stack/tasks.md

M9-CredentialSecurity (0.0.9) - Orchestration Task List

Orchestrator: Claude Code Started: 2026-02-07 Branch: develop Status: In Progress

Overview

Implementing hybrid OpenBao Transit + PostgreSQL encryption for secure credential storage. This milestone addresses critical security gaps in credential management and RLS enforcement.

Phase Sequence

Following the implementation phases defined in docs/design/credential-security.md:

Phase 1: Security Foundations (P0) ✅ READY TO START

Fix immediate security gaps with RLS enforcement and token encryption.

Phase 2: OpenBao Integration (P1)

Add OpenBao container and VaultService for Transit encryption.

Phase 3: User Credential Storage (P1)

Build credential management system with encrypted storage.

Phase 4: Frontend (P1)

User-facing credential management UI.

Phase 5: Migration and Hardening (P1-P3)

Encrypt remaining plaintext and harden federation.

---

Task Tracking

Issue	Priority	Title	Phase	Status	Subagent	Review Status
#350	P0	Add RLS policies to auth tables with FORCE enforcement	1	✅ Complete	ae6120d	Closed - Commit cf9a3dc
#351	P0	Create RLS context interceptor (fix SEC-API-4)	1	✅ Complete	a91b37e	Closed - Commit 93d4038
#352	P0	Encrypt existing plaintext Account tokens	1	✅ Complete	a3f917d	Closed - Commit 737eb40
#357	P1	Add OpenBao to Docker Compose (turnkey setup)	2	🔴 Blocked	-	-
#353	P1	Create VaultService NestJS module for OpenBao Transit	2	🔴 Blocked	-	-
#354	P2	Write OpenBao documentation and production hardening guide	2	🔴 Blocked	-	-
#355	P1	Create UserCredential Prisma model with RLS policies	3	🔴 Blocked	-	-
#356	P1	Build credential CRUD API endpoints	3	🔴 Blocked	-	-
#358	P1	Build frontend credential management pages	4	🔴 Blocked	-	-
#359	P1	Encrypt LLM provider API keys in database	5	🔴 Blocked	-	-
#360	P1	Federation credential isolation	5	🔴 Blocked	-	-
#361	P3	Credential audit log viewer (stretch)	5	🔴 Blocked	-	-
#346	Epic	Security: Vault-based credential storage for agents and CI	-	🔴 Pending	-	-

Status Legend:

• 🔴 Pending - Not started
• 🟡 In Progress - Subagent working
• 🟢 Code Complete - Awaiting review
• ✅ Reviewed - Code/Security/QA passed
• 🚀 Complete - Committed and pushed
• 🔴 Blocked - Waiting on dependencies

---

Review Process

Each issue must pass:

1. Code Review - Independent review of implementation
2. Security Review - Security-focused analysis
3. QA Review - Testing and validation

Reviews are conducted by separate subagents before commit/push.

---

Progress Log

2026-02-07 - Orchestration Started

• Created tasks.md tracking file
• Reviewed design document at docs/design/credential-security.md
• Identified 13 issues across 5 implementation phases
• Starting with Phase 1 (P0 security foundations)

2026-02-07 - Issue #351 Code Complete

• Subagent a91b37e implemented RLS context interceptor
• Files created: 6 new files (core + tests + docs)
• Test coverage: 100% on provider, 100% on interceptor
• All 19 new tests passing, 2,437 existing tests still pass
• Ready for review process: Code Review → Security Review → QA

2026-02-07 - Issue #351 Code Review Complete

• Reviewer: a76132c
• Status: 2 issues found requiring fixes
• Critical (92%): clearRlsContext() uses AsyncLocalStorage.disable() incorrectly
• Important (88%): No transaction timeout configured (5s default too short)
• Requesting fixes from implementation subagent

2026-02-07 - Issue #351 Fixes Applied

• Subagent a91b37e fixed both code review issues
• Removed dangerous clearRlsContext() function entirely
• Added transaction timeout config (30s timeout, 10s max wait)
• All tests pass (18 RLS tests + 2,436 full suite)
• 100% test coverage maintained
• Ready for security review

2026-02-07 - Issue #351 Security Review Complete

• Reviewer: ab8d767
• CRITICAL finding: FORCE RLS not set - Expected, addressed in issue #350
• HIGH: Error information disclosure (needs fix)
• MODERATE: Transaction client type cast (needs fix)
• Requesting security fixes from implementation subagent

2026-02-07 - Issue #351 Security Fixes Applied

• Subagent a91b37e fixed both security issues
• Error sanitization: Generic errors to clients, full logging server-side
• Type safety: Proper TransactionClient type prevents invalid method calls
• All tests pass (19 RLS tests + 2,437 full suite)
• 100% test coverage maintained
• Ready for QA review

2026-02-07 - Issue #351 QA Review Complete

• Reviewer: aef62bc
• Status: ✅ PASS - All acceptance criteria met
• Test coverage: 95.75% (exceeds 85% requirement)
• 19 tests passing, build successful, lint clean
• Ready to commit and push

2026-02-07 - Issue #351 COMPLETED ✅

• Fixed 154 Quality Rails lint errors in llm-usage module (agent a4f312e)
• Committed: 93d4038 feat(#351): Implement RLS context interceptor
• Pushed to origin/develop
• Issue closed in repo
• Unblocks: #350, #352
• Phase 1 progress: 1/3 complete

2026-02-07 - Issue #350 Code Complete

• Subagent ae6120d implemented RLS policies on auth tables
• Migration created: 20260207_add_auth_rls_policies
• FORCE RLS added to accounts and sessions tables
• Integration tests using RLS context provider from #351
• Critical discovery: PostgreSQL superusers bypass ALL RLS (documented in migration)
• Production deployment requires non-superuser application role
• Ready for review process

2026-02-07 - Issue #350 COMPLETED ✅

• All security/QA issues fixed (SQL injection, DELETE verification, CREATE tests)
• 22 comprehensive integration tests passing with 100% coverage
• Complete CRUD coverage for accounts and sessions tables
• Committed: cf9a3dc feat(#350): Add RLS policies to auth tables
• Pushed to origin/develop
• Issue closed in repo
• Unblocks: #352
• Phase 1 progress: 2/3 complete (67%)

---

Next Actions

1. Start Phase 1 with issue #350 (RLS policies to auth tables)
2. Follow with #351 (RLS context interceptor)
3. Complete with #352 (Encrypt plaintext Account tokens)
4. Each issue requires code → code review → security review → QA → commit/push