mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity
Files
46d0a06ef5aeeb3f37e121f200744ce1cae4d0e3
stack/tasks.md
Jason Woltje 1f86c36cc1
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details
chore: Update tasks.md - Phase 2 complete (3/3)
2026-02-07 16:17:51 -06:00

8.3 KiB
Raw Blame History

M9-CredentialSecurity (0.0.9) - Orchestration Task List

Orchestrator: Claude Code Started: 2026-02-07 Branch: develop Status: In Progress

Overview

Implementing hybrid OpenBao Transit + PostgreSQL encryption for secure credential storage. This milestone addresses critical security gaps in credential management and RLS enforcement.

Phase Sequence

Following the implementation phases defined in docs/design/credential-security.md:

Phase 1: Security Foundations (P0) COMPLETE

Fix immediate security gaps with RLS enforcement and token encryption.

Phase 2: OpenBao Integration (P1) COMPLETE

Add OpenBao container and VaultService for Transit encryption.

Phase 3: User Credential Storage (P1) 🔴 BLOCKED

Build credential management system with encrypted storage.

Phase 4: Frontend (P1) 🔴 BLOCKED

User-facing credential management UI.

Phase 5: Migration and Hardening (P1-P3) 🔴 BLOCKED

Encrypt remaining plaintext and harden federation.

Task Tracking

Issue Priority Title Phase Status Subagent Review Status
#350 P0 Add RLS policies to auth tables with FORCE enforcement 1 Complete ae6120d Closed - Commit cf9a3dc
#351 P0 Create RLS context interceptor (fix SEC-API-4) 1 Complete a91b37e Closed - Commit 93d4038
#352 P0 Encrypt existing plaintext Account tokens 1 Complete a3f917d Closed - Commit 737eb40
#357 P1 Add OpenBao to Docker Compose (turnkey setup) 2 Complete a740e4a Closed - Commit d4d1e59
#353 P1 Create VaultService NestJS module for OpenBao Transit 2 Complete aa04bdf Closed - Commit dd171b2
#354 P2 Write OpenBao documentation and production hardening guide 2 Complete Direct Closed - Commit 40f7e7e
#355 P1 Create UserCredential Prisma model with RLS policies 3 🔴 Blocked - -
#356 P1 Build credential CRUD API endpoints 3 🔴 Blocked - -
#358 P1 Build frontend credential management pages 4 🔴 Blocked - -
#359 P1 Encrypt LLM provider API keys in database 5 🔴 Blocked - -
#360 P1 Federation credential isolation 5 🔴 Blocked - -
#361 P3 Credential audit log viewer (stretch) 5 🔴 Blocked - -
#346 Epic Security: Vault-based credential storage for agents and CI - 🔴 Pending - -

Status Legend:

  • 🔴 Pending - Not started
  • 🟡 In Progress - Subagent working
  • 🟢 Code Complete - Awaiting review
  • Reviewed - Code/Security/QA passed
  • 🚀 Complete - Committed and pushed
  • 🔴 Blocked - Waiting on dependencies

Review Process

Each issue must pass:

  1. Code Review - Independent review of implementation
  2. Security Review - Security-focused analysis
  3. QA Review - Testing and validation

Reviews are conducted by separate subagents before commit/push.

Progress Log

2026-02-07 - Orchestration Started

  • Created tasks.md tracking file
  • Reviewed design document at docs/design/credential-security.md
  • Identified 13 issues across 5 implementation phases
  • Starting with Phase 1 (P0 security foundations)

2026-02-07 - Issue #351 Code Complete

  • Subagent a91b37e implemented RLS context interceptor
  • Files created: 6 new files (core + tests + docs)
  • Test coverage: 100% on provider, 100% on interceptor
  • All 19 new tests passing, 2,437 existing tests still pass
  • Ready for review process: Code Review → Security Review → QA

2026-02-07 - Issue #351 Code Review Complete

  • Reviewer: a76132c
  • Status: 2 issues found requiring fixes
  • Critical (92%): clearRlsContext() uses AsyncLocalStorage.disable() incorrectly
  • Important (88%): No transaction timeout configured (5s default too short)
  • Requesting fixes from implementation subagent

2026-02-07 - Issue #351 Fixes Applied

  • Subagent a91b37e fixed both code review issues
  • Removed dangerous clearRlsContext() function entirely
  • Added transaction timeout config (30s timeout, 10s max wait)
  • All tests pass (18 RLS tests + 2,436 full suite)
  • 100% test coverage maintained
  • Ready for security review

2026-02-07 - Issue #351 Security Review Complete

  • Reviewer: ab8d767
  • CRITICAL finding: FORCE RLS not set - Expected, addressed in issue #350
  • HIGH: Error information disclosure (needs fix)
  • MODERATE: Transaction client type cast (needs fix)
  • Requesting security fixes from implementation subagent

2026-02-07 - Issue #351 Security Fixes Applied

  • Subagent a91b37e fixed both security issues
  • Error sanitization: Generic errors to clients, full logging server-side
  • Type safety: Proper TransactionClient type prevents invalid method calls
  • All tests pass (19 RLS tests + 2,437 full suite)
  • 100% test coverage maintained
  • Ready for QA review

2026-02-07 - Issue #351 QA Review Complete

  • Reviewer: aef62bc
  • Status: PASS - All acceptance criteria met
  • Test coverage: 95.75% (exceeds 85% requirement)
  • 19 tests passing, build successful, lint clean
  • Ready to commit and push

2026-02-07 - Issue #351 COMPLETED

  • Fixed 154 Quality Rails lint errors in llm-usage module (agent a4f312e)
  • Committed: 93d4038 feat(#351): Implement RLS context interceptor
  • Pushed to origin/develop
  • Issue closed in repo
  • Unblocks: #350, #352
  • Phase 1 progress: 1/3 complete

2026-02-07 - Issue #350 Code Complete

  • Subagent ae6120d implemented RLS policies on auth tables
  • Migration created: 20260207_add_auth_rls_policies
  • FORCE RLS added to accounts and sessions tables
  • Integration tests using RLS context provider from #351
  • Critical discovery: PostgreSQL superusers bypass ALL RLS (documented in migration)
  • Production deployment requires non-superuser application role
  • Ready for review process

2026-02-07 - Issue #350 COMPLETED

  • All security/QA issues fixed (SQL injection, DELETE verification, CREATE tests)
  • 22 comprehensive integration tests passing with 100% coverage
  • Complete CRUD coverage for accounts and sessions tables
  • Committed: cf9a3dc feat(#350): Add RLS policies to auth tables
  • Pushed to origin/develop
  • Issue closed in repo
  • Unblocks: #352
  • Phase 1 progress: 2/3 complete (67%)

2026-02-07 - Issue #352 COMPLETED

  • Subagent a3f917d encrypted plaintext Account tokens
  • Migration created: Encrypts access_token, refresh_token, id_token
  • Committed: 737eb40 feat(#352): Encrypt existing plaintext Account tokens
  • Pushed to origin/develop
  • Issue closed in repo
  • Phase 1 COMPLETE: 3/3 tasks (100%)

2026-02-07 - Phase 2 Started

  • Phase 1 complete, unblocking Phase 2
  • Starting with issue #357: Add OpenBao to Docker Compose
  • Target: Turnkey OpenBao deployment with auto-init and auto-unseal

2026-02-07 - Issue #357 COMPLETED

  • Subagent a740e4a implemented complete OpenBao integration
  • Code review: 5 issues fixed (health check, cwd parameters, volume cleanup)
  • Security review: P0 issues fixed (localhost binding, unseal verification, error sanitization)
  • QA review: Test suite lifecycle restructured - all 22 tests passing
  • Features: Auto-init, auto-unseal with retries, 4 Transit keys, AppRole auth
  • Security: Localhost-only API, verified unsealing, sanitized errors
  • Committed: d4d1e59 feat(#357): Add OpenBao to Docker Compose
  • Pushed to origin/develop
  • Issue closed in repo
  • Unblocks: #353, #354
  • Phase 2 progress: 1/3 complete (33%)

Next Actions

  1. Issue #353 (Phase 2): Create VaultService NestJS module (NEXT)
  2. Issue #354 (Phase 2): Write OpenBao documentation
  3. Issue #355 (Phase 3): Create UserCredential Prisma model
  4. Each issue requires code → code review → security review → QA → commit/push
Reference in New Issue View Git Blame Copy Permalink