# DoD/MilSpec Compliance Quick Start

This guide provides a quick overview of the DoD/MilSpec compliance features implemented in Sankofa Phoenix.

## What's Been Implemented

### ✅ Critical Security (Phase 1)

- **Secret Management**: Fail-fast validation, no default secrets in production
- **Credential Protection**: Pre-commit hooks, rotation scripts, enhanced .gitignore
- **Security Headers**: Comprehensive DoD-compliant headers

### ✅ Access Control (Phase 2)

- **MFA**: TOTP support with backup codes, enforcement for privileged operations
- **RBAC**: Enhanced role-based access with ABAC support
- **Sessions**: Classification-based timeouts, concurrent session limits

### ✅ Audit Logging (Phase 3)

- **Comprehensive Logging**: All security events logged with cryptographic signatures
- **Tamper-Proof**: HMAC signatures on all audit logs
- **7+ Year Retention**: Database schema supports long-term retention

### ✅ Encryption (Phase 4)

- **FIPS 140-2 Crypto**: Wrapper for FIPS-approved algorithms
- **Data at Rest**: Field-level encryption service
- **Key Management**: Framework for Vault integration

## Quick Setup

### 1. Environment Variables

```bash
# Required in production
JWT_SECRET=<64+ character secret>
DB_PASSWORD=<32+ character password>
ENCRYPTION_KEY=<64 hex characters for AES-256>

# Optional
ENABLE_FIPS=true
AUDIT_LOG_SECRET=
```

### 2. Run Migrations

```bash
cd api
npm run db:migrate
```

This will create:

- MFA tables
- RBAC tables
- Session tables
- Audit log tables

### 3. Enable Pre-commit Hooks

```bash
# Install git hooks
git config core.hooksPath .githooks
```

### 4. Validate Secrets

The application automatically validates all secrets on startup in production mode.
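Step 4 says secrets are checked at startup and the process fails fast when they are weak or left at a default. The following is an added example of what such a check looks like in Node, written for this guide and not taken from the Sankofa Phoenix code base. It applies the length rules from the environment variable list (64+ characters for `JWT_SECRET` in production, 32+ for `DB_PASSWORD`, 64 hex characters for `ENCRYPTION_KEY`) and the character-class rule from the Key Features section; the function names, the non-production fallback of 32 characters and the list of insecure defaults are assumptions.

```javascript
// Added example (not Sankofa Phoenix's own code): fail-fast secret
// validation of the kind step 4 describes. Function names, the per-secret
// minimum lengths and the insecure-default list are assumptions.
'use strict';

// Assumed policy: the quick-start lists JWT_SECRET as 64+ characters and
// DB_PASSWORD as 32+ in production; outside production both fall back to 32.
const POLICY = {
  JWT_SECRET: { production: 64, other: 32 },
  DB_PASSWORD: { production: 32, other: 32 },
};

// Constructed list of placeholder values that must never reach production.
const INSECURE_DEFAULTS = new Set(['changeme', 'secret', 'password', 'dev-secret']);

// Returns an array of problems; an empty array means the value is acceptable.
function validateSecret(name, value, minLength) {
  if (typeof value !== 'string' || value.length === 0) return [`${name} is not set`];
  const problems = [];
  if (value.length < minLength) {
    problems.push(`${name} must be at least ${minLength} characters (got ${value.length})`);
  }
  if (!/[A-Z]/.test(value)) problems.push(`${name} needs an uppercase letter`);
  if (!/[a-z]/.test(value)) problems.push(`${name} needs a lowercase letter`);
  if (!/[0-9]/.test(value)) problems.push(`${name} needs a digit`);
  if (!/[^A-Za-z0-9]/.test(value)) problems.push(`${name} needs a special character`);
  if (INSECURE_DEFAULTS.has(value.toLowerCase())) problems.push(`${name} is a known insecure default`);
  return problems;
}

// Checks every secret in POLICY plus ENCRYPTION_KEY and throws on any failure,
// so a misconfigured process refuses to start instead of running with weak secrets.
function validateAllSecrets(env) {
  const production = env.NODE_ENV === 'production';
  const failures = [];
  for (const [name, limits] of Object.entries(POLICY)) {
    failures.push(...validateSecret(name, env[name], production ? limits.production : limits.other));
  }
  // ENCRYPTION_KEY is a raw AES-256 key, so it is checked as 64 hex characters
  // (32 bytes) rather than against the character-class policy.
  if (!/^[0-9a-fA-F]{64}$/.test(env.ENCRYPTION_KEY || '')) {
    failures.push('ENCRYPTION_KEY must be exactly 64 hex characters (AES-256)');
  }
  if (failures.length > 0) throw new Error(`Refusing to start: ${failures.join('; ')}`);
  return true;
}

// Stand-alone run against a constructed environment (these are not real secrets).
const demoEnv = {
  NODE_ENV: 'production',
  JWT_SECRET: 'Aa1!'.repeat(16),               // 64 characters, all four classes
  DB_PASSWORD: 'Bb2@'.repeat(8),               // 32 characters
  ENCRYPTION_KEY: '0123456789abcdef'.repeat(4), // 64 hex characters
};
console.log('startup secrets valid:', validateAllSecrets(demoEnv));
console.log('problems with a default value:', validateSecret('JWT_SECRET', 'changeme', 64));
```

Calling `validateAllSecrets(process.env)` before the HTTP listener is opened gives the fail-fast behaviour the guide describes: every failing secret is reported in one error rather than one at a time, and nothing is served until all of them pass.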
## Key Features

### Secret Validation

- Secrets must be 32+ characters (64+ in production)
- Must include uppercase, lowercase, numbers, and special characters
- Fails fast if insecure defaults are detected

### MFA Enforcement

- Required for all privileged operations
- TOTP support with QR code generation
- Backup codes for recovery

### Audit Logging

- All security events automatically logged
- Cryptographic signatures prevent tampering
- Queryable audit trail

### Encryption

- AES-256-GCM for data encryption
- FIPS 140-2 approved algorithms
- Field-level encryption for sensitive data

## Compliance Standards

- **NIST SP 800-53**: ~40% implemented
- **NIST SP 800-171**: ~35% implemented
- **DISA STIGs**: Application Security partially implemented
- **FIPS 140-2**: Crypto wrapper complete

## Next Steps

See [IMPLEMENTATION_STATUS.md](./IMPLEMENTATION_STATUS.md) for detailed status and remaining work.