stack/tasks.md

# M9-CredentialSecurity (0.0.9) - Orchestration Task List

**Orchestrator:** Claude Code
**Started:** 2026-02-07
**Branch:** develop
**Status:** In Progress

## Overview

Implementing hybrid OpenBao Transit + PostgreSQL encryption for secure credential storage. This milestone addresses critical security gaps in credential management and RLS enforcement.

## Phase Sequence

Following the implementation phases defined in `docs/design/credential-security.md`:

### Phase 1: Security Foundations (P0) ✅ READY TO START

Fix immediate security gaps with RLS enforcement and token encryption.

### Phase 2: OpenBao Integration (P1)

Add OpenBao container and VaultService for Transit encryption.

### Phase 3: User Credential Storage (P1)

Build credential management system with encrypted storage.

### Phase 4: Frontend (P1)

User-facing credential management UI.

### Phase 5: Migration and Hardening (P1-P3)

Encrypt remaining plaintext and harden federation.

---

## Task Tracking

| Issue | Priority | Title                                                      | Phase | Status      | Subagent | Review Status           |
| ----- | -------- | ---------------------------------------------------------- | ----- | ----------- | -------- | ----------------------- |
| #350  | P0       | Add RLS policies to auth tables with FORCE enforcement     | 1     | ✅ Complete | ae6120d  | Closed - Commit cf9a3dc |
| #351  | P0       | Create RLS context interceptor (fix SEC-API-4)             | 1     | ✅ Complete | a91b37e  | Closed - Commit 93d4038 |
| #352  | P0       | Encrypt existing plaintext Account tokens                  | 1     | ✅ Complete | a3f917d  | Closed - Commit 737eb40 |
| #357  | P1       | Add OpenBao to Docker Compose (turnkey setup)              | 2     | 🔴 Blocked  | -        | -                       |
| #353  | P1       | Create VaultService NestJS module for OpenBao Transit      | 2     | 🔴 Blocked  | -        | -                       |
| #354  | P2       | Write OpenBao documentation and production hardening guide | 2     | 🔴 Blocked  | -        | -                       |
| #355  | P1       | Create UserCredential Prisma model with RLS policies       | 3     | 🔴 Blocked  | -        | -                       |
| #356  | P1       | Build credential CRUD API endpoints                        | 3     | 🔴 Blocked  | -        | -                       |
| #358  | P1       | Build frontend credential management pages                 | 4     | 🔴 Blocked  | -        | -                       |
| #359  | P1       | Encrypt LLM provider API keys in database                  | 5     | 🔴 Blocked  | -        | -                       |
| #360  | P1       | Federation credential isolation                            | 5     | 🔴 Blocked  | -        | -                       |
| #361  | P3       | Credential audit log viewer (stretch)                      | 5     | 🔴 Blocked  | -        | -                       |
| #346  | Epic     | Security: Vault-based credential storage for agents and CI | -     | 🔴 Pending  | -        | -                       |

**Status Legend:**

- 🔴 Pending - Not started
- 🟡 In Progress - Subagent working
- 🟢 Code Complete - Awaiting review
- ✅ Reviewed - Code/Security/QA passed
- 🚀 Complete - Committed and pushed
- 🔴 Blocked - Waiting on dependencies

---

## Review Process

Each issue must pass:

1. **Code Review** - Independent review of implementation
2. **Security Review** - Security-focused analysis
3. **QA Review** - Testing and validation

Reviews are conducted by separate subagents before commit/push.

---

## Progress Log

### 2026-02-07 - Orchestration Started

- Created tasks.md tracking file
- Reviewed design document at `docs/design/credential-security.md`
- Identified 13 issues across 5 implementation phases
- Starting with Phase 1 (P0 security foundations)

### 2026-02-07 - Issue #351 Code Complete

- Subagent a91b37e implemented RLS context interceptor
- Files created: 6 new files (core + tests + docs)
- Test coverage: 100% on provider, 100% on interceptor
- All 19 new tests passing, 2,437 existing tests still pass
- Ready for review process: Code Review → Security Review → QA

### 2026-02-07 - Issue #351 Code Review Complete

- Reviewer: a76132c
- Status: 2 issues found requiring fixes
- Critical (92%): clearRlsContext() uses AsyncLocalStorage.disable() incorrectly
- Important (88%): No transaction timeout configured (5s default too short)
- Requesting fixes from implementation subagent

### 2026-02-07 - Issue #351 Fixes Applied

- Subagent a91b37e fixed both code review issues
- Removed dangerous clearRlsContext() function entirely
- Added transaction timeout config (30s timeout, 10s max wait)
- All tests pass (18 RLS tests + 2,436 full suite)
- 100% test coverage maintained
- Ready for security review

### 2026-02-07 - Issue #351 Security Review Complete

- Reviewer: ab8d767
- CRITICAL finding: FORCE RLS not set - Expected, addressed in issue #350
- HIGH: Error information disclosure (needs fix)
- MODERATE: Transaction client type cast (needs fix)
- Requesting security fixes from implementation subagent

### 2026-02-07 - Issue #351 Security Fixes Applied

- Subagent a91b37e fixed both security issues
- Error sanitization: Generic errors to clients, full logging server-side
- Type safety: Proper TransactionClient type prevents invalid method calls
- All tests pass (19 RLS tests + 2,437 full suite)
- 100% test coverage maintained
- Ready for QA review

### 2026-02-07 - Issue #351 QA Review Complete

- Reviewer: aef62bc
- Status: ✅ PASS - All acceptance criteria met
- Test coverage: 95.75% (exceeds 85% requirement)
- 19 tests passing, build successful, lint clean
- Ready to commit and push

### 2026-02-07 - Issue #351 COMPLETED ✅

- Fixed 154 Quality Rails lint errors in llm-usage module (agent a4f312e)
- Committed: 93d4038 feat(#351): Implement RLS context interceptor
- Pushed to origin/develop
- Issue closed in repo
- Unblocks: #350, #352
- Phase 1 progress: 1/3 complete

### 2026-02-07 - Issue #350 Code Complete

- Subagent ae6120d implemented RLS policies on auth tables
- Migration created: 20260207_add_auth_rls_policies
- FORCE RLS added to accounts and sessions tables
- Integration tests using RLS context provider from #351
- Critical discovery: PostgreSQL superusers bypass ALL RLS (documented in migration)
- Production deployment requires non-superuser application role
- Ready for review process

### 2026-02-07 - Issue #350 COMPLETED ✅

- All security/QA issues fixed (SQL injection, DELETE verification, CREATE tests)
- 22 comprehensive integration tests passing with 100% coverage
- Complete CRUD coverage for accounts and sessions tables
- Committed: cf9a3dc feat(#350): Add RLS policies to auth tables
- Pushed to origin/develop
- Issue closed in repo
- Unblocks: #352
- Phase 1 progress: 2/3 complete (67%)

---

## Next Actions

1. Start Phase 1 with issue #350 (RLS policies to auth tables)
2. Follow with #351 (RLS context interceptor)
3. Complete with #352 (Encrypt plaintext Account tokens)
4. Each issue requires code → code review → security review → QA → commit/push