docs: update for v1.5.0 features

- Add PKI audit logging, request duration metrics to features list - Update test count from 216 to 283 - Add audit.py and metrics.py to project structure - Document audit logging in api.md - Update TASKLIST.md with completed tasks - Update TODO.md (remove resolved debt items) - Update ROADMAP.md decision log
2025-12-24 17:10:42 +01:00
parent 045f73c998
commit cb6eebee59
5 changed files with 58 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -22,6 +22,8 @@ A lightweight, secure pastebin REST API built with Flask.
 - **Security headers** - HSTS, CSP, X-Frame-Options, X-Content-Type-Options
 - **CLI client** - Standalone `fpaste` tool with encryption support
 - **Request tracing** - X-Request-ID for log correlation
+- **Audit logging** - PKI certificate lifecycle events (issue, revoke, auth failure)
+- **Observability** - Request duration metrics via Prometheus histogram
 - **Minimal dependencies** - Flask + SQLite, optional cryptography for CLI

 ## Quick Start
@@ -356,10 +358,12 @@ flaskpaste/
 │   ├── __init__.py      # Flask app factory
 │   ├── config.py        # Configuration classes
 │   ├── database.py      # SQLite management
+│   ├── audit.py         # Audit logging for PKI events
+│   ├── metrics.py       # Prometheus metrics and histograms
 │   └── api/
 │       ├── __init__.py  # Blueprint setup
 │       └── routes.py    # API endpoints
-├── tests/               # Test suite
+├── tests/               # Test suite (283 tests)
 ├── data/                # SQLite database
 ├── run.py               # Development server
 ├── wsgi.py              # Production WSGI entry
@@ -384,6 +388,8 @@ flaskpaste/
 - **Rate limiting** - Per-IP throttling with auth multiplier
 - **Request tracing** - X-Request-ID for log correlation
 - **PKI support** - Built-in CA for client certificate issuance
+- **Audit logging** - PKI certificate events for compliance and forensics
+- **Observability** - Prometheus metrics for monitoring and alerting

 ## License

--- a/ROADMAP.md
+++ b/ROADMAP.md
@@ -28,7 +28,10 @@ FlaskPaste v1.5.0 is deployed with comprehensive security hardening and abuse pr
 - CLI with list, search, update, export commands
 - Public certificate registration (PoW-protected)
 - CLI register command for certificate enrollment
- Comprehensive test suite (216 tests)
+- Comprehensive test suite (283 tests)
+- PKI audit logging (certificate lifecycle events)
+- Request duration metrics (Prometheus histogram)
+- Memory leak detection in CI pipeline

 ## Phase 1: Hardening (Complete)

@@ -44,7 +47,7 @@ Focus: Production readiness and operational excellence.
 │ 4 │ Proxy trust validation          │ Done
 │ 5 │ Proof-of-work spam prevention   │ Done
 │ 6 │ Entropy enforcement             │ Done
-│ 7 │ Test coverage > 90%             │ Done (205 tests)
+│ 7 │ Test coverage > 90%             │ Done (283 tests)
 │ 8 │ Documentation complete          │ Done
 └───┴─────────────────────────────────┴────────────────────────────────────┘
 ```
@@ -178,6 +181,9 @@ These features will not be implemented:
 | 2024-12    | CLI encrypt-by-default             | Security-first design
 | 2024-12    | CLI retry on PoW failure           | Graceful handling of stale tokens
 | 2024-12    | Public cert registration           | Self-service onboarding with PoW protection
+| 2024-12    | PKI audit logging                  | Full certificate lifecycle traceability
+| 2024-12    | Request duration metrics           | Prometheus histogram for observability
+| 2024-12    | Memory leak CI job                 | tracemalloc-based leak detection in CI

 ## Review Schedule

--- a/TASKLIST.md
+++ b/TASKLIST.md
@@ -23,8 +23,6 @@ Prioritized, actionable tasks. Each task is small and completable in one session
 | Status | Task
 |--------|--------------------------------------------------------------
 | ☐      | Fix mypy type errors (currently ignored)
-| ☐      | Add test for concurrent identical submissions
-| ☐      | Add integration tests for container deployment

 ## Priority 4: Documentation

@@ -37,6 +35,11 @@ Prioritized, actionable tasks. Each task is small and completable in one session

 | Date       | Task
 |------------|--------------------------------------------------------------
+| 2024-12    | Integrate PKI audit logging (CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE)
+| 2024-12    | Integrate request duration metrics (Prometheus histogram)
+| 2024-12    | Add memory leak detection tests (tracemalloc)
+| 2024-12    | Add concurrent paste creation tests
+| 2024-12    | Add container deployment integration tests
 | 2024-12    | Add tiered auto-expiry (anon/untrusted/trusted)
 | 2024-12    | Add admin list all pastes (`--all` flag)
 | 2024-12    | Add batch delete with confirmation (`--confirm N`)
--- a/TODO.md
+++ b/TODO.md
@@ -9,11 +9,12 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r
 - Rate limit headers in responses (X-RateLimit-*)
 - Paste compression for large text content
 - ETag support for conditional requests
- Paste listing for authenticated users (their own pastes only)
 - Neovim/Vim plugin for editor integration
 - Webhook notifications for paste events
 - Certificate renewal reminder in CLI
 - Admin endpoint for CA key rotation
+- Shell completions (bash, zsh, fish)
+- Clipboard integration (pbcopy/xclip)

 ## Observations

@@ -23,6 +24,9 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r
 - CI pipeline: lint runs parallel with security, tests wait for lint
 - Ruff replaces flake8/isort/pyupgrade with single fast tool
 - Bandit configured for medium+ severity only (-ll flag)
+- PKI audit events now logged: CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE
+- Request duration metrics recorded via Prometheus histogram
+- Memory leak tests use tracemalloc to detect leaks (CI job)

 ## Questions

@@ -36,8 +40,6 @@ Unstructured intake buffer for ideas, issues, and observations. Items here are r
 ## Debt

 - Mypy has pre-existing type errors (runs with --ignore-missing-imports)
- No integration tests for container deployment
- Missing test for concurrent paste creation
 - Could add more deployment examples (Kubernetes, systemd)

 ## External Dependencies
--- a/documentation/api.md
+++ b/documentation/api.md
@@ -1198,3 +1198,36 @@ curl -H "X-SSL-Client-SHA1: $(openssl x509 -in client.crt -fingerprint -sha1 -no

 | Event | Trigger | Details |
 |-------|---------|---------|
+| `cert_issued` | Certificate registration or issuance | Type, CN, fingerprint, expiry |
+| `cert_revoked` | Certificate revocation | Serial, fingerprint |
+| `auth_failure` | Revoked/expired certificate used | Fingerprint, reason |
+
+**Log Format (production):**
+```json
+{
+  "time": "2024-12-24T10:30:00",
+  "level": "INFO",
+  "logger": "app.audit",
+  "event": "cert_issued",
+  "outcome": "success",
+  "client_id": "a1b2c3d4...",
+  "client_ip": "192.168.1.100",
+  "details": {"type": "registration", "common_name": "alice"}
+}
+```
+
+**Notes:**
+- Audit logs are written to stdout in JSON format (production mode)
+- Events include client IP and certificate fingerprint for traceability
+- AUTH_FAILURE events are logged when revoked/expired certificates are used
+  "outcome": "success",
+  "client_id": "a1b2c3d4...",
+  "client_ip": "192.168.1.100",
+  "details": {"type": "registration", "common_name": "alice"}
+}
+```
+
+**Notes:**
+- Audit logs are written to stdout in JSON format (production mode)
+- Events include client IP and certificate fingerprint for traceability
+- AUTH_FAILURE events are logged when revoked/expired certificates are used