- [ ] Entry gate approved: 3.6 SPIFFE baseline is stable in integration tests
- [ ] Workstream A: API contract and schema closure
  - [ ] Fill `api/proto/` with canonical schemas for key, crypto, authz, audit operations
  - [ ] Generate and validate OpenAPI in `api/openapi/` (single source-of-truth flow)
  - [ ] Freeze v1 request/response schema compatibility matrix
- [ ] Workstream B: Crypto and lifecycle debt closure
  - [ ] Implement KEK/DEK hierarchy KDF (HKDF-based derivation model)
  - [ ] Implement time-based and usage-based rotation policies
  - [ ] Implement rotation scheduler and idempotent scheduled jobs
  - [ ] Complete graceful deprecation handling path and tests
- [ ] Workstream C: AuthN/AuthZ reliability closure
  - [x] Fix OIDC token cache concurrency safety and add race tests
  - [ ] Integrate token refresh lifecycle into server auth flows
  - [x] Enforce explicit mTLS client CA pool loading in server TLS config
  - [ ] Align Casbin default model with domain/multi-tenant architecture target (or update architecture decisions explicitly)
- [ ] Workstream D: Operability and admin surface closure
  - [ ] Complete CLI command set: `init`, `policy`, `audit`, `health`, `migrate`
  - [ ] Wire migration flow end-to-end (`openkms-cli migrate` + backend schema migration)
  - [ ] Complete append-only audit persistence/query API
  - [ ] Add pre-commit hooks to enforce local quality gates before CI
- [ ] Workstream E: Quality gate uplift for transition to 3.7
  - [ ] Raise coverage baseline to practical minimum gate (target: >=45% overall, critical packages >=70%)
  - [ ] Add race-test suite for auth/storage critical paths
  - [ ] Add regression tests for rotation scheduler, migration rollback, and strict SPIFFE mode
  - [ ] Ensure `make fix-all` and `make check-all` are green in clean workspace
- [ ] Nuance controls for safe execution
  - [ ] Roll out high-risk changes (authn/crypto/storage) behind config flags where possible
  - [ ] Require reversible DB migration steps and tested rollback procedure
  - [ ] Validate HA behavior for mixed-version nodes during transition
  - [ ] Require canary rollout notes for production-impacting changes
  - [ ] Assign explicit owner + ETA for every unchecked item in this phase
- [ ] Acceptance artifacts (must exist before phase closure)
  - [ ] Backfill report: each missed item mapped to PR/test/doc artifact
  - [ ] Updated threat model delta for all security-sensitive changes
  - [ ] Updated runbook sections for migrate/rotate/audit/health operational flows
  - [ ] Short postmortem: why items were missed earlier + preventive process changes
- [ ] Exit gate approved: no open P0 items from Phase 5.4 relevant to runtime security/correctness
- [ ] Exit gate approved: no unresolved stubs/TODOs in API/CLI paths required for operations
- [ ] Exit gate approved: promote to 3.7 only after closure report is attached to docs