Known Gaps & Roadmap
This page is the honest register of what Trust Relay does not yet do, or does only under
a mock/stub. It succeeds the retired atlas/gaps-and-next-steps.md register (2026-06-11),
whose items have largely closed. Keeping this list current is itself a compliance posture:
an MLRO evaluating the platform should see the limitations plainly, not discover them in
production.
Detailed engineering findings from internal code reviews (including security-sensitive
items) are tracked in the repository under docs/research/ and in GitHub issues — not on
this public page.
Closed since the 2026-06-11 register
| Former gap | Closed by |
|---|---|
| RLS inert (app ran as DB superuser) | ADR-0050 / ADR-0051 — app runs as non-superuser trustrelay_app; RLS enforced since 2026-06-12 |
| Sanctions false-positive suppression not evidence-based | ADR-0045 — evidence-based, tenant-scoped, always-visible suppression (implemented) |
| No maker-checker on high-risk decisions | ADR-0070 — four-eyes PENDING_SECOND_APPROVAL control |
| Compliance outputs could report "clear" when no check ran | ADR-0067 — fail-closed "not assessed" contract |
| audit_events immutability by convention only | ADR-0064 — DB trigger + REVOKE UPDATE/DELETE + FK RESTRICT |
| RBAC log-only (Phase 1) | ADR-0074 — Phase 2 deny-by-default 403 enforcement, active 2026-06-28 |
Open — capability gaps (mock/stub gated)
These raise NotImplementedError when their *_MOCK_MODE flag is false, so they are
explicitly not silently faked in production:
- Identity verification — real eID Easy / itsme / eIDAS integration is stubbed (app/services/eid_easy_service.py). KYC_MOCK_MODE=true uses realistic fixtures.
- Sanctions / PEP / adverse-media screening — the live screening client is stubbed (app/services/kyc_screening.py); OSINT retrieval paths are real, the verified-list screening client is not.
- Live company-status monitoring — company_status / aeo_status monitoring checks are stubs that fail closed: they return an indeterminate WARNING (never a benign no-change) so a possible dissolution cannot be ruled out (ADR-0067 extension).
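The gating and fail-closed behaviour listed above, as an added sketch that is not Trust Relay's own code. Only KYC_MOCK_MODE and NotImplementedError come from this page; every class and function name is hypothetical, and mapping a refused stub to "not assessed" in the roll-up is an assumption based on the ADR-0067 contract.

```python
import os
from dataclasses import dataclass
from enum import Enum


class Outcome(str, Enum):
    CLEAR = "clear"
    WARNING = "warning"            # indeterminate: risk could not be ruled out
    NOT_ASSESSED = "not_assessed"  # the check never ran


@dataclass(frozen=True)
class CheckResult:
    check: str
    outcome: Outcome
    detail: str


def mock_mode(flag, env):
    # Only an explicit "true" enables fixtures; unset or anything else is off.
    return env.get(flag, "").strip().lower() == "true"


def verify_identity(subject, env):
    # Stubbed capability: fixtures in mock mode, a loud failure otherwise.
    if mock_mode("KYC_MOCK_MODE", env):
        return CheckResult("identity", Outcome.CLEAR, f"fixture for {subject}")
    raise NotImplementedError("live identity verification is not implemented")


def company_status(subject, env):
    # Monitoring stub that fails closed: never reports a benign "no change".
    return CheckResult("company_status", Outcome.WARNING,
                       "no live source; dissolution cannot be ruled out")


def run_checks(subject, env=os.environ, checks=(verify_identity, company_status)):
    results = []
    for check in checks:
        try:
            results.append(check(subject, env))
        except NotImplementedError as exc:
            # Assumption: a stub that refuses to run is surfaced, not dropped.
            results.append(CheckResult(check.__name__, Outcome.NOT_ASSESSED, str(exc)))
    return results


def overall(results):
    # "clear" only when at least one check ran and every check cleared.
    outcomes = {r.outcome for r in results}
    for worst in (Outcome.NOT_ASSESSED, Outcome.WARNING):
        if worst in outcomes:
            return worst
    return Outcome.CLEAR if outcomes else Outcome.NOT_ASSESSED
```

With the flag unset or false, the identity stub raises and the roll-up reports not_assessed; with it true, the roll-up is still held at warning by the company-status stub.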
Open — coverage gaps
- Per-entity / per-director adverse-media recall (Tier B) — GitHub issue #170. The network adverse-media recall gap finding (PR #171) is the honest surface for this: related entities and named persons that were sanctions/PEP-screened but not individually adverse-media-searched are flagged as not assessed, not cleared. The recall work itself (searching each related entity) is parked.
- Country depth — 12-country registry architecture (ADR-0034/0042/0079) with honest per-country capability gating (ADR-0068/0080); depth varies by jurisdiction, and an unsupported country/signal is labelled not assessed for X rather than silently skipped.
Open — platform / governance
- SSO federation — design only (ADR-0076, Proposed), not implemented.
- SCIM provisioning, ISO 27001/42001/27701 certification, data-residency controls — named as gaps in the EU AI Act conformity record (ADR-0072); not yet in place.
- CI residual — GitHub issue #167: ~80 pre-existing backend-test failures remain after the Backend Tests job was rebuilt (PR #166); tracked for cleanup.
Doc-infrastructure items fixed 2026-07-02
- Architecture-index undocumented list and the check-docs-sync.sh staleness gate had a path-normalization mismatch that made the gate silently skip backend files — corrected so the coverage metric and the pre-commit gate work as designed.
- The published ADR registry table had drifted (stopped at ADR-0049) and 16 ADR mirror pages were uncommitted — both reconciled; a canonical docs/adr/README.md index now exists.