Readiness
:::info Source
Sourced from services/identity-service/SERVICE_READINESS.md in the documentation repo.
:::
1. Readiness Level per Milestone
| Milestone | Target Level | Justification |
|---|---|---|
| M0 | L2 (Internal MVP) | Auth, sessions, devices, API keys, JWKS. Internal customers only. |
| M1 | L3 (Customer-facing MVP) | Device binding, MFA, password reset, audit log. 3–5 paid pilots. |
| M2 | L3 | No change — additive hardening. |
| M3 | L4 (GA-grade) | SAML SSO, adaptive MFA, JIT provisioning. Enterprise-ready. |
| M4 | L4 | Chaos-tested, pen-test #2 closed. |
| M5 | L4 | Multi-region active-active. HIPAA-ready. |
2. Canonical Gates (G1–G8)
G1 — Domain
- Aggregates (`User`, `Credential`, `Session`, `Device`, `MFAFactor`, `APIKey`) in pure TS.
- Authentication backends implemented behind ports (`IdentityAuthenticationProvider`, `OIDCClient`, `SAMLClient`, optional `FederatedIdentityBroker`) — in-house default; Keycloak / vendor OIDC adapters gated per deployment.
- Invariants enforced in domain layer (password-policy, session-unique-active-per-device, device-fingerprint-unique).
- Unit coverage ≥ 95% (lines), ≥ 98% (branches) on aggregates.
- Stryker mutation score ≥ 80% on aggregates.
G2 — API
- OpenAPI published at `/openapi/identity.yaml`; diff-reviewed in CI.
- `Idempotency-Key` required on all writes.
- `problem+json` error envelope on every error path.
- Cursor pagination on every list endpoint.
- Pact contract tests with every JWT-consumer (tenant, delivery, authoring, …).
G3 — Events
- Subjects registered: `identity.user.*`, `identity.session.*`, `identity.device.*`, `identity.api_key.*`, `identity.password.*`.
- JSON Schemas committed to `event-schemas/identity/`.
- Outbox + inbox tables, relay worker.
- Pact event contracts with every consumer.
- GDPR participation: `gdpr.subject_request.received.v1` → emit `gdpr.subject_request.acknowledged.v1` within 7 days.
G4 — Sync
- `Device` entity registered as sync-replicable (`server_authoritative` policy).
- Sync conformance test green.
G5 — AI
- Adaptive-MFA risk classifier uses AIClient port only.
- No authoring/content AI — N/A.
- Prompts (none for identity) — N/A.
G6 — Observability
- SLOs defined (§3).
- OTel traces across auth flow.
- Grafana dashboards published (`grafana/identity/`).
- Runbooks linked from every alert.
G7 — Performance
- `/auth/login` p95 < 200ms, p99 < 500ms (k6 report attached).
- `/auth/refresh` p95 < 100ms.
- JWKS serve < 10ms p95 (CDN-cached).
- Handles 5k login/sec sustained; 20k burst.
G8 — Security
- Two-tenant isolation suite green.
- Pen-test #1 closed with all HIGH/CRITICAL resolved (M1).
- Threat model reviewed (§SECURITY_MODEL.md).
- OWASP ASVS L2 baseline; auth + sessions at L3.
- SBOM + SLSA provenance attestations shipped.
- Secrets via KMS; no secrets in code or env files committed.
3. SLOs (Service Level Objectives)
| SLI | Target | Error Budget |
|---|---|---|
| Availability (`/auth/*`, `/users/me/*`) | 99.99% | 4.38 min/month |
| Latency `/auth/login` p95 | < 200ms | 1% > 500ms |
| Latency `/auth/refresh` p95 | < 100ms | 1% > 300ms |
| JWKS availability | 99.999% | 26s/month |
| Outbox lag p99 | < 5s | 1% > 30s |
4. Definition of Done (per story)
- Unit + integration + contract tests green.
- OpenAPI updated; `openapi:check` passes.
- Event schemas registered; consumer Pact passes.
- Migrations applied + rolled back on ephemeral Postgres.
- Security review for any change touching auth / secrets / cryptography.
- Two-tenant isolation test added if surface changes.
- Runbook updated if new alert added.
- Dashboard updated if new metric added.
- Docs updated (API reference, help article if user-visible).
- Labels `needs-tests`, `needs-security-review` resolved.
5. Release-Readiness Checklist (per milestone)
M1 Release
- F — All M1 identity stories delivered (US-1, US-3, US-4, US-6 partial).
- N — k6 load test at 2x expected M1 traffic.
- A — N/A (no AI surfaces in identity-M1).
- O — Device binding E2E airplane-mode green.
- S — Pen-test #1 closed; threat model reviewed.
- T — RLS on every table; JWT `tid` verified on every request.
- V — Dashboards + runbooks for login, refresh, MFA.
- D — OpenAPI published; 5 user-facing help articles.
M3 Release (L4 transition)
- F — SAML SSO + adaptive MFA + JIT provisioning complete.
- N — k6 at 10x M1 traffic; load-test burst profile passes.
- S — Pen-test #2 closed; SOC 2 Type I obtained.
- T — SAML attribute mapping tested for tenant isolation.
- V — Adaptive-MFA dashboard + alerts.
- D — SSO admin configuration guide published.
6. Owner Sign-Off Required
| Role | Who | Signature needed at |
|---|---|---|
| Engineering Lead | Identity team lead | Every L transition |
| Security | Security lead | L3+, pen-test gates |
| SRE | SRE lead | L3+ |
| Product | PM | Release to customers |
| Compliance | Compliance officer | M3+ (SSO, SOC 2) |
| CTO | CTO | L4 transitions |