Roadmap
As-of: 2026-05-09. Roadmap reviewed: 2026-05-09. Next review: 2026-06-09.
Source: codebase state, manifest.yaml, appsettings-staging.json, appsettings-prod.json, project conversation history.
Now — v1 (Staging Pilot)
Goal: Demonstrate the governance-first credential issuance pattern end-to-end in a controlled environment. Validate that the architecture, policy engine, and Keeper integration hold up under real (if limited) use.
Current state as of 2026-05-09:
- Staging deployed and healthy (`app-passkey-stg-ben-6b2f`, `/healthz` returns 200).
- Keeper trial active (12-day window from provisioning — expiry imminent).
- Vault mode: `staging` (KSM reads live vault, Commander shares stubbed).
- Governance gate: `HARDEN_GOVERNANCE_v1=false` (soak mode).
- Bot not registered — Teams notification flow is skeleton only.
- 33 backend test files passing.
- Frontend test runner not wired.
Key Components:
| Component | Status | Notes |
|---|---|---|
| Backend (Express + Prisma + Postgres) | Deployed | All core services, policy engine, 6 background jobs |
| Frontend (React + Fluent UI 9) | Deployed | Full UI, embedded in App Service static serve |
| Entra ID authentication | Working | JWT validation against configured tenant |
| KSM vault reads | Working | Real reads in staging via RealVaultReadService |
| Commander vault shares | Stubbed | StubVaultShareService — logs intent, returns synthetic result |
| Policy engine (6 rules) | Working | Pure evaluator, decision traces persisted |
| Governance authority model (INV-1) | Working | Append-only, DB trigger enforced |
| Audit trail (27 actions + decision traces) | Working | |
| Issuance token exchange (INV-5) | Working (code) | Not exercised in true mode on staging |
Dependencies: None external — v1 is self-contained on staging.
Estimated Effort: Complete (v1 is shipped to staging).
Risks:
- Keeper trial expires before integration validation completes.
- `HARDEN_GOVERNANCE_v1` has never been tested in `true` mode.
- No production path yet.
Decision Owner: Ben (engineering).
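The soak-mode risk above is easier to reason about with the gate pattern written out. The following TypeScript is an added illustration, not code from this project: it assumes a pure rule evaluator that persists a decision trace per request, and a gate whose mode is derived from the `HARDEN_GOVERNANCE_v1` flag string. The rule names (`no-self-issue`, `approval-required`, `ticket-required`), the request shape and the `GovernanceGate` class are invented for the example and stand in for the page's six-rule policy engine. In soak mode a denial is recorded but never enforced, which is exactly why flipping to `true` needs a staging pass: the trace count of would-be denials is the only signal soak mode gives you.

```typescript
// Added example: feature-flagged governance gate in "soak" vs "enforce" mode.
// Not project code; rules, trace shape and flag parsing are assumptions.

type Decision = { allowed: boolean; rule: string; reason: string };
type IssuanceRequest = { requester: string; credentialOwner: string; approvals: number; ticketId?: string };
type GateMode = "soak" | "enforce";
type DecisionTrace = { request: IssuanceRequest; decision: Decision; mode: GateMode; enforced: boolean; at: string };

type Rule = (req: IssuanceRequest) => Decision | null;

// Hypothetical rules standing in for the real six-rule policy engine.
const rules: Rule[] = [
  (r) => r.requester === r.credentialOwner
    ? { allowed: false, rule: "no-self-issue", reason: "requester owns the credential" } : null,
  (r) => r.approvals < 1
    ? { allowed: false, rule: "approval-required", reason: "no approvals recorded" } : null,
  (r) => !r.ticketId
    ? { allowed: false, rule: "ticket-required", reason: "no change ticket" } : null,
];

// Pure evaluator: the first denying rule wins; otherwise the request is allowed.
export function evaluate(req: IssuanceRequest): Decision {
  for (const rule of rules) {
    const d = rule(req);
    if (d) return d;
  }
  return { allowed: true, rule: "default-allow", reason: "no rule denied" };
}

// Anything other than the literal "true" (after trimming/case folding) stays in soak mode,
// so a typo in appsettings cannot accidentally enforce.
export function parseGateFlag(raw: string | undefined): GateMode {
  return (raw ?? "false").trim().toLowerCase() === "true" ? "enforce" : "soak";
}

export class GovernanceGate {
  readonly traces: DecisionTrace[] = [];
  constructor(private readonly mode: GateMode) {}

  // Returns true when issuance may proceed. Every decision is traced in both modes;
  // only enforce mode turns a denial into a blocked request.
  check(req: IssuanceRequest): boolean {
    const decision = evaluate(req);
    const enforced = this.mode === "enforce" && !decision.allowed;
    this.traces.push({ request: req, decision, mode: this.mode, enforced, at: new Date().toISOString() });
    return !enforced;
  }

  // Pre-flip check for staging: how many traced requests would have been blocked
  // had the gate been enforcing? A non-zero count means the flip changes behaviour.
  wouldBlockCount(): number {
    return this.traces.filter((t) => !t.decision.allowed).length;
  }
}
```

Before setting the flag to `true` on staging, run the soak traces through `wouldBlockCount()`; if it is non-zero, those are the requests that will start failing, and each one should be explained by the rule named in its trace.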
Next — v3 (Production Hardening)
Status: Scope not locked. The items below represent the expected minimum for a production-ready deployment. Several require PO/CTO input before work begins.
Goal: Deploy to production with full Keeper integration, Teams notifications, and hardened governance gate. Establish the system as a reliable, production-grade service.
Key Components:
| Component | Status | Decision Needed? |
|---|---|---|
| Production App Service deployment | Not started | Yes: SKU tier (S1 vs P1V2), custom domain, SSL cert |
| VNet + NAT Gateway + private endpoints | Not started | Yes: Network topology approval |
| Keeper trial → paid conversion | Not started | Yes: License tier, seat count, budget approval |
| KSM Application IP lock fix | Not started | No — operational task (uncheck or recreate) |
| KSM folder grants in Keeper Console | Not started | No — operational task |
| Commander in full mode (live shares) | Not started | Depends on Keeper licensing |
| HARDEN_GOVERNANCE_v1=true | Not started | No — but requires staging validation first |
| Bot Framework registration | Not started | Yes: M365 admin approval, bot identity owner |
| Teams Adaptive Card notifications (real) | Not started | Depends on bot registration |
| Frontend test runner (vitest) | Not started | No |
| Discovery strategy finalization (UID-pinned) | Not started | Yes: Reset vs. reconcile hand-linked SQL |
| Dedicated Postgres database | Not started | No — operational task |
| Baseline Prisma migration | Not started | No |
| Prod appsettings-prod.json completion | Not started | Depends on Entra registration for prod |
| Monitoring + alerting baseline | Not started | Yes: SLA targets, alert thresholds |
Dependencies:
- Keeper licensing decision (blocks Commander full mode and any live share testing).
- M365 admin approval (blocks bot registration).
- Production Entra app registration (blocks prod auth).
- CTO approval for production infrastructure spend (~$220–260/mo, see Cost Model).
Estimated Effort: 80–125 engineering hours (see Cost Model).
Risks:
- Scope creep if v3 isn’t explicitly bounded.
- Keeper licensing negotiation timeline unknown.
- M365 admin approval timeline unknown.
Decision Owner: CTO (scope lock), Ben (execution).
Later — v4 (SMS Android MFA)
Status: Conceptual. All items are assumptions, not commitments.
Goal: Add SMS-based OTP as a second factor for credential retrieval. Strengthen the issuance token exchange with device-bound verification.
Key Components:
| Component | Notes |
|---|---|
| SMS gateway integration | Azure Communication Services or Twilio. Decision needed. |
| Two-step issuance flow | Challenge + OTP verification before share URL delivery |
| ChallengeEvent schema model | New table for OTP challenge audit |
| challenge.service.ts | New service for OTP generation, delivery, verification |
| Android companion app (option A) | If device-bound MFA is required beyond SMS |
| Standard SMS delivery (option B) | If SMS-only is acceptable for MVP |
| Threat model update | SIM swap, SMS interception, OTP replay analysis |
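The two-step issuance flow, the ChallengeEvent record and the OTP replay analysis in the table above fit together in one small service, sketched here in TypeScript as an added example. It is not the project's challenge.service.ts (which does not exist yet) and assumes an in-memory store in place of the planned table; the `ChallengeService` class, its method names, the 5-minute TTL and the 3-attempt lockout are choices made for the example. It stores only a hash of the OTP, rejects a consumed challenge (replay), an expired one, and one that has exhausted its attempts, and reports a reason string so the audit trail can record why a verification failed. SMS delivery itself is left to the caller, since the gateway vendor is still undecided.

```typescript
// Added example: OTP challenge lifecycle with expiry, attempt limit and single-use (anti-replay).
// Not project code; ChallengeService, the TTL and attempt limit are assumptions.
import { createHash, randomInt, timingSafeEqual } from "node:crypto";

// Stand-in for the planned ChallengeEvent table row.
type ChallengeEvent = {
  id: string;
  issuanceId: string;
  otpHash: string;          // only the hash is stored; a DB read never reveals a live code
  expiresAt: number;        // epoch ms
  attempts: number;
  consumedAt: number | null;
};

const OTP_TTL_MS = 5 * 60 * 1000;   // assumed 5-minute validity window
const MAX_ATTEMPTS = 3;             // assumed lockout threshold

// Bind the hash to the challenge id so a code cannot be replayed against another challenge.
function hashOtp(challengeId: string, otp: string): string {
  return createHash("sha256").update(`${challengeId}:${otp}`).digest("hex");
}

export class ChallengeService {
  private readonly store = new Map<string, ChallengeEvent>();
  private seq = 0;
  // Injectable clock so expiry can be tested deterministically.
  constructor(private readonly now: () => number = Date.now) {}

  // Step 1: create the challenge. The plaintext OTP is returned once, for the SMS sender.
  create(issuanceId: string): { challengeId: string; otp: string } {
    const id = `chal-${++this.seq}`;
    const otp = randomInt(0, 1_000_000).toString().padStart(6, "0");
    this.store.set(id, {
      id, issuanceId, otpHash: hashOtp(id, otp),
      expiresAt: this.now() + OTP_TTL_MS, attempts: 0, consumedAt: null,
    });
    return { challengeId: id, otp };
  }

  // Step 2: verify before the share URL is delivered. Checks run in an order that never
  // reveals more than necessary: state (consumed/expired/locked) before code comparison.
  verify(challengeId: string, otp: string): { ok: boolean; reason: string } {
    const ev = this.store.get(challengeId);
    if (!ev) return { ok: false, reason: "unknown-challenge" };
    if (ev.consumedAt !== null) return { ok: false, reason: "replay" };
    if (this.now() > ev.expiresAt) return { ok: false, reason: "expired" };
    if (ev.attempts >= MAX_ATTEMPTS) return { ok: false, reason: "locked" };
    ev.attempts++;
    const expected = Buffer.from(ev.otpHash, "hex");
    const actual = Buffer.from(hashOtp(challengeId, otp), "hex");
    if (!timingSafeEqual(expected, actual)) return { ok: false, reason: "mismatch" };
    ev.consumedAt = this.now();   // single use: any later presentation is a replay
    return { ok: true, reason: "verified" };
  }
}
```

Each failure reason maps onto a row in the threat-model update: `replay` covers OTP replay, `expired` bounds the window in which an intercepted SMS is useful, and `locked` limits online guessing. None of this mitigates SIM swap, which is why the risks list below still calls SMS a weak second factor.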
Dependencies:
- v3 production deployment complete.
- SMS gateway vendor decision.
- Companion app vs. SMS-only decision.
- Security review of SMS threat surface.
Estimated Effort: 70–220 engineering hours (range depends on companion app decision).
Risks:
- SMS is not a strong second factor (SIM swap, SS7).
- Companion app adds significant Android development scope.
- May need to revisit if Keeper adds native MFA for share retrieval.
Decision Owner: CTO (commit vs. defer).
Out of Scope
The following are explicitly not planned for any current phase:
| Item | Reason |
|---|---|
| Multi-tenant support | v1–v4 are single-tenant. Multi-tenant requires schema partitioning, per-tenant vault config, and significant architectural changes. |
| Self-hosted / on-premise deployment | Azure-only. The architecture assumes Azure platform services (App Service, Key Vault, Postgres Flexible Server). |
| Non-Keeper vault backends | The IVaultReadService / IVaultShareService interfaces are designed for swap-in, but no alternative implementation is planned. |
| Mobile-native app (iOS/Android) for portal UI | The React frontend is responsive but not a native app. v4’s Android scope is limited to MFA companion, not the full portal. |
| Real-time credential rotation | The system detects rotations (via vault-sync.job.ts) but does not trigger them. Rotation is a Keeper-side operation. |
| SAML / non-Entra identity providers | Authentication is Entra-only. SAML or other IdP support would require a new identity service implementation. |
| Offline / air-gapped operation | Requires Azure platform services and network access to Keeper. |
| Automated SOC 2 / HITRUST certification | The system is designed to align with these frameworks but certification requires external audit. |