id: T058
name: LightningSTOR S3 Auth Hardening
goal: Implement robust SigV4 authentication for LightningSTOR S3 API
status: planned
priority: P0
owner: peerB
created: 2025-12-12
depends_on: [T047]
blocks: [T039]

context: |
  **Findings from T047 Completion Report:**
  - SigV4 authentication middleware is active but signature validation fails due to canonicalization mismatch.
  - Auth was bypassed (`S3_AUTH_ENABLED=false`) for T047 completion.
  - This is a critical security vulnerability for production S3 API.

  **Foreman Recommendation:**
  - "Address the critical security issue in T047-lightningstor-s3 regarding SigV4 authentication."

acceptance:
  - SigV4 authentication fully functional and passes AWS CLI tests.
  - S3 API rejects invalid signatures.
  - IAM integration for credentials.

steps:
  - step: S1
    name: Debug SigV4 Canonicalization
    done: Identify and fix the canonicalization mismatch in SigV4 signature verification.
    status: in_progress
    owner: peerB
    priority: P0

  - step: S2
    name: Integrate with IAM
    done: Fetch IAM credentials for signature verification.
    status: pending
    owner: peerB
    priority: P1

  - step: S3
    name: Security Testing
    done: Add comprehensive security tests for S3 authentication.
    status: pending
    owner: peerB
    priority: P1

evidence: []

notes: |
  Critical for production security of the S3 object storage.
  Blocking T039 for a truly secure deployment.