Overview
This epic tracks security improvements for local development mode after PR #246 merges. All items were identified by 6 comprehensive code reviews and automated testing.
Related PR: #246 (Minikube Migration)
Current State: 69/74 tests passing, 5 known TODOs tracked
Timeline: Complete within 2 weeks of PR #246 merge
Critical Path
1. 🔴 Token Minting Implementation
Issue: #322
Priority: CRITICAL
Effort: 2-3 hours
Blocks: Realistic RBAC testing in local dev
Must implement the TokenRequest API to mint tokens for local-dev-user instead of using the backend service account.
Impact:
- Enables RBAC testing locally
- Removes cluster-admin usage in dev mode
- Aligns with CLAUDE.md security standards
Tests Fixed: 26, 28, 21.1, 21.2
2. 🟡 Cluster Type Detection
Issue: #323
Priority: MAJOR
Effort: 30 minutes
Depends on: None
Add detection to ensure dev mode only activates on actual Minikube clusters.
Impact:
- Defense-in-depth layer
- Prevents accidental activation on real clusters
3. 🟡 RBAC Permission Scoping
Issue: #324
Priority: MAJOR
Effort: 1-2 hours
Depends on: #322 (token minting)
Replace wildcard permissions with scoped permissions for backend-api and agentic-operator.
Impact:
- More realistic local dev environment
- Better testing of production RBAC boundaries
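A check for the wildcard grants that item 3 sets out to remove, as an added example (not code from this repository). It assumes the RBAC objects are available as JSON, for instance from `kubectl get role,clusterrole -o json`; the rule contents and the namespace in the sample are constructed, and only the names backend-api and agentic-operator come from this issue.

```python
import json

# Constructed sample in the shape `kubectl get role,clusterrole -o json` emits.
# Rule contents and the namespace are assumptions, not the project's manifests.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ClusterRole", "metadata": {"name": "backend-api"},
   "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
  {"kind": "Role",
   "metadata": {"name": "agentic-operator", "namespace": "constructed-ns"},
   "rules": [
     {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
     {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "*"]},
     {"apiGroups": [""], "resources": ["pods/*"], "verbs": ["get"]}
   ]}
]}
""")

# PolicyRule fields in which "*" widens the grant.
WILDCARD_FIELDS = ("apiGroups", "resources", "verbs", "nonResourceURLs")


def iter_rbac_objects(doc):
    """Yield Role/ClusterRole objects from a single object or a kubectl List."""
    items = doc.get("items") if doc.get("kind", "").endswith("List") else [doc]
    for obj in items or []:
        if obj.get("kind") in ("Role", "ClusterRole"):
            yield obj


def find_wildcards(doc):
    """Return (kind, [namespace/]name, rule index, field, value) per wildcard."""
    findings = []
    for obj in iter_rbac_objects(doc):
        meta = obj.get("metadata", {})
        ident = "/".join(p for p in (meta.get("namespace"), meta.get("name", "?")) if p)
        for idx, rule in enumerate(obj.get("rules") or []):
            for field in WILDCARD_FIELDS:
                for value in rule.get(field) or []:
                    if "*" in value:  # also catches "pods/*" and "*/scale"
                        findings.append((obj["kind"], ident, idx, field, value))
    return findings


if __name__ == "__main__":
    hits = find_wildcards(SAMPLE)
    for kind, ident, idx, field, value in hits:
        print(f"{kind} {ident} rule[{idx}] {field}: {value!r}")
    raise SystemExit(1 if hits else 0)  # non-zero exit fails a CI step
```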
4. 🟢 Automated Manifest Security Check
Issue: #325
Priority: MEDIUM
Effort: 30 minutes
Depends on: None
Create a dedicated GitHub Actions workflow for fast production manifest validation.
Impact:
- Fast feedback (< 1 min)
- Prevents configuration drift
Implementation Order
Week 1:
├─ #322 Token Minting (CRITICAL) ← Start here
└─ #323 Cluster Detection (MAJOR) ← Quick win
Week 2:
├─ #324 RBAC Scoping (MAJOR) ← After #322
└─ #325 CI Manifest Check (MEDIUM) ← Anytime
Success Metrics
Current State (PR #246)
Test Results:
Passed: 69
Failed: 0
Known TODOs: 5
Total: 74
Known TODOs:
- Token minting not implemented (Test 26)
- Backend uses wrong SA (Test 28)
- local-dev-user permission checks (Tests 21.1, 21.2)
Target State (After Epic)
Test Results:
Passed: 74
Failed: 0
Known TODOs: 0
Total: 74
Improvements:
✅ Token minting implemented
✅ Namespace-scoped permissions
✅ Cluster type detection
✅ Scoped RBAC (no wildcards)
✅ Automated manifest validation
Benefits
- Security:
  - RBAC testable locally
  - Namespace isolation enforced
  - Multiple protection layers
- Development:
  - Realistic environment
  - Catches permission issues early
  - Better production parity
- Operations:
  - Automated safety checks
  - Clear security boundaries
  - Comprehensive testing
Documentation Updates Needed
After completion:
- Update docs/SECURITY_DEV_MODE.md (remove TODO sections)
- Update tests/local-dev-test.sh (remove intentional failures)
- Update REVIEW_RESPONSE.md (mark as completed)
- Update CLAUDE.md (confirm compliance)
References
Code Reviews
All 6 automated reviews on PR #246 identified these gaps:
- Token minting: 6/6 reviews (100%)
- Namespace validation: 5/6 reviews (83%)
- Cluster detection: 4/6 reviews (67%)
- RBAC scoping: 3/6 reviews (50%)
Documentation
- docs/SECURITY_DEV_MODE.md - Comprehensive security analysis
- REVIEW_RESPONSE.md - Response to reviews
- PR_REVIEW_RESPONSE_PLAN.md - Implementation plan
Test Coverage
- tests/local-dev-test.sh - 28 comprehensive tests
- Tests 21, 26, 28 specifically track these TODOs
Progress Tracking
- CRITICAL: Implement Token Minting for local-dev-user Service Account #322 Token Minting
- Add Cluster Type Detection to Prevent Dev Mode on Non-Minikube Clusters #323 Cluster Detection
- Scope Down RBAC Permissions for Local Dev Service Accounts #324 RBAC Scoping
- Add Automated Production Manifest Security Validation to CI #325 Manifest CI Check
- Documentation updates
- All tests passing (74/74)
Created: Following PR #246 merge
Target Completion: 2 weeks
Owner: TBD