# Implementation Plan
This document outlines the roadmap to transform the current system into an enterprise-grade, procurement-ready platform.
## Priority Matrix
| Priority | Timeframe | Focus | Outcome |
|---|---|---|---|
| P0 | This week | Blockers | System coherence |
| P1 | 2 sprints | Procurement-grade | Enterprise sales ready |
| P2 | 1-2 months | Full enterprise | Complete platform |
## Dependency Graph

```mermaid
flowchart TD
    P0_1[P0.1: QSA as IdP] --> P0_2[P0.2: QuantumLock Core]
    P0_1 --> P0_3[P0.3: Evidence Skeleton]
    P0_2 --> P0_3
    P0_3 --> P1_1[P1.1: Observability]
    P0_1 --> P1_4[P1.4: Security]
    P1_1 --> P2_3[P2.3: DR/Backups]
    P1_4 --> P2_2[P2.2: Supply Chain]
    P0_1 --> P2_1[P2.1: SCIM/SAML UI]
    P1_2[P1.2: Billing UI]
    P1_3[P1.3: Entitlements CRUD]
    P2_4[P2.4: Multi-Env]
```
## P0 - Immediate Blockers (This Week)

### P0.1 - QSA as Primary IdP
Current: Portal uses Zitadel, QSA exists separately
Target: QSA is single IdP for all services
| Task | File | Status |
|---|---|---|
| Configure Portal Frontend OIDC | portal-frontend/public/config.js | ⬜ |
| Configure Admin Frontend OIDC | admin-frontend/public/config.js | ⬜ |
| Update Portal Backend JWT validation | portal-backend/app/auth.py | ⬜ |
| Create Service Principals in QSA | QSA Admin | ⬜ |
| Deprecate Zitadel integration | portal-backend/app/zitadel_service.py | ⬜ |
Dependencies: QSA running with OIDC endpoints
Effort: 3-4 days
### P0.2 - QuantumLock as Core
Current: Portal has some license logic
Target: Portal is gateway-only; QuantumLock is source of truth
| Task | File | Status |
|---|---|---|
| Implement M2M client | portal-backend/app/quantumlock_client.py | ✅ |
| Refactor license routes | portal-backend/app/quantumlock_routes.py | ⬜ |
| Add KMS endpoints to QuantumLock | quantumlock/quantumlock_api/main.py | ⬜ |
| Test license flow E2E | Tests | ⬜ |
Dependencies: P0.1 (Service Principal)
Effort: 3-4 days
### P0.3 - Evidence Plane Skeleton
Current: QCOS Shim returns demo data
Target: Real storage, DB, and signing
| Task | File | Status |
|---|---|---|
| Set up Object Storage | MinIO/S3 | ⬜ |
| Create Evidence DB tables | migrations/004_evidence_tables.sql | ✅ |
| Implement Storage Service | portal-backend/app/storage_service.py | ✅ |
| Implement Evidence Service | portal-backend/app/evidence_service.py | ✅ |
| Create Evidence Models | portal-backend/app/evidence_models.py | ✅ |
Dependencies: P0.2 (QuantumLock for signing)
Effort: 5-7 days
## P1 - Procurement-Grade (2 Sprints)

### P1.1 - Observability Stack
| Task | Description |
|---|---|
| Structured Logging | JSON logs with correlation_id, tenant_id |
| Metrics (Prometheus) | Request latency, error rates, business metrics |
| Tracing (OpenTelemetry) | Distributed tracing across services |
| Alerting | SLOs, PagerDuty/Slack integration |
### P1.2 - Billing Admin UI
| Task | Description |
|---|---|
| Billing resource | CRUD for invoices in Admin Frontend |
| Usage Dashboard | Charts, MRR, churn metrics |
| Billing Settings | Tax, payment methods, webhooks |
### P1.3 - Entitlements CRUD
| Task | Description |
|---|---|
| Backend endpoints | POST/PUT/DELETE for entitlements |
| Frontend UI | Create/Edit forms with feature picker |
### P1.4 - Security Hardening
| Task | Description |
|---|---|
| API Gateway | Traefik/Kong with rate limiting |
| Security Headers | CORS, CSP, HSTS |
| mTLS | For M2M communication |
| Secrets Management | Vault/Azure Key Vault |
## P2 - Full Enterprise (1-2 Months)

### P2.1 - SCIM/SAML UI
- SAML Configuration UI (metadata, attribute mapping)
- SCIM Configuration UI (endpoints, sync status)
- SSO Testing Tools (assertion viewer, diagnostics)
### P2.2 - Supply Chain Security
- SBOM Generation (Syft/Trivy)
- Vulnerability Scanning (CI/CD)
- Image Signing (Cosign)
- Dependency Review (Dependabot)
### P2.3 - DR and Backups
- Automated daily backups
- Point-in-time recovery
- Cross-region replication
- DR runbook and testing
### P2.4 - Multi-Environment Setup
- DEV/STG/PROD parity
- CI/CD pipelines
- Feature flags
- Seed data automation
## Success Criteria

### P0 Complete
- All frontends authenticate via QSA
- All licenses generated via QuantumLock M2M
- Evidence bundles stored with DB metadata
- Evidence signatures verified via QuantumLock
### P1 Complete
- Structured logs with correlation IDs
- Prometheus metrics exposed
- Billing manageable in Admin UI
- Entitlements CRUD working
- Rate limiting active
### P2 Complete
- SCIM/SAML configurable via UI
- SBOM for all images
- Daily backups verified
- DR tested
- CI/CD to all environments
## Risk Register
| Risk | Impact | Mitigation |
|---|---|---|
| QSA migration breaks auth | High | Feature flag, parallel auth |
| QuantumLock unavailable | High | Circuit breaker, cache validations |
| Storage costs spike | Medium | Retention policies, compression |
| Evidence signing latency | Medium | Async worker, queue |
| Breaking API changes | Medium | Versioning, deprecation policy |
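The "QuantumLock unavailable" mitigation above (circuit breaker plus cached validations) applied to the P0.2 M2M client, as an added illustration rather than the project's own `quantumlock_client.py`: failures trip the breaker, and while it is open the portal serves only recently cached validation results, marked stale so callers can decide what to do. The injected `transport` and `clock` callables and the method names are assumptions.

```python
import time


class CircuitOpen(Exception):
    """QuantumLock is unreachable and no fresh cached validation exists."""


class QuantumLockClient:
    """Circuit breaker + TTL cache around a QuantumLock license validation call.

    `transport(license_key) -> dict` is assumed to raise OSError (connection,
    timeout) when QuantumLock is down. `clock` is injectable for testing.
    """

    def __init__(self, transport, failure_threshold=3, reset_after=30.0,
                 cache_ttl=300.0, clock=time.monotonic):
        self.transport = transport
        self.failure_threshold = failure_threshold
        self.reset_after = reset_after
        self.cache_ttl = cache_ttl
        self.clock = clock
        self.failures = 0
        self.opened_at = None   # None means the circuit is closed
        self.cache = {}         # license_key -> (result, stored_at)

    def _circuit_open(self):
        # After reset_after seconds the circuit is half-open: one probe call goes through.
        return self.opened_at is not None and self.clock() - self.opened_at < self.reset_after

    def validate_license(self, license_key):
        now = self.clock()
        if self._circuit_open():
            return self._from_cache(license_key, now)
        try:
            result = self.transport(license_key)
        except OSError:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.opened_at = now   # trip (or re-trip after a failed probe)
            return self._from_cache(license_key, now)
        self.failures, self.opened_at = 0, None   # a success closes the circuit
        self.cache[license_key] = (result, now)
        return result

    def _from_cache(self, license_key, now):
        # Only a result QuantumLock actually returned, and only within cache_ttl, is served.
        hit = self.cache.get(license_key)
        if hit and now - hit[1] < self.cache_ttl:
            stale = dict(hit[0])
            stale["stale"] = True   # caller can log, degrade, or refuse sensitive actions
            return stale
        raise CircuitOpen("QuantumLock unavailable and no fresh cached validation")
```

Because the cache is only ever filled from a real QuantumLock response and bounded by `cache_ttl`, an outage cannot grant a license the service never validated; it can only extend a recent answer for a bounded window.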
## Team Allocation
| Phase | Backend | Frontend | DevOps | QSA |
|---|---|---|---|---|
| P0 | 80% | 20% | 40% | 20% |
| P1 | 40% | 60% | 60% | 20% |
| P2 | 20% | 40% | 80% | 60% |