Lumo needs SSO/OIDC/SAML and RBAC for multi-tenant/org identity, audit trails and mTLS for API/agent communication, secrets/key rotation, envelope encryption for Postgres/Redis, and complete SBOM/image/binary signing coverage.
Paths to start:
- Identity/auth (SSO/OIDC/SAML): start from the current API user/key handling and add OIDC/JWT validation alongside the API key flow (internal/api/auth.go, deployment configs)
- RBAC: org/project/resource model with role templates (admin/auditor/operator) (internal/api/auth.go, internal/database/roles.go)
- Audit: record the inspect/remediate/fix flows (internal/doctor/, internal/remediation/, internal/audit/ if present; otherwise add it)
- mTLS: agent and API server TLS configs; see the deployment/k8s manifests, deploy-saas, and the agent CLI
- Key rotation: centralize API keys in the DB (store hashes, not plaintext), add expiry and rotation with a grace window; key inspection lives in internal/api/auth.go, key ingestion is covered in the docs
- SBOM/signing: GoReleaser and the container build GH Actions; validate with trivy and cosign in the pipelines
Test coverage: add a SAST pass (gitleaks, semgrep) over all critical flows.
References to update: internal/api/auth.go, deployments/kubernetes/kind/deploy-saas, release pipeline.
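The RBAC and key-rotation items above describe the same piece of plumbing: a central key table with expiry, a rotation step that keeps the old key alive for a grace window, and a role template checked per org. The Go below is an added example of that shape, not Lumo's own code; the role names, action names, token format (<id>.<secret>) and KeyStore type are assumptions chosen for the example, and the in-memory map stands in for the DB table.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"strings"
	"sync"
	"time"
)

// Role templates and the actions each may perform (assumed names, not Lumo's model).
type Role string

const (
	RoleAdmin    Role = "admin"
	RoleAuditor  Role = "auditor"
	RoleOperator Role = "operator"
)

var rolePerms = map[Role]map[string]bool{
	RoleAdmin:    {"inspect": true, "remediate": true, "manage_keys": true},
	RoleOperator: {"inspect": true, "remediate": true},
	RoleAuditor:  {"inspect": true},
}

var (
	ErrUnknownKey = errors.New("unknown api key")
	ErrExpired    = errors.New("api key expired")
	ErrRevoked    = errors.New("api key revoked")
	ErrForbidden  = errors.New("forbidden")
)

// APIKey is the record the central key table holds. Only the SHA-256 of the
// secret is stored, so a dumped table does not yield usable credentials.
type APIKey struct {
	ID        string
	OrgID     string
	Role      Role
	Hash      [32]byte
	ExpiresAt time.Time
	Revoked   bool
}

// KeyStore is an in-memory stand-in for the DB table; the clock is injected
// so expiry and grace windows are testable without sleeping.
type KeyStore struct {
	mu   sync.Mutex
	keys map[string]*APIKey
	now  func() time.Time
}

func NewKeyStore(now func() time.Time) *KeyStore {
	return &KeyStore{keys: map[string]*APIKey{}, now: now}
}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return hex.EncodeToString(b)
}

// Issue creates a key valid for ttl. The plaintext token "<id>.<secret>" is
// returned once; the store keeps only the hash.
func (s *KeyStore) Issue(orgID string, role Role, ttl time.Duration) (string, error) {
	if _, ok := rolePerms[role]; !ok {
		return "", errors.New("unknown role")
	}
	id, secret := randomHex(8), randomHex(32)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.keys[id] = &APIKey{ID: id, OrgID: orgID, Role: role,
		Hash: sha256.Sum256([]byte(secret)), ExpiresAt: s.now().Add(ttl)}
	return id + "." + secret, nil
}

// Rotate issues a replacement with the same org and role and shortens the old
// key's life to a grace window so in-flight clients can switch over.
func (s *KeyStore) Rotate(oldID string, ttl, grace time.Duration) (string, error) {
	s.mu.Lock()
	old, ok := s.keys[oldID]
	if ok && !old.Revoked {
		if cut := s.now().Add(grace); cut.Before(old.ExpiresAt) {
			old.ExpiresAt = cut
		}
	}
	s.mu.Unlock() // Issue takes the lock itself
	if !ok || old.Revoked {
		return "", ErrUnknownKey
	}
	return s.Issue(old.OrgID, old.Role, ttl)
}

// Revoke makes a key unusable immediately, independent of its expiry.
func (s *KeyStore) Revoke(id string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	k, ok := s.keys[id]
	if !ok {
		return ErrUnknownKey
	}
	k.Revoked = true
	return nil
}

// Authenticate resolves a presented token: lookup by ID, then a constant-time
// compare of the secret's hash, then revocation and expiry checks.
func (s *KeyStore) Authenticate(token string) (*APIKey, error) {
	id, secret, ok := strings.Cut(token, ".")
	if !ok {
		return nil, ErrUnknownKey
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	k, found := s.keys[id]
	if !found {
		return nil, ErrUnknownKey
	}
	h := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(h[:], k.Hash[:]) != 1 {
		return nil, ErrUnknownKey
	}
	if k.Revoked {
		return nil, ErrRevoked
	}
	if !s.now().Before(k.ExpiresAt) {
		return nil, ErrExpired
	}
	rec := *k
	return &rec, nil
}

// Authorize enforces tenant isolation first, then the role template.
func Authorize(k *APIKey, orgID, action string) error {
	if k.OrgID != orgID || !rolePerms[k.Role][action] {
		return ErrForbidden
	}
	return nil
}
```

Two details carry over to a real DB-backed version: the org check in Authorize runs before the role check so a valid key from one tenant can never act on another, and Rotate never extends the old key, it only shortens it, so a key that was already about to expire is not accidentally kept alive by the grace window.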