Cert-IX MVP1 — Compliance Baseline Matrix (38 Services)

Date: 2026-02-22
Scope: Minimum launchable compliance baseline on critical flows
Estimated remediation: 2–4 days (validated below)

---

Table of Contents

1. Service Compliance Matrix (38 services)
2. Critical Flows & Dependencies
3. P0/P1/P2 Gap Summary
4. Remediation Plan per Flow
5. E2E Testing Strategy by Flow
6. Kafka Event Contract Freeze
7. Go/No-Go Criteria
8. Timeline

---

1. Service Compliance Matrix

Legend

Symbol	Meaning
✅	Implemented and verified
⚠️	Partially implemented / needs hardening
❌	Missing / not implemented
N/A	Not applicable for this service type

Compliance Dimensions

#	Dimension	Code
A	AuthN/AuthZ & Access Control	AUTHN
B	Audit Logging (who/what/when + traceId)	AUDIT
C	Secrets Management (no hardcoded secrets)	SECRETS
D	Encryption in Transit (TLS) + at Rest	ENCRYPT
E	Input Validation/Sanitization + Rate Limiting	INPUT
F	Monitoring/Alerting (health, logs, APM)	MONITOR

---

1.1 Admin Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
1	admin-backend	P1	✅ JWT+Passport, RBAC via rbac.service, token blacklist (Redis)	✅ authAuditLogger middleware, session.service.createAuditLog, DB-persisted	⚠️ Env vars via Joi validation; DB_SSL defaults false	⚠️ Helmet headers; DB_SSL=false default; session cookie secure only in prod	✅ Joi validate middleware on all routes	⚠️ Winston logger; no APM agent detected	None	PG (cert_ix_admin), Redis, auth DB, assets DB, messages DB
2	admin-ui	P1	✅ JWT auth via admin-backend API	N/A (frontend)	✅ No secrets in client code	✅ HTTPS via Nginx/Kong	✅ DOMPurify, client-side validation	⚠️ Elastic APM RUM	Consumer of admin-backend API	admin-backend

1.2 Authentication & Identity Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
3	qr-auth-service	P0	✅ JWT+session, CSRF (Redis-backed), WebAuthn, MFA, device fingerprint, token blacklist, bot detection, IP reputation	✅ AuditLogger class with tamper-resistant hashes (SHA-384 chain), DB+Kafka dual write, compliance tags (SOC2/GDPR/PCI)	⚠️ Env vars; CSRF_ENCRYPTION_KEY falls back to crypto.randomBytes (ephemeral)	⚠️ Kafka SSL configurable but ssl: process.env.KAFKA_SSL === 'true'; Redis TLS conditional	✅ Joi validation, CAPTCHA integration, email validation, SQL injection patterns, rate limiting (DB-backed, 10 req/15min auth)	⚠️ Structured logging; no APM	Producer: 50+ topics (auth events, CSRF, sessions, security)	PG (cert_ix_auth), Redis, Kafka, captcha-service
4	qr-auth-ui	P1	✅ Login/register/2FA/WebAuthn UI	N/A (frontend)	✅ No secrets in client	✅ HTTPS	✅ Client-side validation, DOMPurify	⚠️ Elastic APM RUM	N/A	qr-auth-service
5	otp-service	P0	✅ JWT auth, TOTP support	✅ Kafka audit events	⚠️ Env vars via config	✅ Kafka TLS, Redis TLS configurable	✅ Rate limiting (Redis-backed)	⚠️ Logger only	Producer: OTP events	PG, Redis, Kafka
6	captcha-service	P1	✅ API key auth for service-to-service	✅ Kafka audit events	⚠️ Env vars	✅ Kafka TLS, TLS server	✅ Challenge validation, rate limiting	⚠️ Logger only	Producer: CAPTCHA events	Redis, Kafka

1.3 Client Frontend Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
7	client-dashboard	P0	✅ AuthContext with JWT, session mgmt, CapabilityGate (tier-based), permission-based nav	N/A (frontend)	✅ No secrets; encrypted token storage (CryptoJS)	✅ HTTPS, security headers in layout.js	✅ DOMPurify on all inputs, client-side Joi	✅ Elastic APM RUM	N/A	qr-auth-service, all backend APIs via Kong
8	client-verifier-ui	P1	✅ Token-based email verification	N/A (frontend)	✅ No secrets	✅ HTTPS	✅ Input validation	⚠️ Elastic APM RUM	N/A	qr-auth-service
9	payment-ui	P1	✅ Session-based auth from checkout flow	N/A (frontend)	✅ No secrets; Stripe.js handles PCI	✅ HTTPS, Stripe Elements (PCI DSS)	✅ Zod validation	⚠️ Elastic APM RUM	N/A	checkout-orchestration, Stripe

1.4 Asset Management Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
10	asset-management-service	P0	⚠️ Kafka-based permission validation (with fallback auth); no direct JWT middleware	⚠️ Security events service; audit via Kafka events on CRUD	⚠️ Env vars; encryption service uses env key	⚠️ Kafka TLS configurable; encryption.service.js for data at rest	⚠️ Rate limiting in config; validation in routes	⚠️ Logger only	Producer: asset CRUD events, quota sync; Consumer: permission responses	PG (cert_ix_assets), Redis, Kafka
11	asset-verification-service	P1	✅ JWT auth middleware (Go)	⚠️ DB logging of verification attempts	⚠️ Env vars; HMAC key in env	✅ TLS server (Go), HTTPS endpoints	✅ Input validation on verification requests	⚠️ Structured Go logging	Producer: verification events	PG (cert_ix_asset_verification), Redis
12	assets-sync-service	P1	⚠️ Kafka SCRAM auth for broker; no HTTP auth (internal)	❌ No audit logging found	⚠️ Env vars; Kafka SCRAM credentials	✅ Kafka TLS via SCRAM config	⚠️ Trust validator for data integrity	❌ No monitoring	Consumer: asset events; Producer: sync events	PG, Kafka

1.5 Vulnerability & Scanning Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
13	vulnerability-management-service (Go)	P0	✅ JWT auth middleware with tenant isolation	⚠️ Audit in service layer; no dedicated audit table	⚠️ Env vars; config validation	✅ TLS server, DB TLS, Kafka TLS	✅ Request validation, security middleware (CORS, headers)	⚠️ Structured Go logging	Producer: vuln events; Consumer: scan events, capability responses	PG (cert_ix_vulnerabilities), Redis, Kafka, ES
14	vulnerability-classifier-service (Go)	P1	✅ JWT auth middleware	⚠️ Redis-based scan tracking	⚠️ Env vars	✅ TLS configurable	⚠️ Basic validation	⚠️ Go logging	Consumer: scan results; Producer: classified vulns	PG (cert_ix_vuln_classifier), Redis, Kafka
15	vulnerability-policy-service (Go)	P1	✅ JWT auth middleware	⚠️ Config-level audit	⚠️ Env vars	✅ TLS configurable	⚠️ Model validation	⚠️ Go logging	Consumer: vuln events; Producer: policy decisions	PG (cert_ix_vuln_policy), Redis, Kafka
16	vulnerability-remediation-service (Go)	P1	✅ JWT auth middleware	⚠️ Config-level audit	⚠️ Env vars	✅ TLS configurable	✅ Model validation, auth middleware validation	⚠️ Go logging	Consumer: vuln events; Producer: remediation tasks	PG (cert_ix_vuln_remediation), Redis, Kafka
17	go-tools (9 scanner engines)	P0	✅ JWT auth middleware (pkg/middleware/auth.go)	✅ pkg/scanner/audit.go — scan audit trail with retention	⚠️ Env vars via config	✅ TLS server, ES TLS	✅ Rate limiting (Redis), input validation	⚠️ Go logging	Producer: scan results; Consumer: scan requests	PG (cert_ix_tools_service), Redis, Kafka, ES
18	scan-api-service (Go)	P0	✅ JWT auth + API key auth (api_key_service)	✅ Call log repository for API audit	⚠️ Env vars	✅ TLS, Kafka TLS	✅ Validation, rate limiting	⚠️ Go logging	Producer: scan dispatch to engines	PG, Redis, Kafka
19	scan-worker-service (Go)	P1	❌ Internal service, no HTTP auth (Kafka consumer only)	❌ No audit logging	⚠️ Env vars	⚠️ Kafka TLS configurable	❌ No HTTP input validation (Kafka only)	❌ No monitoring	Consumer: scan tasks; Producer: scan results	Kafka

1.6 Compliance & Audit Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
20	compliance-guard-service	P1	❌ No auth middleware found	❌ No audit logging	❌ No secrets management	❌ No TLS config	❌ No validation	❌ No monitoring	N/A	asset-verification-service
21	compliance-management-service (Go)	P1	⚠️ Auth references in service layer	✅ Activity log in service, Kafka producer	⚠️ Env vars	✅ TLS configurable	✅ Repository-level validation	⚠️ Go logging	Producer: compliance events	PG, Redis, Kafka
22	compliance-management-service (Node, unused)	P2	❌ Not in use	❌ Not in use	❌ Not in use	❌ Not in use	❌ Not in use	❌ Not in use	N/A	N/A
23	audit-evidence-service	P1	⚠️ PQC decryption middleware only	⚠️ Audit in middleware	❌ No secrets management	❌ No TLS config	❌ No validation	❌ No monitoring	N/A	PG

1.7 Payment Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
24	payment-processing-service (Go)	P0	✅ Auth middleware, user existence check	❌ No audit logging found	⚠️ Env vars; Vault AppRole configured but not integrated in code	✅ TLS server, DB TLS, Redis TLS, Kafka TLS	✅ Rate limiting middleware, OTP validation	⚠️ Go logging	Producer: payment events; Consumer: OTP events	PG, Redis, Kafka, Stripe
25	checkout-orchestration-service (Go)	P0	⚠️ Config-level auth; no JWT middleware on routes	⚠️ Kafka audit events	⚠️ Env vars; Vault configured but not integrated	✅ TLS, DB TLS, Kafka TLS, Redis TLS	✅ Rate limiting (Redis), checkout validation	⚠️ Go logging	Producer: checkout events; Consumer: plan data	PG, Redis, Kafka
26	invoice-service (Go)	P1	❌ No auth middleware found	❌ No audit logging	⚠️ Env vars; Vault configured but not integrated	✅ TLS server, DB TLS	❌ No rate limiting, no input validation	❌ No monitoring	Consumer: payment events; Producer: invoice events	PG, Kafka, R2 (Cloudflare)
27	account-provisioning-service (Go)	P1	⚠️ Auth in provisioning service	❌ No audit logging	⚠️ Env vars; Vault configured but not integrated	✅ TLS server, DB TLS	❌ No rate limiting	❌ No monitoring	Consumer: subscription events; Producer: provisioning events	PG (cert_ix_subscription), Kafka

1.8 Agent & Telemetry Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
28	agent-gateway-service (Go)	P1	✅ Agent registration auth, JWT	✅ Audit in agent service + repository	⚠️ Env vars	✅ TLS, Kafka TLS	✅ Validation, rate limiting	⚠️ Go logging	Producer: agent events	PG, Redis, Kafka
29	agent-ingestion-gateway (Go)	P1	⚠️ Config-level auth	⚠️ Config-level audit	⚠️ Env vars	✅ TLS configurable	⚠️ Config-level validation	⚠️ Go logging	Producer: telemetry to Kafka	Kafka, Redis
30	agent-stream-processor (Go)	P2	❌ No auth (internal Kafka consumer)	⚠️ Audit in processors	⚠️ Env vars	✅ TLS configurable	⚠️ Config-level validation	⚠️ Go logging	Consumer: telemetry; Producer: processed data	PG, Kafka, Redis
31	bits (bitcollector + sentinel)	P2	⚠️ mTLS for agent-to-gateway; sentinel has ES auth	⚠️ Sentinel has ES-based audit	⚠️ Env vars + config YAML	⚠️ TLS configurable for ES connections	⚠️ Basic validation	❌ No monitoring	Agent → Gateway (HTTP)	agent-gateway, ES

1.9 Supporting Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
32	email-service	P0	⚠️ Kafka auth for broker; no HTTP auth (internal)	✅ Email audit logging, security config	⚠️ Env vars; SendGrid API key in env	✅ TLS server, Kafka TLS	✅ Rate limiting, email security validation	⚠️ Logger	Consumer: auth events, password reset, free plan, etc.	Kafka, SendGrid, PG
33	notification-service	P1	⚠️ PQC decryption middleware only	⚠️ Audit in middleware	❌ No secrets management	❌ No TLS config found	❌ No rate limiting	❌ No monitoring	Consumer: notification events	Kafka
34	bobby-service	P2	❌ No auth found	❌ No audit	❌ No secrets management	❌ No TLS	❌ No validation	❌ No monitoring	N/A	AI/LLM API
35	nvd-service	P2	❌ No auth found	❌ No audit	❌ No secrets management	❌ No TLS	❌ No validation	❌ No monitoring	N/A	NVD API
36	subscription-service (Go)	P0	✅ JWT auth, tenant isolation	✅ Usage tracking, audit in services	⚠️ Env vars	✅ TLS, DB TLS, Kafka TLS, Redis TLS	✅ Validation, rate limiting	⚠️ Go logging	Producer: capability responses, quota events; Consumer: capability requests, free plan, quota sync	PG (cert_ix_subscription), Redis, Kafka
37	teams-management-service (Go)	P1	✅ JWT auth	⚠️ Model-level audit fields	⚠️ Env vars	✅ TLS configurable	⚠️ Model validation	⚠️ Go logging	Producer: team events	PG, Redis, Kafka
38	quota-sync-service (Go)	P1	❌ No auth (internal Kafka consumer)	❌ No audit logging	⚠️ Env vars	⚠️ Kafka TLS configurable	❌ No validation (internal)	❌ No monitoring	Consumer: quota sync events; Producer: subscription quota sync	PG, Kafka

1.10 Static/Content Services

#	Service	Criticality	A:AUTHN	B:AUDIT	C:SECRETS	D:ENCRYPT	E:INPUT	F:MONITOR	Kafka Role	Dependencies
—	docs (Docusaurus)	P2	N/A (static)	N/A	N/A	✅ HTTPS via Nginx	N/A	⚠️ APM RUM	N/A	Nginx
—	cert-ix-blog	P2	⚠️ Admin login for blog mgmt	❌ No audit	⚠️ Env vars	✅ HTTPS	⚠️ Basic validation	⚠️ APM RUM	N/A	MongoDB
—	cert-ix-v1-landing-site-v1	P2	N/A (static + message API)	❌ No audit	⚠️ Env vars	✅ HTTPS	⚠️ Basic validation	⚠️ APM RUM	N/A	PG (message API)

---

2. Critical Flows & Dependencies

Flow 1: User Registration & Login (P0)

client-dashboard → qr-auth-ui → qr-auth-service → captcha-service
                                       ↓
                              PG (cert_ix_auth) + Redis
                                       ↓
                              Kafka → email-service (verification email)
                              Kafka → subscription-service (free plan activation)
                              Kafka → account-provisioning-service (tenant setup)

Services: qr-auth-service, qr-auth-ui, client-dashboard, captcha-service, email-service, subscription-service, account-provisioning-service
Kafka Topics: cert-ix.auth.user.registered.success, cert-ix.subscription.plan.free.request, cert-ix.subscription.plan.free.activated

Flow 2: Vulnerability Scanning (P0)

client-dashboard → Kong → scan-api-service → Kafka → go-tools (9 engines)
                                                         ↓
                                              Kafka → vulnerability-management-service
                                                         ↓
                                              Kafka → vulnerability-classifier-service
                                              Kafka → vulnerability-remediation-service
                                              Kafka → vulnerability-policy-service

Services: client-dashboard, scan-api-service, go-tools, vulnerability-management-service, vulnerability-classifier-service
Kafka Topics: cert-ix.scans.{engine}.{priority}, cert-ix.scan-results, cert-ix.scans.events

Flow 3: Asset Management (P0)

client-dashboard → Kong → asset-management-service → Kafka (permission check)
                                       ↓
                              PG (cert_ix_assets) + Redis
                                       ↓
                              Kafka → quota-sync-service → subscription-service
                              Kafka → assets-sync-service

Services: client-dashboard, asset-management-service, quota-sync-service, subscription-service, assets-sync-service
Kafka Topics: cert-ix.asset.created/updated/deleted, cert-ix.quota.sync.assets

Flow 4: Payment & Subscription (P0)

client-dashboard → payment-ui → checkout-orchestration-service → payment-processing-service → Stripe
                                                                          ↓
                                                               Kafka → invoice-service
                                                               Kafka → account-provisioning-service
                                                               Kafka → subscription-service

Services: payment-ui, checkout-orchestration-service, payment-processing-service, invoice-service, account-provisioning-service, subscription-service
Kafka Topics: cert-ix.payment.*, cert-ix.checkout.*, cert-ix.subscription.*

Flow 5: Compliance & Audit (P1)

client-dashboard → Kong → admin-backend → compliance-management-service (Go)
                                       → audit-evidence-service
                                       → compliance-guard-service → asset-verification-service

Services: admin-backend, compliance-management-service, audit-evidence-service, compliance-guard-service, asset-verification-service

Flow 6: Agent Telemetry (P2)

bits (bitcollector) → agent-gateway-service → agent-ingestion-gateway → Kafka → agent-stream-processor → PG

Services: bits, agent-gateway-service, agent-ingestion-gateway, agent-stream-processor

---

3. P0/P1/P2 Gap Summary

P0 — BLOCKING (Must fix before launch)

ID	Service	Gap Type	Description	Effort
P0-01	asset-management-service	AUTHN	No direct JWT middleware — relies on Kafka permission check with fallback that grants access when Kafka is down	4h
P0-02	asset-management-service	AUDIT	No structured audit trail with traceId/correlationId	4h
P0-03	checkout-orchestration-service	AUTHN	No JWT middleware on HTTP routes; config-level auth only	3h
P0-04	payment-processing-service	AUDIT	No audit logging for payment operations (PCI DSS requirement)	4h
P0-05	email-service	AUTHN	No HTTP auth (internal service) — needs service-to-service auth or network isolation verification	2h
P0-06	admin-backend	ENCRYPT	DB_SSL defaults to false — must default to true for production	1h
P0-07	All Go services	SECRETS	All use env vars directly — need to verify no hardcoded secrets in docker-compose or .env committed to git	2h
P0-08	All services	MONITOR	No centralized health check dashboard; most services have health endpoints but no alerting	4h
P0-09	scan-worker-service	AUDIT	No audit logging at all — scan execution must be auditable	3h
P0-10	qr-auth-service	SECRETS	CSRF_ENCRYPTION_KEY falls back to ephemeral crypto.randomBytes — must be persistent env var	1h

P1 — IMPORTANT (Should fix for launch, can be day-2 if blocked)

ID	Service	Gap Type	Description	Effort
P1-01	compliance-guard-service	AUTHN	No auth, no audit, no TLS, no validation — entire service needs security baseline	6h
P1-02	audit-evidence-service	AUTHN	Only PQC middleware; no JWT auth, no validation, no TLS	4h
P1-03	notification-service	AUTHN	Only PQC middleware; no auth, no TLS, no rate limiting	4h
P1-04	invoice-service	AUTHN	No auth middleware, no audit, no rate limiting, no input validation	4h
P1-05	account-provisioning-service	AUDIT	No audit logging for tenant provisioning	3h
P1-06	assets-sync-service	AUDIT	No audit logging for sync operations	2h
P1-07	quota-sync-service	AUDIT	No audit logging, no monitoring	2h
P1-08	admin-backend	INPUT	No rate limiting middleware (only session-level)	3h
P1-09	All Node.js services	ENCRYPT	Kafka SSL and Redis TLS defaults vary — need uniform true defaults	3h
P1-10	Vault integration	SECRETS	Vault AppRole configured for payment services but NOT integrated in Go code — still using env vars	8h

P2 — POST-MVP

ID	Service	Gap Type	Description	Effort
P2-01	bobby-service	ALL	No security baseline at all — AI assistant service	8h
P2-02	nvd-service	ALL	No security baseline — CVE data fetcher	4h
P2-03	agent-stream-processor	AUTHN	No auth (internal Kafka consumer)	2h
P2-04	bits	MONITOR	No monitoring/alerting for agent	2h
P2-05	cert-ix-blog	AUDIT	No audit logging for admin actions	2h
P2-06	compliance-management-service (Node)	ALL	Unused — should be removed or marked deprecated	1h
P2-07	All services	MONITOR	APM agent missing from most backend services	8h

---

4. Remediation Plan per Flow

Flow 1: Registration & Login — Day 1 (8h)

Task	Service	Gap ID	Effort	Owner
Fix CSRF_ENCRYPTION_KEY to require env var	qr-auth-service	P0-10	1h	—
Verify email-service is network-isolated or add service auth	email-service	P0-05	2h	—
Verify no hardcoded secrets in docker-compose/.env files	All auth flow	P0-07	2h	—
Add health check alerting for auth flow services	qr-auth, captcha, email	P0-08	3h	—

Smoke test: Register → verify email → login → get JWT → access dashboard → logout

Flow 2: Vulnerability Scanning — Day 1-2 (10h)

Task	Service	Gap ID	Effort	Owner
Add audit logging to scan-worker-service	scan-worker-service	P0-09	3h	—
Verify scan-api-service audit trail completeness	scan-api-service	—	2h	—
Add health check alerting for scan flow	go-tools, scan-api	P0-08	2h	—
Verify Kafka TLS is enforced for scan topics	All scan services	P1-09	3h	—

Smoke test: Create scan → dispatch to engine → get results → view in dashboard

Flow 3: Asset Management — Day 2 (8h)

Task	Service	Gap ID	Effort	Owner
Add JWT middleware to asset-management-service	asset-management-service	P0-01	4h	—
Add structured audit logging with traceId	asset-management-service	P0-02	4h	—

Smoke test: CRUD asset → verify ownership → quota sync → subscription update

Flow 4: Payment & Subscription — Day 2-3 (11h)

Task	Service	Gap ID	Effort	Owner
Add JWT middleware to checkout-orchestration routes	checkout-orchestration	P0-03	3h	—
Add audit logging to payment-processing-service	payment-processing	P0-04	4h	—
Fix DB_SSL default to true in admin-backend	admin-backend	P0-06	1h	—
Add auth + audit to invoice-service	invoice-service	P1-04	3h	—

Smoke test: Select plan → checkout → Stripe payment → invoice generated → subscription active

Flow 5: Compliance & Audit — Day 3 (6h)

Task	Service	Gap ID	Effort	Owner
Add security baseline to compliance-guard-service	compliance-guard	P1-01	6h	—

Smoke test: Run compliance check → view results → export evidence

Cross-Cutting — Day 3-4 (8h)

Task	Scope	Gap ID	Effort	Owner
Uniform Kafka SSL + Redis TLS defaults	All services	P1-09	3h	—
Add rate limiting to admin-backend	admin-backend	P1-08	3h	—
Centralized health check dashboard	All P0 services	P0-08	2h	—

---

5. E2E Testing Strategy by Flow

Principle: Test by flow, not by service

Each flow gets a smoke test script that validates the complete chain end-to-end.

Flow 1: Auth E2E Test

# scripts/e2e/test-auth-flow.sh
# 1. Get CSRF token
# 2. Get CAPTCHA challenge
# 3. Register user (POST /api/v1/register/individual)
# 4. Verify email (GET /api/v1/register/verify-email/:token)
# 5. Login (POST /api/v1/auth/login)
# 6. Verify JWT works (GET /api/v1/auth/check-session)
# 7. Verify subscription activated (GET /api/v1/subscriptions/current)
# 8. Logout (POST /api/v1/auth/logout)
# 9. Verify token blacklisted (GET /api/v1/auth/check-session → 401)
# PASS criteria: All steps return expected status codes

Flow 2: Scan E2E Test

# scripts/e2e/test-scan-flow.sh
# 1. Login → get JWT
# 2. Create asset (POST /api/v1/assets)
# 3. Verify ownership (POST /api/v1/verification/proofs)
# 4. Start scan (POST /api/v1/scans)
# 5. Poll scan status (GET /api/v1/scans/:id) until complete
# 6. Get scan results (GET /api/v1/scans/:id/results)
# 7. Verify vulnerability created in vuln-mgmt (GET /api/v1/vulnerabilities)
# PASS criteria: Scan completes, results available, vuln synced

Flow 3: Asset E2E Test

# scripts/e2e/test-asset-flow.sh
# 1. Login → get JWT
# 2. Create asset (POST /api/v1/assets)
# 3. Read asset (GET /api/v1/assets/:id)
# 4. Update asset (PATCH /api/v1/assets/:id)
# 5. Verify quota updated (GET /api/v1/subscriptions/current → usage)
# 6. Delete asset (DELETE /api/v1/assets/:id)
# 7. Verify quota decremented
# PASS criteria: CRUD works, quota syncs within 30s

Flow 4: Payment E2E Test

# scripts/e2e/test-payment-flow.sh
# 1. Login → get JWT
# 2. Get plans (GET /api/v1/plans)
# 3. Create checkout session (POST /api/v1/checkout/sessions)
# 4. Simulate Stripe webhook (POST /api/v1/webhooks/stripe)
# 5. Verify subscription updated (GET /api/v1/subscriptions/current)
# 6. Verify invoice created (GET /api/v1/invoices)
# PASS criteria: Subscription tier upgraded, invoice exists

---

6. Kafka Event Contract Freeze

Frozen Topics (v1.0 — backward compatible)

All topic schemas below are frozen for MVP1. Any change must be backward-compatible (additive fields only).

Topic Pattern	Producer	Consumer(s)	Schema Version
cert-ix.auth.user.registered.success	qr-auth-service	email-service, subscription-service	v1.0
cert-ix.auth.user.login.success	qr-auth-service	email-service	v1.0
cert-ix.subscription.plan.free.request	qr-auth-service	subscription-service	v1.0
cert-ix.subscription.plan.free.activated	subscription-service	email-service	v1.0
cert-ix.subscription.capability-request	vuln-mgmt-service	subscription-service	v1.0
cert-ix.subscription.capability-response	subscription-service	vuln-mgmt-service	v1.0
cert-ix.scans.{engine}.{priority}	scan-api-service	go-tools workers	v1.0
cert-ix.scan-results	go-tools	results-processor	v1.0
cert-ix.scans.events	go-tools	vuln-mgmt-service	v1.0
cert-ix.asset.created/updated/deleted	asset-mgmt-service	assets-sync, quota-sync	v1.0
cert-ix.quota.sync.assets	asset-mgmt-service	quota-sync-service	v1.0
cert-ix.subscription.quota.sync	quota-sync-service	subscription-service	v1.0
cert-ix.payment.*	payment-processing	invoice-service, account-provisioning	v1.0
cert-ix.checkout.*	checkout-orchestration	payment-processing	v1.0

Schema Versioning Rules

1. Header: Every Kafka message MUST include schema-version: "1.0" header
2. Additive only: New fields can be added; existing fields cannot be removed or renamed
3. Consumer tolerance: All consumers MUST ignore unknown fields
4. Breaking changes: Require new topic (e.g., cert-ix.auth.user.registered.success.v2)

---

7. Go/No-Go Criteria

Go Criteria (ALL must be met)

#	Criterion	Verification Method
1	All P0 gaps remediated	Code review + deployment verification
2	All 4 E2E flow smoke tests pass	Automated test scripts on staging
3	No hardcoded secrets in any deployed service	grep audit of docker-compose, .env, source
4	TLS enforced on all external endpoints	curl -k test against Kong + all public ports
5	Kafka SSL enabled for all producers/consumers	Config audit + connection test
6	Redis TLS enabled for all services	Config audit + connection test
7	Auth flow: register → login → access → logout works E2E	Flow 1 smoke test
8	Scan flow: create → scan → results works E2E	Flow 2 smoke test
9	Payment flow: checkout → pay → subscription active works E2E	Flow 4 smoke test
10	All P0 services have health endpoints responding	Health check script
11	Kafka event contracts frozen and documented	This document
12	Audit logs exist for auth events (login/logout/register)	DB query verification

No-Go Triggers

• Any P0 gap not remediated
• Any E2E flow smoke test failing
• Hardcoded secret found in production config
• TLS not enforced on external-facing endpoint
• Auth bypass possible on any P0 service
• Payment flow broken (Stripe integration)

---

8. Timeline

Day 1 (8h) — Auth + Scan Flows

Time	Task	Services
0-1h	Fix CSRF_ENCRYPTION_KEY, verify secrets	qr-auth-service
1-3h	Verify email-service isolation, add health alerts	email-service, captcha
3-6h	Add audit logging to scan-worker-service	scan-worker-service
6-8h	Verify scan flow Kafka TLS, write Flow 1+2 smoke tests	All scan services

Day 2 (8h) — Asset + Payment Flows

Time	Task	Services
0-4h	Add JWT middleware + audit to asset-management-service	asset-management-service
4-7h	Add JWT to checkout-orchestration, audit to payment-processing	payment services
7-8h	Fix DB_SSL default, write Flow 3+4 smoke tests	admin-backend

Day 3 (8h) — Cross-Cutting + P1 Critical

Time	Task	Services
0-3h	Uniform Kafka SSL + Redis TLS defaults	All services
3-6h	Add rate limiting to admin-backend	admin-backend
6-8h	Security baseline for compliance-guard-service	compliance-guard

Day 4 (4h) — Validation + Go/No-Go

Time	Task	Services
0-2h	Run all 4 E2E smoke tests on staging	All
2-3h	Fix any failures from smoke tests	As needed
3-4h	Final Go/No-Go review against criteria	All

Total estimated effort: ~28h (3.5 working days)

---

Appendix: Service Dependency Graph

                    ┌─────────────────┐
                    │  client-dashboard│
                    │  (Next.js)       │
                    └────────┬────────┘
                             │ HTTPS
                    ┌────────▼────────┐
                    │   Kong Gateway   │
                    │   (API Proxy)    │
                    └────────┬────────┘
                             │
        ┌────────────────────┼────────────────────┐
        │                    │                    │
  ┌─────▼─────┐     ┌───────▼───────┐    ┌──────▼──────┐
  │qr-auth-svc│     │asset-mgmt-svc │    │scan-api-svc │
  │  (Fastify) │     │  (Fastify)    │    │   (Go)      │
  └─────┬─────┘     └───────┬───────┘    └──────┬──────┘
        │                    │                    │
        │ Kafka              │ Kafka              │ Kafka
        ▼                    ▼                    ▼
  ┌───────────┐     ┌───────────────┐    ┌──────────────┐
  │email-svc  │     │quota-sync-svc │    │go-tools (x9) │
  │captcha-svc│     │assets-sync-svc│    │scan-worker   │
  └───────────┘     └───────┬───────┘    └──────┬───────┘
                            │                    │
                            ▼                    ▼
                    ┌───────────────┐    ┌──────────────┐
                    │subscription-  │    │vuln-mgmt-svc │
                    │service (Go)   │    │classifier-svc│
                    └───────┬───────┘    │policy-svc    │
                            │            │remediation   │
                            ▼            └──────────────┘
                    ┌───────────────┐
                    │payment-proc   │
                    │checkout-orch  │
                    │invoice-svc    │
                    │acct-provision │
                    └───────────────┘

---

Appendix: Compliance Gap Type Distribution

Gap Type	P0 Count	P1 Count	P2 Count	Total
AUTHN/AUTHZ	3	4	1	8
AUDIT	3	4	1	8
SECRETS	2	1	0	3
ENCRYPT	1	1	0	2
INPUT	0	1	0	1
MONITOR	1	0	1	2
ALL (full baseline)	0	0	2	2
Total	10	11	5	26