the_order/docs/governance/eresidency-ecitizenship-task-map.md
defiQUG 2633de4d33 feat(eresidency): Complete eResidency service implementation
- Implement credential revocation endpoint with proper database integration
- Fix database row mapping (snake_case to camelCase) for eResidency applications
- Add missing imports (getRiskAssessmentEngine, VeriffKYCProvider, ComplyAdvantageSanctionsProvider)
- Fix environment variable type checking for Veriff and ComplyAdvantage providers
- Add required 'message' field to notification service calls
- Fix risk assessment type mismatches
- Update audit logging to use 'verified' action type (supported by schema)
- Resolve all TypeScript errors and unused variable warnings
- Add TypeScript ignore comments for placeholder implementations
- Temporarily disable security/detect-non-literal-regexp rule due to ESLint 9 compatibility
- Service now builds successfully with no linter errors

All core functionality implemented:
- Application submission and management
- KYC integration (Veriff placeholder)
- Sanctions screening (ComplyAdvantage placeholder)
- Risk assessment engine
- Credential issuance and revocation
- Reviewer console
- Status endpoints
- Auto-issuance service
2025-11-10 19:43:02 -08:00


eResidency & eCitizenship Task Map

Complete execution-ready task map to stand up both eResidency and eCitizenship for a decentralized sovereign body (DSB) modeled on SMOM-style sovereignty (recognition without permanent territory).

Phase 0 — Program Charter & Guardrails (2–3 weeks)

0.1 Foundational Charter

  • Draft: Purpose, powers, immunities sought, governance model, membership classes (Resident, Citizen, Honorary, Service).
  • Define scope: digital-only status vs. claims with diplomatic effects.
  • Deliverable: DSB Charter v1 + Glossary.
  • Accept: Approved by Founding Council with recorded vote.

0.2 Legal & Risk Framework

  • Commission legal opinions on: personality under international law (IO/NGO/Order), recognition pathways, host-state agreements/MOUs, data protection regimes, sanctions compliance, export controls.
  • Map constraints for KYC/AML, conflict-of-laws, tax neutrality, consumer protections.
  • Deliverable: Legal Risk Matrix + Opinion Letters Index.
  • Accept: Red/Amber/Green ratings with mitigations.

0.3 Trust & Assurance Model

  • Choose trust posture: "Assured Identity Provider" with defined Levels of Assurance (LOA 1–3) and assurance events (onboard, renew, recover).
  • Deliverable: Trust Framework Policy (TFP), including incident handling & audit.
  • Accept: External reviewer sign-off.

Phase 1 — Governance & Policy Stack (4–6 weeks)

1.1 Constitutional Instruments

  • Citizenship Code (rights/duties, oath), Residency Code (privileges/limits), Due Process & Appeals, Code of Conduct, Anti-corruption & Ethics.
  • Deliverable: Statute Book v1.
  • Accept: Published and version-controlled.

1.2 Data & Privacy

  • Privacy Policy, Lawful Bases Register, Data Processing Agreements, DPIA, Records of Processing Activities, Retention & Deletion Schedules.
  • Deliverable: Privacy & Data Governance Pack.
  • Accept: DPIA low/medium residual risk.

1.3 Sanctions/KYC/AML Policy

  • Define screening lists, risk scoring, Enhanced Due Diligence triggers, PEP handling, source-of-funds rules (if fees/donations), audit trail requirements.
  • Deliverable: KYC/AML Standard Operating Procedures (SOPs).
  • Accept: Mock audit passed.

1.4 Benefits & Obligations Catalog

  • Enumerate tangible benefits (digital ID, signatures, notarial layer, dispute forum, community services, ordinaries, honors) and duties (updating info, code compliance).
  • Deliverable: Benefits Matrix + Service SLAs.
  • Accept: SLA thresholds defined and met in testing.

Phase 2 — Identity & Credential Architecture (6–8 weeks)

2.1 Identifier Strategy

  • Pick scheme: Decentralized Identifiers (DIDs) + UUIDs; namespace rules; revocation & recovery flows.
  • Deliverable: Identifier & Namespace RFC.
  • Accept: Collision tests + recovery drill.

2.2 Credentials & Schemas

  • Define verifiable credential (VC) schemas for: eResident Card, eCitizen Passport (digital), Address Attestation, Good Standing, Professional Orders.
  • Deliverable: JSON-LD schemas + Registry.
  • Accept: Interop tests with third-party verifiers.

2.3 PKI / Trust Anchors

  • Stand up Sovereign Root CA (offline), Issuing CAs (online), Certificate Policy/Practice Statements (CP/CPS), CRL/OCSP endpoints.
  • Deliverable: Root ceremony artifacts + HSM key custody procedures.
  • Accept: External PKI audit checklist passed.

2.4 Wallet & Verification

  • User wallet options: web wallet + mobile wallet (iOS/Android) with secure enclave; verifier portal; QR/NFC presentation.
  • Deliverable: Wallet apps + Verifier SDK (JS/TS) + sample verifier site.
  • Accept: LOA-aligned presentation proofs; offline-capable QR working.

Phase 3 — Application, Vetting & Issuance (6–10 weeks)

3.1 eResidency Workflow (MVP)

  • Application: email + device binding, basic identity, selfie liveness.
  • KYC: doc scan (passport/ID), sanctions/PEP screening, proof-of-funds if needed.
  • Issuance: eResident VC + X.509 client cert; optional pseudonymous handle tied to real identity at LOA 2.
  • Deliverable: eResidency Portal v1 + Reviewer Console.
  • Accept: Median approval time <48h; false-reject rate <3%.

3.2 eCitizenship Workflow (elevated assurance)

  • Eligibility: tenure as eResident, sponsorship, service merit, oath ceremony (digital).
  • Additional checks: video interview, multi-source corroboration, background attestations.
  • Issuance: eCitizen VC (higher LOA), qualified e-signature capability, digital heraldry/insignia.
  • Deliverable: eCitizenship Portal v1 + Ceremony Module.
  • Accept: Chain-of-custody logs complete; ceremony audit trail immutable.

3.3 Appeals & Ombuds

  • Build case management, independent panel roster, timelines, remedy types.
  • Deliverable: Appeals System + Public Register of Decisions (redacted).
  • Accept: Two mock cases resolved end-to-end.

Phase 4 — Services Layer & Interoperability (6–8 weeks)

4.1 Qualified e-Signatures & Notarial

  • Implement signature flows (advanced/qualified), timestamping authority (TSA), document registry hashes.
  • Deliverable: Signature Service + Notarial Policy.
  • Accept: External relying party verifies signatures without DSB assistance.

4.2 Interop & Recognition

  • Map to global standards (ISO/IEC 24760 identity; W3C VC/DID; ICAO Digital Travel Credentials roadmap; ETSI eIDAS profiles for cross-recognition where feasible).
  • Deliverable: Interop Gateway + Conformance Reports.
  • Accept: Successful cross-verification with at least 3 external ecosystems.

4.3 Membership & Services

  • Roll out directories (opt-in), guilds/orders, dispute resolution forum, grant program, education/badging.
  • Deliverable: Service Catalog live.
  • Accept: ≥3 live services consumed by ≥20% of cohort.

Phase 5 — Security, Audit, & Resilience (continuous; gate before GA)

5.1 Security

  • Threat model (insider, phishing, bot farms, deepfakes), red team, bug bounty, key compromise drills, geo-redundant infra.
  • Deliverable: Security Plan + PenTest Report + DR/BCP playbooks.
  • Accept: RTO/RPO targets met in exercise.

5.2 Compliance & Audit

  • Annual external audits for PKI and issuance, privacy audits, sanctions/KYC reviews, SOC2-style controls where applicable.
  • Deliverable: Audit Pack.
  • Accept: No critical findings outstanding.

5.3 Ethics & Human Rights

  • Anti-discrimination tests, appeal transparency, proportionality guidelines.
  • Deliverable: Human Rights Impact Assessment (HRIA).
  • Accept: Board attestation.

Phase 6 — Diplomacy & External Relations (parallel tracks)

6.1 Recognition Strategy

  • Prioritize MOUs with NGOs, universities, chambers, standards bodies, and willing states for limited-purpose recognition (e.g., accepting DSB e-signatures or credentials).
  • Deliverable: Recognition Dossier + Template MOU.
  • Accept: ≥3 executed MOUs in Year 1.

6.2 Host-State Arrangements

  • Negotiate data hosting safe harbors, registered offices (non-territorial), or cultural mission status to facilitate operations.
  • Deliverable: Host Agreement Playbook.
  • Accept: At least one host agreement finalized.

Product & Engineering Backlog (cross-phase)

Core Systems

  • Member Registry (event-sourced), Credential Registry (revocation lists), Case/Appeals, Payments (if fees), Messaging & Ceremony.

APIs/SDKs

  • Issuance API, Verification API, Webhooks for status changes, Admin API with immutable audit logs.

Integrations

  • KYC providers (document, selfie liveness), sanctions screening, HSM/KMS, email/SMS gateways.

UX

  • Application flows ≤10 minutes, save/resume, accessibility AA+, multilingual, oath UX.

Observability

  • Metrics: time-to-issue, approval rates, fraud rate, credential use rate, verifier NPS.

Distinguishing eResidency vs eCitizenship (policy knobs)

Assurance

  • eResidency: LOA 1–2
  • eCitizenship: LOA 2–3

Rights

  • eResident: Use DSB digital ID, signatures, services
  • eCitizen: Governance vote, public offices, honors, diplomatic corps (as policy allows)

Duties

  • eCitizen: Oath; possible service contribution/hour benchmarks

Fees

  • eResidency: Lower, subscription-like
  • eCitizenship: One-time plus renewal/continuing good standing

Revocation

  • Graduated sanctions; transparent registry
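As an added example (not code from this task map or from The Order's repository), the following shows how a relying party using the Verifier SDK from 2.4 could apply the Assurance and Revocation knobs above together with the Credential Registry's revocation list. The issuer DID, registry URL and per-type LOA thresholds are constructed assumptions, and cryptographic proof verification is assumed to happen before this policy gate.

```javascript
// Trust anchors the relying party accepts (constructed DIDs, an assumption).
const TRUSTED_ISSUERS = new Set(["did:example:dsb-issuing-ca-1"]);

// Minimum LOA per credential type, following the map's ranges
// (eResidency LOA 1-2, eCitizenship LOA 2-3); the thresholds are assumed.
const MIN_LOA = { eResidentCard: 1, eCitizenPassport: 2 };

// Credential Registry revocation list: one bit per issued credential,
// 1 = revoked (the shape of a W3C bitstring status list, without the
// gzip/base64 encoding of the published form).
class RevocationList {
  constructor(id, capacity) {
    this.id = id;
    this.bits = new Uint8Array(Math.ceil(capacity / 8));
  }
  revoke(index) { this.bits[index >> 3] |= 1 << (index & 7); }
  isRevoked(index) { return (this.bits[index >> 3] & (1 << (index & 7))) !== 0; }
}

const reject = (reason) => ({ ok: false, reason });

// Policy gate applied after the proof has been verified. It returns a
// decision rather than throwing so the exact reason can be audit-logged.
function verifyCredential(vc, registry, now) {
  if (!TRUSTED_ISSUERS.has(vc.issuer)) return reject("untrusted issuer");
  const type = vc.type.find((t) => t in MIN_LOA);
  if (!type) return reject("unknown credential type");
  // Negated comparison so an unparseable date (NaN) is also rejected.
  if (!(Date.parse(vc.expirationDate) > now)) return reject("expired");
  if (vc.credentialSubject.loa < MIN_LOA[type]) return reject("LOA below policy");
  const status = vc.credentialStatus;
  if (status.statusListCredential !== registry.id) return reject("unknown status list");
  if (registry.isRevoked(status.statusListIndex)) return reject("revoked");
  return { ok: true, reason: "accepted" };
}

// Constructed sample eResident Card (claims only; no proof object).
function sampleCredential(overrides = {}) {
  return {
    issuer: "did:example:dsb-issuing-ca-1",
    type: ["VerifiableCredential", "eResidentCard"],
    expirationDate: "2030-01-01T00:00:00Z",
    credentialSubject: { id: "did:example:member-42", loa: 2 },
    credentialStatus: {
      statusListCredential: "https://registry.example/status/1",
      statusListIndex: 42,
    },
    ...overrides,
  };
}
```

A revocation endpoint on the registry side only needs to flip the credential's bit and republish the list; every verifier that re-fetches it then rejects the credential with the same "revoked" reason.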

Acceptance Metrics (90-day MVP)

  • 95% issuance uptime; <48h median eResidency decision
  • <0.5% confirmed fraud after adjudication
  • ≥2 independent external verifiers using the SDK
  • First recognition MOU executed
  • Public policy corpus published and versioned

Minimal Document Set (ready-to-draft list)

  • Charter & Statute Book
  • TFP (Trust Framework Policy)
  • CP/CPS (Certificate Policy/Practice Statements)
  • KYC/AML SOP
  • Privacy Pack (DPIA, DPA templates)
  • Security Plan
  • HRIA (Human Rights Impact Assessment)
  • Benefits & SLA Catalog
  • Ceremony & Oath Script
  • Appeals Rules
  • Recognition MOU Template
  • Host-State Playbook

RACI Snapshot (who does what)

  • Founding Council: Approves Charter, Statutes, Recognition targets
  • Chancellor (Policy Lead): Owns legal/policy stack, diplomacy
  • CIO/CISO: Owns PKI, security, audits
  • CTO/Eng: Platforms, wallets, APIs, issuance & verification
  • Registrar: Operations, case management, ceremonies
  • Ombuds Panel: Appeals & remedies
  • External Counsel/Auditors: Opinions, audits, certifications

Implementation Priority

Immediate (Phase 0-1)

  1. Draft DSB Charter
  2. Legal & Risk Framework
  3. Trust Framework Policy
  4. Constitutional Instruments
  5. Privacy & Data Governance

Short-term (Phase 2-3)

  1. Identifier Strategy
  2. Credential Schemas
  3. PKI Infrastructure
  4. eResidency Workflow
  5. eCitizenship Workflow

Medium-term (Phase 4-5)

  1. Qualified e-Signatures
  2. Interoperability
  3. Security & Compliance
  4. Services Layer

Long-term (Phase 6)

  1. Recognition Strategy
  2. Host-State Arrangements
  3. External Relations

Integration with The Order

This task map integrates with The Order's existing systems:

  • Identity Service: Extends credential issuance for eResidency and eCitizenship
  • Database Package: Member registry, credential registry, case management
  • Auth Package: Enhanced authentication and authorization for membership classes
  • Workflows Package: Application workflows, appeals, ceremonies
  • Notifications Package: Application status, ceremony invitations, renewal reminders
  • Compliance Package: KYC/AML, sanctions screening, risk scoring