🗺️ SaaS — Product Roadmap & Task Map

reuseplatform backend ~85% factored (28 NuGet pkgs); dup is on the RN-web frontend (erevna-web↔katalogos-web near-clones). ✅ pwa-sw extracted + erevna migrated (stale-cache bug FIXED), LIVE prod. ✅ bff-web-client extracted + BOTH apps migrated (#194) — LIVE prod 2026-06-14; ~343 LOC/app removed; csrf/session/toast as ports; tarball-bridge Docker-safe. Verified: staging E2E (katalogos 19 + erevna-questioner 8) through real BFF login/CSRF/CRUD + prod smoke (login UI + /bff/config 200, no errors). ✅ tenant-theme-web extracted + BOTH apps migrated (#195) — LIVE prod 2026-06-14; ~800 LOC/app removed; react-query-free core, httpGet/httpPut + per-app palette as ports; staging E2E 19+8 + prod smoke green. ✅ orval-preset extracted + BOTH apps migrated (#196) — LIVE prod 2026-06-14; defineOrvalConfig factory + 6 mutators + createHttpClient; regenerated clients BYTE-IDENTICAL; ~314 LOC/app removed; staging E2E 19+8 + prod smoke green. 3-package RN-web dedup wave COMPLETE (~1,460 LOC removed per app across bff+theme+orval). P1 progress 2026-06-14: ✅ frontend-devtools (eslint 17 rules + i18n init) PUBLISHED @1.0.2 (1.0.1 shipped w/o dist — fixed w/ files:[dist]) + BOTH apps migrated, LIVE prod (19 eslint files deleted/app, lint-parity 0=0, i18n→initI18n; staging E2E 19+8). ✅ analytics-web @1.0.1 PUBLISHED (vehicle ready). ✅ kefi-web already on the shared stack (auth-web/auth-client, n=3). ✅ Keycloak realm-wiring→Identity.Keycloak 1.6.1 DONE — ALL 6 backend services LIVE PROD 2026-06-14 (Content/Notification/OnlineMenu/Questioner/Kefi/Tenant): extracted 4 byte-identical helpers into new Identity.Keycloak.Authentication ns (KeycloakHttpOptions / KeycloakHttpClientExtensions / MultiRealmJwtBearer.ConfigureMultiRealm / KeycloakClaimsHelper); each service deletes its 3 local Security/ copies, RealmAuthorization*/SuperUser*/IClaimsTransformation stay per-service; ~4,400 unit tests green; per-service staging→auth-E2E→prod; published Identity.Abstractions 1.6.2 to unblock the dep chain; caught+fixed a Tenant CrashLoopBackOff (CentralPackageTransitivePinning vs local-feed Identity.Abstractions mismatch — build passes, runtime FileNotFound 1.6.2). ✅ analytics instrumentation DONE 2026-06-15 — Umami snippet live on erevna.dloizides.com (id 2ecad02e) + katalogos.dloizides.com (id 493b52aa) via each app's +html.tsx head (data-domains-scoped to prod); curl-verified on prod. Kefi Marketing already instrumented (#188); kefi-web organizer is admin-exempt / covered by per-tenant ids. ✅ login-error E2E fixed 2026-06-15 — 2 stale login.spec tests asserted a legacy window.alert dialog; the shared <LoginForm> surfaces errors INLINE (testID auth-login-error) → tests updated; 7/7 login.spec green on prod. ✅ adopt-existing: ContentService→MultiTenancy.EntityFrameworkCore 1.4.1 DONE + LIVE prod 2026-06-15 — deleted local Content.Infrastructure.MultiTenancy (ICurrentTenantService+CurrentTenantService), now consumes the shared MultiTenancy.Abstractions + AddMultiTenancy() (claims via Security.Claims); matches the other 4 backend services; fixed broken superuser detection (real role superUser, local checked superuser/SuperUser); 208 unit tests + content E2E 23 (staging) + 17 (prod) green. ✅ P1 (shared-lib tier + adoption) COMPLETE — only Poueni→Email.Smtp remains, deferred to the parallel Poueni session. ✅ ALL shared pkgs now on npm (tarball bridge retired, P0 done). Deferred (premature): GDPR contract, subscription-gate (n1), Storage.S3, QR. audit

platformvision consolidated plan 2026-06-14 (owner-confirmed): a scaffolder that generates a FULL product across ALL tiers (backend · PWA/web · Expo-native mobile · CI/deploy/E2E pipeline) with ready-made features, on shared libraries + shared platform services. P0 ✅ DONE 2026-06-14 — npm publish fixed (4 pkgs @1.0.1) + tarball bridge retired (both apps on registry deps, LIVE prod, E2E-verified). Priority order (owner): reusability → libraries → shared services FIRST; scaffolding LAST. P1 ✅ DONE 2026-06-15 (shared-lib tier: pwa-sw/bff/theme/orval/frontend-devtools + analytics + Keycloak realm-wiring on all 6 services + Content→MultiTenancy; only Poueni→Email.Smtp deferred). P2 ✅ DONE 2026-06-15 — published platform-adoption-contract.md + platform-core-services.md; audited the 4 product APIs (~90% de-facto compliant); gaps filed/closed: ✅ G1 cross-realm-wall→Identity.Keycloak.Authorization 1.7.0 DONE — ALL 5 services LIVE PROD 2026-06-15 (Tenant/Content/OnlineMenu/Questioner/Kefi; deleted 4-6 local wall files/service, AddRealmAuthorization(realmsConfigKey,enableSuperUser); config-key-flexible so no ProductRealms→AllowedRealms rename; ~4,050 unit tests + per-service auth-E2E + prod smoke; superuser opt-in, dual-scheme/canary preserved) · ✅ G5 Kefi validation (#208) DONE — LIVE prod 2026-06-15 (dropped the pinned-unused DLoizides.Validation; no shared-rule fit, 1009 tests green, kefi-api@dac109e89021) · ✅ G4 Content→Storage.S3 (#207) DONE — LIVE prod 2026-06-15 (migrated Content off its local AWSSDK wrapper onto shared Storage.S3 1.1.1; enriched the pkg to a superset — DeletePrefixAsync + bucket settings + AutoCloseStream=false; n=2 with Tenant; Content 191 + pkg 20 unit + content E2E 17/17 staging+prod, content-api@09c2e5ea02b0) · ✅ G2 Email (#205) DONE — LIVE prod 2026-06-15 (premise was stale: OnlineMenu has NO email + Questioner's MimeKit senders were DEAD CODE — its real comms delegate to NotificationService via events; deleted the dead infra + dropped MailKit dep, 313 tests, questioner-api@52232a6a175b) · ✅ G3 OnlineMenu billing (#206) RESOLVED 2026-06-15 — accepted divergence, no migration (OnlineMenu is a CONSUMER of subscription status — cached fail-safe read of the central PaymentService — whereas Subscriptions.AspNetCore is for a service that OWNS a subscription store like Kefi; forcing it = pointless proxy adapter on a live billing gate. Documented as deliberate). ✅ ALL P2 gaps G1–G5 CLOSED — the adoption contract is fully satisfied. P3 ✅ v1 DONE 2026-06-15 — pipeline templatization: manage.sh scaffold-service <slug> generates a new .NET backend's full pipeline (k8s Service/Deployment/Ingress + standardized Dockerfile + the 9 Tilt resources + a Playwright E2E project + manage.sh registration), parameterized by name/realm/ports, from scripts/templates/service/. Generates files + emits paste-snippets for the shared multi-service files (apis.yml/Tiltfile/playwright.projects.ts/manage.sh) rather than auto-editing them. Validated against a throwaway demo service (YAML parses, Keycloak-before-Jwt order preserved, 9 Tilt resources, 0 leftover placeholders). Follow-ups (optional): marker-based auto-insert, custom-domain RBAC fragment, CI workflow (skipped — no per-service CI in use). P4 ✅ DONE — all 3 Android APKs BUILT + LIVE prod 2026-06-15 — mobile/Expo-EAS Android tier: erevna/katalogos/kefi each EAS-build-ready (app.json android com.dloizides.<slug>+versionCode, eas.json APK profiles) → EAS cloud builds → self-hosted download (erevna.dloizides.com/download + katalogos.dloizides.com/download direct; kefi via bff-kefi proxy at the tenant host). Templatized as manage.sh scaffold-mobile + manage.sh publish-apk; runbook mobile-eas-runbook.md. Fixed 2 native-bundle bugs surfaced by the first build: frontend-devtools main entry pulled Node fs (→1.0.3, eslint moved to /eslint subpath) + kefi @mlc-ai/web-llm browser-only (→webllm.native.ts stub). iOS/Play-Store/push deferred. Next: the Capability Wave C1–C9 (cross-product reuse) → THEN P5 (capstone, composes everything). plan

reusevision From the 7-agent cross-product audit (2026-06-15): the shared/standardizable functionality every product + future product needs, sequenced proven-first; the P5 scaffolder's feature-toggle catalog. Map: cross-product-capability-map.md · graphical shared-and-reusable.html · order CAPABILITY-WAVE-ROADMAP.md. Owner: self-host default · build proven-first → P5 last · stores deferred until accounts exist. Order: C1 frontend UI kit (#214, ✅ COMPLETE — LIVE prod 2026-06-15 — 7 shared pkgs: ui-feedback@1.2.0 (feedback + shared useUi context) · ui-forms · ui-tables · ui-icons · legal-ui · ui-layout · utils@1.1.0 (extended); erevna+katalogos fully migrated. settings-hub deferred (stateful screens — needs app substrate shared). Next epic: C2 comms/push) · C2 comms/push (#213, ✅ COMPLETE/LIVE prod — was the #1 functional gap): push (Expo Push.Expo + VAPID Push.WebPush@1.0.1, web opt-in on erevna+katalogos; mobile activation gated on owner FCM, 2026-06-15) · marketing/bulk email (Marketing.AspNetCore@1.0.0 bulk-send over Maddy SMTP + merge + RFC 8058 HMAC unsubscribe + Loki, /api/v1/marketing/* + erevna Campaigns UI + E2E, 2026-06-16) · delivery webhooks (notification.delivered/campaign.sent wired into the existing dispatcher) · email templating+i18n (Email.Templating@1.0.0 — shared layout + en/el localizer, kefi's EmailLayout now delegates) · digest batcher (NotificationService, built+tested, scheduler off by default) — 2026-06-17. NOT Postal (forward-looking swap). 539 NS tests. · C3 ✅ COMPLETE/LIVE prod 2026-06-17 — generation abstraction (#212): provider-agnostic "generate X" seam (in-browser model · API provider · self-host ComfyUI/Diffusers · build-time sharp). DoD met (2 seams, 2 consumers): image @dloizides/og-image-generator@1.0.0 (ImageRasterizer + sharp-injected SharpRasterizer, consumer = kefi-marketing build-og, byte-identical) + text/copy @dloizides/text-generation@1.0.0 (TextGenerator + ChatCompletionsTextGenerator driving an injected in-browser WebLLM engine OR a remote OpenAI-compatible API + fetch provider + JSON helpers, consumer = kefi-web onboarding "Generate with AI", deployed prod @61ec6a05a0c7). Both zero runtime deps / 100% cov. Forward (optional): game art (Aurora SDXL/ComfyUI) · register audio (music-runtime) · integrate forge/ ·C4 ✅ COMPLETE/LIVE prod 2026-06-17 — games kit (#215). Phase-0 audit corrected the scope (C4-duplication-audit.md): the games share far less copy-paste logic than assumed — only haptics + save-state are defensible same-stack extractions; menu-fw/i18n/input/monetization/achievements all n=1 or divergent or cross-stack → DEFERRED (forward). C4.1: @dloizides/game-input@1.0.0 (player-toggleable Web Vibration wrapper, zero-dep, injectable nav/storage, HAPTIC_PATTERNS vocabulary). C4.2: @dloizides/save-state@1.0.0 (storage port KeyValueStore/memory/default + corruption-safe readJson/writeJson/removeKeys + generic versioned slotted SlotStore<T>). Both zero-dep/isomorphic/100% cov. Consumers: Aurora (haptics re-export shim + progress.ts on the storage port; 617 tests; deployed prod @a251e0eb) + Morphe (new haptics adoption + SaveManager wraps SlotStore; 772 tests; committed — Morphe has no k8s pipeline so undeployed-as-before). NB: @eisaipollis scope was never on npm (music-runtime only vendored via file:) → games pkgs publish under @dloizides. · C5 landing/marketing kit (#216, ✅ COMPLETE/LIVE prod 2026-06-18) — Phase-0 audit corrected scope (C5-duplication-audit.md): the 2 Astro sites share NO copy-pasted code (theme-system/contact-reveal/funnel all n=1, not dups); the real dups are the vanilla static KUCY↔UBS sites (sw.js + a fork bug, ledger-stats, countdown, register→WhatsApp) which have NO build step → vendored vanilla `<script>`, not npm. C5.2 ✅ manage.sh scaffold-landing <slug> — generates a static site shipping the web-app-standards baseline by construction (Umami + SEO/OG/JSON-LD + robots/sitemap + spam-safe JS contact + gzip nginx + k8s/manage.sh wiring); feeds P5. C5.1 ✅ @dloizides/event-landing-kit@1.0.0 (TS, 100% cov, zero-dep IIFE bundles: EventLandingKit page kit [buildWhatsAppUrl · initLedgerStats · initCountdown] + EventSW service-worker core) — vendored into KUCY (cache kucy-v185) + UBS (ubs-v163), both LIVE prod + Chrome-verified; fixes the cross-site SW cache fork bug (cleanup scoped to each site's own prefix); register form stays per-site (KUCY Pro-Video add-on). · C6 mobile shell+OTA (#211, ✅ COMPLETE as-scoped 2026-06-18) — Phase-0 audit corrected scope (C6-duplication-audit.md): no Expo app ships native (erevna/katalogos/kefi are web-first RN-web), OTA is greenfield (n=0), the one shipped native app (Poueni) is Kotlin → a shared Expo shell/OTA runtime has zero consumers. Owner decision: web-first PWA. Delivered C6.1 = enhanced scaffold-mobile (full app.json native baseline: deep-link scheme + Android intentFilters + iOS associatedDomains + splash/icon/adaptiveIcon + optional off-by-default expo-updates/runtimeVersion OTA seam + README OTA/deep-link runbook; personalServerNotes 6765600). Runtime shell + live OTA deferred-for-P5 (revisit if an Expo app ships native); follow-up: kefi-web missing icon/splash assets. · C7 observability/quality (#217, ✅ COMPLETE as-scoped 2026-06-18) — Phase-0 audit corrected scope (C7-duplication-audit.md): C7 was ~80% already shipped — Sentry crash reporting (backends + erevna/katalogos), production OTel/Prometheus/Loki/health/canary/Daily-Report, Cloudflare Turnstile on Kefi signup, Lighthouse + a full GH-Actions CI + static-smoke, and all 3 GDPR export/delete flows (divergent-by-design → Gdpr.Contracts NOT built, the C4/C5/C6 anti-pattern). Delivered the small real-gap polish (all LIVE): kefi-web Sentry+ErrorBoundary (the only web app missing it; erevna/katalogos already wired) · Web Vitals→analytics ×3 (web-only, consent-gated) · axe-core a11y E2E (new a11y-public Playwright project; caught + fixed a real WCAG contrast bug on the kefi hero "live" chip → all 3 green on prod) · per-app Lighthouse (kefi-web real: perf 0.99/a11y 1.00/bp 1.00/seo 0.91). Deferred-forward: flags service · full-text search · A/B generalization · secrets Vault · games/Poueni crash reporting. Follow-up: set SENTRY_DSN in prod (owner). · ⛔C8 app-store dist (#209, needs Play+Apple accts) · ⛔C9 Steam+game-publish (#210, needs Steamworks) · P5 scaffolder (#202, ✅ COMPLETE/validated 2026-06-19 — P5.1+P5.2+P5.3 all shipped) — Phase-0 audit done (P5-phase0-audit.md): premise VALID (synthesis, not extraction); all primitives shipped; gaps = source-gen templates + orchestrator. Sequence P5.1→P5.2→P5.3, emit registration snippets (no auto-edit), honest DoD = no hand-wiring of CODE + a runbook for owner-gated seams. P5.1 ✅ manage.sh scaffold-backend — generates a buildable .NET service SOURCE skeleton wired to the adoption-contract baseline A–M (Clean Arch Core/UseCases/Infra/ServiceDefaults/Web+tests, CPM/net10, sample Widget aggregate+GET/POST+InitialCreate migration+docker-compose; pairs with scaffold-service for the pipeline); validated generate→build 0W/0E→test 7/7, near-zero delta vs ContentService; personalServerNotes 5abcf18. P5.2 ✅ manage.sh scaffold-web — generates a minimal runnable RN-web/PWA app SHELL on the shared @dloizides/* stack (login→dashboard: all config/tooling + _layout providers/Sentry/ErrorBoundary/Web-Vitals + auth login + placeholder protected dashboard; EXCLUDES product screens) + a thin Bff.<Proj> skeleton; validated generate→npm install→lint 0/tsc 0/yagni 0/jest 4-4→expo export web PASS; personalServerNotes 8774cec (75 web + 8 bff templates). P5.3 ✅ manage.sh create-app <slug> — the CAPSTONE orchestrator: COMPOSES the four generators (scaffold-backend/web/mobile/landing) under one command (tiers --backend/--web/--mobile/--landing, default backend+web), BINDS feature toggles by FILLING the P5.3 seam markers in the generated backend (--billing Subscriptions.AspNetCore+ISubscriptionStore stub · --storage Storage.S3+IS3StorageService stub · --custom-domains CustomDomains.AspNetCore+ICustomDomainStore stub · --email Email.Smtp · --gdpr UserDeleted/UserDataExport consumer stubs · --analytics/--theming/--notifications frontend), and emits a consolidated REGISTRATION.md (all chained snippets, no auto-edit per audit #2) + a per-product RUNBOOK.md (only the enabled tiers/toggles' owner-gated seams: realm/DNS/Stripe/S3/email/Turnstile/Umami/EAS). Toggle versions pinned to the nuget.org-available builds (private newer = local-feed only). Validated: create-app demo --backend --web --landing --billing --analytics → backend dotnet build -c Release 0W/0E (TreatWarningsAsErrors+Sonar) + 7/7 tests; ALL backend toggles together (billing+storage+email+custom-domains+gdpr) also build 0W/0E; web shell + valid package.json + REGISTRATION/RUNBOOK complete. Footguns found+fixed: child-namespace store refs must be FQ; stub TODO comments trip Sonar S1135 (use neutral wording); the template seam COMMENT literally contains using Storage.S3;/a fake PackageVersion so guards must anchor ^; Email.Smtp 1.0.0 floors Identity.Abstractions 1.0.1 (NU1109 vs Identity.Keycloak 1.7.0's 1.6.2) + MailKit 4.15.1 (NU1902 → pin 4.17.0). P5 is now COMPLETE — true 0→running across all tiers up to the owner-gated boundary.

AMLsellable + hosted separate product (own repo openmindednewby/AMLService), LIVE prod aml-screening.dloizides.com. Phases 0/1/4/5 LIVE — secrets/OIDC-RP/linter (P0) · tenant onboarding + API keys + screening engine (TP/PM/FP + decision) + direct-per-watchlist ingestion (UN/OFAC/EU/UK ~38k entities, pg_trgm + JaroWinkler) (P1) · per-tenant risk-scoring engine (P4) · per-tenant matching config + phonetic + Wikidata PEP ~6958 (bounded) + stats dashboard (P5). ✅ aml Keycloak realm PROVISIONED + admin OIDC path verified end-to-end on prod 2026-06-18 (3 clients + claims scope; both admin principals → 200 on /v1/admin/stats; built a reusable realm scaffolder + ADDING-A-SERVICE-REALM recipe). ✅ Batch C — per-tenant external-provider opt-in LIVE prod 2026-06-18 (the comprehensive-PEP lever): tenants opt into a commercial provider (OpenSanctions ref) with their OWN credentials, additive "over and above" the local engine — AES-256-GCM-encrypted key at rest, per-tenant resolver, admin API GET/PUT/DELETE /v1/tenants/{id}/providers (key write-only), resilient (a bad tenant key can't break the screen); 176 tests. ✅ Batch D — true ongoing monitoring LIVE prod 2026-06-19 (197 tests): HMAC-signed webhook dispatcher (encrypted secret, screening.completed) + MonitoredSubject registry (monitor:true enrol-on-screen, GET/DELETE /v1/monitoring/subjects) + re-screen-on-list-change sweep emitting monitoring.alert (opt-in Monitoring:Enabled); prod-verified onboard-with-webhook + enrol + list/delete. ✅ Token-based (whole-name) phonetic matching LIVE prod 2026-06-19 — per-token dmetaphone text[] + GIN array-overlap (replaces first-token-only), so a sound-alike surname matches even with a misspelt first name; backfilled 112k names, recall-only (scorer still gates). ✅ Adverse-media AM-1 LIVE (best-effort) prod 2026-06-19 — query-time GDELT news search + keyword/rules → decision Review (opt-in, self-resilient); owner path = GDELT-free now → per-tenant BYO → commercial, keyword/rules → self-hosted NER → LLM (docs/adverse-media.md). AM-1.1 per-name cache LIVE 2026-06-19 (TTL + negative-caching; own DbContext scope — fixed a parallel-provider 500). ⚠️ GDELT free rate-limits a shared cluster IP persistently → GDELT-free is best-effort/demo-grade. ✅ AM-2 per-tenant bring-your-own adverse-media LIVE 2026-06-19 — a tenant configures their OWN GDELT-compatible endpoint+key+keywords (PUT /v1/tenants/{id}/providers/AdverseMedia, reuses Batch C framework, overrides global by name); their own quota = the reliable path. Prod-verified (no-endpoint 400, endpoint-no-key 200, screen 201). ✅ AM-3 relevance precision filter LIVE 2026-06-19 — pluggable IAdverseMediaRelevanceFilter (rules: subject-in-headline + negative-context, score+threshold) drops noisy co-occurrence hits on both providers; a neural NER drops into the seam later (needs in-pod-vs-sidecar infra call). ✅ Per-tenant monthly screening quota LIVE 2026-06-19 — fair-use/billing cap (429 over limit; admin PUT /v1/tenants/{id}/quota, tenant GET /v1/usage; counts API screens only, not monitoring re-screens); prod-verified. ✅ Per-tenant rate limit (screens/minute) LIVE 2026-06-20 — rolling-60s throughput/burst cap alongside the monthly quota (429 + Retry-After; set at onboarding or admin PUT /v1/tenants/{id}/rate-limit; GET /v1/usage reports it); prod-verified (limit 3 → 3×201 then 429). ✅ White-label slice (M4 start) LIVE 2026-06-21 — per-tenant branding (display name / logo / accent), GET /v1/branding + admin PUT /v1/tenants/{id}/branding + at-onboarding + validation; the /playground re-brands from the tenant behind the key (API stays brand-neutral); prod-verified. Remaining M4: admin-dashboard/marketing theming, per-tenant custom domain, UI i18n. ✅ Backend integration tests added 2026-06-21 — AMLService.IntegrationTests (WebApplicationFactory + Testcontainers Postgres; 9 tests: auth/screening/quota+rate-limit 429/usage/admin), closing the gap that the repo had only unit tests + no Playwright coverage. 386 unit + 9 integration green. ✅ Cold-start warmup LIVE 2026-06-19 — readiness gated on a startup DB warmup so K8s won't route the first screen onto a cold pod (fixes the cold-start 500). ✅ Case-management back-office (CM-1/2/3) LIVE 2026-06-19 — review/disposition (open|cleared|confirmed|escalated) + audit note thread + CSV/regulator export + bundled console at /cases/index.html (filter/page table, detail drawer, dispositions, notes); tenant-scoped; Chrome visual-QA'd. ✅ Own IdP (OpenIddict) LIVE prod 2026-06-20 — replaces the Keycloak dependency: machine (client_credentials) + human (authorization_code/PKCE + hosted login UI) auth at aml-identity.dloizides.com; AMLService accepts BOTH Keycloak and the own IdP (dual-authority, zero-downtime); stats dashboard signs in via OIDC. Both issuers prod-verified → 200. ✅ Engine backlog E1/E2/E3/E4/E6 LIVE prod 2026-06-20 (built in parallel by 5 agents on isolated worktrees → integrated + migration-verified [357 tests] → deployed image daa3573f; prod-smoked): E1 bulk search (POST /v1/screenings/bulk, JSON/CSV) · E2 PEP tiering + warning-type/category config · E3 neural-NER seam client (remote provider + flag, default rules; sidecar deploy still pending the in-pod-vs-sidecar call) · E4 comprehensive audit log (GET /v1/audit + CSV) · E6 criminal-records BYO provider type. ✅ E5 nickname/hypocorism matching LIVE prod 2026-06-20 (image 3cc3448f) — query expansion + nickname-aware engine classification; prod-verified ('Joe Kony'→Fail/JOSEPH KONY, exact-match gate + no-FP). The PowerPoint AML-engine spec is now COMPLETE bar E3's optional NER-sidecar deploy (infra call). ✅ Go-to-market surfaces LIVE prod 2026-06-20 (built in parallel by 5 agents → integrated + green-gated [368 tests] → deployed): full product docs (docs/architecture.md · api-reference.md · operations-runbook.md + index); 5-minute onboarding quickstart.md + Postman/.http + bulk-CSV template + sample payloads + onboarding-wizard polish; bundled developer-docs portal at /docs (Scalar rendering the now-prod-exposed OpenAPI at /swagger/v1/swagger.json; fixed the bulk dual-action Swagger 500 + directory-root index serving); AI-agent automation guide + OpenAI/Anthropic tool schemas + a runnable @proovid/aml-mcp-server (MCP tools screen/bulk/get/review, 8/8 tests); and a marketing landing LIVE at aml.dloizides.com (separate static nginx svc + LE TLS, web-app-standards: SEO/sitemap/robots/spam-safe contact). ⚠️ Umami website-id is a placeholder → owner one-liner (create the aml.dloizides.com Umami entry, paste the id, redeploy aml-marketing). ✅ Non-technical "Try it" page + MCP verified 2026-06-20 — /playground (paste API key once → screen a name → visual Pass/Review/Fail + risk + matches; onboarding wizard hands the key over via localStorage + "Test it now" CTA = no-code onboard→test path); MCP server verified end-to-end live (stdio → 4 tools → screen_person→Fail) + npm run smoke; repo hygiene (untracked mcp-server node_modules/dist). ✅ Per-call list selection + engine gaps + async batch LIVE prod 2026-06-22 — built concurrently in 3 isolated git worktrees → merged + migration-reconciled + green (421 unit + 19 integration): per-screen lists override (request.Lists now actually filters matching; playground list-picker) · POST /v1/screenings/{id}/rescreen · GET /v1/cases/{id}/regulator-pack (JSON bundle) · tamper-evident audit hash-chain + GET /v1/audit/verify · first-class async batch (POST /v1/screenings/batch CSV/XLSX → background job → /results download; ClosedXML; 50k cap; xmin-claimed for multi-replica; playground upload now uses it; verified the OpenSanctions test sheet runs). git-secrets sweep = clean (removed a stray 89MB images.tar). ⚠️ NER sidecar built + deployed then ROLLED BACK prod 2026-06-22 — aml-ner (FastAPI + spaCy, /assess→0.9 verified, ran 1/1) but with it running there was no room for an aml-screening Recreate rollover → the API pod went Pending (Insufficient memory, ~6 min outage); deleting aml-ner recovered it immediately. NER on PROD is GATED on a NODE RESIZE (prod node chronically ~94% memory). ✅ NER now LIVE on STAGING 2026-06-22 — the staging cluster (jim@staging, 16 GB node @ ~51%) runs aml-ner 1/1 + its aml-screening wired to it (/assess→0.9 verified in-cluster), so NER is fully validated end-to-end there. PROD aml-screening stays wired AdverseMedia__RelevanceProvider=remote. Image + manifest in ner-service/. ✅ PROD→STAGING NER over PRIVATE WireGuard 2026-06-22 — staging aml-ner exposed via a hostPort bound to hostIP staging (private interface only, NOT public; iptables not available since staging sudo=kubectl-only); prod AdverseMedia__RemoteNerEndpoint=http://staging:8089/; prod→staging HTTP /health verified over the tunnel. Graceful NER-down handling hardened — detailed PII-free log (names the endpoint, classifies timeout / unreachable / HTTP-status / bad-response, states the screen was unaffected) then degrades to rules (442 unit tests, +1 asserting the message). ⚠️ FOOTGUN: the staging hostPort is a LIVE patch (not in the committed manifest, since standalone co-locates NER) — re-patch if staging aml-ner is re-applied, else prod silently falls back to rules. ✅ 4 more features (4 parallel worktree agents) LIVE/ready prod 2026-06-22 (441 unit + 32 integration green): full-text search (GET /v1/screenings/search, Postgres stored tsvector generated col + GIN + ts_rank; migration AddScreeningSearchVector; prod-verified 19 hits ranked) · turnover-threshold monitoring engine (M1) (opt-in: ThresholdLedger/TurnoverEvent, POST /v1/threshold/events rolling-window→auto-rescreen on breach + threshold.breached webhook, GET /v1/threshold/subjects/{ref}, GET/PUT /v1/tenants/{id}/threshold-config; inert until a threshold is set; migration AddThresholdEngine; prod-verified turnover accrues) · UI i18n (M4) (EN/ES/FR vanilla shared/i18n.js + locales across playground/onboarding/stats/cases/docs, key-parity checked; prod-verified assets 200) · TypeScript SDK (M3) @proovid/aml-sdk@0.1.0 (18 typed methods, 33 tests; npm package, not deployed). Two parallel migrations (threshold+search, disjoint) auto-merged the snapshot + integration AutoMigrate proved the chain. ✅ GDPR data-privacy + small-engine batch (2 parallel worktree agents) LIVE prod 2026-06-22 (498 unit + 41 integration green; migrations AddDataPrivacy + AddCaseAttachmentsAndRescreenSchedule auto-merged): GDPR — data-subject rights /v1/privacy/subjects/{ref}/export|erase|restrict|object|rectify (SAR + right-to-erasure that anonymizes-in-place + de-links the subject; monitoring skips restricted/objected), consent capture + versioned copy + withdrawal, per-tenant DataRetentionDays + RetentionPurgeHostedService (anonymize, off by default); prod-verified (export bundle, consent 201, erase→recordsAnonymized:1 + de-link). Engine — POST /v1/cases/bulk, case attachments upload/list/download (10 MB cap, bytea), scheduled re-screen cadence (daily-delta + monthly-full ScheduledRescreenHostedService, off by default), RBAC support+developer_read read-only roles; all prod-verified. ✅ Buildable-polish cluster (2 parallel worktree agents) LIVE prod 2026-06-22 (506 unit + 45 integration): regulator-pack PDF (?format=pdf, MIT PdfSharpCore+MigraDocCore; FOOTGUN — slim Linux container ships NO fonts so PdfSharpCore threw "No Fonts installed" 500 → fixed with an EMBEDDED DejaVu font + an IFontResolver registered UNCONDITIONALLY [the GlobalFontSettings.FontResolver getter is lazily non-null so a null-guard never fires]; prod %PDF 43KB verified) · decision explainability (persist risk factors as jsonb + return on check/get + cases "why this decision" panel) · WCAG 2.1 AA across all bundled UIs (skip-links/landmarks/aria-live/focus-visible/contrast; live axe = 0 violations). ✅ Final buildable polish (2 parallel worktree agents) LIVE prod 2026-06-22 (521 unit + 48 integration): regulator-pack Parquet export (Parquet.Net, ?format=parquet, prod PAR1 3KB) · design-token theming (6 brand tokens secondary/surface/text/font/radius via branding API theme object + shared applyBrandTheme → CSS custom properties, graceful fallback; migration AddBrandTheme) · PT + DE languages (switcher now EN/ES/PT/FR/DE, parity-checked). Screening engine + back-office + GDPR is FEATURE-COMPLETE and the buildable engine/UI backlog is CLOSED. Remaining (backlog aml-backlog.md): only WorldCheck/Dow Jones connectors (contract-gated). Then the owner/ops track — M2 enhanced KYC (out of scope) · M5 compliance/DPIA + pen-test/UAT (owner) · M6 pilot & GA · SLO/WAF/data-locality (ops) · resize prod node (NER first-class on prod). Owner one-time: rotate IdP/provider/mailbox secrets + scrub git history; replace dev Postgres passwords. ROADMAP.md · analysis

Public flow ✅ + analytics+funnel/crosstab ✅ + 12 question types ✅ + survey embeds ✅ + server-side validation ✅ all LIVE prod. ✅ quota/closing-date (#244), ✅ respondent metadata + anonymity toggle (#245), ✅ save & resume (#246) — all DONE + LIVE prod 2026-06-22. #245: per-survey RespondentContactMode (Anonymous/Optional/Require) + respondent email capture (migration AddRespondentContact); public flow collects+validates name/email per mode. #246: separate SurveyDraft aggregate (migration AddSurveyDrafts; kept out of analytics/quota) + public save-draft/get-draft endpoints + "Save & continue later" UI with shareable ?draft= resume link + prefill. QuestionerService 97aa027/70eb5ee (344 tests), erevna-web 044f8c0/538131c (lint/tsc/yagni clean, 278 tests); staging→prod rollouts green, migrations applied clean, erevna.dloizides.com 200. Email invitations ✅ RESOLVED (owner 2026-06-22) — covered by the existing erevna Campaigns recipient-list email (NotificationService/Maddy); no dedicated survey-invite flow (would duplicate Campaigns). File-upload question type ⏸ DEFERRED (owner 2026-06-22) — needs an anonymous ContentService S3 upload endpoint (public abuse/cost surface); revisit later, possibly token-gated. Erevna is now feature-complete except the deferred file-upload. Beats incumbents on privacy/ownership; behind on distribution. strategy · erevna.md