the_order/docs/governance/eresidency-ecitizenship-task-map.md
defiQUG 2633de4d33 feat(eresidency): Complete eResidency service implementation
- Implement credential revocation endpoint with proper database integration
- Fix database row mapping (snake_case to camelCase) for eResidency applications
- Add missing imports (getRiskAssessmentEngine, VeriffKYCProvider, ComplyAdvantageSanctionsProvider)
- Fix environment variable type checking for Veriff and ComplyAdvantage providers
- Add required 'message' field to notification service calls
- Fix risk assessment type mismatches
- Update audit logging to use 'verified' action type (supported by schema)
- Resolve all TypeScript errors and unused variable warnings
- Add TypeScript ignore comments for placeholder implementations
- Temporarily disable security/detect-non-literal-regexp rule due to ESLint 9 compatibility
- Service now builds successfully with no linter errors

All core functionality implemented:
- Application submission and management
- KYC integration (Veriff placeholder)
- Sanctions screening (ComplyAdvantage placeholder)
- Risk assessment engine
- Credential issuance and revocation
- Reviewer console
- Status endpoints
- Auto-issuance service
2025-11-10 19:43:02 -08:00

# eResidency & eCitizenship Task Map
Complete execution-ready task map to stand up both **eResidency** and **eCitizenship** for a decentralized sovereign body (DSB) modeled on SMOM-style sovereignty (recognition without permanent territory).
## Phase 0 — Program Charter & Guardrails (2-3 weeks)
### 0.1 Foundational Charter
* Draft: Purpose, powers, immunities sought, governance model, membership classes (Resident, Citizen, Honorary, Service).
* Define scope: digital-only status vs. claims with diplomatic effects.
* Deliverable: DSB Charter v1 + Glossary.
* Accept: Approved by Founding Council with recorded vote.
### 0.2 Legal & Risk Frame
* Commission legal opinions on: personality under international law (IO/NGO/Order), recognition pathways, host-state agreements/MOUs, data protection regimes, sanctions compliance, export controls.
* Map constraints for KYC/AML, conflict-of-laws, tax neutrality, consumer protections.
* Deliverable: Legal Risk Matrix + Opinion Letters Index.
* Accept: Red/Amber/Green ratings with mitigations.
### 0.3 Trust & Assurance Model
* Choose trust posture: "Assured Identity Provider" with defined Levels of Assurance (LOA 1-3) and assurance events (onboard, renew, recover).
* Deliverable: Trust Framework Policy (TFP), including incident handling & audit.
* Accept: External reviewer sign-off.
---
## Phase 1 — Governance & Policy Stack (4-6 weeks)
### 1.1 Constitutional Instruments
* Citizenship Code (rights/duties, oath), Residency Code (privileges/limits), Due Process & Appeals, Code of Conduct, Anti-corruption & Ethics.
* Deliverable: Statute Book v1.
* Accept: Published and version-controlled.
### 1.2 Data & Privacy
* Privacy Policy, Lawful Bases Register, Data Processing Agreements, DPIA, Records of Processing Activities, Retention & Deletion Schedules.
* Deliverable: Privacy & Data Governance Pack.
* Accept: DPIA low/medium residual risk.
### 1.3 Sanctions/KYC/AML Policy
* Define screening lists, risk scoring, Enhanced Due Diligence triggers, PEP handling, source-of-funds rules (if fees/donations), audit trail requirements.
* Deliverable: KYC/AML Standard Operating Procedures (SOPs).
* Accept: Mock audit passed.
### 1.4 Benefits & Obligations Catalog
* Enumerate tangible benefits (digital ID, signatures, notarial layer, dispute forum, community services, ordinaries, honors) and duties (updating info, code compliance).
* Deliverable: Benefits Matrix + Service SLAs.
* Accept: SLA thresholds defined and met in testing.
---
## Phase 2 — Identity & Credential Architecture (6-8 weeks)
### 2.1 Identifier Strategy
* Pick scheme: Decentralized Identifiers (DIDs) + UUIDs; namespace rules; revocation & recovery flows.
* Deliverable: Identifier & Namespace RFC.
* Accept: Collision tests + recovery drill.
### 2.2 Credentials & Schemas
* Define verifiable credential (VC) schemas for: eResident Card, eCitizen Passport (digital), Address Attestation, Good Standing, Professional Orders.
* Deliverable: JSON-LD schemas + Registry.
* Accept: Interop tests with 3rd-party verifiers.
### 2.3 PKI / Trust Anchors
* Stand up Sovereign Root CA (offline), Issuing CAs (online), Certificate Policy/Practice Statements (CP/CPS), CRL/OCSP endpoints.
* Deliverable: Root ceremony artifacts + HSM key custody procedures.
* Accept: External PKI audit checklist passed.
### 2.4 Wallet & Verification
* User wallet options: web wallet + mobile wallet (iOS/Android) with secure enclave; verifier portal; QR/NFC presentation.
* Deliverable: Wallet apps + Verifier SDK (JS/TS) + sample verifier site.
* Accept: LOA-aligned presentation proofs; offline-capable QR working.
---
## Phase 3 — Application, Vetting & Issuance (6-10 weeks)
### 3.1 eResidency Workflow (MVP)
* Application: email + device binding, basic identity, selfie liveness.
* KYC: doc scan (passport/ID), sanctions/PEP screening, proof-of-funds if needed.
* Issuance: eResident VC + X.509 client cert; optional pseudonymous handle tied to real identity at LOA 2.
* Deliverable: eResidency Portal v1 + Reviewer Console.
* Accept: Median approval time <48h; false-reject rate <3%.
### 3.2 eCitizenship Workflow (elevated assurance)
* Eligibility: tenure as eResident, sponsorship, service merit, oath ceremony (digital).
* Additional checks: video interview, multi-source corroboration, background attestations.
* Issuance: eCitizen VC (higher LOA), qualified e-signature capability, digital heraldry/insignia.
* Deliverable: eCitizenship Portal v1 + Ceremony Module.
* Accept: Chain-of-custody logs complete; ceremony audit trail immutable.
### 3.3 Appeals & Ombuds
* Build case management, independent panel roster, timelines, remedy types.
* Deliverable: Appeals System + Public Register of Decisions (redacted).
* Accept: Two mock cases resolved end-to-end.
---
## Phase 4 — Services Layer & Interoperability (6-8 weeks)
### 4.1 Qualified e-Signatures & Notarial
* Implement signature flows (advanced/qualified), timestamping authority (TSA), document registry hashes.
* Deliverable: Signature Service + Notarial Policy.
* Accept: External relying party verifies signatures without DSB assistance.
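What "verifies signatures without DSB assistance" looks like in practice, as an added TypeScript illustration rather than The Order's Signature Service: the signer signs the document hash (the value that goes into the document registry), a separate timestamping authority (TSA) key signs a time over the hash of that signature, and the relying party checks everything with only the two public keys, including that the signature was timestamped while the signer's key was still valid. The token layout, the identifiers and the `signerKeyValidUntil` input are assumptions for the example; a production TSA would use RFC 3161 tokens under an X.509 chain.

```typescript
// Added illustration for 4.1, not The Order's Signature Service. Token layout,
// identifiers and the signerKeyValidUntil input are assumptions.
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";

export interface DocSignature { docHash: string; signer: string; sig: string; }
export interface TimestampToken { sigHash: string; time: string; tsa: string; sig: string; }

const sha256 = (data: Buffer | string): string => createHash("sha256").update(data).digest("hex");
const b64 = (b: Buffer): string => b.toString("base64url");

// Signer signs the document hash; the hash is what the document registry records.
export function signDocument(doc: Buffer, signer: string, key: KeyObject): DocSignature {
  const docHash = sha256(doc);
  return { docHash, signer, sig: b64(sign(null, Buffer.from(docHash), key)) };
}

// The TSA never sees the document: it binds a time to the hash of the signature.
export function issueTimestamp(ds: DocSignature, time: Date, tsa: string, key: KeyObject): TimestampToken {
  const sigHash = sha256(ds.sig);
  const iso = time.toISOString();
  return { sigHash, time: iso, tsa, sig: b64(sign(null, Buffer.from(`${sigHash}|${iso}`), key)) };
}

// Relying-party check using only public keys: no call back to the DSB.
export function verifySignedDocument(
  doc: Buffer, ds: DocSignature, tt: TimestampToken,
  signerPub: KeyObject, tsaPub: KeyObject, signerKeyValidUntil: Date,
): string {
  if (sha256(doc) !== ds.docHash) return "document does not match signed hash";
  if (!verify(null, Buffer.from(ds.docHash), signerPub, Buffer.from(ds.sig, "base64url"))) return "bad signer signature";
  if (tt.sigHash !== sha256(ds.sig)) return "timestamp covers a different signature";
  if (!verify(null, Buffer.from(`${tt.sigHash}|${tt.time}`), tsaPub, Buffer.from(tt.sig, "base64url"))) return "bad TSA signature";
  // Proof of existence: the signature counts only if it was timestamped while the signer key was valid.
  if (new Date(tt.time) > signerKeyValidUntil) return "timestamped after signer key validity ended";
  return "ok";
}

// Constructed walk-through: good path, altered document, key revoked before the timestamp, back-dated token.
export function demoNotarialVerification(): string[] {
  const signerKeys = generateKeyPairSync("ed25519");
  const tsaKeys = generateKeyPairSync("ed25519");
  const doc = Buffer.from("Deed of appointment, constructed sample text");
  const ds = signDocument(doc, "did:dsb:signer-example", signerKeys.privateKey);
  const tt = issueTimestamp(ds, new Date("2025-11-10T12:00:00Z"), "tsa.example", tsaKeys.privateKey);
  const keyValidUntil = new Date("2026-01-01T00:00:00Z");
  return [
    verifySignedDocument(doc, ds, tt, signerKeys.publicKey, tsaKeys.publicKey, keyValidUntil),
    verifySignedDocument(Buffer.from("altered text"), ds, tt, signerKeys.publicKey, tsaKeys.publicKey, keyValidUntil),
    // Same artifacts, but the signer key's validity ended before the timestamp time.
    verifySignedDocument(doc, ds, tt, signerKeys.publicKey, tsaKeys.publicKey, new Date("2025-11-01T00:00:00Z")),
    // Token with a back-dated time but the original TSA signature.
    verifySignedDocument(doc, ds, { ...tt, time: "2025-01-01T00:00:00Z" }, signerKeys.publicKey, tsaKeys.publicKey, keyValidUntil),
  ];
}
```

The ordering is the point: the TSA timestamps the signature, not the document, so the relying party can later prove the signature existed at a time when the signer's key was unrevoked, even after the key is compromised or retired. Without that the key-compromise drills in 5.1 would force every previously signed document back to the DSB for re-validation.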
### 4.2 Interop & Recognition
* Map to global standards (ISO/IEC 24760 identity; W3C VC/DID; ICAO Digital Travel Credentials roadmap; ETSI eIDAS profiles for cross-recognition where feasible).
* Deliverable: Interop Gateway + Conformance Reports.
* Accept: Successful cross-verification with at least 3 external ecosystems.
### 4.3 Membership & Services
* Roll out directories (opt-in), guilds/orders, dispute resolution forum, grant program, education/badging.
* Deliverable: Service Catalog live.
* Accept: ≥3 live services consumed by ≥20% of cohort.
---
## Phase 5 — Security, Audit, & Resilience (continuous; gate before GA)
### 5.1 Security
* Threat model (insider, phishing, bot farms, deepfakes), red team, bug bounty, key compromise drills, geo-redundant infra.
* Deliverable: Security Plan + PenTest Report + DR/BCP playbooks.
* Accept: RTO/RPO targets met in exercise.
### 5.2 Compliance & Audit
* Annual external audits for PKI and issuance, privacy audits, sanctions/KYC reviews, SOC2-style controls where applicable.
* Deliverable: Audit Pack.
* Accept: No critical findings outstanding.
### 5.3 Ethics & Human Rights
* Anti-discrimination tests, appeal transparency, proportionality guidelines.
* Deliverable: Human Rights Impact Assessment (HRIA).
* Accept: Board attestation.
---
## Phase 6 — Diplomacy & External Relations (parallel tracks)
### 6.1 Recognition Strategy
* Prioritize MOUs with NGOs, universities, chambers, standards bodies, and willing states for limited-purpose recognition (e.g., accepting DSB e-signatures or credentials).
* Deliverable: Recognition Dossier + Template MOU.
* Accept: ≥3 executed MOUs in Year 1.
### 6.2 Host-State Arrangements
* Negotiate data hosting safe harbors, registered offices (non-territorial), or cultural mission status to facilitate operations.
* Deliverable: Host Agreement Playbook.
* Accept: At least one host agreement finalized.
---
## Product & Engineering Backlog (cross-phase)
### Core Systems
* Member Registry (event-sourced), Credential Registry (revocation lists), Case/Appeals, Payments (if fees), Messaging & Ceremony.
### APIs/SDKs
* Issuance API, Verification API, Webhooks for status changes, Admin API with immutable audit logs.
### Integrations
* KYC providers (document, selfie liveness), sanctions screening, HSM/KMS, email/SMS gateways.
### UX
* Application flows ≤10 minutes, save/resume, accessibility AA+, multilingual, oath UX.
### Observability
* Metrics: time-to-issue, approval rates, fraud rate, credential use rate, verifier NPS.
---
## Distinguishing eResidency vs eCitizenship (policy knobs)
### Assurance
* **eResidency**: LOA 1-2
* **eCitizenship**: LOA 2-3
### Rights
* **eResident**: Use DSB digital ID, signatures, services
* **eCitizen**: Governance vote, public offices, honors, diplomatic corps (as policy allows)
### Duties
* **eCitizen**: Oath; possible service contribution/hour benchmarks
### Fees
* **eResidency**: Lower, subscription-like
* **eCitizenship**: One-time plus renewal/continuing good standing
### Revocation
* Graduated sanctions; transparent registry
---
## Acceptance Metrics (90-day MVP)
* 95% issuance uptime; <48h median eResidency decision
* <0.5% confirmed fraud after adjudication
* ≥2 independent external verifiers using the SDK
* First recognition MOU executed
* Public policy corpus published and versioned
---
## Minimal Document Set (ready-to-draft list)
* Charter & Statute Book
* TFP (Trust Framework Policy)
* CP/CPS (Certificate Policy/Practice Statements)
* KYC/AML SOP
* Privacy Pack (DPIA, DPA templates)
* Security Plan
* HRIA (Human Rights Impact Assessment)
* Benefits & SLA Catalog
* Ceremony & Oath Script
* Appeals Rules
* Recognition MOU Template
* Host-State Playbook
---
## RACI Snapshot (who does what)
* **Founding Council**: Approves Charter, Statutes, Recognition targets
* **Chancellor (Policy Lead)**: Owns legal/policy stack, diplomacy
* **CIO/CISO**: Owns PKI, security, audits
* **CTO/Eng**: Platforms, wallets, APIs, issuance & verification
* **Registrar**: Operations, case management, ceremonies
* **Ombuds Panel**: Appeals & remedies
* **External Counsel/Auditors**: Opinions, audits, certifications
---
## Implementation Priority
### Immediate (Phase 0-1)
1. Draft DSB Charter
2. Legal & Risk Framework
3. Trust Framework Policy
4. Constitutional Instruments
5. Privacy & Data Governance
### Short-term (Phase 2-3)
1. Identifier Strategy
2. Credential Schemas
3. PKI Infrastructure
4. eResidency Workflow
5. eCitizenship Workflow
### Medium-term (Phase 4-5)
1. Qualified e-Signatures
2. Interoperability
3. Security & Compliance
4. Services Layer
### Long-term (Phase 6)
1. Recognition Strategy
2. Host-State Arrangements
3. External Relations
---
## Integration with The Order
This task map integrates with The Order's existing systems:
* **Identity Service**: Extends credential issuance for eResidency and eCitizenship
* **Database Package**: Member registry, credential registry, case management
* **Auth Package**: Enhanced authentication and authorization for membership classes
* **Workflows Package**: Application workflows, appeals, ceremonies
* **Notifications Package**: Application status, ceremony invitations, renewal reminders
* **Compliance Package**: KYC/AML, sanctions screening, risk scoring