207 lines
8.2 KiB
Markdown
207 lines
8.2 KiB
Markdown
|
# APOPHIS Enforce-Readiness Hardening List
|
||
|
|
|
||
|
|
This document captures the hardening backlog based on recent multi-persona adoption evaluations (startup product, platform security, QA determinism, enterprise monorepo, and LLM-heavy org workflows).
|
||
|
|
|
||
|
|
Goal: move from **"Optional standard"** to **"Enforce"** safely.
|
||
|
|
|
||
|
|
## How to use this list
|
||
|
|
|
||
|
|
- Treat this as a release gate checklist.
|
||
|
|
- Each item includes an outcome and acceptance criteria.
|
||
|
|
- Do not mark complete without automated tests and clean-environment evidence.
|
||
|
|
|
||
|
|
## P0 - Must Fix Before Company Enforcement
|
||
|
|
|
||
|
|
## 1) CLI installation and invocation reliability
|
||
|
|
|
||
|
|
**Problem**
|
||
|
|
- In local file installs/temp projects, users often could not run `npx apophis` directly and had to call `node .../dist/cli/index.js`.
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- `npx apophis` works predictably for supported package managers and install modes.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- Fresh temp project matrix (`npm`, `pnpm`, `yarn`, `bun`) passes:
|
||
|
|
- install local package
|
||
|
|
- `npx apophis --help` exits `0`
|
||
|
|
- `npx apophis doctor` runs successfully
|
||
|
|
- Packaging test asserts executable bin/shebang correctness and command resolution.
|
||
|
|
|
||
|
|
## 2) Doctor route-discovery consistency with plugin registration
|
||
|
|
|
||
|
|
**Problem**
|
||
|
|
- `doctor` can report route-discovery failures (e.g., decorator already added) while `verify` works, which undermines trust.
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- `doctor` readiness checks are consistent with `verify` behavior and avoid false negatives when plugin is already present.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- Fixture matrix for app states:
|
||
|
|
- plugin pre-registered
|
||
|
|
- plugin not registered
|
||
|
|
- duplicate registration attempt
|
||
|
|
- `doctor` emits accurate status (`pass`/`warn` with remediation), never contradictory hard-fail when `verify` succeeds.
|
||
|
|
|
||
|
|
## 3) First-run contract discoverability and scaffold clarity
|
||
|
|
|
||
|
|
**Problem**
|
||
|
|
- New users can end up with "No behavioral contracts found" due to missing/unclear contract and plugin wiring expectations.
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- First-run path guides users to a successful behavioral check with explicit file names, commands, and expected outputs.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- `init -> doctor -> verify` in fresh project reaches a known-good contract execution path.
|
||
|
|
- If contracts are missing, message includes exact next steps and sample contract snippet.
|
||
|
|
- Docs and scaffold output are fully aligned (no conflicting file names/expectations).
|
||
|
|
|
||
|
|
## 4) Replay trustworthiness for failure triage
|
||
|
|
|
||
|
|
**Problem**
|
||
|
|
- In some scenarios, replay confidence can degrade when nondeterministic app behavior or identity mismatch is involved.
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- Replay remains dependable for intended deterministic paths and clearly labels non-repro conditions.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- Failing verify artifact replay reproduces failure for deterministic fixtures.
|
||
|
|
- For nondeterministic cases, replay explains why reproduction can differ and points to stabilization guidance.
|
||
|
|
- Qualify and verify artifacts preserve route identity in replay-compatible form.
|
||
|
|
|
||
|
|
## 5) CI truthfulness for real install/runtime parity
|
||
|
|
|
||
|
|
**Problem**
|
||
|
|
- CI can be green while install/runtime path differences still hurt real users.
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- CI includes packaged-distribution smoke checks and fresh-project end-to-end flow.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- CI job runs:
|
||
|
|
- package build
|
||
|
|
- temp project install of package artifact/local reference
|
||
|
|
- `npx apophis --help`
|
||
|
|
- `init -> doctor -> verify` scenario
|
||
|
|
- failure artifact + replay smoke test
|
||
|
|
|
||
|
|
## P1 - High-Value Hardening for Wide Rollout
|
||
|
|
|
||
|
|
## 6) Determinism guardrails and triage quality
|
||
|
|
|
||
|
|
**Status**: Complete
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- Clear separation between deterministic product failures and environment/data nondeterminism.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- [x] Deterministic-mode guidance and flags in docs/output.
|
||
|
|
- [x] Repeated-run CI test for fixed-seed deterministic fixtures (`verify-ux.test.ts`, `qualify-signal.test.ts`).
|
||
|
|
- [x] Failure text includes nondeterminism guidance when replay diverges.
|
||
|
|
|
||
|
|
## 7) Qualify profile scoping and route control transparency
|
||
|
|
|
||
|
|
**Status**: Complete
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- Users can predict and verify route/profile scope from CLI output and artifacts.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- [x] Artifacts include explicit executed route list.
|
||
|
|
- [x] Artifacts include skipped-route reasons.
|
||
|
|
- [x] Qualify summary reports per-profile gate execution counts.
|
||
|
|
- [x] Route/profile filters covered by integration tests.
|
||
|
|
|
||
|
|
## 8) Monorepo operator ergonomics
|
||
|
|
|
||
|
|
**Status**: Complete
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- Multi-service operation is straightforward and scriptable.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- [x] Monorepo example/docs show recommended root/workspace scripts.
|
||
|
|
- [x] Workspace fan-out command paths work without manual dist entrypoint hacks.
|
||
|
|
- [x] Doctor/verify output is package-attributed and aggregation-friendly.
|
||
|
|
|
||
|
|
## 9) Machine-output scalability and logging ergonomics
|
||
|
|
|
||
|
|
**Status**: Complete
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- Machine outputs remain parseable and practical at scale.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- [x] Concise machine summary modes (`json-summary`, `ndjson-summary`) with CI filtering examples.
|
||
|
|
- [x] Documented recommended CI parsers and retention strategy.
|
||
|
|
- [x] ndjson/json schema stability validated in tests.
|
||
|
|
|
||
|
|
## P2 - Protocol/RFC Conformance Hardening
|
||
|
|
|
||
|
|
## 10) JWT verification depth and keying policy
|
||
|
|
|
||
|
|
**Status**: Complete
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- Strong, test-backed JWT conformance behavior for supported algorithms and key configurations.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- [x] Test vectors for valid/invalid signatures, missing keys, malformed tokens, alg mismatch.
|
||
|
|
- [x] Clear docs on supported algs, key formats, and verification limits.
|
||
|
|
|
||
|
|
**Evidence**
|
||
|
|
- `src/test/protocol-extensions.test.ts` covers HS256 valid/invalid, missing key, malformed token, alg mismatch, kid lookup.
|
||
|
|
- `src/test/cli/protocol-conformance-p2.test.ts` adds RS256 and ES256 valid/invalid signature vectors.
|
||
|
|
- `src/extensions/jwt.ts` documents supported algorithms: `HS256`, `RS256`, `ES256`.
|
||
|
|
|
||
|
|
## 11) HTTP Signature conformance breadth
|
||
|
|
|
||
|
|
**Status**: Complete
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- Explicit signature-input parsing and covered-component behavior for the supported subset.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- [x] Negative corpus tests for malformed signature-input/signature headers.
|
||
|
|
- [x] Multi-label and covered-component edge-case tests.
|
||
|
|
- [x] Explicitly documented supported subset and known gaps.
|
||
|
|
|
||
|
|
**Evidence**
|
||
|
|
- `src/test/protocol-extensions.test.ts` covers parsing, coverage, RSA verification, malformed input (missing label, empty components), bad base64, multi-label headers, `@authority` resolution.
|
||
|
|
- `src/test/cli/protocol-conformance-p2.test.ts` adds unsupported algorithm and mismatched label rejection.
|
||
|
|
|
||
|
|
## 12) X.509 and SPIFFE strictness matrix
|
||
|
|
|
||
|
|
**Status**: Complete
|
||
|
|
|
||
|
|
**Required outcome**
|
||
|
|
- Deterministic and strict identity parsing behavior with clear support boundaries.
|
||
|
|
|
||
|
|
**Acceptance criteria**
|
||
|
|
- [x] DER/PEM fixture matrix with multiple SAN combinations and malformed certs.
|
||
|
|
- [x] SPIFFE invalid-case matrix (path, trust domain, dot segments, authority variants).
|
||
|
|
- [x] Docs align with actual strictness rules and examples.
|
||
|
|
|
||
|
|
**Evidence**
|
||
|
|
- `src/test/protocol-extensions.test.ts` covers URI SAN extraction, real PEM certificate, malformed PEM rejection, SPIFFE parsing/validation, empty path, dot-segments, invalid trust domain labels, percent-encoded segments, query/fragment rejection, userinfo/port rejection.
|
||
|
|
- `src/extensions/x509.ts` and `src/extensions/spiffe.ts` implement strict validation rules.
|
||
|
|
|
||
|
|
## Enforcement Gate Checklist
|
||
|
|
|
||
|
|
Before switching company policy to **Enforce**, all of the following must be true:
|
||
|
|
|
||
|
|
- [x] P0 items 1-5 are complete and tested in CI.
|
||
|
|
- [x] A fresh temp project can run `npx apophis --help`, `init`, `doctor`, `verify`, and `replay` without manual workarounds.
|
||
|
|
- [x] No contradictory `doctor` vs `verify` readiness outcomes in supported app patterns.
|
||
|
|
- [x] Failure -> artifact -> replay loop is deterministic on designated deterministic fixtures.
|
||
|
|
- [x] CI includes packaged/install parity tests, not only in-repo source tests.
|
||
|
|
- [x] Documentation is aligned with actual behavior and first-run commands.
|
||
|
|
|
||
|
|
## Suggested ownership split
|
||
|
|
|
||
|
|
- CLI/Packaging: items 1, 5
|
||
|
|
- Doctor/Discovery: item 2
|
||
|
|
- Onboarding UX/Docs: item 3, 9
|
||
|
|
- Replay/Determinism: items 4, 6, 7
|
||
|
|
- Platform/Monorepo: item 8
|
||
|
|
- Protocol Extensions: items 10, 11, 12
|