Known Gaps & Roadmap

This page is the honest register of what Trust Relay does not yet do, or does only under a mock/stub. It succeeds the retired atlas/gaps-and-next-steps.md register (2026-06-11), whose items have largely closed. Keeping this list current is itself a compliance posture: an MLRO evaluating the platform should see the limitations plainly, not discover them in production.

Detailed engineering findings from internal code reviews (including security-sensitive items) are tracked in the repository under docs/research/ and in GitHub issues — not on this public page.

Closed since the 2026-06-11 register

| Former gap | Closed by |
| --- | --- |
| RLS inert (app ran as DB superuser) | ADR-0050 / ADR-0051 — app runs as non-superuser trustrelay_app; RLS enforced since 2026-06-12 |
| Sanctions false-positive suppression not evidence-based | ADR-0045 — evidence-based, tenant-scoped, always-visible suppression (implemented) |
| No maker-checker on high-risk decisions | ADR-0070 — four-eyes PENDING_SECOND_APPROVAL control |
| Compliance outputs could report "clear" when no check ran | ADR-0067 — fail-closed "not assessed" contract |
| audit_events immutability by convention only | ADR-0064 — DB trigger + REVOKE UPDATE/DELETE + FK RESTRICT |
| RBAC log-only (Phase 1) | ADR-0074 — Phase 2 deny-by-default 403 enforcement, active 2026-06-28 |

Open — capability gaps (mock/stub gated)

These raise NotImplementedError when their *_MOCK_MODE flag is false, so they are explicitly not silently faked in production:

  • Identity verification — real eID Easy / itsme / eIDAS integration is stubbed (app/services/eid_easy_service.py). KYC_MOCK_MODE=true uses realistic fixtures.
  • Sanctions / PEP / adverse-media screening — the live screening client is stubbed (app/services/kyc_screening.py); OSINT retrieval paths are real, the verified-list screening client is not.
  • Live company-status monitoring — company_status / aeo_status monitoring checks are stubs that fail closed: they return an indeterminate WARNING (never a benign no-change) so a possible dissolution cannot be ruled out (ADR-0067 extension).
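
The gating described in this section, sketched as an added example (not Trust Relay's own code): a stub that refuses to answer outside mock mode, a monitor stub that returns an indeterminate WARNING, and an aggregate that never reports "clear" for a check that did not run. Only KYC_MOCK_MODE and NotImplementedError come from the page; the function names, the Outcome values, the fixtures, the conversion of NotImplementedError into "not assessed" and the severity ordering are assumptions.

```python
import os
from enum import Enum


class Outcome(Enum):
    CLEAR = "clear"
    FLAGGED = "flagged"
    WARNING = "warning"            # indeterminate: a problem cannot be ruled out
    NOT_ASSESSED = "not assessed"  # the check never ran


# Constructed fixtures standing in for the "realistic fixtures" of mock mode.
MOCK_FIXTURES = {"Alice Example": Outcome.CLEAR, "Bob Sample": Outcome.FLAGGED}


def mock_mode(flag, env=None):
    """Only an explicit 'true' enables mock mode; unset or malformed means off."""
    env = os.environ if env is None else env
    return env.get(flag, "").strip().lower() == "true"


def verify_identity(subject, env=None):
    """Hypothetical stub: fixtures in mock mode, otherwise refuse to answer."""
    if mock_mode("KYC_MOCK_MODE", env):
        return MOCK_FIXTURES.get(subject, Outcome.NOT_ASSESSED)
    raise NotImplementedError("live identity verification is not implemented")


def check_company_status(company_id):
    """Hypothetical stub monitor: indeterminate WARNING, never 'no change'."""
    return Outcome.WARNING


def run_check(check, *args, **kwargs):
    """Assumption: a check that could not run is recorded as NOT_ASSESSED."""
    try:
        return check(*args, **kwargs)
    except NotImplementedError:
        return Outcome.NOT_ASSESSED


def overall(outcomes):
    """CLEAR only when at least one check ran and every check returned CLEAR."""
    outcomes = list(outcomes)
    # Assumed precedence, most severe first.
    for severe in (Outcome.FLAGGED, Outcome.NOT_ASSESSED, Outcome.WARNING):
        if severe in outcomes:
            return severe
    return Outcome.CLEAR if outcomes else Outcome.NOT_ASSESSED
```

An empty result list maps to "not assessed", so a run in which every check was skipped cannot surface as a clean result.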

Open — coverage gaps

  • Per-entity / per-director adverse-media recall (Tier B) — GitHub issue #170. The network adverse-media recall gap finding (PR #171) is the honest surface for this: related entities and named persons that were sanctions/PEP-screened but not individually adverse-media-searched are flagged as not assessed, not cleared. The recall work itself (searching each related entity) is parked.
  • Country depth — 12-country registry architecture (ADR-0034/0042/0079) with honest per-country capability gating (ADR-0068/0080); depth varies by jurisdiction, and an unsupported country/signal is labelled not assessed for X rather than silently skipped.

Open — platform / governance

  • SSO federation — design only (ADR-0076, Proposed), not implemented.
  • SCIM provisioning, ISO 27001/42001/27701 certification, data-residency controls — named as gaps in the EU AI Act conformity record (ADR-0072); not yet in place.
  • CI residual — GitHub issue #167: ~80 pre-existing backend-test failures remain after the Backend Tests job was rebuilt (PR #166); tracked for cleanup.

Doc-infrastructure items fixed 2026-07-02

  • Architecture-index undocumented list and the check-docs-sync.sh staleness gate had a path-normalization mismatch that made the gate silently skip backend files — corrected so the coverage metric and the pre-commit gate work as designed.
  • The published ADR registry table had drifted (stopped at ADR-0049) and 16 ADR mirror pages were uncommitted — both reconciled; a canonical docs/adr/README.md index now exists.