diff --git a/ROADMAP.md b/ROADMAP.md new file mode 100644 index 0000000..2414a83 --- /dev/null +++ b/ROADMAP.md @@ -0,0 +1,366 @@ +# Bastion β€” Product Roadmap + +**Unified Device & Workspace Governance for the Enterprise** + +*Last updated: April 2026* + +--- + +## Vision + +One governance authority, every endpoint type, every management mode, unified by identity. Bastion is the open-source MDM control plane that governs physical endpoints and virtual workspaces under a single identity-aware, cryptographically attestable policy framework. + +--- + +## Feature Matrix + +### Legend + +| Status | Meaning | +|--------|---------| +| βœ… Shipped | Implemented, tested, in bastion-v0.3 | +| πŸ”¨ In Progress | Partially implemented or stubbed | +| πŸ“ Designed | Architecture defined, not yet coded | +| πŸ—ΊοΈ Planned | Scoped and prioritized, design pending | +| πŸ’‘ Future | Identified need, not yet scoped | + +--- + +### Identity & Authentication + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| Entra ID identity driver (JWKS-verified) | βœ… Shipped | v0.1 | Native JWT validation, device_id extraction, MFA detection | +| Keycloak identity driver (JWKS-verified) | βœ… Shipped | v0.3 | Shared JWKSVerifier, realm_access roles, DID construction | +| Shared JWKS verification framework | βœ… Shipped | v0.3 | Reusable across all identity drivers, kid-miss refresh | +| on_behalf_of impersonation gating | βœ… Shipped | v0.3 | Requires `gsap:impersonate` role | +| Okta identity driver | πŸ—ΊοΈ Planned | v0.6 | OIDC JWT verification, Okta-specific claims | +| SPIFFE/SPIRE workload identity | πŸ—ΊοΈ Planned | v0.7 | Service-to-service identity within governance infra | +| FIDO2/WebAuthn integration | πŸ’‘ Future | β€” | Hardware key attestation for operator authentication | +| Shared bearer auth middleware | πŸ”¨ In Progress | v0.4 | FastAPI `Depends(verify_bearer)` for all protected endpoints | + +### Device Management β€” Traditional Mode + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| Intune connector (7 operations) | βœ… Shipped | v0.1 | list, get, compliance, sync, lock, retire, wipe | +| Intune compliance cache | βœ… Shipped | v0.1 | In-memory with configurable TTL | +| Compliance-gated AC issuance | βœ… Shipped | v0.1 | Per-accord and global configuration | +| Entra device_id in AC metadata | βœ… Shipped | v0.1 | Extracted from JWT deviceid claim | +| device_id UUID validation | βœ… Shipped | v0.3 | Path traversal prevention for Graph API | +| Intune MCP tools | βœ… Shipped | v0.1 | 4 tools via governed connector invocation | +| Capability-enforced operations | βœ… Shipped | v0.3 | READ/PROPOSE/MUTATE per-operation | +| Keylime connector (TPM attestation) | πŸ“ Designed | v0.5 | Measured boot + IMA runtime integrity | +| Fleet/osquery connector | πŸ—ΊοΈ Planned | v0.5 | Cross-platform posture collection for Linux/macOS/Windows | +| Jamf connector (macOS) | πŸ—ΊοΈ Planned | v0.6 | macOS endpoint compliance and management | +| SNMP/API network device connector | πŸ’‘ Future | β€” | Switch/router/firewall posture assessment | +| Windows Device Health Attestation | πŸ“ Designed | v0.5 | TPM attestation via Intune DHA Graph API | + +### Device Management β€” VDI Mode + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| VDI mode architecture | πŸ“ Designed | v0.6 | Workspace provisioning, profile governance, session binding | +| Apache Guacamole adapter | πŸ—ΊοΈ Planned | v0.6 | REST API integration for session lifecycle | +| Governed shell integration (Bascule) | πŸ”¨ In Progress | v0.4 | Stubbed connector, needs Shellstream transport | +| FSLogix / profile governance | πŸ“ Designed | v0.7 | Content-addressed profiles as governed artifacts | +| Citrix CVAD adapter | πŸ—ΊοΈ Planned | v0.7 | Broker Service API for session lifecycle | +| VMware Horizon adapter | πŸ—ΊοΈ Planned | v0.8 | REST API integration | +| Session-device binding | πŸ“ Designed | v0.5 | Correlate Bascule session with originating device posture | +| Mid-session compliance re-evaluation | πŸ“ Designed | v0.6 | Revoke/restrict session when device posture degrades | + +### Hardware Security + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| TPM attestation (Linux via Keylime) | πŸ“ Designed | v0.5 | Measured boot, PCR verification, IMA integration | +| TPM attestation (Windows via DHA) | πŸ“ Designed | v0.5 | Intune Device Health Attestation Graph API | +| HBOM collection (Linux) | πŸ“ Designed | v0.5 | dmidecode, sysfs, lspci, lsusb, TPM PCR values | +| HBOM collection (Windows) | πŸ“ Designed | v0.5 | WMI hardware classes, TPM WMI | +| HBOM drift detection | πŸ“ Designed | v0.5 | Content-hash comparison, unexpected component alerting | +| Firmware version verification | πŸ“ Designed | v0.5 | HBOM declared version vs TPM-measured version | +| HardwareIntegrity posture condition | πŸ“ Designed | v0.5 | Composite: TPM + HBOM + firmware all valid | +| Barcode/QR enrollment scanning | πŸ—ΊοΈ Planned | v0.6 | USB/camera barcode scan for device onboarding, serial/model/SKU auto-population | +| Scan-to-HBOM verification | πŸ—ΊοΈ Planned | v0.6 | Compare scanned vendor declaration against TPM/OS-reported hardware at first boot | +| Supply chain provenance tracking | πŸ—ΊοΈ Planned | v0.7 | Full hardware lifecycle: procurement scan β†’ provisioning β†’ production β†’ decommission | + +### Connector Framework + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| ConnectorPlugin ABC | βœ… Shipped | v0.1 | API-mediated connector pattern | +| ConnectorRuntime with Chronicle audit | βœ… Shipped | v0.1 | Intent-before-execution, result-after | +| SessionTransport / SessionConnector | βœ… Shipped | v0.2 | Session-based connector pattern with lifecycle | +| OrchestratorConnector | βœ… Shipped | v0.2 | Multi-step workflow pattern with partial-completion | +| Bascule connector (stubbed) | πŸ”¨ In Progress | v0.4 | AC-as-credential, needs Shellstream transport | +| PowerShell connector (stubbed) | πŸ”¨ In Progress | v0.5 | Kerberos credential, needs pypsrp transport | +| Ansible connector (stubbed) | πŸ”¨ In Progress | v0.5 | Orchestrator pattern, needs ansible-runner | +| Keylime connector | πŸ“ Designed | v0.5 | TPM attestation API integration | +| Connector plugin SDK | πŸ—ΊοΈ Planned | v0.7 | Guild-facing SDK for third-party connectors | + +### Credential Management + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| CredentialResolver abstraction | βœ… Shipped | v0.2 | Type routing, expiry enforcement, zero-storage | +| Entra credential backend (OAuth) | βœ… Shipped | v0.2 | MSAL on-behalf-of token acquisition | +| Bascule credential passthrough | βœ… Shipped | v0.2 | AC is the credential | +| Stub credential backend | βœ… Shipped | v0.2 | Dev/testing only, requires explicit opt-in (v0.3) | +| Credential repr safety | βœ… Shipped | v0.3 | field(repr=False) on all sensitive fields | +| Kerberos credential resolution | πŸ”¨ In Progress | v0.5 | Entra Kerberos proxy or hybrid AD | +| SSH certificate credential | πŸ“ Designed | v0.5 | Short-lived certs from Bascule CA | +| HashiCorp Vault backend | πŸ—ΊοΈ Planned | v0.6 | Dynamic secrets for all credential types | +| CyberArk backend | πŸ—ΊοΈ Planned | v0.7 | Enterprise PAM integration | +| Azure Key Vault backend | πŸ—ΊοΈ Planned | v0.6 | Cloud-native secrets for Azure environments | + +### Authorization & Governance + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| AC issuance (GSAP spec) | βœ… Shipped | v0.1 | Full lifecycle: issue, poll, consume | +| Completion receipts | βœ… Shipped | v0.1 | Outcome recording with behavioral attestation | +| Capability mask enforcement | βœ… Shipped | v0.3 | READ/PROPOSE/MUTATE per-operation check | +| AC validation in ConnectorRuntime | βœ… Shipped | v0.3 | Exists, active, not expired | +| Session mode ACs | βœ… Shipped | v0.1 | Multi-operation sessions with session_end | +| Delegation lifecycle | βœ… Shipped | v0.1 | Create, revoke, query, list, TTL, command limits | +| Bounded delegation capability | βœ… Shipped | v0.3 | Cannot exceed delegator's capability mask | +| Atomic command counter | βœ… Shipped | v0.3 | SQL-level increment with limit check | +| DeviceRouter | βœ… Shipped | v0.2 | Automatic connector selection by device OS/channel | +| Declarative compliance policies | πŸ—ΊοΈ Planned | v0.5 | Cross-platform policy definitions | +| Accord template externalization | πŸ—ΊοΈ Planned | v0.5 | From hardcoded dict to CRD/file-based | +| Ceremony-gated operations | πŸ“ Designed | v0.6 | Multi-party approval for destructive operations | +| Delegation depth enforcement | πŸ”¨ In Progress | v0.4 | Chain traversal and depth limit | + +### AI Agent Integration + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| MCP tool surface | βœ… Shipped | v0.1 | JSON-RPC 2.0, 11 core + 4 Intune tools | +| Agent delegation system | βœ… Shipped | v0.1 | Ephemeral IdP registrations, scoped ACs | +| Delegation with Entra registrar | βœ… Shipped | v0.1 | App registration + service principal + client credential | +| Delegation with Keycloak registrar | βœ… Shipped | v0.1 | Ephemeral service-account clients | +| MCP authentication | πŸ”¨ In Progress | v0.4 | Bearer token required for all MCP operations | +| MCP AC validation | βœ… Shipped | v0.3 | Governed tools require real AC (no synthetic bypass) | +| Harness specification | πŸ“ Designed | v0.6 | Delegation scope, escalation boundary, observation/action mode | +| Harness enforcement in gsh | πŸ“ Designed | v0.7 | gsh reads harness.toml, enforces scope | +| Agent telemetry classification | πŸ“ Designed | v0.6 | Distinguish agent ops from human ops in Chronicle | +| Automated remediation harness | πŸ“ Designed | v0.7 | Compliance violation β†’ agent remediation within scope | + +### Compliance & Attestation + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| Compliance-gated authorization | βœ… Shipped | v0.1 | Non-compliant devices denied ACs | +| PostureLevel (Lockdown..Normal) | βœ… Shipped | witness-sprint1 | Wire-compatible with Shellstream | +| WitnessLevel (L1-L4) | βœ… Shipped | witness-sprint1 | Telemetry granularity per SAT-SPEC-ZONE-001 | +| PostureCondition framework | βœ… Shipped | witness-sprint1 | 9 condition kinds including Custom | +| WitnessConfig on AccordSpec | βœ… Shipped | witness-sprint1 | Conditions + delegates + interval + breach response | +| PostureTransitionArtifact | βœ… Shipped | witness-sprint1 | Merkle-anchored posture change evidence | +| Posture condition evaluator | βœ… Shipped | witness-sprint2 | 6 checkers implemented, 2 stubbed | +| Witness event classification | βœ… Shipped | witness-sprint2 | Operational/Witness/Forensic at ingestion bridge | +| TpmAttestationValid condition | πŸ“ Designed | v0.5 | Keylime-backed posture condition | +| HbomNoDrift condition | πŸ“ Designed | v0.5 | HBOM integrity-backed posture condition | +| HostPostureSnapshot generation | πŸ“ Designed | v0.6 | Selective merkle proofs for external observers | +| Witness delegation forwarding | πŸ“ Designed | v0.6 | Pulsar subscription β†’ filtered CloudEvents to delegates | +| Insurance observability API | πŸ—ΊοΈ Planned | v0.7 | Read-only posture history for insurers | +| Dynamic premium integration | πŸ’‘ Future | β€” | Insurer-side premium calculation from posture stream | +| CMMC compliance mapping | πŸ—ΊοΈ Planned | v0.7 | Map Bastion posture conditions to CMMC practices | +| SOC 2 evidence generation | πŸ—ΊοΈ Planned | v0.7 | Automated evidence collection for SOC 2 controls | +| SLSA build provenance integration | πŸ“ Designed | v0.8 | Build attestation feeding into device posture | + +### Audit & Telemetry + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| Chronicle event emission | βœ… Shipped | v0.1 | CloudEvents to ingestion bridge | +| Intent-before-execution audit | βœ… Shipped | v0.3 | INTENT event before, RESULT event after | +| GovernanceEnvelope | βœ… Shipped | cid-phase3 | Binds git ref + actor + accord + timestamp | +| ChronicleGitEvent | βœ… Shipped | cid-phase3 | Git-originated events in Chronicle chain | +| Witness event types (0x2801-0x2805) | βœ… Shipped | witness-sprint1 | Posture verified/breached, delegate lifecycle | +| Chronicle migration to CloudEvents | βœ… Shipped | boundary-cleanup | All emitters use CloudEvents 1.0 | +| DEVICE_COMPLIANCE_CHECKED event | βœ… Shipped | v0.1 | Compliance gate decisions audited | +| CONNECTOR_INVOCATION_INTENT event | βœ… Shipped | v0.3 | Pre-execution audit record | +| Broker Chronicle β†’ CloudEvents gRPC | πŸ—ΊοΈ Planned | v0.5 | Replace Forgejo webhook format (M6.2 TODO) | +| Forensic telemetry classification | πŸ“ Designed | v0.6 | Full Chronicle stream for incident investigation | + +### Multi-Tenancy & Fleet Management + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| Device inventory (Intune-sourced) | βœ… Shipped | v0.1 | Windows managed devices via Graph API | +| Device inventory (Linux) | πŸ”¨ In Progress | v0.5 | Via Bascule connector collect operation | +| Cross-tenant MSP dashboard | πŸ—ΊοΈ Planned | v0.6 | Dioxus frontend with per-client views | +| Tenant isolation in broker | πŸ—ΊοΈ Planned | v0.6 | Per-tenant Accord scope, data isolation | +| Vertical policy templates | πŸ—ΊοΈ Planned | v0.7 | Healthcare, legal, manufacturing, tribal presets | +| Fleet-wide posture aggregation | πŸ—ΊοΈ Planned | v0.7 | Cross-device posture summary per tenant | +| Billing/usage metering | πŸ’‘ Future | β€” | Per-tenant usage for MSP billing | + +### Platform & Infrastructure + +| Feature | Status | Version | Notes | +|---------|--------|---------|-------| +| FastAPI + SQLite (prototype) | βœ… Shipped | v0.1 | Single-container deployment | +| PostgreSQL migration | πŸ—ΊοΈ Planned | v0.5 | asyncpg, same SQLModel layer | +| SQLite file permissions (0o600) | πŸ”¨ In Progress | v0.4 | Security hardening | +| Pydantic SecretStr for secrets | βœ… Shipped | v0.3 | Settings safety | +| Helm chart | πŸ—ΊοΈ Planned | v0.6 | K8s deployment | +| Rust port β€” AC issuance | πŸ—ΊοΈ Planned | v1.0 | Axum/Tonic, governance-types crate | +| Rust port β€” connectors | πŸ—ΊοΈ Planned | v1.0 | reqwest + azure_identity | +| Rust port β€” credential resolver | πŸ—ΊοΈ Planned | v1.0 | Same zero-storage pattern | +| OpenAPI spec generation | πŸ—ΊοΈ Planned | v0.6 | Auto-generate from FastAPI routes | + +--- + +## Release Plan + +### v0.4 β€” Authentication Hardening (Q2 2026) + +**Theme:** Close the remaining security gaps and establish shared auth middleware. + +- Shared `Depends(verify_bearer)` FastAPI middleware (closes C-4, C-8) +- MCP endpoint full bearer authentication +- Delegation endpoint bearer authentication with DID from token +- Delegation depth enforcement (H-7) +- SQLite file permissions (H-6) +- Bascule connector: real Shellstream transport integration (first real session connector) + +**Exit criteria:** All 10 critical findings fully closed. Zero unauthenticated endpoints. + +### v0.5 β€” Hardware Trust & Real Transports (Q3 2026) + +**Theme:** TPM attestation, HBOM, and the first real management transports. + +- Keylime connector for TPM-based measured boot attestation +- Windows Device Health Attestation via Intune DHA Graph API +- HBOM collection (Linux via Bascule, Windows via PowerShell) +- HBOM drift detection with content-hash comparison +- HardwareIntegrity composite posture condition +- PowerShell connector: real pypsrp transport +- Ansible connector: real ansible-runner integration +- Fleet/osquery connector for cross-platform posture collection +- PostgreSQL migration (asyncpg) +- Declarative compliance policy engine (cross-platform evaluation) +- Accord template externalization (file/CRD-based) +- Broker Chronicle client migration to CloudEvents (not Forgejo format) +- Device inventory for Linux endpoints (via Bascule collect) +- Session-device binding (correlate Bascule session to originating device) + +**Exit criteria:** TPM attestation operational on Linux. At least two real transports (Bascule + PowerShell) executing against live targets. HBOM collected and verified. + +### v0.6 β€” VDI Mode & Multi-Tenancy (Q4 2026) + +**Theme:** Virtual workspace governance and MSP fleet management. + +- Apache Guacamole VDI adapter +- Governed shell (Bascule) as a VDI mode workspace +- Workspace provisioning lifecycle (auth β†’ provision β†’ monitor β†’ terminate) +- Mid-session compliance re-evaluation +- Session-device correlation in unified audit trail +- HostPostureSnapshot generation (Notarization Boundary) +- Witness delegation forwarding (Pulsar β†’ filtered CloudEvents) +- Tenant isolation in broker (per-client Accord scope) +- Cross-tenant MSP dashboard (Dioxus) +- Harness specification for AI agents +- Agent telemetry classification (agent vs human ops) +- Ceremony-gated destructive operations +- Barcode/QR device enrollment (USB scanner + camera/mobile support) +- Scan-to-HBOM verification (vendor declaration vs actual hardware at first boot) +- Helm chart for K8s deployment +- OpenAPI spec auto-generation +- Okta identity driver + +**Exit criteria:** VDI mode operational with at least one platform adapter. MSP can manage multiple clients with tenant isolation. Witness delegation producing snapshots. + +### v0.7 β€” Insurance & Compliance Frameworks (Q1 2027) + +**Theme:** Compliance automation and the insurance observability product. + +- Insurance observability API (read-only posture history) +- CMMC compliance mapping (posture conditions β†’ CMMC practices) +- SOC 2 evidence generation (automated control evidence) +- Vertical policy templates (healthcare, legal, manufacturing, tribal) +- Fleet-wide posture aggregation (cross-device summary) +- FSLogix / profile governance (content-addressed VDI profiles) +- Harness enforcement in gsh (harness.toml β†’ scope enforcement) +- Automated remediation harness (compliance violation β†’ agent action) +- Citrix CVAD adapter +- Jamf connector (macOS) +- SPIFFE/SPIRE workload identity +- HashiCorp Vault credential backend +- CyberArk credential backend +- Connector plugin SDK for guild/third-party development +- Supply chain provenance tracking (procurement scan β†’ provisioning β†’ production β†’ decommission) + +**Exit criteria:** Insurance observability API operational. At least one compliance framework (CMMC or SOC 2) mapped. Harness-governed AI agents performing automated remediation. + +### v0.8 β€” Ecosystem & Scale (Q2 2027) + +**Theme:** Scale, ecosystem growth, and advanced attestation. + +- VMware Horizon VDI adapter +- SLSA build provenance integration +- Supply chain provenance tracking (HBOM lifecycle) +- Distributed cache for multi-worker deployments +- Advanced posture analytics (trend analysis, predictive degradation) +- Guild marketplace integration (connector/policy template distribution) +- Forensic telemetry mode (full Chronicle stream for incident investigation) + +### v1.0 β€” Rust Port & Production Hardening (Q3 2027) + +**Theme:** Production-grade Rust implementation for performance and safety. + +- Rust port: AC issuance and CR ingestion (Axum/Tonic) +- Rust port: connector framework (reqwest + azure_identity) +- Rust port: credential resolver (same zero-storage architecture) +- Rust port: identity drivers (JWKS verification) +- Python broker archived as reference implementation +- Full conformance test suite (Python and Rust implementations must pass) +- Performance benchmarking and load testing +- Security audit of Rust implementation + +--- + +## Reference Deployment + +### Tribal Nation NOC (2026-2027) + +The primary reference deployment validating all Bastion capabilities: + +- **Sovereignty:** Self-hosted control plane, local governance authority +- **Mixed fleet:** Windows workstations (Entra/Intune) + Linux terminals (Bascule/GSH) +- **Dual-mode:** Physical NOC terminals + VDI remote access for off-site operators +- **Hardware trust:** TPM attestation on all NOC endpoints, HBOM verification +- **Compliance:** Continuous posture attestation for tribal cybersecurity requirements +- **Insurance:** Witness delegation to cyber insurer for dynamic premium model +- **AI agents:** Harness-governed automated monitoring and remediation + +--- + +## Architecture Principles + +1. **Zero credential storage.** The broker holds authorization decisions (ACs), never credentials. Short-lived credentials acquired at invocation time, discarded after use. + +2. **Governance by identity, not device.** The identity (who) determines the policy (what they can do). The device (where they are) is a posture signal, not the access decision. + +3. **Delegate enforcement, own decisions.** Bastion makes governance decisions. Platform-specific tools (Intune, Keylime, Ansible, Bascule) enforce them. The control plane is durable; backends evolve. + +4. **Attest, don't assert.** Every governance claim is backed by cryptographic evidence β€” TPM measurements, merkle-anchored posture records, signed attestation snapshots. Software assertions are corroborated by hardware proofs. + +5. **Pluggable everything.** Identity drivers, credential backends, connectors, VDI adapters, compliance policies. The framework ships; the ecosystem grows. + +6. **Audit before execute.** Chronicle INTENT event before every operation, RESULT event after. The audit trail survives execution failures. + +--- + +## Contributing + +Bastion follows the guild-based contribution model: + +- **License:** Apache 2.0 +- **Contributions:** Developer Certificate of Origin (DCO), not CLA +- **Connector development:** Implement the ConnectorPlugin ABC; the framework provides Chronicle audit, GSAP validation, and credential resolution +- **Identity drivers:** Implement the IdentityDriver ABC with JWKSVerifier for JWT validation +- **Credential backends:** Implement the CredentialBackend ABC with enforced TTL on all credentials +- **Policy templates:** Submit compliance policy definitions for specific verticals or frameworks + +See bastion-security-audit.md for the current security posture and known limitations.