- Backend: ShallowEtagHeaderFilter for /api/v1/*, API-VERSIONING.md, README (tenant, CORS, Flyway, ETag)
- k8s: backend-deployment.yaml (Deployment, Service, Secret/ConfigMap)
- Web: scaffold with directory pull, 304 handling, touch-friendly UI
- Android 16: ANDROID-16-TARGET.md; BuildConfig STUN/signaling, SMOAApplication configures InfrastructureManager
- Domain: CertificateManager revocation stub, ReportService signReports, ZeroTrust/ThreatDetection minimal docs
- TODO.md and IMPLEMENTATION_STATUS.md updated; communications README for endpoint config

Co-authored-by: Cursor <cursoragent@cursor.com>
SMOA – Remaining and Optional Tasks
Single list of remaining and optional work. References: BACKEND-GAPS-AND-ROADMAP.md, REQUIREMENTS-ALIGNMENT.md, PLATFORM-REQUIREMENTS.md, IMPLEMENTATION_STATUS.md.
Backend
Remaining
- Prod profile and DB – Done: application-prod.yml, ddl-auto: validate, Flyway; document PostgreSQL in README.
- Unit/tenant scoping – Done: TenantFilter when smoa.tenant.require-unit=true; X-Unit required for /api/v1.
- Migrations – Done: Flyway, V1__baseline.sql, baseline-on-migrate.
Optional
- Pagination – Done: @Parameter on PullController for since/limit.
- ETag / If-None-Match – Done: ShallowEtagHeaderFilter for /api/v1/*; GET list supports ETag and 304.
- Request ID – Done: RequestIdFilter (X-Request-Id, MDC).
- API versioning – Doc: backend/docs/API-VERSIONING.md (when to add v2, deprecation).
- Fix Gradle/Kotlin plugin – Resolve “plugin already on classpath with unknown version” so ./gradlew :backend:test runs (root vs backend plugin alignment).
Android app
Remaining
- SyncService serialization – Done: Gson in core:common; serialize* produce JSON bytes.
- Pull on connect – Done: PullAPI + BackendPullAPI; startSync() runs pull when online and emits to pullResults (merge by observing modules).
- API key in app – Done: BuildConfig.SMOA_API_KEY, passed to BackendSyncAPI (build with -Psmoa.api.key=…).
- Android 16 doc – Done: docs/reference/ANDROID-16-TARGET.md. Actual SDK bump when AGP 8.5+ is adopted.
Optional
- Knox integration – If required, integrate Knox SDK (e.g. secure storage, VPN) for target devices; Knox API level 39 is supported on primary device.
- WebRTC full integration – Replace WebRTCManager TODOs with actual PeerConnection, audio/video capture, and track setup when library is fully integrated.
- Connection quality from WebRTC – Replace StubConnectionQualityMonitor with implementation that uses WebRTC getStats() (bandwidth, RTT, loss) and calls SmartRoutingService/AdaptiveCodecSelector.
- InfrastructureManager endpoints – Done: BuildConfig SMOA_STUN_URLS, SMOA_SIGNALING_URLS; SMOAApplication configures STUN and signaling at startup; TURN set programmatically (see modules/communications/README.md).
- Screen sharing / file transfer – Implement TODOs in VideoTransport for screen sharing and file transfer in meetings.
- SmartCardReader – Implement actual card detection, connection, disconnection (or remove if not required).
iOS (last 3 generations)
Remaining
- iOS app project – Scaffold: docs/ios/README.md. Create full app (Swift/SwiftUI) targeting iOS 15, 16, 17.
- Keychain for API key – To implement in iOS app.
- Offline queue – To implement in iOS app (queue sync when offline; retry when online).
Optional
- Face ID / Touch ID – Optional app unlock or sensitive-action auth.
- Certificate pinning – Optional for API calls.
Web Dapp (Desktop / Laptop + touch)
Remaining
- Web scaffold expand – Done: docs/web-scaffold/index.html – API info, health, Pull directory (GET /api/v1/directory, list display, 304 handling); vanilla JS, no build step. Full SPA (React/Vue/Svelte) remains optional.
- Build and host – Build pipeline and HTTPS hosting when SPA is ready.
- CORS – Configure backend smoa.cors.allowed-origins for web app origin(s) in production.
Optional
- Offline – Service Worker + Cache API; queue sync in IndexedDB/localStorage and flush when online.
- PWA – Installable; optional offline shell.
Infrastructure
Optional
- Reverse proxy – Done: nginx-smoa.conf.example, docker-compose.yml.
- TURN / signaling – Host TURN and/or signaling for WebRTC if not using external services.
- k8s manifests – Done: docs/infrastructure/k8s/backend-deployment.yaml (Deployment, Service, optional Secret/ConfigMap).
Domain / compliance (optional, by priority)
High (requires approvals / provider selection)
- NCIC/III integration – NCIC API (CJIS approval required).
- ATF eTrace – ATF eTrace API (federal approval required).
- eIDAS QTSP – Integrate with Qualified Trust Service Provider; qualified signatures, timestamps, EU Trust Lists.
Medium
- Digital signatures – Full BouncyCastle (or similar) signature generation/verification; certificate chain validation.
- XML security – Apache Santuario; XMLDSig/XMLEnc for AS4 and compliance.
- CertificateManager.checkRevocationStatus – Stub clarified: returns UNKNOWN; extend with OCSP/CRL for production.
- AS4 full implementation – Full AS4 message envelope, ebMS 3.0, WS-RM, receipts, CPA (see AS4Service TODOs).
- Report digital signature – Done: ReportService.signReports + minimal SHA-256 content-hash signature; full signing via dedicated service when needed.
- Electronic seal – Actual seal verification (ElectronicSealService TODO).
Lower / future
- ZeroTrustFramework – Replaced TODO with “Minimal implementation; extend for production”.
- ThreatDetection – Replaced TODOs with “Minimal implementation; extend for production”.
- ATF form storage – Add entities and storage for ATF forms (ATFFormDatabase TODO).
- NCIC query storage – Add entities for NCIC query storage (NCICQueryDatabase TODO).
- Compliance gaps – Address domain-specific gaps in COMPLIANCE_EVALUATION.md (eIDAS QES, credential formats, barcode, NIBRS/UCR, etc.) per deployment priorities.
Testing
Optional
- Backend tests – Fix Gradle plugin so :backend:test runs; add more integration tests as needed.
- Android unit/integration – More unit tests for remaining modules; integration tests; UI tests; target 80%+ coverage where practical.
- E2E – End-to-end tests for critical flows (sync, auth, meetings).
Documentation
Optional
- README/back-end – Done: Backend README lists DELETE/GET, rate limit, audit, Docker, tenant (smoa.tenant.require-unit), Request ID, Flyway, PostgreSQL prod, CORS (smoa.cors.allowed-origins), ETag.
- Timeline – Done: IMPLEMENTATION_STATUS.md “Next steps (short-term)” section added.
Summary
| Area | Remaining | Optional |
|---|---|---|
| Backend | 0 | 2 |
| Android | 0 | 6 |
| iOS | 3 | 2 |
| Web Dapp | 2 | 2 |
| Infra | 0 | 2 |
| Domain | 0 | 12+ |
| Testing | 0 | 3 |
| Docs | 0 | 0 |
Use this file as the single checklist for remaining and optional work; link to it from docs/README.md or IMPLEMENTATION_STATUS.md as needed.