mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 11:51:09 +00:00
Oleksandr Bezdieniezhnykh
d2b5308b45
Materializes cycle-2 hotfix sprint task specs from security_report_cycle2.md findings. All six roll up to epic AZ-530 per the `cycle-2-hotfix` / `AZ-530-followup` Jira labels. Total 11 story points; gates the next deploy. Tasks: - AZ-552 drop_jwt_secret_deploy_preflight (1 pt) — F-INFRA-1 Critical - AZ-553 bind_mount_es256_keys (2 pts) — F-INFRA-2 Critical - AZ-554 persist_dataprotection_keys (2 pts) — F-INFRA-3 High - AZ-555 secrets_readme_es256_rewrite (1 pt) — F-INFRA-4 High - AZ-556 unify_login_error_codes (2 pts) — F-AUTH-1+F-AUTH-3 High - AZ-557 mfa_brute_force_lockout (3 pts) — F-AUTH-2 High Also: - _dependencies_table.md updated (25 tasks / 82 pts; hotfix landing order) - _autodev_state.md rolled to step: 10 (Implement) not_started - _process_leftovers/2026-05-14_suite_infra_jwt_secret_drift.md logs the out-of-scope suite-level _infra/deploy/webserver/ JWT_SECRET drift — separate Jira ticket needed against the suite repo, not blocking. Step 9 (New Task) cycle-2-hotfix-intake output. Co-authored-by: Cursor <cursoragent@cursor.com>
5.2 KiB
5.2 KiB
Dependencies Table
Date: 2026-05-14 (post cycle-2 security audit; previous 2026-05-14) Total Tasks: 25 (7 done test tasks + 4 done product tasks + 5 done cross-workspace + 3 done CMMC + 5 done auth-modernization + 6 todo cycle-2 hotfix) Total Complexity Points: 82 (71 done + 11 todo)
| Task | Name | Complexity | Dependencies | Epic | Status |
|---|---|---|---|---|---|
| AZ-189 | test_infrastructure | 5 | None | AZ-188 | done |
| AZ-190 | auth_tests | 3 | AZ-189 | AZ-188 | done |
| AZ-191 | user_mgmt_tests | 5 | AZ-189, AZ-190 | AZ-188 | done |
| AZ-192 | hardware_tests | 3 | AZ-189, AZ-190 | AZ-188 | done |
| AZ-193 | resource_tests | 5 | AZ-189, AZ-190, AZ-192 | AZ-188 | done |
| AZ-194 | security_tests | 3 | AZ-189, AZ-190 | AZ-188 | done |
| AZ-195 | resilience_perf_tests | 5 | AZ-189, AZ-190 | AZ-188 | done |
| AZ-183 | resources_table_update_api | 3 | None | AZ-181 | done |
| AZ-196 | register_device_endpoint | 2 | None | AZ-181 | done |
| AZ-197 | remove_hardware_id | 3 | None | AZ-181 | done |
| AZ-513 | classes_crud_routes | 3 | None | AZ-509 | done |
| AZ-531 | refresh_token_flow | 5 | None | AZ-529 | done |
| AZ-532 | asymmetric_signing_jwks | 5 | None | AZ-529 | done |
| AZ-533 | mission_token_uav | 5 | AZ-531 | AZ-529 | done |
| AZ-534 | totp_2fa_login | 5 | None (coord. AZ-531/537) | AZ-529 | done |
| AZ-535 | logout_revocation | 3 | AZ-531 | AZ-529 | done |
| AZ-536 | argon2id_password_hashing | 3 | None | AZ-530 | done |
| AZ-537 | login_rate_limit_lockout | 3 | None (coord. AZ-536) | AZ-530 | done |
| AZ-538 | cors_https_only_hsts | 2 | None | AZ-530 | done |
| AZ-552 | drop_jwt_secret_deploy_preflight | 1 | None | AZ-530 | todo |
| AZ-553 | bind_mount_es256_keys | 2 | AZ-552 | AZ-530 | todo |
| AZ-554 | persist_dataprotection_keys | 2 | AZ-553 | AZ-530 | todo |
| AZ-555 | secrets_readme_es256_rewrite | 1 | AZ-552, AZ-553, AZ-554 | AZ-530 | todo |
| AZ-556 | unify_login_error_codes | 2 | None | AZ-530 | todo |
| AZ-557 | mfa_brute_force_lockout | 3 | AZ-534, AZ-537 | AZ-530 | todo |
Notes
- AZ-529 / AZ-530 added 2026-05-14: two new epics covering the auth-mechanism modernization and a focused CMMC compliance pass.
- AZ-529 — Auth Mechanism Modernization (5 tasks, 23 pts): refresh-token flow, asymmetric signing + JWKS, mission tokens for UAV, TOTP 2FA, logout/revocation. AZ-531 is the foundation that AZ-533 and AZ-535 build on; AZ-532 is independent and can land first or in parallel.
- AZ-530 — CMMC Compliance Hardening (3 tasks, 8 pts): Argon2id password hashing, /login rate limit + lockout, CORS https-only + HSTS. All three are independent and shippable now; AZ-536 + AZ-537 both touch
UserService.ValidateUserso land AZ-536 first.
- MFA scope: TOTP enrollment + login validation lives in admin only (AZ-534). Other services (satellite-provider, gps-denied, ui) consume the
amrclaim if they need step-up checks — they do NOT enforce MFA themselves. - Cross-workspace verifier work (satellite-provider, gps-denied, ui must switch from HS256 shared secret to JWKS verification, plus add denylist polling) is intentionally deferred to per-workspace tickets, to be filed once admin's AZ-529 epic is close to shipping.
- AZ-513 added 2026-05-13 (cross-workspace prerequisite from
ui/workspace AZ-512). Filed under epic AZ-509. - AZ-197 originally listed
Component: Admin API, Loader; the Loader workspace was architecturally retired (seesuite/_docs/_repo-config.yamlunresolved:loader-retirement-arch-doc) and the spec was adapted on 2026-05-13 to be admin-only. - AZ-552..AZ-557 added 2026-05-14 as the cycle-2 hotfix sprint blocking the next deploy. All six roll up to AZ-530 per the
cycle-2-hotfix/AZ-530-followupJira labels. Source of truth:_docs/05_security/security_report_cycle2.md"Tracker Follow-Ups" section. 11 story points total. Recommended landing order: AZ-552 → AZ-553 → AZ-554 → AZ-555 (docs) in one PR train; AZ-556 + AZ-557 (auth-surface) can land in parallel with the deploy chain. None of the six depend on the deferred Medium / Low items (AZ-NEW-7..AZ-NEW-15 — see security_report_cycle2.md "Open" table).