Cert-IX MVP1 — Compliance Baseline Matrix (38 Services)
Date: 2026-02-22
Scope: Minimum launchable compliance baseline on critical flows
Estimated remediation: 2–4 days (validated below)
Table of Contents
- Service Compliance Matrix (38 services)
- Critical Flows & Dependencies
- P0/P1/P2 Gap Summary
- Remediation Plan per Flow
- E2E Testing Strategy by Flow
- Kafka Event Contract Freeze
- Go/No-Go Criteria
- Timeline
1. Service Compliance Matrix
Legend
| Symbol | Meaning |
|---|---|
| ✅ | Implemented and verified |
| ⚠️ | Partially implemented / needs hardening |
| ❌ | Missing / not implemented |
| N/A | Not applicable for this service type |
Compliance Dimensions
| # | Dimension | Code |
|---|---|---|
| A | AuthN/AuthZ & Access Control | AUTHN |
| B | Audit Logging (who/what/when + traceId) | AUDIT |
| C | Secrets Management (no hardcoded secrets) | SECRETS |
| D | Encryption in Transit (TLS) + at Rest | ENCRYPT |
| E | Input Validation/Sanitization + Rate Limiting | INPUT |
| F | Monitoring/Alerting (health, logs, APM) | MONITOR |
1.1 Admin Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 1 | admin-backend | P1 | ✅ JWT+Passport, RBAC via rbac.service, token blacklist (Redis) | ✅ authAuditLogger middleware, session.service.createAuditLog, DB-persisted | ⚠️ Env vars via Joi validation; DB_SSL defaults false | ⚠️ Helmet headers; DB_SSL=false default; session cookie secure only in prod | ✅ Joi validate middleware on all routes | ⚠️ Winston logger; no APM agent detected | None | PG (cert_ix_admin), Redis, auth DB, assets DB, messages DB |
| 2 | admin-ui | P1 | ✅ JWT auth via admin-backend API | N/A (frontend) | ✅ No secrets in client code | ✅ HTTPS via Nginx/Kong | ✅ DOMPurify, client-side validation | ⚠️ Elastic APM RUM | Consumer of admin-backend API | admin-backend |
1.2 Authentication & Identity Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 3 | qr-auth-service | P0 | ✅ JWT+session, CSRF (Redis-backed), WebAuthn, MFA, device fingerprint, token blacklist, bot detection, IP reputation | ✅ AuditLogger class with tamper-resistant hashes (SHA-384 chain), DB+Kafka dual write, compliance tags (SOC2/GDPR/PCI) | ⚠️ Env vars; CSRF_ENCRYPTION_KEY falls back to crypto.randomBytes (ephemeral) | ⚠️ Kafka SSL configurable but ssl: process.env.KAFKA_SSL === 'true'; Redis TLS conditional | ✅ Joi validation, CAPTCHA integration, email validation, SQL injection patterns, rate limiting (DB-backed, 10 req/15min auth) | ⚠️ Structured logging; no APM | Producer: 50+ topics (auth events, CSRF, sessions, security) | PG (cert_ix_auth), Redis, Kafka, captcha-service |
| 4 | qr-auth-ui | P1 | ✅ Login/register/2FA/WebAuthn UI | N/A (frontend) | ✅ No secrets in client | ✅ HTTPS | ✅ Client-side validation, DOMPurify | ⚠️ Elastic APM RUM | N/A | qr-auth-service |
| 5 | otp-service | P0 | ✅ JWT auth, TOTP support | ✅ Kafka audit events | ⚠️ Env vars via config | ✅ Kafka TLS, Redis TLS configurable | ✅ Rate limiting (Redis-backed) | ⚠️ Logger only | Producer: OTP events | PG, Redis, Kafka |
| 6 | captcha-service | P1 | ✅ API key auth for service-to-service | ✅ Kafka audit events | ⚠️ Env vars | ✅ Kafka TLS, TLS server | ✅ Challenge validation, rate limiting | ⚠️ Logger only | Producer: CAPTCHA events | Redis, Kafka |
1.3 Client Frontend Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 7 | client-dashboard | P0 | ✅ AuthContext with JWT, session mgmt, CapabilityGate (tier-based), permission-based nav | N/A (frontend) | ✅ No secrets; encrypted token storage (CryptoJS) | ✅ HTTPS, security headers in layout.js | ✅ DOMPurify on all inputs, client-side Joi | ✅ Elastic APM RUM | N/A | qr-auth-service, all backend APIs via Kong |
| 8 | client-verifier-ui | P1 | ✅ Token-based email verification | N/A (frontend) | ✅ No secrets | ✅ HTTPS | ✅ Input validation | ⚠️ Elastic APM RUM | N/A | qr-auth-service |
| 9 | payment-ui | P1 | ✅ Session-based auth from checkout flow | N/A (frontend) | ✅ No secrets; Stripe.js handles PCI | ✅ HTTPS, Stripe Elements (PCI DSS) | ✅ Zod validation | ⚠️ Elastic APM RUM | N/A | checkout-orchestration, Stripe |
1.4 Asset Management Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 10 | asset-management-service | P0 | ⚠️ Kafka-based permission validation (with fallback auth); no direct JWT middleware | ⚠️ Security events service; audit via Kafka events on CRUD | ⚠️ Env vars; encryption service uses env key | ⚠️ Kafka TLS configurable; encryption.service.js for data at rest | ⚠️ Rate limiting in config; validation in routes | ⚠️ Logger only | Producer: asset CRUD events, quota sync; Consumer: permission responses | PG (cert_ix_assets), Redis, Kafka |
| 11 | asset-verification-service | P1 | ✅ JWT auth middleware (Go) | ⚠️ DB logging of verification attempts | ⚠️ Env vars; HMAC key in env | ✅ TLS server (Go), HTTPS endpoints | ✅ Input validation on verification requests | ⚠️ Structured Go logging | Producer: verification events | PG (cert_ix_asset_verification), Redis |
| 12 | assets-sync-service | P1 | ⚠️ Kafka SCRAM auth for broker; no HTTP auth (internal) | ❌ No audit logging found | ⚠️ Env vars; Kafka SCRAM credentials | ✅ Kafka TLS via SCRAM config | ⚠️ Trust validator for data integrity | ❌ No monitoring | Consumer: asset events; Producer: sync events | PG, Kafka |
1.5 Vulnerability & Scanning Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 13 | vulnerability-management-service (Go) | P0 | ✅ JWT auth middleware with tenant isolation | ⚠️ Audit in service layer; no dedicated audit table | ⚠️ Env vars; config validation | ✅ TLS server, DB TLS, Kafka TLS | ✅ Request validation, security middleware (CORS, headers) | ⚠️ Structured Go logging | Producer: vuln events; Consumer: scan events, capability responses | PG (cert_ix_vulnerabilities), Redis, Kafka, ES |
| 14 | vulnerability-classifier-service (Go) | P1 | ✅ JWT auth middleware | ⚠️ Redis-based scan tracking | ⚠️ Env vars | ✅ TLS configurable | ⚠️ Basic validation | ⚠️ Go logging | Consumer: scan results; Producer: classified vulns | PG (cert_ix_vuln_classifier), Redis, Kafka |
| 15 | vulnerability-policy-service (Go) | P1 | ✅ JWT auth middleware | ⚠️ Config-level audit | ⚠️ Env vars | ✅ TLS configurable | ⚠️ Model validation | ⚠️ Go logging | Consumer: vuln events; Producer: policy decisions | PG (cert_ix_vuln_policy), Redis, Kafka |
| 16 | vulnerability-remediation-service (Go) | P1 | ✅ JWT auth middleware | ⚠️ Config-level audit | ⚠️ Env vars | ✅ TLS configurable | ✅ Model validation, auth middleware validation | ⚠️ Go logging | Consumer: vuln events; Producer: remediation tasks | PG (cert_ix_vuln_remediation), Redis, Kafka |
| 17 | go-tools (9 scanner engines) | P0 | ✅ JWT auth middleware (pkg/middleware/auth.go) | ✅ pkg/scanner/audit.go — scan audit trail with retention | ⚠️ Env vars via config | ✅ TLS server, ES TLS | ✅ Rate limiting (Redis), input validation | ⚠️ Go logging | Producer: scan results; Consumer: scan requests | PG (cert_ix_tools_service), Redis, Kafka, ES |
| 18 | scan-api-service (Go) | P0 | ✅ JWT auth + API key auth (api_key_service) | ✅ Call log repository for API audit | ⚠️ Env vars | ✅ TLS, Kafka TLS | ✅ Validation, rate limiting | ⚠️ Go logging | Producer: scan dispatch to engines | PG, Redis, Kafka |
| 19 | scan-worker-service (Go) | P1 | ❌ Internal service, no HTTP auth (Kafka consumer only) | ❌ No audit logging | ⚠️ Env vars | ⚠️ Kafka TLS configurable | ❌ No HTTP input validation (Kafka only) | ❌ No monitoring | Consumer: scan tasks; Producer: scan results | Kafka |
1.6 Compliance & Audit Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 20 | compliance-guard-service | P1 | ❌ No auth middleware found | ❌ No audit logging | ❌ No secrets management | ❌ No TLS config | ❌ No validation | ❌ No monitoring | N/A | asset-verification-service |
| 21 | compliance-management-service (Go) | P1 | ⚠️ Auth references in service layer | ✅ Activity log in service, Kafka producer | ⚠️ Env vars | ✅ TLS configurable | ✅ Repository-level validation | ⚠️ Go logging | Producer: compliance events | PG, Redis, Kafka |
| 22 | compliance-management-service (Node, unused) | P2 | ❌ Not in use | ❌ Not in use | ❌ Not in use | ❌ Not in use | ❌ Not in use | ❌ Not in use | N/A | N/A |
| 23 | audit-evidence-service | P1 | ⚠️ PQC decryption middleware only | ⚠️ Audit in middleware | ❌ No secrets management | ❌ No TLS config | ❌ No validation | ❌ No monitoring | N/A | PG |
1.7 Payment Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 24 | payment-processing-service (Go) | P0 | ✅ Auth middleware, user existence check | ❌ No audit logging found | ⚠️ Env vars; Vault AppRole configured but not integrated in code | ✅ TLS server, DB TLS, Redis TLS, Kafka TLS | ✅ Rate limiting middleware, OTP validation | ⚠️ Go logging | Producer: payment events; Consumer: OTP events | PG, Redis, Kafka, Stripe |
| 25 | checkout-orchestration-service (Go) | P0 | ⚠️ Config-level auth; no JWT middleware on routes | ⚠️ Kafka audit events | ⚠️ Env vars; Vault configured but not integrated | ✅ TLS, DB TLS, Kafka TLS, Redis TLS | ✅ Rate limiting (Redis), checkout validation | ⚠️ Go logging | Producer: checkout events; Consumer: plan data | PG, Redis, Kafka |
| 26 | invoice-service (Go) | P1 | ❌ No auth middleware found | ❌ No audit logging | ⚠️ Env vars; Vault configured but not integrated | ✅ TLS server, DB TLS | ❌ No rate limiting, no input validation | ❌ No monitoring | Consumer: payment events; Producer: invoice events | PG, Kafka, R2 (Cloudflare) |
| 27 | account-provisioning-service (Go) | P1 | ⚠️ Auth in provisioning service | ❌ No audit logging | ⚠️ Env vars; Vault configured but not integrated | ✅ TLS server, DB TLS | ❌ No rate limiting | ❌ No monitoring | Consumer: subscription events; Producer: provisioning events | PG (cert_ix_subscription), Kafka |
1.8 Agent & Telemetry Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 28 | agent-gateway-service (Go) | P1 | ✅ Agent registration auth, JWT | ✅ Audit in agent service + repository | ⚠️ Env vars | ✅ TLS, Kafka TLS | ✅ Validation, rate limiting | ⚠️ Go logging | Producer: agent events | PG, Redis, Kafka |
| 29 | agent-ingestion-gateway (Go) | P1 | ⚠️ Config-level auth | ⚠️ Config-level audit | ⚠️ Env vars | ✅ TLS configurable | ⚠️ Config-level validation | ⚠️ Go logging | Producer: telemetry to Kafka | Kafka, Redis |
| 30 | agent-stream-processor (Go) | P2 | ❌ No auth (internal Kafka consumer) | ⚠️ Audit in processors | ⚠️ Env vars | ✅ TLS configurable | ⚠️ Config-level validation | ⚠️ Go logging | Consumer: telemetry; Producer: processed data | PG, Kafka, Redis |
| 31 | bits (bitcollector + sentinel) | P2 | ⚠️ mTLS for agent-to-gateway; sentinel has ES auth | ⚠️ Sentinel has ES-based audit | ⚠️ Env vars + config YAML | ⚠️ TLS configurable for ES connections | ⚠️ Basic validation | ❌ No monitoring | Agent → Gateway (HTTP) | agent-gateway, ES |
1.9 Supporting Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| 32 | email-service | P0 | ⚠️ Kafka auth for broker; no HTTP auth (internal) | ✅ Email audit logging, security config | ⚠️ Env vars; SendGrid API key in env | ✅ TLS server, Kafka TLS | ✅ Rate limiting, email security validation | ⚠️ Logger | Consumer: auth events, password reset, free plan, etc. | Kafka, SendGrid, PG |
| 33 | notification-service | P1 | ⚠️ PQC decryption middleware only | ⚠️ Audit in middleware | ❌ No secrets management | ❌ No TLS config found | ❌ No rate limiting | ❌ No monitoring | Consumer: notification events | Kafka |
| 34 | bobby-service | P2 | ❌ No auth found | ❌ No audit | ❌ No secrets management | ❌ No TLS | ❌ No validation | ❌ No monitoring | N/A | AI/LLM API |
| 35 | nvd-service | P2 | ❌ No auth found | ❌ No audit | ❌ No secrets management | ❌ No TLS | ❌ No validation | ❌ No monitoring | N/A | NVD API |
| 36 | subscription-service (Go) | P0 | ✅ JWT auth, tenant isolation | ✅ Usage tracking, audit in services | ⚠️ Env vars | ✅ TLS, DB TLS, Kafka TLS, Redis TLS | ✅ Validation, rate limiting | ⚠️ Go logging | Producer: capability responses, quota events; Consumer: capability requests, free plan, quota sync | PG (cert_ix_subscription), Redis, Kafka |
| 37 | teams-management-service (Go) | P1 | ✅ JWT auth | ⚠️ Model-level audit fields | ⚠️ Env vars | ✅ TLS configurable | ⚠️ Model validation | ⚠️ Go logging | Producer: team events | PG, Redis, Kafka |
| 38 | quota-sync-service (Go) | P1 | ❌ No auth (internal Kafka consumer) | ❌ No audit logging | ⚠️ Env vars | ⚠️ Kafka TLS configurable | ❌ No validation (internal) | ❌ No monitoring | Consumer: quota sync events; Producer: subscription quota sync | PG, Kafka |
1.10 Static/Content Services
| # | Service | Criticality | A:AUTHN | B:AUDIT | C:SECRETS | D:ENCRYPT | E:INPUT | F:MONITOR | Kafka Role | Dependencies |
|---|---|---|---|---|---|---|---|---|---|---|
| — | docs (Docusaurus) | P2 | N/A (static) | N/A | N/A | ✅ HTTPS via Nginx | N/A | ⚠️ APM RUM | N/A | Nginx |
| — | cert-ix-blog | P2 | ⚠️ Admin login for blog mgmt | ❌ No audit | ⚠️ Env vars | ✅ HTTPS | ⚠️ Basic validation | ⚠️ APM RUM | N/A | MongoDB |
| — | cert-ix-v1-landing-site-v1 | P2 | N/A (static + message API) | ❌ No audit | ⚠️ Env vars | ✅ HTTPS | ⚠️ Basic validation | ⚠️ APM RUM | N/A | PG (message API) |
2. Critical Flows & Dependencies
Flow 1: User Registration & Login (P0)
client-dashboard → qr-auth-ui → qr-auth-service → captcha-service
↓
PG (cert_ix_auth) + Redis
↓
Kafka → email-service (verification email)
Kafka → subscription-service (free plan activation)
Kafka → account-provisioning-service (tenant setup)
Services: qr-auth-service, qr-auth-ui, client-dashboard, captcha-service, email-service, subscription-service, account-provisioning-service
Kafka Topics: cert-ix.auth.user.registered.success, cert-ix.subscription.plan.free.request, cert-ix.subscription.plan.free.activated
Flow 2: Vulnerability Scanning (P0)
client-dashboard → Kong → scan-api-service → Kafka → go-tools (9 engines)
↓
Kafka → vulnerability-management-service
↓
Kafka → vulnerability-classifier-service
Kafka → vulnerability-remediation-service
Kafka → vulnerability-policy-service
Services: client-dashboard, scan-api-service, go-tools, vulnerability-management-service, vulnerability-classifier-service
Kafka Topics: cert-ix.scans.{engine}.{priority}, cert-ix.scan-results, cert-ix.scans.events
Flow 3: Asset Management (P0)
client-dashboard → Kong → asset-management-service → Kafka (permission check)
↓
PG (cert_ix_assets) + Redis
↓
Kafka → quota-sync-service → subscription-service
Kafka → assets-sync-service
Services: client-dashboard, asset-management-service, quota-sync-service, subscription-service, assets-sync-service
Kafka Topics: cert-ix.asset.created/updated/deleted, cert-ix.quota.sync.assets
Flow 4: Payment & Subscription (P0)
client-dashboard → payment-ui → checkout-orchestration-service → payment-processing-service → Stripe
↓
Kafka → invoice-service
Kafka → account-provisioning-service
Kafka → subscription-service
Services: payment-ui, checkout-orchestration-service, payment-processing-service, invoice-service, account-provisioning-service, subscription-service
Kafka Topics: cert-ix.payment.*, cert-ix.checkout.*, cert-ix.subscription.*
Flow 5: Compliance & Audit (P1)
client-dashboard → Kong → admin-backend → compliance-management-service (Go)
→ audit-evidence-service
→ compliance-guard-service → asset-verification-service
Services: admin-backend, compliance-management-service, audit-evidence-service, compliance-guard-service, asset-verification-service
Flow 6: Agent Telemetry (P2)
bits (bitcollector) → agent-gateway-service → agent-ingestion-gateway → Kafka → agent-stream-processor → PG
Services: bits, agent-gateway-service, agent-ingestion-gateway, agent-stream-processor
3. P0/P1/P2 Gap Summary
P0 — BLOCKING (Must fix before launch)
| ID | Service | Gap Type | Description | Effort |
|---|---|---|---|---|
| P0-01 | asset-management-service | AUTHN | No direct JWT middleware — relies on Kafka permission check with fallback that grants access when Kafka is down | 4h |
| P0-02 | asset-management-service | AUDIT | No structured audit trail with traceId/correlationId | 4h |
| P0-03 | checkout-orchestration-service | AUTHN | No JWT middleware on HTTP routes; config-level auth only | 3h |
| P0-04 | payment-processing-service | AUDIT | No audit logging for payment operations (PCI DSS requirement) | 4h |
| P0-05 | email-service | AUTHN | No HTTP auth (internal service) — needs service-to-service auth or network isolation verification | 2h |
| P0-06 | admin-backend | ENCRYPT | DB_SSL defaults to false — must default to true for production | 1h |
| P0-07 | All Go services | SECRETS | All use env vars directly — need to verify no hardcoded secrets in docker-compose or .env committed to git | 2h |
| P0-08 | All services | MONITOR | No centralized health check dashboard; most services have health endpoints but no alerting | 4h |
| P0-09 | scan-worker-service | AUDIT | No audit logging at all — scan execution must be auditable | 3h |
| P0-10 | qr-auth-service | SECRETS | CSRF_ENCRYPTION_KEY falls back to ephemeral crypto.randomBytes — must be persistent env var | 1h |
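Gap P0-01 describes a permission check that fails open. As an added Go example that is not part of the matrix or of asset-management-service's code, the block below contrasts that fallback with a fail-closed check bounded by a timeout; the PermissionChecker interface and stubChecker are constructed stand-ins for the Kafka permission round trip.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// Decision is the outcome of one permission check.
type Decision int

const (
	Deny        Decision = iota // authority answered: not permitted
	Allow                       // authority answered: permitted
	Unavailable                 // authority did not answer: request must not proceed
)

func (d Decision) String() string {
	return [...]string{"Deny", "Allow", "Unavailable"}[d]
}

// PermissionChecker is a hypothetical interface standing in for the Kafka
// request/response permission round trip that asset-management-service relies on.
type PermissionChecker interface {
	Check(ctx context.Context, userID, action, assetID string) (bool, error)
}

// checkFailOpen reproduces the P0-01 defect: an error from the authority
// (broker down, timeout) is turned into Allow, so an outage becomes a bypass.
func checkFailOpen(ctx context.Context, pc PermissionChecker, userID, action, assetID string) Decision {
	ok, err := pc.Check(ctx, userID, action, assetID)
	if err != nil {
		return Allow // BUG: fail-open fallback
	}
	if ok {
		return Allow
	}
	return Deny
}

// checkFailClosed is the hardened form: the check is bounded by a timeout so a
// hung broker cannot stall the request, and any error maps to Unavailable
// (the HTTP layer would answer 503), never to Allow.
func checkFailClosed(ctx context.Context, pc PermissionChecker, timeout time.Duration,
	userID, action, assetID string) Decision {
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()
	ok, err := pc.Check(ctx, userID, action, assetID)
	switch {
	case err != nil:
		return Unavailable
	case ok:
		return Allow
	default:
		return Deny
	}
}

// stubChecker is a constructed stand-in for the broker: it answers after a
// delay, or fails outright, to simulate latency and outage.
type stubChecker struct {
	allow bool
	delay time.Duration
	err   error
}

func (s stubChecker) Check(ctx context.Context, _, _, _ string) (bool, error) {
	if s.err != nil {
		return false, s.err
	}
	select {
	case <-time.After(s.delay):
		return s.allow, nil
	case <-ctx.Done():
		return false, ctx.Err()
	}
}

func main() {
	down := stubChecker{allow: true, err: errors.New("kafka: broker unreachable")}
	slow := stubChecker{allow: true, delay: time.Second}
	fmt.Println("broker down, fail-open:  ", checkFailOpen(context.Background(), down, "u-1", "asset:read", "a-1"))
	fmt.Println("broker down, fail-closed:", checkFailClosed(context.Background(), down, 50*time.Millisecond, "u-1", "asset:read", "a-1"))
	fmt.Println("broker slow, fail-closed:", checkFailClosed(context.Background(), slow, 50*time.Millisecond, "u-1", "asset:read", "a-1"))
}
```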
P1 — IMPORTANT (Should fix for launch, can be day-2 if blocked)
| ID | Service | Gap Type | Description | Effort |
|---|---|---|---|---|
| P1-01 | compliance-guard-service | AUTHN | No auth, no audit, no TLS, no validation — entire service needs security baseline | 6h |
| P1-02 | audit-evidence-service | AUTHN | Only PQC middleware; no JWT auth, no validation, no TLS | 4h |
| P1-03 | notification-service | AUTHN | Only PQC middleware; no auth, no TLS, no rate limiting | 4h |
| P1-04 | invoice-service | AUTHN | No auth middleware, no audit, no rate limiting, no input validation | 4h |
| P1-05 | account-provisioning-service | AUDIT | No audit logging for tenant provisioning | 3h |
| P1-06 | assets-sync-service | AUDIT | No audit logging for sync operations | 2h |
| P1-07 | quota-sync-service | AUDIT | No audit logging, no monitoring | 2h |
| P1-08 | admin-backend | INPUT | No rate limiting middleware (only session-level) | 3h |
| P1-09 | All Node.js services | ENCRYPT | Kafka SSL and Redis TLS defaults vary — need uniform true defaults | 3h |
| P1-10 | Vault integration | SECRETS | Vault AppRole configured for payment services but NOT integrated in Go code — still using env vars | 8h |
P2 — POST-MVP
| ID | Service | Gap Type | Description | Effort |
|---|---|---|---|---|
| P2-01 | bobby-service | ALL | No security baseline at all — AI assistant service | 8h |
| P2-02 | nvd-service | ALL | No security baseline — CVE data fetcher | 4h |
| P2-03 | agent-stream-processor | AUTHN | No auth (internal Kafka consumer) | 2h |
| P2-04 | bits | MONITOR | No monitoring/alerting for agent | 2h |
| P2-05 | cert-ix-blog | AUDIT | No audit logging for admin actions | 2h |
| P2-06 | compliance-management-service (Node) | ALL | Unused — should be removed or marked deprecated | 1h |
| P2-07 | All services | MONITOR | APM agent missing from most backend services | 8h |
4. Remediation Plan per Flow
Flow 1: Registration & Login — Day 1 (8h)
| Task | Service | Gap ID | Effort | Owner |
|---|---|---|---|---|
| Fix CSRF_ENCRYPTION_KEY to require env var | qr-auth-service | P0-10 | 1h | — |
| Verify email-service is network-isolated or add service auth | email-service | P0-05 | 2h | — |
| Verify no hardcoded secrets in docker-compose/.env files | All auth flow | P0-07 | 2h | — |
| Add health check alerting for auth flow services | qr-auth, captcha, email | P0-08 | 3h | — |
Smoke test: Register → verify email → login → get JWT → access dashboard → logout
Flow 2: Vulnerability Scanning — Day 1-2 (10h)
| Task | Service | Gap ID | Effort | Owner |
|---|---|---|---|---|
| Add audit logging to scan-worker-service | scan-worker-service | P0-09 | 3h | — |
| Verify scan-api-service audit trail completeness | scan-api-service | — | 2h | — |
| Add health check alerting for scan flow | go-tools, scan-api | P0-08 | 2h | — |
| Verify Kafka TLS is enforced for scan topics | All scan services | P1-09 | 3h | — |
Smoke test: Create scan → dispatch to engine → get results → view in dashboard
Flow 3: Asset Management — Day 2 (8h)
| Task | Service | Gap ID | Effort | Owner |
|---|---|---|---|---|
| Add JWT middleware to asset-management-service | asset-management-service | P0-01 | 4h | — |
| Add structured audit logging with traceId | asset-management-service | P0-02 | 4h | — |
Smoke test: CRUD asset → verify ownership → quota sync → subscription update
Flow 4: Payment & Subscription — Day 2-3 (11h)
| Task | Service | Gap ID | Effort | Owner |
|---|---|---|---|---|
| Add JWT middleware to checkout-orchestration routes | checkout-orchestration | P0-03 | 3h | — |
| Add audit logging to payment-processing-service | payment-processing | P0-04 | 4h | — |
| Fix DB_SSL default to true in admin-backend | admin-backend | P0-06 | 1h | — |
| Add auth + audit to invoice-service | invoice-service | P1-04 | 3h | — |
Smoke test: Select plan → checkout → Stripe payment → invoice generated → subscription active
Flow 5: Compliance & Audit — Day 3 (6h)
| Task | Service | Gap ID | Effort | Owner |
|---|---|---|---|---|
| Add security baseline to compliance-guard-service | compliance-guard | P1-01 | 6h | — |
Smoke test: Run compliance check → view results → export evidence
Cross-Cutting — Day 3-4 (8h)
| Task | Scope | Gap ID | Effort | Owner |
|---|---|---|---|---|
| Uniform Kafka SSL + Redis TLS defaults | All services | P1-09 | 3h | — |
| Add rate limiting to admin-backend | admin-backend | P1-08 | 3h | — |
| Centralized health check dashboard | All P0 services | P0-08 | 2h | — |
5. E2E Testing Strategy by Flow
Principle: Test by flow, not by service
Each flow gets a smoke test script that validates the complete chain end-to-end.
Flow 1: Auth E2E Test
Flow 2: Scan E2E Test
Flow 3: Asset E2E Test
Flow 4: Payment E2E Test
6. Kafka Event Contract Freeze
Frozen Topics (v1.0 — backward compatible)
All topic schemas below are frozen for MVP1. Any change must be backward-compatible (additive fields only).
| Topic Pattern | Producer | Consumer(s) | Schema Version |
|---|---|---|---|
| cert-ix.auth.user.registered.success | qr-auth-service | email-service, subscription-service | v1.0 |
| cert-ix.auth.user.login.success | qr-auth-service | email-service | v1.0 |
| cert-ix.subscription.plan.free.request | qr-auth-service | subscription-service | v1.0 |
| cert-ix.subscription.plan.free.activated | subscription-service | email-service | v1.0 |
| cert-ix.subscription.capability-request | vuln-mgmt-service | subscription-service | v1.0 |
| cert-ix.subscription.capability-response | subscription-service | vuln-mgmt-service | v1.0 |
| cert-ix.scans.{engine}.{priority} | scan-api-service | go-tools workers | v1.0 |
| cert-ix.scan-results | go-tools | results-processor | v1.0 |
| cert-ix.scans.events | go-tools | vuln-mgmt-service | v1.0 |
| cert-ix.asset.created/updated/deleted | asset-mgmt-service | assets-sync, quota-sync | v1.0 |
| cert-ix.quota.sync.assets | asset-mgmt-service | quota-sync-service | v1.0 |
| cert-ix.subscription.quota.sync | quota-sync-service | subscription-service | v1.0 |
| cert-ix.payment.* | payment-processing | invoice-service, account-provisioning | v1.0 |
| cert-ix.checkout.* | checkout-orchestration | payment-processing | v1.0 |
Schema Versioning Rules
- Header: Every Kafka message MUST include a `schema-version: "1.0"` header
- Additive only: New fields can be added; existing fields cannot be removed or renamed
- Consumer tolerance: All consumers MUST ignore unknown fields
- Breaking changes: Require a new topic (e.g., `cert-ix.auth.user.registered.success.v2`)
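The four rules above, applied on both sides of a record, as an added Go example that is not part of the project's code: the Message type is a constructed, client-library-neutral view of a Kafka record, and the UserRegistered payload fields are assumed for illustration, not the project's actual schema.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Message is a constructed view of one Kafka record: only what the rules inspect.
type Message struct {
	Headers map[string]string
	Value   []byte
}

// UserRegistered is an assumed v1.0 payload for cert-ix.auth.user.registered.success;
// the field names are illustrative, not the project's schema.
type UserRegistered struct {
	UserID  string `json:"userId"`
	Email   string `json:"email"`
	TraceID string `json:"traceId"`
}

var (
	ErrNoVersion    = errors.New("contract: missing schema-version header")
	ErrIncompatible = errors.New("contract: incompatible schema major version")
	ErrMissingField = errors.New("contract: required v1.0 field missing")
)

// majorVersion extracts the major number from a "major.minor" header value.
func majorVersion(v string) (int, error) {
	parts := strings.SplitN(v, ".", 2)
	major, err := strconv.Atoi(parts[0])
	if len(parts) != 2 || err != nil {
		return 0, fmt.Errorf("contract: malformed schema-version %q", v)
	}
	return major, nil
}

// produce attaches the mandatory schema-version header to a v1.0 payload (header rule).
func produce(payload UserRegistered) (Message, error) {
	b, err := json.Marshal(payload)
	if err != nil {
		return Message{}, err
	}
	return Message{Headers: map[string]string{"schema-version": "1.0"}, Value: b}, nil
}

// decodeUserRegistered applies the rules on the consumer side: the header must be
// present; the major must be 1 (a breaking change gets a new topic, so 2.x here is
// a violation); any 1.x minor is accepted and unknown fields are ignored, which
// encoding/json does by default (consumer tolerance); and the v1.0 fields must
// still be present, because the additive-only rule says they can never be removed.
func decodeUserRegistered(m Message) (UserRegistered, error) {
	var out UserRegistered
	v, ok := m.Headers["schema-version"]
	if !ok {
		return out, ErrNoVersion
	}
	major, err := majorVersion(v)
	if err != nil {
		return out, err
	}
	if major != 1 {
		return out, fmt.Errorf("%w: got %s", ErrIncompatible, v)
	}
	if err := json.Unmarshal(m.Value, &out); err != nil {
		return out, err
	}
	if out.UserID == "" || out.Email == "" || out.TraceID == "" {
		return out, ErrMissingField
	}
	return out, nil
}

func main() {
	// Constructed 1.1 record with an added "plan" field; a 1.0 consumer must still decode it.
	m := Message{Headers: map[string]string{"schema-version": "1.1"},
		Value: []byte(`{"userId":"u-42","email":"u42@example.test","traceId":"t-1","plan":"free"}`)}
	out, err := decodeUserRegistered(m)
	fmt.Printf("%+v err=%v\n", out, err)
}
```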
7. Go/No-Go Criteria
Go Criteria (ALL must be met)
| # | Criterion | Verification Method |
|---|---|---|
| 1 | All P0 gaps remediated | Code review + deployment verification |
| 2 | All 4 E2E flow smoke tests pass | Automated test scripts on staging |
| 3 | No hardcoded secrets in any deployed service | grep audit of docker-compose, .env, source |
| 4 | TLS enforced on all external endpoints | curl -k test against Kong + all public ports |
| 5 | Kafka SSL enabled for all producers/consumers | Config audit + connection test |
| 6 | Redis TLS enabled for all services | Config audit + connection test |
| 7 | Auth flow: register → login → access → logout works E2E | Flow 1 smoke test |
| 8 | Scan flow: create → scan → results works E2E | Flow 2 smoke test |
| 9 | Payment flow: checkout → pay → subscription active works E2E | Flow 4 smoke test |
| 10 | All P0 services have health endpoints responding | Health check script |
| 11 | Kafka event contracts frozen and documented | This document |
| 12 | Audit logs exist for auth events (login/logout/register) | DB query verification |
No-Go Triggers
- Any P0 gap not remediated
- Any E2E flow smoke test failing
- Hardcoded secret found in production config
- TLS not enforced on external-facing endpoint
- Auth bypass possible on any P0 service
- Payment flow broken (Stripe integration)
8. Timeline
Day 1 (8h) — Auth + Scan Flows
| Time | Task | Services |
|---|---|---|
| 0-1h | Fix CSRF_ENCRYPTION_KEY, verify secrets | qr-auth-service |
| 1-3h | Verify email-service isolation, add health alerts | email-service, captcha |
| 3-6h | Add audit logging to scan-worker-service | scan-worker-service |
| 6-8h | Verify scan flow Kafka TLS, write Flow 1+2 smoke tests | All scan services |
Day 2 (8h) — Asset + Payment Flows
| Time | Task | Services |
|---|---|---|
| 0-4h | Add JWT middleware + audit to asset-management-service | asset-management-service |
| 4-7h | Add JWT to checkout-orchestration, audit to payment-processing | payment services |
| 7-8h | Fix DB_SSL default, write Flow 3+4 smoke tests | admin-backend |
Day 3 (8h) — Cross-Cutting + P1 Critical
| Time | Task | Services |
|---|---|---|
| 0-3h | Uniform Kafka SSL + Redis TLS defaults | All services |
| 3-6h | Add rate limiting to admin-backend | admin-backend |
| 6-8h | Security baseline for compliance-guard-service | compliance-guard |
Day 4 (4h) — Validation + Go/No-Go
| Time | Task | Services |
|---|---|---|
| 0-2h | Run all 4 E2E smoke tests on staging | All |
| 2-3h | Fix any failures from smoke tests | As needed |
| 3-4h | Final Go/No-Go review against criteria | All |
Total estimated effort: ~28h (3.5 working days)
Appendix: Service Dependency Graph
```text
                         ┌─────────────────┐
                         │ client-dashboard│
                         │   (Next.js)     │
                         └────────┬────────┘
                                  │ HTTPS
                         ┌────────▼────────┐
                         │  Kong Gateway   │
                         │  (API Proxy)    │
                         └────────┬────────┘
                                  │
              ┌───────────────────┼────────────────────┐
              │                   │                    │
        ┌─────▼─────┐     ┌───────▼───────┐     ┌──────▼──────┐
        │qr-auth-svc│     │asset-mgmt-svc │     │scan-api-svc │
        │ (Fastify) │     │   (Fastify)   │     │    (Go)     │
        └─────┬─────┘     └───────┬───────┘     └──────┬──────┘
              │                   │                    │
              │ Kafka             │ Kafka              │ Kafka
              ▼                   ▼                    ▼
        ┌───────────┐     ┌───────────────┐     ┌──────────────┐
        │email-svc  │     │quota-sync-svc │     │go-tools (x9) │
        │captcha-svc│     │assets-sync-svc│     │scan-worker   │
        └───────────┘     └───────┬───────┘     └──────┬───────┘
                                  │                    │
                                  ▼                    ▼
                          ┌───────────────┐     ┌──────────────┐
                          │subscription-  │     │vuln-mgmt-svc │
                          │service (Go)   │     │classifier-svc│
                          └───────┬───────┘     │policy-svc    │
                                  │             │remediation   │
                                  ▼             └──────────────┘
                          ┌───────────────┐
                          │payment-proc   │
                          │checkout-orch  │
                          │invoice-svc    │
                          │acct-provision │
                          └───────────────┘
```
Appendix: Compliance Gap Type Distribution
| Gap Type | P0 Count | P1 Count | P2 Count | Total |
|---|---|---|---|---|
| AUTHN/AUTHZ | 3 | 4 | 1 | 8 |
| AUDIT | 3 | 4 | 1 | 8 |
| SECRETS | 2 | 1 | 0 | 3 |
| ENCRYPT | 1 | 1 | 0 | 2 |
| INPUT | 0 | 1 | 0 | 1 |
| MONITOR | 1 | 0 | 1 | 2 |
| ALL (full baseline) | 0 | 0 | 2 | 2 |
| Total | 10 | 11 | 5 | 26 |