Last updated: 2026-03-08
Owner: Engineering
Plan reference: PROJECT_PLAN.md
- Remove tracked local secret-risk files from git index (`.env.local`, `attestations.sqlite`, `packages/core/registry/registry.private.jwk`).
- Harden root `.gitignore` to block `.env*`, `*.sqlite`, and private key artifacts.
- Add repository hygiene check script (`scripts/check-repo-hygiene.sh`).
- Add root `.env.example` placeholders.
- Rotate all historically exposed credentials and document evidence.
- Perform git history rewrite for historical secret exposure and force-push sanitized refs.
- Validate rewrite workflow in mirror clone (`scripts/rewrite-history-remove-sensitive-paths.sh`).
- Add full-history blocked-path scan (`scripts/history-secret-scan.sh`).
- Publish rotation/history remediation runbook (`docs/final/07_SECRET_ROTATION_AND_HISTORY_REMEDIATION.md`).
- Rewrite and force-push sanitized branch/tag refs to GitHub canonical remote.
- Open GitHub Support request to purge hidden `refs/pull/*` object retention and confirm final full-history clean scan.
- Deploy Vercel preview with Supabase-backed PostgreSQL (`sslmode=require`) and capture API/TLS probe evidence (`docs/evidence/staging/vercel-staging-2026-02-27.md`).
- Collect staging evidence for PostgreSQL TLS and encrypted-at-rest controls (`docs/evidence/staging/supabase-db-security-2026-02-27.md`).
- Collect staging evidence for HTTPS ingress forwarding and TLS policy.
- Attach evidence references to `docs/PRODUCTION_GOVERNANCE_TRACKER.md`.
- Publish staging evidence checklist (`docs/final/08_STAGING_SECURITY_EVIDENCE_CHECKLIST.md`).
- Add staging evidence capture script (`scripts/capture-staging-evidence.sh`).
- Add Vercel-protected evidence capture script (`scripts/capture-vercel-staging-evidence.sh`).
- Implement service-level health/status reporting (`/api/v1/health`, `/api/v1/status`, `/api/v1/metrics`).
- Define baseline API metrics instrumentation (`deedshield_http_requests_total`, `deedshield_http_request_duration_seconds`).
- Document incident/escalation workflow aligned with current architecture (`docs/final/10_INCIDENT_ESCALATION_AND_SLO_BASELINE.md`).
- Define alert thresholds and dashboard/SLO targets baseline (`docs/final/10_INCIDENT_ESCALATION_AND_SLO_BASELINE.md`).
- Implement dashboard and alert rules in staging monitoring stack.
- Capture alert fire/resolution evidence from staging.
- Enforce API key authentication on protected v1 endpoints.
- Add issuer-gated revocation with signature verification headers.
- Add rate limiting controls (`@fastify/rate-limit`) with global and per-key policies.
- Replace permissive CORS with env-driven allowlist and safe production default.
- Improve grantor/owner matching with normalized overlap scoring.
- Remove SQLite CLI shelling from legacy `src/api` paths in favor of in-process DB access.
- Add production startup guard for `NOTARY_API_KEY`, `PROPERTY_API_KEY`, and `TRUST_REGISTRY_SOURCE`.
- Replace `Receipt.rawInputs` persistence with `Receipt.rawInputsHash` (inputs commitment only).
- Add Prisma migration to rename `rawInputs` to `rawInputsHash`.
- Update `.env.example` files with placeholder-only verifier and trust source configuration.
- Add live structured verification endpoint for Vanta ingestion (`GET /api/v1/integrations/vanta/verification/:receiptId`).
- Publish JSON schema endpoint for integration validation (`GET /api/v1/integrations/vanta/schema`).
- Start SOC 2 readiness process documentation (`docs/final/13_SOC2_READINESS_KICKOFF.md`).
- Document at least one integration pilot use case (`docs/final/14_VANTA_INTEGRATION_USE_CASE.md`).
- Publish partnership pitch and demo prep package for 2026-03-06 call (`docs/partnership/vanta-2026-03-06/`).
- Capture deployed endpoint evidence (staging/production probes + payload validation logs).
- Enhance endpoint evidence scripting for timeline/header/runtime placeholders (`scripts/capture-vanta-integration-evidence.sh`).
- Implement repository guardrails and CI security checks in-repo (`AGENTS.md`, override files, docs, `.github/workflows/ci.yml`).
- Verify `master` branch protection on GitHub: PR required, 1 approval, required checks, signed commits, conversation resolution, admin enforcement.
- Add governance evidence capture scripts (`scripts/apply-github-branch-protection.sh`, `scripts/capture-github-governance-evidence.sh`).
- Capture governance evidence and CI-required-check artifacts under `docs/evidence/security/` and `notebooks/`.
- Push `cm/integration-halo2-governance-20260308` and open the consolidated integration PR to `master`.
- Obtain required review approval and merge the consolidated integration PR.
- Capture fresh CI evidence tied to the consolidated integration PR after checks pass.
- Remove mock-style ZKP attestation flow and secret witness key usage from active TypeScript paths.
- Enforce production-only external prover flow for verifiable attestation generation.
- Add canonical document commitment/public input model for document hashing.
- Add Rust Halo2 service entrypoint for prove/verify bridging (`circuits/non_mem_gadget/src/bin/zkp_service.rs`).
- Add tests covering dev-only guardrails, external prove path, and API/Vanta integration.
- Run end-to-end proof generation benchmarks against the real prover path and record latency evidence.
- Generate and manage proving/verifying keys for the production circuit lifecycle.
- IL DMV adapter stub (`src/adapters/registries/il-dmv.ts`).
- `registries.sql` migration (`supabase/migrations/registries.sql`).
- E2E verify curl->proof test (`tests/e2e/verify.test.ts`).
- Free registry expansion backlog (next source wave prioritization and implementation queue).
- Fail-closed negative tests (`apps/api/src/registry-adapters.test.ts` compliance gap coverage).
- Draft integration contract for Encompass-facing flows.
- Define idempotency, retry, and error semantics.
- Build integration validation suite and readiness report.
- Assemble marketplace submission packet.
- Key management uplift plan (KMS/HSM).
- Dependency and supply-chain hardening controls.
- Deferred advanced feature hardening (real ZKP latency optimization, portability, multi-chain anchor operations).