Merge pull request #248 from jplock/jp-kiro

Author: jplock

.kiro/steering/product.md

@@ -0,0 +1,22 @@
+# AWS Nitro Enclaves Vault
+
+A secure vault solution for storing and protecting sensitive data (PII/PHI) using AWS Nitro Enclaves.
+
+## Purpose
+
+Provides a secure mechanism to store sensitive data encrypted at rest, with decryption only possible through approved channels within isolated Nitro Enclave environments.
+
+## Key Features
+
+- Flexible data model supporting PII fields (email, SSN, DOB, address, phone, etc.)
+- HPKE encryption (RFC 9180) using P-384 curve, HKDF-SHA384, and AES-256-GCM
+- Symmetric keys secured via AWS KMS
+- CEL (Common Expression Language) support for field transformations during decryption
+- Audit logging of all vault operations
+
+## Architecture Overview
+
+Three-tier architecture:
+1. **API Tier**: API Gateway + Lambda (Python) + DynamoDB for metadata/audit
+2. **Decryption Tier**: EC2 instances with NGINX, parent application (Rust), vsock proxy
+3. **Enclave Tier**: Nitro Enclave running enclave application (Rust) for secure decryption

.kiro/steering/structure.md

@@ -0,0 +1,58 @@
+# Project Structure
+
+```
+├── api/                    # Python Lambda API
+│   ├── src/app/           # Application code
+│   │   ├── routers/       # API route handlers
+│   │   ├── resources/     # AWS resource clients (DynamoDB, KMS)
+│   │   ├── models.py      # Pydantic models and vault schema
+│   │   ├── vault.py       # Core vault operations
+│   │   ├── encryptors.py  # HPKE encryption logic
+│   │   └── lambda_handler.py  # Lambda entry point
+│   ├── dependencies/      # Lambda layer dependencies
+│   └── template.yml       # SAM template
+│
+├── enclave/               # Rust Nitro Enclave application
+│   └── src/
+│       ├── main.rs        # Enclave entry point (vsock listener)
+│       ├── hpke.rs        # HPKE decryption
+│       ├── kms.rs         # KMS integration
+│       ├── expressions.rs # CEL expression execution
+│       ├── models.rs      # Request/response types
+│       └── protocol.rs    # Vsock message protocol
+│
+├── parent/                # Rust parent instance application
+│   └── src/
+│       ├── main.rs        # Parent entry point
+│       ├── application.rs # Axum app setup
+│       ├── routes.rs      # HTTP route handlers
+│       ├── enclaves.rs    # Enclave management
+│       ├── imds.rs        # EC2 instance metadata
+│       └── protocol.rs    # Vsock communication
+│
+├── canary/                # Python canary Lambda for monitoring
+│   └── src/app/
+│
+├── docs/                  # MkDocs documentation
+│
+├── scripts/               # Development scripts
+│
+├── Cargo.toml             # Rust workspace root
+├── deploy.sh              # Main deployment script
+├── uninstall.sh           # Cleanup script
+│
+# CloudFormation Templates
+├── vpc_template.yml       # VPC infrastructure
+├── kms_template.yml       # KMS key setup
+├── ci_template.yml        # CI/CD pipeline
+├── vault_template.yml     # Vault EC2 infrastructure
+└── deploy_template.yml    # Deployment orchestration
+```
+
+## Key Patterns
+
+- **Workspace**: Rust workspace with `enclave` and `parent` members
+- **Lambda Layers**: Python dependencies in `api/dependencies/`
+- **SAM**: Each Lambda component has its own `template.yml` and `samconfig.toml`
+- **Makefiles**: Each component has a Makefile for common operations
+- **License Headers**: All source files include MIT-0 license header

.kiro/steering/tech.md

@@ -0,0 +1,74 @@
+# Technology Stack
+
+## Languages
+
+- **Rust** (Edition 2024): Enclave and parent applications
+- **Python 3.13**: API Lambda functions
+
+## Rust Stack
+
+- **Runtime**: Tokio async runtime (parent)
+- **Web Framework**: Axum (parent HTTP server)
+- **Serialization**: serde, serde_json
+- **Crypto**: aws-lc-rs, rustls
+- **AWS SDK**: aws-config, aws-credential-types
+- **Enclave Communication**: vsock
+- **Expression Language**: cel-interpreter
+- **CLI Parsing**: clap
+- **Error Handling**: anyhow, thiserror
+- **Memory**: mimalloc (enclave, musl target)
+- **Security**: zeroize for sensitive data
+
+## Python Stack
+
+- **Framework**: AWS Lambda Powertools (logging, tracing, metrics, validation)
+- **Validation**: Pydantic (via Powertools parser)
+- **HTTP Client**: requests
+- **Crypto**: cryptography, hpke
+- **ID Generation**: pksuid
+- **AWS SDK**: boto3
+
+## Infrastructure
+
+- **IaC**: AWS SAM (Serverless Application Model) + CloudFormation
+- **Container**: Docker (enclave and parent images)
+- **Build**: docker-bake.hcl for multi-platform builds
+
+## Build Commands
+
+### API (Python Lambda)
+```bash
+cd api
+make setup    # Create venv and install dependencies
+make build    # SAM build
+make deploy   # SAM deploy
+make format   # Run black formatter
+make clean    # SAM delete
+```
+
+### Enclave (Rust)
+```bash
+cd enclave
+make build           # Build for aarch64-unknown-linux-musl
+make build-docker    # Build Docker image
+make build-enclave   # Build Nitro Enclave EIF
+make clean           # Cargo clean
+```
+
+### Parent (Rust)
+```bash
+cd parent
+make build         # Build for aarch64-unknown-linux-gnu
+make build-docker  # Build Docker image
+make clean         # Cargo clean
+```
+
+### Full Deployment
+```bash
+./deploy.sh  # Interactive deployment script
+```
+
+## Code Style
+
+- **Python**: Black formatter, line length 120, target Python 3.13
+- **Rust**: Edition 2024, release profile optimized for size (strip, LTO, panic=abort)