Apr–Jul 2026 — Consolidated Release Notes
Period: April 21 – July 2, 2026
Why a consolidated note: the per-sprint cadence paused at Sprint W16 (Apr 14–20). This page catches the release log up on the work that shipped since, grouped by theme rather than by week. Each item links the Architectural Decision Record (ADR) that governs it.
Multi-tenant isolation — RLS enforced
PostgreSQL Row-Level Security moved from defined to enforced. The application now runs as a non-superuser role (trustrelay_app) so RLS policies are no longer bypassed, with the DDL/DML connection URLs split (Alembic migrations use a privileged migration_database_url; the app runtime does not).
- ADR-0050 — RLS enforcement via non-superuser role-flip (DDL/DML URL split)
- ADR-0051 — tenant-scoped session selection for RLS-enforced access
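A check a reviewer can run after a role-flip like the one above, added here as an example and not taken from the project's code. It evaluates PostgreSQL catalog rows for the three ways a role still bypasses RLS: superuser, BYPASSRLS, or owning a table that lacks FORCE ROW LEVEL SECURITY. The table names, the `public` schema, the `postgres` and `trustrelay_migrator` role names and all sample rows are constructed assumptions.

```python
# Catalog queries (run over the privileged migration connection); rows feed audit_rls().
ROLE_SQL = "SELECT rolname, rolsuper, rolbypassrls FROM pg_roles WHERE rolname = %s"
TABLE_SQL = """
SELECT c.relname, c.relrowsecurity, c.relforcerowsecurity,
       pg_get_userbyid(c.relowner) AS owner
FROM pg_class c JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r' AND n.nspname = 'public'
"""

def audit_rls(role, tables, tenant_tables):
    """Return the reasons `role` could still read across tenants (empty = enforced)."""
    who, findings = role["rolname"], []
    if role["rolsuper"]:
        findings.append(f"{who}: superuser, policies are never applied")
    if role["rolbypassrls"]:
        findings.append(f"{who}: BYPASSRLS attribute set")
    by_name = {t["relname"]: t for t in tables}
    for name in tenant_tables:
        t = by_name.get(name)
        if t is None:
            findings.append(f"{name}: not found in catalog")
        elif not t["relrowsecurity"]:
            findings.append(f"{name}: row security not enabled")
        elif t["owner"] == who and not t["relforcerowsecurity"]:
            # Table owners skip policies unless FORCE ROW LEVEL SECURITY is set.
            findings.append(f"{name}: owned by {who} without FORCE ROW LEVEL SECURITY")
    return findings

# Constructed sample rows; table names and owner roles are hypothetical.
TENANT_TABLES = ["cases", "screening_results"]
TABLES = [
    {"relname": "cases", "relrowsecurity": True,
     "relforcerowsecurity": False, "owner": "trustrelay_migrator"},
    {"relname": "screening_results", "relrowsecurity": True,
     "relforcerowsecurity": False, "owner": "trustrelay_app"},
]
BEFORE_FLIP = {"rolname": "postgres", "rolsuper": True, "rolbypassrls": True}
AFTER_FLIP = {"rolname": "trustrelay_app", "rolsuper": False, "rolbypassrls": False}

if __name__ == "__main__":
    for role in (BEFORE_FLIP, AFTER_FLIP):
        print(role["rolname"], audit_rls(role, TABLES, TENANT_TABLES))
```

In the sample data the non-superuser role still has one finding, because it owns `screening_results` and that table is not forced.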
UBO & AMLR arc
The beneficial-ownership and AMLR-alignment programme landed across a fourteen-ADR sequence — from the ownership-computation engine through typed AMLR entities to live risk-paced re-screening.
- ADR-0053 — UBO ownership computation engine (multi-path summation, jurisdiction-configurable threshold, append-only audit)
- ADR-0054 — UBO control dimension (ControlEdge, >50%-implies-control)
- ADR-0055 — UBO senior-managing-official fallback when no ownership/control UBO
- ADR-0056 — 1-to-many person/UBO verification model
- ADR-0057 — min-2-independent-source verification gate (independence by distinct source)
- ADR-0058 — central register = cross-check only (require ≥1 non-central source)
- ADR-0059 — block approval on open UBO discrepancy (hard, fail-closed, audited override) + discrepancy SAR lifecycle
- ADR-0060 — NaturalPerson AMLR fields (plural nationalities, PEP/RCA, place of birth)
- ADR-0061 — role-based LegalArrangement model (trusts/foundations) + separate UBO path
- ADR-0062 — typed SubjectEntity + PurposeProfile (StatedPurpose, SoF/SoW)
- ADR-0063 — typed persisted ScreeningResult (append-only RLS table; ongoing-monitoring evidence trail)
- ADR-0064 — DB-enforced audit_events immutability (trigger + REVOKE + FK RESTRICT)
- ADR-0065 — dissolved-entity onboarding block-by-default (terminal status → 409 unless audited override)
- ADR-0066 — live risk-paced UBO re-screening + general-population monitoring (AMLR Art. 21/26)
Data-honesty controls — fail-closed, case-pack, four-eyes, SAR/STR, EU AI Act
A milestone cluster that makes compliance outputs honest and auditable end-to-end: the system may add scrutiny but never reports "clear" when no check ran.
- ADR-0067 — fail-closed compliance outputs & "not assessed" contract (never report clear when no check ran)
- ADR-0068 — country-capability registry & honest "not assessed for X" per jurisdiction
- ADR-0069 — regulator-ready case-pack export (tamper-evident ZIP + SHA-256 manifest + AMLR 5-year retention; carries honest gaps)
- ADR-0070 — maker-checker / four-eyes control (high-risk approve or fail-closed-gate override needs a second, different approver; PENDING_SECOND_APPROVAL state; both actors audited)
- ADR-0071 — SAR/STR lifecycle (draft → pending_mlro → approved → submitted → acknowledged, no-skip + fail-closed) + MLRO four-eyes gate + AMLD Art. 39 tipping-off boundary
- ADR-0072 — EU AI Act conformity record (system-level, data-driven Art. 11–15 from live model-tiers/prompt-registry; honest per-obligation satisfied/partial/gap)
Adverse-media recall & jurisdictional financials
Corrects the earlier "bot-blocked / vendor-limited" belief: the missed signals were free and public — the problem was recall (English-only queries, no alias/group expansion, no native-language escalators, non-fetched EE financials).
- ADR-0077 — multi-provider adverse-media retrieval (Tavily hardening + native ET/LT queries + mandatory deterministic escalator terms + triggered BrightData fallback, fail-closed-not-empty + per-provider provenance)
- ADR-0078 — adverse-media alias/brand/group expansion (screen the brand/group, not just the legal name; verified-identifier vs identifier-less two-lane attribution)
- ADR-0079 — Estonian company financials via RIK e-Äriregister avaandmed open data (free primary channel; sourced FHR or honest data-gap)
- ADR-0080 — Signal.FINANCIAL_STATEMENTS jurisdiction-gated capability (capability-gap vs data-gap distinction; extends ADR-0068)
Access control — RBAC Phase 2 active
Role-based access control moved from log-first to enforcing. A Permission enum and layered ROLE_PERMISSIONS (officer < mlro < tenant_admin < super_admin) back a require_permission dependency. After telemetry validation and human sign-off, Phase 2 went active on 2026-06-28 — rbac_enforcement_enabled=True, so unauthorized calls now return 403 instead of logging rbac.would_deny and allowing.
- ADR-0074 — RBAC enforcement, phased (log-first → enforcing)
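The phased model described above, sketched as an added example that is not the project's own code. It shows the layered role table and how one flag turns a logged `rbac.would_deny` into a 403. The permission members, the per-layer assignments, the `Forbidden` exception and the framework-free shape of `require_permission` are assumptions.

```python
import logging
from enum import Enum

log = logging.getLogger("rbac")

class Permission(str, Enum):
    # Member names are assumptions; the page names the enum, not its members.
    CASE_READ = "case:read"
    SAR_APPROVE = "sar:approve"
    USER_MANAGE = "user:manage"
    TENANT_MANAGE = "tenant:manage"

# Ascending order from the page: officer < mlro < tenant_admin < super_admin.
ROLE_ORDER = ("officer", "mlro", "tenant_admin", "super_admin")
# What each layer adds to the one below it (assumed assignments).
LAYER_ADDS = {
    "officer": {Permission.CASE_READ},
    "mlro": {Permission.SAR_APPROVE},
    "tenant_admin": {Permission.USER_MANAGE},
    "super_admin": {Permission.TENANT_MANAGE},
}

def build_role_permissions():
    """Accumulate layers so every role inherits all lower roles' permissions."""
    table, inherited = {}, frozenset()
    for role in ROLE_ORDER:
        inherited = inherited | LAYER_ADDS[role]
        table[role] = inherited
    return table

ROLE_PERMISSIONS = build_role_permissions()

class Forbidden(Exception):
    status_code = 403  # what the HTTP layer would return to the caller

def require_permission(permission, *, enforcement_enabled):
    """Build a check(role) for one permission; stand-in for a web dependency."""
    def check(role):
        # An unknown role maps to the empty set, so it is denied, never allowed.
        if permission in ROLE_PERMISSIONS.get(role, frozenset()):
            return "allow"
        if enforcement_enabled:  # Phase 2: refuse the call
            raise Forbidden(f"{role} lacks {permission.value}")
        # Phase 1 (log-first): record the would-be denial, then let the call through.
        log.warning("rbac.would_deny role=%s permission=%s", role, permission.value)
        return "would_deny"
    return check
```

Counting `rbac.would_deny` events per role and endpoint during the log-first phase gives the list of calls that will start returning 403 once the flag is set.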
Audit-pack governance & CI recovery — PR #166
Two MLRO/CTO reviews of the OB Holding regulator pack drove Waves 1–4 of governance hardening (10 commits): a verification-overlay note, provenance and decided-by fields, a standalone SAR/STR assessment artifact (migration + record_assessment + sar_assessment.html + fail-closed pack inclusion), memo HARD-STOP action + Art. 69 consistency, report "basis of overall rating", and an SOP + pre-seal checklist. Wave 4 added a runtime SAR-first gate (single-sourced predicate; gates evidence-request / decision / portal / chat) — adversarial verification caught and fixed a critical fail-open (wrong workflow-state key) before merge.
In the same PR, GitHub Actions billing was restored and the Backend Tests job was rebuilt (packages installed, pydantic-ai<2 pin, schema materialised from Alembic on the pgvector/pgvector:pg16 image, trustrelay_app RLS role, MinIO service, SCAN_MOCK_MODE). CI now runs for real: ~7,268 backend tests passing, with ~80 pre-existing residual failures tracked in issue #167. The prior "CI red = billing disabled" assumption is now stale.
Decision-memo PDF — PR #169
The Officer Decision Memorandum now renders as a PDF, making the officer's rationale a first-class, exportable artifact alongside the case pack.
Case-pack provenance & network adverse-recall gap — PR #171
The case-pack source appendix now carries honest per-source provenance, and the pack surfaces a network-level adverse-media recall gap rather than silently omitting it — keeping the "never suppress a signal" invariant intact at the network scope.
See also
- ADR index — the full decision register (81 ADRs, latest ADR-0082)
- Sprint W16 release notes — the last per-sprint entry before this consolidated note