Implementation Status

As-of: 2026-05-09. Source: direct code inspection of passkey-shell repo, file-by-file verification. Status values: Done (shipped, tested) / In progress (partial) / Stubbed (code-ready, not wired) / Not started / Deprecated.

Backend — Core Services

Component	Status	Code Path	Test Coverage	Blockers	Notes
Vault read service (KSM SDK)	Done	`services/vault-read.service.ts`	`vault.factory.test.ts`	None	Real impl (`RealVaultReadService`) uses `@keeper-security/secrets-manager-core`. Mock has test helpers for revision bumps, orphan simulation.
Vault share service (Commander)	Done	`services/vault-share.service.ts`	`vault.factory.test.ts`	KSM Application IP lock needs unchecking	Three impls: `RealVaultShareService` (Commander subprocess), `StubVaultShareService` (staging), `MockVaultShareService` (local).
Commander subprocess wrapper	Done	`services/commander.ts`	Indirect via share service tests	None	`runCommander()` shells out to `python3 -m keepercommander`. Error classification: transient/persistent/terminal.
Vault factory (mode switching)	Done	`services/vault.factory.ts`	`vault.factory.test.ts`	None	Maps `VAULT_DEPLOYMENT_MODE` → service pairs. Legacy shim for v1 callers during convergence.
Governance service	Done	`services/governance.service.ts`	`governance.service.test.ts`	None	Resource/authority sync, approver resolution, policy context building, decision trace append.
Authority service (INV-1)	Done	`services/authority.service.ts`	`authority.service.test.ts`	None	Append-only authority history. Assign/revoke/replace operations. Drift reporting against vault state. INV-1 enforced by Postgres BEFORE UPDATE trigger.
Approval service	Done	`services/approval.service.ts`	`approval.service.test.ts`	None	Approval/denial workflow with policy engine evaluation and decision trace.
Lease service	Done	`services/lease.service.ts`	Integration tests	None	`startLease`, `releaseLease`, `expireLease`, `promptRenewal`. Sync-first/async-fallback issuance pattern.
Issuance service	Done	`services/issuance.service.ts`	`issuance.service.test.ts`	None	Token generation, constant-time verification, rate-limit predicate, INV-5 guard (rejects URL-shaped hashes).
Revocation service	Done	`services/revocation.service.ts`	`revocation.service.test.ts`	None	Batch revocation of issuance events by request ID. Calls `vaultShareService.removeOneTimeShare`.
Request service	Done	`services/request.service.ts`	`request-status.test.ts`	None	CRUD operations on Request model.
Record service	Done	`services/record.service.ts`	Indirect	None	Record CRUD with vault sync metadata.
Notification service	Done (mock)	`services/notification.service.ts`	`notification.service.test.ts`	Bot registration needed for real	Mock writes to Prisma `Notification` table. Real impl (Bot Framework Adaptive Cards) is interface-only. Share link no longer embedded in notification body — deep link to `/requests/:id#issue` instead.
Identity service (Entra ID)	Done	`services/identity.service.ts`	Indirect via auth middleware	None	JWT validation via `jose`, Entra tenant/audience/issuer config, group caching (5 min TTL).
Permission service	Done	`services/permission.service.ts`	Indirect	None	Resolves permissions from Vault folder ACLs + Entra groups. 5-minute cache in `UserPermissionCache`.
Audit service	Done	`services/audit.service.ts`	Indirect via integration tests	None	27-action audit enum. Writes `AuditEvent` rows.
Telemetry service	Done	`services/telemetry.service.ts`	`telemetry.service.test.ts`, `telemetry-fixtures.test.ts`, `telemetry.types.test.ts`	None	OpenTelemetry spans + metrics. Application Insights export.
Probe service	Done	`services/probe.service.ts`	`probe.service.test.ts`	None	Governance probe execution with event audit logging.
Serialization service	Done	`services/serialization.service.ts`	`serialization.service.test.ts`	None	Request/record serialization for API responses.
Auth status service	Done	`services/auth-status.service.ts`	Indirect	None	Resolves authentication status from request headers.
Commander health service	Done	`services/commander-health.service.ts`	Indirect	None	Health check for Commander subprocess availability.
Log redaction middleware	Done	`middleware/log-redaction.middleware.ts`	`log-redaction.middleware.test.ts`	None	Defense-in-depth: scrubs share URLs from console output. Installed before any other import in `server.ts`.

Backend — Policy Engine

Component	Status	Code Path	Test Coverage	Blockers	Notes
Policy engine (pure evaluator)	Done	`policy/engine.ts`	`engine.test.ts`	None	DENY short-circuits, TRIAGE > ROUTE > AUTO_APPROVE. No side effects.
Self-approval block rule	Done	`policy/rules/self-approval-block.ts`	`self-approval-block.test.ts`	None
Sensitivity escalation rule	Done	`policy/rules/sensitivity-escalation.ts`	`sensitivity-escalation.test.ts`	None
Visibility rule	Done	`policy/rules/visibility.ts`	`visibility.test.ts`	None
Duration caps rule	Done	`policy/rules/duration-caps.ts`	`duration-caps.test.ts`	None	Covers INITIAL, EXTENSION, RENEWAL request kinds.
Request state rule	Done	`policy/rules/request-state.ts`	`request-state.test.ts`	None	Validates transitions on 9-state machine.
Authority routing rule	Done	`policy/rules/authority-routing.ts`	`authority-routing.test.ts`	None
Access policy types	Done	`policy/access-policy.ts`	`access-policy.test.ts`	None	`PolicyActor`, `PolicySubject`, `GovernedResourcePolicyContext` types.
Context builder	Done	`policy/context-builder.ts`	`context-builder.test.ts`	None
Inputs hash	Done	`policy/inputs-hash.ts`	`inputs-hash.test.ts`	None	SHA-256 of canonicalized policy context.
Replay context	Done	`policy/replay-context.ts`	`replay-context.test.ts`	None
Rule composition	Done	`policy/rules/index.ts`	`composition.test.ts`	None	Standard rule chain wiring.

Backend — Background Jobs

Component	Status	Code Path	Test Coverage	Blockers	Notes
Lease scheduler	Done	`jobs/lease-scheduler.ts`	Indirect	None	60s interval. Expires leases, prompts renewals.
Vault sync job	Done	`jobs/vault-sync.job.ts`	Indirect	None	Syncs vault record metadata, detects rotations/orphans.
Permission sync job	Done	`jobs/permission-sync.job.ts`	Indirect	None	Re-resolves vault folder permissions, invalidates caches.
Discovery job	Done	`jobs/discovery.job.ts`	Indirect	None	Discovers new vault records not registered in Postgres.
Issuance retry job	Done	`jobs/issuance-retry.job.ts`	Indirect	None	Retries failed issuances. Budget N=3, backoff [30s, 1m, 2m, 4m].
Commander rotation check	Done	`jobs/commander-rotation-check.job.ts`	Indirect	None	Flags records where rotation is due.

Backend — Integration Tests

Component	Status	Code Path	Test Coverage	Blockers	Notes
Approve-then-issue flow	Done	`integration/approve-then-issue.test.ts`	—	None	End-to-end: request → approve → issue → verify INV-5 (no URLs in DB).
Governance snapshot	Done	`integration/governance-snapshot.test.ts`	—	None
Issuance cap trace	Done	`integration/issuance-cap-trace.test.ts`	—	None	Verifies maxIssuances enforcement.
Replay harness	Done	`integration/replay-harness.test.ts`	—	None	Decision replay verification.

Backend — Routes

Component	Status	Code Path	Test Coverage	Blockers	Notes
Auth routes	Done	`routes/auth.routes.ts`	Indirect	None
Records routes	Done	`routes/records.routes.ts`	Indirect	None
Requests routes	Done	`routes/requests.routes.ts`	Indirect	None
Leases routes	Done	`routes/leases.routes.ts`	Indirect	None
Audit routes	Done	`routes/audit.routes.ts`	Indirect	None
Notifications routes	Done	`routes/notifications.routes.ts`	Indirect	None
Admin routes	Done	`routes/admin.routes.ts`	Indirect	None	ADMIN role required. Vault sync, permission sync, discovery, record registration, folder listing.
Probe routes	Done	`routes/probe.routes.ts`	Indirect	None
Authority routes	Done	`routes/authority.routes.ts`	Indirect	None
Governance routes	Done	`routes/governance.routes.ts`	`governance.routes.test.ts`	None
Issuance routes	Done	`routes/issuance.routes.ts`	`issuance.routes.test.ts`	None	`POST /api/requests/:id/issue` — token-exchange endpoint.
Vault webhooks routes	Done	`routes/vault-webhooks.routes.ts`	Indirect	None
Commander health routes	Done	`routes/commander-health.routes.ts`	Indirect	None

Frontend

Component	Status	Code Path	Test Coverage	Blockers	Notes
React app (Fluent UI 9 + Tailwind)	Done	`frontend/src/`	Minimal	None	Full UI with routing, auth store, settings.
Teams theme hook	Done	`frontend/src/hooks/useTeamsTheme.ts`	None	None
Active lease hook	Done	`frontend/src/hooks/useMyActiveLease.ts`	None	None
Countdown hook	Done	`frontend/src/hooks/useCountdown.ts`	None	None
Resizable width hook	Done	`frontend/src/hooks/useResizableWidth.ts`	None	None
API service	Done	`frontend/src/services/api.ts`	None	None
Probe API service	Done	`frontend/src/services/probe-api.ts`	None	None
Teams service	Done	`frontend/src/services/teamsService.ts`	None	None
Auth store (Zustand)	Done	`frontend/src/stores/auth.store.ts`	None	None
Frontend test runner (vitest)	Stubbed	`frontend/tests/governance.spec.ts`, `frontend/src/components/RequestIssuancePanel.test.tsx`	2 test files exist	`vitest` not in package.json scripts	Test files exist but no `test` script in `frontend/package.json`. Cannot run tests.

Infrastructure & Deployment

Component	Status	Code Path	Test Coverage	Blockers	Notes
Staging deploy script	Done	`deploy/deploy-staging.ps1`	Manual	None	9-step PowerShell: build → package → zip deploy → smoke test.
Prod deploy script	Done	`deploy/deploy-prod.ps1`	Manual	None	Same 9 steps + confirmation prompt.
Staging app settings	Done	`deploy/appsettings-staging.json`	Manual	None	`VAULT_DEPLOYMENT_MODE=staging`.
Prod app settings	In progress	`deploy/appsettings-prod.json`	Manual	Entra values are placeholders	`ENTRA_APP_ID_HERE` etc. not yet populated.
Staging App Service	Done	Azure: `app-passkey-stg-ben-6b2f`	`/healthz` 200	None	B1 Linux, Node 22.
Prod App Service	Not started	Azure: `app-passkey-prod-1353`	Not deployed	Entra config, VNet setup, NAT Gateway	Provisioned but not serving traffic.
Prisma migration chain	In progress	`backend/prisma/`	—	Incomplete baseline	Used `db push` for staging. Need baseline migration before next environment.
KSM Application setup	In progress	External (Keeper Console)	—	IP lock checked at creation	KSM Application created. IP lock must be unchecked or application recreated. Folders not yet granted.
Bot Framework registration	Not started	—	—	M365 admin needed	`notification.service.ts` and card templates exist. No bot registered. No `BOT_REGISTERED` flag.
`getFolderPermissions()` in Real impl	Stubbed	`vault-read.service.ts`	—	KSM SDK doesn’t expose folder ACL	Interface method defined. `RealVaultReadService` throws “not supported by KSM SDK.” Zero callers in production code.
VNet + NAT Gateway (prod)	Not started	Azure: `rg-passkey-prod`	—	Prod deploy decision	`natgw-passkey-prod` referenced in CLAUDE.md but not provisioned.
Hand-linked SQL (Postgres ↔ Keeper UIDs)	Tactical	`seed-definition.ts`, manual	—	Discovery rebuild	Works but needs reconciliation or reset for v3.
Custom domain (pazzkey.com for portal)	Not started	—	—	DNS + SSL cert	No custom domain binding on any App Service.

Seed & Fixtures

Component	Status	Code Path	Test Coverage	Blockers	Notes
Seed definition (single source)	Done	`seed/seed-definition.ts`	Used by tests	None	Canonical record/user/folder/authority shapes.
Postgres seed emitter	Done	`seed/emit-postgres-seed.ts`	—	None
Vault fixture emitter	Done	`seed/emit-vault-fixture.ts`	—	None
Governance fixtures	Done	`backend/seed/governance-fixtures.ts`	—	None