Document status: Planning baseline
Version: 1.0
Date: June 14, 2026
Source: Sentra Gateway Technical Documentation
Important: The current workspace contains design documents only. Every implementation item below is therefore unchecked until code or verifiable evidence exists.
[ ]means no implementation evidence has been verified.[x]means the item has implementation, automated tests, and required documentation.- Priority is expressed as
P0critical,P1high,P2normal, orP3optional. - Each pull request should reference one or more task IDs.
- A feature is not complete until its positive tests, negative tests, metrics, audit behavior, and documentation are complete.
- Security-sensitive changes require threat review and explicit evidence that secrets are not logged.
-
PGM-001 P0All P0 requirements in the SRS are implemented and traceable to tests. -
PGM-002 P0External traffic can reach downstream services only through Sentra Gateway. -
PGM-003 P0Authentication, authorization, IP policy, signing, and rate-limit failures default to deny. -
PGM-004 P0PostgreSQL and Redis failure modes are documented and tested. -
PGM-005 P0No token, API key, signing secret, password, or full credential is logged. -
PGM-006 P0Docker Compose starts the complete local platform from a clean machine. -
PGM-007 P0Unit, integration, security, contract, resilience, and smoke suites pass in CI. -
PGM-008 P1Performance targets are measured with committed k6 scenarios and reports. -
PGM-009 P1Dashboards, alerts, runbooks, backup, and restore exercises are verified. -
PGM-010 P1OpenAPI, architecture, microservices, SRS, README, and operator docs agree.
-
ARC-001 P0Create a multi-module Maven or Gradle repository rooted atsentra-gateway/. -
ARC-002 P0Record the selected build tool and version in an ADR. -
ARC-003 P0Verify Java 25 compatibility with the chosen Spring Boot and Spring Cloud release train. -
ARC-004 P0Pin all dependency and plugin versions through dependency management. -
ARC-005 P0Create modules for gateway, user, order, payment, and notification services. -
ARC-006 P1Create directories for observability, performance, deployment, scripts, and documentation. -
ARC-007 P0Define package rootcom.omar.sentra.gateway. -
ARC-008 P0Add.gitignore,.editorconfig, formatting rules, and line-ending policy. -
ARC-009 P1Add license, contribution guide, code of conduct, and security policy. -
ARC-010 P0Add a root README with prerequisites, build, test, and local-start commands. -
ARC-011 P0Add CI workflows for compile, test, static analysis, and artifact packaging. -
ARC-012 P1Add dependency update automation with controlled merge rules. -
ARC-013 P0Enable compiler warnings and fail on avoidable build warnings. -
ARC-014 P1Configure Spotless or equivalent deterministic formatting. -
ARC-015 P1Configure Checkstyle, PMD, SpotBugs, or justified equivalents. -
ARC-016 P0Add OWASP dependency scanning and secret scanning. -
ARC-017 P0Add software bill of materials generation. -
ARC-018 P1Add container image vulnerability scanning. -
ARC-019 P1Define semantic versioning and branch/release conventions. -
ARC-020 P1Create ADRs for reactive stack, persistence style, route storage, and cache consistency. -
ARC-021 P0Decide whether the gateway uses R2DBC or isolates blocking JPA work from event-loop threads. -
ARC-022 P0Define service ownership and code-owner rules. -
ARC-023 P1Establish common logging, error, clock, ID, and test utilities. -
ARC-024 P1Add architecture tests that prevent forbidden package dependencies. -
ARC-025 P1Add a reproducible developer bootstrap script.
-
PLT-001 P0Createdocker-compose.ymlfor gateway, four mock services, PostgreSQL, Redis, Prometheus, and Grafana. -
PLT-002 P0Assign stable internal DNS names and non-conflicting ports. -
PLT-003 P0Keep downstream application ports off the public host interface by default. -
PLT-004 P0Add container health checks for every service. -
PLT-005 P1Add startup dependency conditions without assuming readiness from process start. -
PLT-006 P1Add named volumes for PostgreSQL and Grafana. -
PLT-007 P1Add an isolated internal network and explicit edge network. -
PLT-008 P0Inject credentials through environment or secret files, never committed values. -
PLT-009 P1Add resource limits and restart policies for production-like Compose. -
PLT-010 P0Add local, test, performance, and production-like configuration profiles. -
PLT-011 P0Validate required configuration at application startup. -
PLT-012 P1Publish a complete environment-variable catalog. -
PLT-013 P1Add.env.examplecontaining placeholders only. -
PLT-014 P0Add gateway liveness and readiness health groups. -
PLT-015 P1Add dependency health indicators with bounded timeouts. -
PLT-016 P0Create mock user-service skeleton and health endpoint. -
PLT-017 P0Create mock order-service skeleton and health endpoint. -
PLT-018 P0Create mock payment-service skeleton and health endpoint. -
PLT-019 P0Create mock notification-service skeleton and health endpoint. -
PLT-020 P1Add deterministic sample data to all mock services. -
PLT-021 P1Add configurable delay and failure simulation to mock services. -
PLT-022 P1Add request-ID echoing to mock services. -
PLT-023 P1Add graceful shutdown and readiness withdrawal. -
PLT-024 P0Add a platform smoke test that waits for healthy services. -
PLT-025 P1Document Windows, Linux, and macOS local setup differences.
-
DB-001 P0Configure PostgreSQL connectivity and connection-pool limits. -
DB-002 P0Configure Flyway and create an immutable migration convention. -
DB-003 P0Creategateway_routeswith stable route ID, URI, predicates, priority, enabled state, and version. -
DB-004 P0Createroute_permissionsfor roles and scopes. -
DB-005 P0Createapi_clientswith lifecycle and ownership metadata. -
DB-006 P0Createapi_keyswith prefix, strong hash, status, expiry, rotation lineage, and last-used time. -
DB-007 P0Createapi_scopesand normalized key/route scope mappings. -
DB-008 P0Createrate_limit_policieswith subject type, route, method, capacity, refill, and precedence. -
DB-009 P0Createip_ruleswith CIDR, action, route scope, reason, expiry, and priority. -
DB-010 P1Createrisk_ruleswith condition, weight, threshold action, and enabled state. -
DB-011 P0Create partition-readyaudit_events. -
DB-012 P0Create append-onlyadmin_action_logs. -
DB-013 P1Add optimistic-lock versions to mutable policy entities. -
DB-014 P0Add uniqueness and check constraints for invalid policy states. -
DB-015 P0Add indexes for active route lookup and route ordering. -
DB-016 P0Add indexes for API key prefix/status lookup. -
DB-017 P1Add audit indexes for time, request ID, route, event type, and subject. -
DB-018 P1Define audit partitioning and retention strategy. -
DB-019 P0Ensure migrations never insert production secrets. -
DB-020 P1Add idempotent local seed data in a development-only migration. -
DB-021 P0Add Testcontainers migration and repository tests. -
DB-022 P1Add schema documentation and entity relationship diagram. -
DB-023 P1Add backup, restore, and migration rollback runbooks. -
DB-024 P0Test startup against empty and previously migrated databases. -
DB-025 P1Define data deletion, pseudonymization, and retention jobs.
-
RTE-001 P0Implement persistent route loading into Spring Cloud Gateway. -
RTE-002 P0Validate route paths, methods, schemes, target hosts, and priorities. -
RTE-003 P0Reject unsafe target schemes and unapproved destination networks. -
RTE-004 P0Prevent admin and actuator paths from being shadowed by dynamic routes. -
RTE-005 P0Implement create, read, update, enable, disable, and delete route operations. -
RTE-006 P0Refresh route definitions after committed changes. -
RTE-007 P1Publish route-change events for multi-instance cache invalidation. -
RTE-008 P0Preserve the last known valid route set if refresh fails. -
RTE-009 P1Add route configuration dry-run validation. -
RTE-010 P1Add route conflict and ambiguity detection. -
RTE-011 P0Support method predicates and path predicates. -
RTE-012 P1Support controlled header, host, query, and weight predicates. -
RTE-013 P0Strip untrusted identity and internal control headers. -
RTE-014 P0Generate or validateX-Request-Id. -
RTE-015 P0Forward a bounded set of trusted identity headers after authentication. -
RTE-016 P0Define request and response header size limits. -
RTE-017 P0Define maximum request body size globally and per route. -
RTE-018 P1Support route metadata for auth, signing, rate limit, timeout, retry, and audit policy. -
RTE-019 P0Add controlled 404 behavior for unmatched routes. -
RTE-020 P0Add unit and integration tests for ordering, refresh, conflict, and header sanitation.
-
AUTH-001 P0Configure reactive OAuth2 resource-server JWT validation. -
AUTH-002 P0Validate signature, issuer, audience, expiration, not-before, and required claims. -
AUTH-003 P0Restrict accepted JWT algorithms. -
AUTH-004 P0Implement bounded JWK retrieval, caching, refresh, and rotation behavior. -
AUTH-005 P0Define clock-skew tolerance and test boundary conditions. -
AUTH-006 P0Normalize roles and scopes without trusting arbitrary claim shapes. -
AUTH-007 P0Implement public, user, partner, admin, and internal route categories. -
AUTH-008 P0Enforce route roles and scopes with deny-by-default semantics. -
AUTH-009 P0Return stable 401 and 403 problem codes without leaking token details. -
AUTH-010 P0Audit authentication and authorization failures. -
AUTH-011 P1Add metrics by route and outcome without subject-cardinality explosion. -
AUTH-012 P0Create API clients through an admin API. -
AUTH-013 P0Generate API keys using a cryptographically secure random source. -
AUTH-014 P0Display plaintext API key material exactly once. -
AUTH-015 P0Store only a strong password-style hash or keyed verifier. -
AUTH-016 P0Use a non-secret key prefix for indexed candidate lookup. -
AUTH-017 P0Compare key verifiers in constant-time where applicable. -
AUTH-018 P0Enforce key status, expiry, client status, scopes, and route restrictions. -
AUTH-019 P0Implement overlapping zero-downtime key rotation. -
AUTH-020 P0Implement immediate key revocation and cache invalidation. -
AUTH-021 P1Record last-used timestamp asynchronously or with bounded write frequency. -
AUTH-022 P0Protect all admin APIs with an explicit admin authority. -
AUTH-023 P1Support separation of route-admin, security-admin, auditor, and operator roles. -
AUTH-024 P0Add JWT and API-key positive, negative, expiry, rotation, and revocation tests. -
AUTH-025 P0Add tests proving spoofed trusted headers are replaced.
-
SIG-001 P0Publish a canonical request format specification. -
SIG-002 P0Canonicalize HTTP method, normalized path, canonical query, body hash, timestamp, nonce, and key ID. -
SIG-003 P0Specify percent-encoding, duplicate-query, empty-body, and content-encoding behavior. -
SIG-004 P0Validate signatures with HMAC-SHA-256 or a documented approved alternative. -
SIG-005 P0Reject missing, malformed, stale, or future timestamps. -
SIG-006 P0Use Redis atomic set-if-absent with TTL for nonce replay protection. -
SIG-007 P0Scope nonce keys by client/key identity. -
SIG-008 P0Fail closed when signing is required and replay storage is unavailable. -
SIG-009 P0Apply route-specific signing requirements. -
SIG-010 P0Bound cached request bodies and reject oversized signed payloads. -
SIG-011 P0Avoid logging canonical strings, signatures, or signing secrets. -
SIG-012 P1Provide Java and curl-compatible signing examples. -
SIG-013 P0Test body mutation, path normalization, query order, clock skew, and replay. -
SIG-014 P1Add signature validation latency metrics. -
SIG-015 P1Audit signature failures with non-sensitive reason codes.
-
POL-001 P0Define trusted proxy and client-IP resolution rules. -
POL-002 P0Ignore forwarded headers from untrusted peers. -
POL-003 P0Implement IPv4 and IPv6 exact-address and CIDR matching. -
POL-004 P0Define deterministic allow, block, temporary-block, and route-rule precedence. -
POL-005 P0Support rule expiry and disabled state. -
POL-006 P0Prevent accidental self-lockout from administrative access. -
POL-007 P1Add bulk import/export for reviewed IP rules. -
POL-008 P0Audit every denied IP decision. -
POL-009 P0Implement atomic Redis token-bucket logic. -
POL-010 P0Support subjects: global, IP, user, client, tenant, route, and composite. -
POL-011 P0Define policy precedence from most-specific to default. -
POL-012 P0Return429,Retry-After, limit, remaining, and reset metadata. -
POL-013 P0Define fail-open/fail-closed behavior per route if Redis is unavailable. -
POL-014 P1Add protection against unbounded Redis key cardinality. -
POL-015 P1Add TTL jitter where it prevents synchronized expiry. -
POL-016 P0Test concurrency across multiple gateway instances. -
POL-017 P1Define risk signals for invalid auth, repeated 404s, scanning, burst, and signature failures. -
POL-018 P1Implement explainable weighted risk scoring. -
POL-019 P1Support observe, challenge-ready, throttle, temporary-block, and deny actions. -
POL-020 P1Add decay windows and automatic temporary-block expiry. -
POL-021 P1Keep risk-rule evaluation bounded and deterministic. -
POL-022 P1Add false-positive review workflow and override audit. -
POL-023 P0Add policy CRUD APIs with validation and optimistic locking. -
POL-024 P0Add negative tests for bypass attempts and precedence errors. -
POL-025 P1Add policy decision metrics with bounded labels.
-
ADM-001 P0Define one JSON error schema with timestamp, request ID, status, code, message, path, and route ID. -
ADM-002 P0Define stable error codes for every gateway rejection class. -
ADM-003 P0Never expose stack traces or dependency internals to clients. -
ADM-004 P0Ensure every denial creates one final audit decision. -
ADM-005 P0Define audit event types and reason-code taxonomy. -
ADM-006 P0Include request ID, route, method, normalized path, actor type, decision, status, latency, and source IP. -
ADM-007 P0Exclude credentials, request bodies, sensitive query values, and raw tokens. -
ADM-008 P1Buffer or asynchronously persist high-volume audit events with bounded memory. -
ADM-009 P0Define behavior if audit persistence is unavailable. -
ADM-010 P1Add audit retention, partition archival, and purge jobs. -
ADM-011 P0Implement paginated audit search with validated filters and maximum ranges. -
ADM-012 P1Implement audit export with authorization and size limits. -
ADM-013 P0Audit every administrative mutation before/after state safely. -
ADM-014 P0Require idempotency keys for sensitive create/rotate operations. -
ADM-015 P1Add ETags or version fields to prevent lost updates. -
ADM-016 P0Implement complete CRUD for routes, clients, keys, rate limits, IP rules, risk rules, and permissions. -
ADM-017 P0Validate SSRF-sensitive route targets and reserved networks. -
ADM-018 P0Add pagination, filtering, sorting, and bounded page sizes. -
ADM-019 P0Generate OpenAPI for admin APIs and shared errors. -
ADM-020 P0Add controller, validation, authorization, and audit integration tests.
-
RES-001 P0Define connect, response, and total timeout budgets per route. -
RES-002 P0Apply retries only to idempotent operations or explicitly idempotent requests. -
RES-003 P0Use bounded exponential backoff with jitter. -
RES-004 P0Prevent retry amplification across gateway and downstream services. -
RES-005 P0Configure route-specific circuit breakers. -
RES-006 P0Provide stable fallback responses for eligible routes. -
RES-007 P1Add bulkhead/concurrency limits for expensive downstreams. -
RES-008 P0Propagate remaining request deadlines where possible. -
RES-009 P0Distinguish gateway rejection, timeout, connection failure, and downstream response. -
RES-010 P0Add circuit, retry, timeout, and fallback metrics. -
RES-011 P0Build user-service endpoints for public profile and authenticated user scenarios. -
RES-012 P0Build order-service read/create endpoints with role/scope examples. -
RES-013 P0Build payment-service partner endpoints requiring key and signature. -
RES-014 P0Build notification-service endpoints suitable for timeout/retry scenarios. -
RES-015 P1Add admin-service behavior inside gateway admin APIs rather than a public mock. -
RES-016 P1Add configurable status, delay, malformed response, and disconnect simulation. -
RES-017 P0Add consumer/provider contracts for gateway-to-service calls. -
RES-018 P0Test circuit opening, half-open recovery, and fallback. -
RES-019 P0Test that POST payment calls are not automatically retried. -
RES-020 P1Document downstream service onboarding requirements.
-
OBS-001 P0Emit structured JSON application logs. -
OBS-002 P0Correlate logs by request ID, route ID, and trace ID. -
OBS-003 P0Redact authorization, cookies, API keys, signatures, and configured sensitive headers. -
OBS-004 P0Add HTTP request count, duration, in-flight, and response-size metrics. -
OBS-005 P0Add auth, authorization, signing, IP, risk, and rate-limit decision counters. -
OBS-006 P0Add downstream timeout, retry, circuit, and fallback metrics. -
OBS-007 P0Add PostgreSQL pool, Redis, JVM, Netty, and process metrics. -
OBS-008 P0Restrict Actuator exposure to the minimum required endpoints. -
OBS-009 P0Protect or network-isolate/actuator/prometheus. -
OBS-010 P1Add OpenTelemetry tracing and W3C trace-context propagation. -
OBS-011 P1Sanitize inbound trace headers at the trust boundary. -
OBS-012 P0Configure Prometheus scrape targets and retention. -
OBS-013 P0Create Grafana overview, security, routes, dependencies, and JVM dashboards. -
OBS-014 P1Provision dashboards and data sources from version-controlled files. -
OBS-015 P0Add alerts for availability, error ratio, latency, denial spikes, and dependency failures. -
OBS-016 P1Add circuit-open, Redis saturation, DB pool, and audit-backlog alerts. -
OBS-017 P1Link alerts to runbooks. -
OBS-018 P0Verify metric labels cannot contain user IDs, raw paths, keys, or unbounded values. -
OBS-019 P1Define SLI/SLO calculations and error-budget reporting. -
OBS-020 P0Add an observability smoke test that verifies logs, metrics, and dashboard data.
-
TST-001 P0Establish minimum unit coverage for policy and security logic. -
TST-002 P0Add WebTestClient tests for all gateway filters and errors. -
TST-003 P0Add PostgreSQL and Redis Testcontainers integration suites. -
TST-004 P0Add end-to-end Compose smoke tests. -
TST-005 P0Add route hot-refresh and multi-instance invalidation tests. -
TST-006 P0Add JWT invalid signature, issuer, audience, expiry, nbf, and algorithm tests. -
TST-007 P0Add API-key brute-force resistance, revocation, expiry, and rotation tests. -
TST-008 P0Add signature canonicalization and replay tests. -
TST-009 P0Add forwarded-header spoofing and trusted-proxy tests. -
TST-010 P0Add SSRF route-target validation tests. -
TST-011 P0Add request smuggling, oversized header, oversized body, and malformed URI tests. -
TST-012 P0Add SQL injection and unsafe filter-input tests for admin APIs. -
TST-013 P0Add authorization matrix tests for every admin role. -
TST-014 P1Add property-based tests for CIDR and canonicalization. -
TST-015 P1Add fuzz tests for parsers and security headers. -
TST-016 P0Add contract tests for error schema and downstream trusted headers. -
TST-017 P0Add Redis outage, PostgreSQL outage, JWK outage, and downstream outage tests. -
TST-018 P1Add network latency, packet-loss, and restart resilience scenarios. -
TST-019 P0Add k6 smoke, average-load, stress, spike, and soak scenarios. -
TST-020 P0Measure gateway-added latency separately from downstream latency. -
TST-021 P1Define p50, p95, p99, throughput, and error-rate thresholds. -
TST-022 P1Add memory, connection, Redis-key, and audit-volume soak checks. -
TST-023 P0Add SAST, dependency, container, IaC, and secret scans to CI. -
TST-024 P1Perform an OWASP API Security Top 10 review. -
TST-025 P1Record a release security assessment and accepted risks.
-
OPS-001 P0Create multi-stage, non-root Dockerfiles with read-only-compatible filesystems. -
OPS-002 P0Pin base images and publish image digests and SBOMs. -
OPS-003 P0Add graceful termination, startup, liveness, and readiness behavior. -
OPS-004 P0Define horizontal scaling and shared-state assumptions. -
OPS-005 P1Document rolling deployment and route-cache compatibility. -
OPS-006 P0Automate database backup and verify restoration. -
OPS-007 P1Define Redis persistence expectations and disaster behavior. -
OPS-008 P0Write runbooks for gateway outage, DB outage, Redis outage, JWK outage, latency, denial spikes, and certificate expiry. -
OPS-009 P1Write key compromise and emergency revocation runbooks. -
OPS-010 P1Write route rollback and bad-policy recovery runbooks. -
OPS-011 P0Document TLS termination and trusted proxy configuration. -
OPS-012 P1Document certificate and secret rotation. -
OPS-013 P0Define production configuration validation and prohibited defaults. -
OPS-014 P1Add release notes and migration notes templates. -
OPS-015 P0Build a release checklist with rollback and verification steps. -
OPS-016 P0Reconcile README, technical document, SRS, microservices guide, and OpenAPI. -
OPS-017 P1Add architecture diagrams using version-controlled Mermaid. -
OPS-018 P1Add onboarding tutorials for user JWT and partner signed requests. -
OPS-019 P1Add admin API examples for route and key lifecycle. -
OPS-020 P1Add troubleshooting FAQ and known limitations.
- Gateway routes to all four mock services.
- JWT, API key, route authorization, Redis rate limiting, and consistent errors work.
- PostgreSQL migrations and admin route/client APIs work.
- Audit records and Prometheus metrics are visible.
- Compose smoke tests pass from a clean environment.
- Threat model has been reviewed.
- Secret and dependency scans pass.
- Authentication, signing, replay, proxy-header, SSRF, and authorization negative tests pass.
- Trusted headers cannot be supplied by external clients.
- Security-sensitive failures default to deny as documented.
- Multi-instance rate limiting and policy refresh are verified.
- SLO dashboards and alerts are provisioned.
- Backup and restore are exercised.
- Failure-injection and k6 reports meet approved thresholds.
- Runbooks and release rollback have been rehearsed.
-
FUT-001 P3Add Kubernetes manifests or Helm chart. -
FUT-002 P3Add service discovery integration. -
FUT-003 P3Add external policy engine evaluation. -
FUT-004 P3Add mTLS between gateway and downstream services. -
FUT-005 P3Add Web Application Firewall integration. -
FUT-006 P3Add adaptive anomaly detection after explainable rules are mature. -
FUT-007 P3Add multi-region policy distribution. -
FUT-008 P3Add tenant self-service API client administration. -
FUT-009 P3Add event-stream export of audit events. -
FUT-010 P3Add a web administration console.