# SMOA – Remaining and Optional Tasks

Single list of **remaining** and **optional** work. References: [BACKEND-GAPS-AND-ROADMAP.md](backend/docs/BACKEND-GAPS-AND-ROADMAP.md), [REQUIREMENTS-ALIGNMENT.md](docs/reference/REQUIREMENTS-ALIGNMENT.md), [PLATFORM-REQUIREMENTS.md](docs/reference/PLATFORM-REQUIREMENTS.md), [IMPLEMENTATION_STATUS.md](docs/status/IMPLEMENTATION_STATUS.md).

---

## Backend

### Remaining

- [x] **Prod profile and DB** – Done: application-prod.yml, ddl-auto: validate, Flyway; document PostgreSQL in README.
- [x] **Unit/tenant scoping** – Done: TenantFilter when smoa.tenant.require-unit=true; X-Unit required for /api/v1.
- [x] **Migrations** – Done: Flyway, V1__baseline.sql, baseline-on-migrate.

### Optional

- [x] **Pagination** – Done: @Parameter on PullController for since/limit.
- [x] **ETag / If-None-Match** – Done: ShallowEtagHeaderFilter for /api/v1/*; GET list supports ETag and 304.
- [x] **Request ID** – Done: RequestIdFilter (X-Request-Id, MDC).
- [x] **API versioning** – Doc: backend/docs/API-VERSIONING.md (when to add v2, deprecation).
- [x] **Fix Gradle/Kotlin plugin** – Resolve “plugin already on classpath with unknown version” so `./gradlew :backend:test` runs (root vs backend plugin alignment).

---

## Android app

### Remaining

- [x] **SyncService serialization** – Done: Gson in core:common; serialize* produce JSON bytes.
- [x] **Pull on connect** – Done: PullAPI + BackendPullAPI; startSync() runs pull when online and emits to pullResults (merge by observing modules).
- [x] **API key in app** – Done: BuildConfig.SMOA_API_KEY, passed to BackendSyncAPI (build with -Psmoa.api.key=…).
- [x] **Android 16 doc** – Done: [docs/reference/ANDROID-16-TARGET.md](docs/reference/ANDROID-16-TARGET.md). Actual SDK bump when AGP 8.5+ is adopted.

### Optional

- [ ] **Knox integration** – If required, integrate Knox SDK (e.g. secure storage, VPN) for target devices; Knox API level 39 is supported on primary device.
- [ ] **WebRTC full integration** – Replace WebRTCManager TODOs with actual PeerConnection, audio/video capture, and track setup when library is fully integrated.
- [ ] **Connection quality from WebRTC** – Replace StubConnectionQualityMonitor with implementation that uses WebRTC `getStats()` (bandwidth, RTT, loss) and calls SmartRoutingService/AdaptiveCodecSelector.
- [x] **InfrastructureManager endpoints** – Done: BuildConfig SMOA_STUN_URLS, SMOA_SIGNALING_URLS; SMOAApplication configures STUN and signaling at startup; TURN set programmatically (see modules/communications/README.md).
- [ ] **Screen sharing / file transfer** – Implement TODOs in VideoTransport for screen sharing and file transfer in meetings.
- [ ] **SmartCardReader** – Implement actual card detection, connection, disconnection (or remove if not required).

---

## iOS (last 3 generations)

### Remaining

- [ ] **iOS app project** – Scaffold: [docs/ios/README.md](docs/ios/README.md). Create full app (Swift/SwiftUI) targeting iOS 15, 16, 17.
- [ ] **Keychain for API key** – To implement in iOS app.
- [ ] **Offline queue** – To implement in iOS app (queue sync when offline; retry when online).

### Optional

- [ ] **Face ID / Touch ID** – Optional app unlock or sensitive-action auth.
- [ ] **Certificate pinning** – Optional for API calls.

---

## Web Dapp (Desktop / Laptop + touch)

### Remaining

- [x] **Web scaffold expand** – Done: [docs/web-scaffold/index.html](docs/web-scaffold/index.html) – API info, health, **Pull directory** (GET /api/v1/directory, list display, 304 handling); vanilla JS, no build step. Full SPA (React/Vue/Svelte) remains optional.
- [ ] **Build and host** – Build pipeline and HTTPS hosting when SPA is ready.
- [ ] **CORS** – Configure backend `smoa.cors.allowed-origins` for web app origin(s) in production.

### Optional

- [ ] **Offline** – Service Worker + Cache API; queue sync in IndexedDB/localStorage and flush when online.
- [ ] **PWA** – Installable; optional offline shell.

---

## Infrastructure

### Optional

- [x] **Reverse proxy** – Done: [nginx-smoa.conf.example](docs/infrastructure/nginx-smoa.conf.example), [docker-compose.yml](docker-compose.yml).
- [ ] **TURN / signaling** – Host TURN and/or signaling for WebRTC if not using external services.
- [x] **k8s manifests** – Done: [docs/infrastructure/k8s/backend-deployment.yaml](docs/infrastructure/k8s/backend-deployment.yaml) (Deployment, Service, optional Secret/ConfigMap).

---

## Domain / compliance (optional, by priority)

### High (requires approvals / provider selection)

- [ ] **NCIC/III integration** – NCIC API (CJIS approval required).
- [ ] **ATF eTrace** – ATF eTrace API (federal approval required).
- [ ] **eIDAS QTSP** – Integrate with Qualified Trust Service Provider; qualified signatures, timestamps, EU Trust Lists.

### Medium

- [ ] **Digital signatures** – Full BouncyCastle (or similar) signature generation/verification; certificate chain validation.
- [ ] **XML security** – Apache Santuario; XMLDSig/XMLEnc for AS4 and compliance.
- [x] **CertificateManager.checkRevocationStatus** – Stub clarified: returns UNKNOWN; extend with OCSP/CRL for production.
- [ ] **AS4 full implementation** – Full AS4 message envelope, ebMS 3.0, WS-RM, receipts, CPA (see AS4Service TODOs).
- [x] **Report digital signature** – Done: ReportService.signReports + minimal SHA-256 content-hash signature; full signing via dedicated service when needed.
- [ ] **Electronic seal** – Actual seal verification (ElectronicSealService TODO).

### Lower / future

- [x] **ZeroTrustFramework** – Replaced TODO with “Minimal implementation; extend for production”.
- [x] **ThreatDetection** – Replaced TODOs with “Minimal implementation; extend for production”.
- [ ] **ATF form storage** – Add entities and storage for ATF forms (ATFFormDatabase TODO).
- [ ] **NCIC query storage** – Add entities for NCIC query storage (NCICQueryDatabase TODO).
- [ ] **Compliance gaps** – Address domain-specific gaps in [COMPLIANCE_EVALUATION.md](docs/reference/COMPLIANCE_EVALUATION.md) (eIDAS QES, credential formats, barcode, NIBRS/UCR, etc.) per deployment priorities.

---

## Testing

### Optional

- [ ] **Backend tests** – Fix Gradle plugin so `:backend:test` runs; add more integration tests as needed.
- [ ] **Android unit/integration** – More unit tests for remaining modules; integration tests; UI tests; target 80%+ coverage where practical.
- [ ] **E2E** – End-to-end tests for critical flows (sync, auth, meetings).

---

## Documentation

### Optional

- [x] **README/back-end** – Done: Backend README lists DELETE/GET, rate limit, audit, Docker, tenant (smoa.tenant.require-unit), Request ID, Flyway, PostgreSQL prod, CORS (smoa.cors.allowed-origins), ETag.
- [x] **Timeline** – Done: IMPLEMENTATION_STATUS.md “Next steps (short-term)” section added.

---

## Summary

| Area       | Remaining | Optional |
|------------|-----------|----------|
| Backend    | 0         | 2        |
| Android    | 0         | 6        |
| iOS        | 3         | 2        |
| Web Dapp   | 2         | 2        |
| Infra      | 0         | 2        |
| Domain     | 0         | 12+      |
| Testing    | 0         | 3        |
| Docs       | 0         | 0        |

Use this file as the single checklist for remaining and optional work; link to it from [docs/README.md](docs/README.md) or [IMPLEMENTATION_STATUS.md](docs/status/IMPLEMENTATION_STATUS.md) as needed.