[ENHANCE] - Special Backfill Phase (Bridge: 3.6 -> 3.7); #57

@atlet99

Description

  • Entry gate approved: 3.6 SPIFFE baseline is stable in integration tests
  • Workstream A: API contract and schema closure
    • Fill api/proto/ with canonical schemas for key, crypto, authz, audit operations
    • Generate and validate OpenAPI in api/openapi/ (single source-of-truth flow)
    • Freeze v1 request/response schema compatibility matrix
  • Workstream B: Crypto and lifecycle debt closure
    • Implement KEK/DEK hierarchy KDF (HKDF-based derivation model)
    • Implement time-based and usage-based rotation policies
    • Implement rotation scheduler and idempotent scheduled jobs
    • Complete graceful deprecation handling path and tests
  • Workstream C: AuthN/AuthZ reliability closure
    • Fix OIDC token cache concurrency safety and add race tests
    • Integrate token refresh lifecycle into server auth flows
    • Enforce explicit mTLS client CA pool loading in server TLS config
    • Align Casbin default model with domain/multi-tenant architecture target (or update architecture decisions explicitly)
  • Workstream D: Operability and admin surface closure
    • Complete CLI command set: init, policy, audit, health, migrate
    • Wire migration flow end-to-end (openkms-cli migrate + backend schema migration)
    • Complete append-only audit persistence/query API
    • Add pre-commit hooks to enforce local quality gates before CI
  • Workstream E: Quality gate uplift for transition to 3.7
    • Raise coverage baseline to practical minimum gate (target: >=45% overall, critical packages >=70%)
    • Add race-test suite for auth/storage critical paths
    • Add regression tests for rotation scheduler, migration rollback, and strict SPIFFE mode
    • Ensure make fix-all and make check-all are green in clean workspace
  • Nuance controls for safe execution
    • Roll out high-risk changes (authn/crypto/storage) behind config flags where possible
    • Require reversible DB migration steps and tested rollback procedure
    • Validate HA behavior for mixed-version nodes during transition
    • Require canary rollout notes for production-impacting changes
    • Assign explicit owner + ETA for every unchecked item in this phase
  • Acceptance artifacts (must exist before phase closure)
    • Backfill report: each missed item mapped to PR/test/doc artifact
    • Updated threat model delta for all security-sensitive changes
    • Updated runbook sections for migrate/rotate/audit/health operational flows
    • Short postmortem: why items were missed earlier + preventive process changes
  • Exit gate approved: no open P0 items from Phase 5.4 relevant to runtime security/correctness
  • Exit gate approved: no unresolved stubs/TODOs in API/CLI paths required for operations
  • Exit gate approved: promote to 3.7 only after closure report is attached to docs
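The KEK/DEK hierarchy item in Workstream B names an HKDF-based derivation model; the following Go program is an added example written for this page (not code from this issue or from the OpenKMS project, and it assumes the project is in Go). It implements HKDF (RFC 5869) over HMAC-SHA256 and derives per-key DEKs from a KEK with the key ID and rotation version bound into the `info` input, so a rotation policy only has to bump the version; the salt label and info layout are constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// hkdfExtract is HKDF-Extract from RFC 5869: PRK = HMAC-SHA256(salt, IKM).
func hkdfExtract(salt, ikm []byte) []byte {
	m := hmac.New(sha256.New, salt)
	m.Write(ikm)
	return m.Sum(nil)
}

// hkdfExpand is HKDF-Expand from RFC 5869: OKM = T(1) || T(2) || ... cut to length.
func hkdfExpand(prk, info []byte, length int) []byte {
	var okm, t []byte
	for i := byte(1); len(okm) < length; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(t)
		m.Write(info)
		m.Write([]byte{i})
		t = m.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length]
}

// DeriveDEK derives a 32-byte DEK from the KEK for one (keyID, version) pair.
// The info value binds purpose, key ID and rotation version, so a rotated DEK
// is simply the next version under the same KEK and no derived key is reused.
func DeriveDEK(kek []byte, keyID string, version uint32) []byte {
	salt := []byte("openkms/dek/v1") // constructed domain-separation label (assumption)
	info := []byte("dek")
	info = binary.BigEndian.AppendUint16(info, uint16(len(keyID))) // length-prefix the ID
	info = append(info, keyID...)
	info = binary.BigEndian.AppendUint32(info, version)
	return hkdfExpand(hkdfExtract(salt, kek), info, 32)
}

func main() {
	kek := sha256.Sum256([]byte("constructed test KEK, not a real key")) // sample input
	for v := uint32(1); v <= 2; v++ {
		fmt.Printf("tenant-a/db-key v%d: %s\n", v, hex.EncodeToString(DeriveDEK(kek[:], "tenant-a/db-key", v)))
	}
}
```

Derived DEKs never need to be persisted: storing only the KEK reference, key ID and version is enough to recompute them, and a rollback of a rotation is a version decrement rather than a key restore.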

Labels

enhancement (New feature or request)