Roadmap
Snapshot of what is shipped, in flight, and deferred.
Shipped
| Capability | Service / package |
|---|---|
| Clinical case storage with encryption + audit | clinical-api |
| AI-driven case review (DERM 5.0.0) | ai-review |
| Configurable per-customer workflows | orchestrator |
| Human reviewer queue + decision capture | human-review |
| Patient consent registry | consent |
| OAuth2 service authentication + JWT | auth |
| User / role / org management | user-management |
| Email + Slack notifications | notifications |
| Crypto-shredding for GDPR Article 17 erasure | clinical-api |
| Multi-tenant isolation (per-org access control) | @sa-platform/auth-client |
| Observability: structured audit trail per service | All services |
| Internal admin console — Phase 1 (read-only dashboard, per-org drill-down, Google SSO) | admin-ui + admin-api |
In flight
- Documentation strategy (this initiative — audience-segmented hub, generation toolchain, MkDocs site, regulatory artifacts)
Deferred / future
- Reviewer UI (currently API-only)
- Internal admin console — Phase 2 (organisation / user CRUD + audit-log viewer)
- Internal admin console — Phase 3 (workflow definition editor)
- KMS key provider for production (currently LocalKeyProvider; AWS KMS provider scaffolded)
- Image-processing pipeline (resize / tile / archive)
- OIDC SSO for end-users (currently OAuth2 client credentials only; SA staff already use Google OIDC for the admin console)
- Retention nightly cron (manual trigger today)
- Managed event bus (Redis Streams today)
- Automated SOUP classification updates
- ISO 14971 risk management file
- STRIDE-style threat model
- Traceability matrix (req → design → code → tests)
These are sequenced based on regulatory and customer demand, not effort.