleware, tests, migration script)
|
|
- Transparent encryption for LlmProviderInstance.config.apiKey
|
|
- 14 tests passing, 90.76% coverage
|
|
- Committed: aa2ee5a feat(#359): Encrypt LLM provider API keys
|
|
- Issue closed in repo
|
|
- **Phase 5 progress: 1/3 complete (33%)**
|
|
|
|
---
|
|
|
|
## Next Actions
|
|
|
|
1. **Issue #358** (Phase 4): Build frontend credential management pages (NEXT)
|
|
2. **Issue #360** (Phase 5): Federation credential isolation
|
|
3. **Issue #361** (Phase 5): Credential audit log viewer (stretch)
|
|
4. **Issue #346** (Epic): Close when all sub-issues complete
|
|
5. **Issue #356** (Phase 3): Build credential CRUD API endpoints
|
|
6. **Issue #358** (Phase 4): Build frontend credential management pages
|
|
7. Each issue requires code → code review → security review → QA → commit/push
|