# TODOs and Placeholders - Detailed List

**Last Updated**: 2024-12-28

**Purpose**: Quick reference for all TODOs and placeholders with exact file locations

---

## TODOs in Code (7 items)

### Identity Service

1. **`services/identity/src/index.ts:134`**
   ```typescript
   // TODO: Implement actual VC issuance with DID/KMS
   ```
   - **Action**: Implement full VC issuance with KMS signing and proof generation

2. **`services/identity/src/index.ts:170`**
   ```typescript
   // TODO: Implement actual VC verification
   ```
   - **Action**: Implement VC signature verification, expiration, and revocation checks

3. **`services/identity/src/index.ts:208`**
   ```typescript
   // TODO: Implement actual document signing with KMS
   ```
   - **Action**: Complete KMS integration and signature metadata storage

### Finance Service

4. **`services/finance/src/index.ts:118`**
   ```typescript
   // TODO: Save to database
   ```
   - **Action**: Persist ledger entries to database with transaction handling

5. **`services/finance/src/index.ts:161`**
   ```typescript
   // TODO: Process payment through payment gateway
   ```
   - **Action**: Integrate payment gateway (Stripe/PayPal) and handle webhooks

### Dataroom Service

6. **`services/dataroom/src/index.ts:165`**
   ```typescript
   // TODO: Fetch from database
   ```
   - **Action**: Replace hardcoded deal with database query

7. **`services/dataroom/src/index.ts:210`**
   ```typescript
   // TODO: Upload to storage and save to database
   ```
   - **Action**: Save document metadata to database after storage upload

---

## Placeholders (10 items)

### Identity Service

1. **`services/identity/src/index.ts:173`**
   ```typescript
   const valid = true; // Placeholder
   ```
   - **Issue**: VC verification always returns true
   - **Fix**: Implement actual verification logic

2. **`services/identity/src/index.ts:138`**
   ```typescript
   issuer: 'did:web:the-order.example.com',
   ```
   - **Issue**: Hardcoded issuer DID
   - **Fix**: Use environment variable or configuration

### Workflows

3. **`packages/workflows/src/intake.ts:31`**
   ```typescript
   const ocrText = 'Extracted text from document'; // Placeholder
   ```
   - **Issue**: No actual OCR processing
   - **Fix**: Integrate OCR service

4. **`packages/workflows/src/review.ts:98`**
   ```typescript
   // For now, return true as a placeholder
   return true;
   ```
   - **Issue**: Approval always returns true
   - **Fix**: Query database for actual approval status

### Authentication

5. **`packages/shared/src/auth.ts:127-132`**
   ```typescript
   // Placeholder: Extract user info from token
   // In production: const userInfo = await oidcProvider.validateToken(token);
   request.user = {
     id: 'oidc-user',
     email: 'user@example.com',
   };
   ```
   - **Issue**: Hardcoded user info
   - **Fix**: Validate token with OIDC issuer and extract real user info

### Test Files

6. **`services/identity/src/index.test.ts:12`**
   ```typescript
   // For now, this is a placeholder structure
   ```
   - **Issue**: Test not implemented
   - **Fix**: Complete test implementation

---

## Hardcoded Values (15+ items)

### Configuration Values

1. **Storage Buckets**
   - `services/intake/src/index.ts:35`: `'the-order-intake'`
   - `services/dataroom/src/index.ts:33`: `'the-order-dataroom'`
   - **Fix**: Use `STORAGE_BUCKET` environment variable

2. **KMS Key IDs**
   - `services/identity/src/index.ts:94`: `'test-key'`
   - `services/identity/src/index.ts:211`: `'default-key'`
   - **Fix**: Require `KMS_KEY_ID` in environment, no fallback

3. **DID Issuer**
   - `services/identity/src/index.ts:138`: `'did:web:the-order.example.com'`
   - **Fix**: Use `VC_ISSUER_DID` environment variable

4. **Swagger Server URLs**
   - All services: `http://localhost:XXXX`
   - **Fix**: Use environment-specific URLs

5. **CORS Default**
   - `packages/shared/src/security.ts:38`: `['http://localhost:3000']`
   - **Fix**: Require `CORS_ORIGIN` in production

6. **Deal Data**
   - `services/dataroom/src/index.ts:168`: `'Example Deal'`
   - **Fix**: Remove hardcoded data, query database

7. **Test Database URL**
   - `packages/test-utils/src/db-helpers.ts:47`: `'postgresql://test:test@localhost:5432/test'`
   - **Note**: This is acceptable for tests, but should be documented

---

## Simplified/Incomplete Implementations

### Workflows

1. **Intake Workflow** (`packages/workflows/src/intake.ts`)
   - Line 29-31: OCR placeholder text
   - Line 33: Simple keyword-based classification
   - Line 36: Minimal data extraction (only word count)
   - Line 39-40: No document routing
   - **Comment**: "This is a simplified implementation. In production, this would use Temporal or AWS Step Functions"

2. **Review Workflow** (`packages/workflows/src/review.ts`)
   - Line 27-28: Document not loaded
   - Line 66-88: All automated checks return `{ passed: true }`
   - Line 42-43: No reviewer assignment
   - Line 97-99: Approval always returns true
   - **Comment**: "This is a simplified implementation. In production, this would use Temporal or AWS Step Functions"

### Authentication

3. **DID Signature Verification** (`packages/auth/src/did.ts:83-90`)
   - **Comment**: "Basic signature verification (simplified - real implementation would use proper crypto)"
   - **Issue**: May not work correctly for all key types

4. **eIDAS Verification** (`packages/auth/src/eidas.ts:52-59`)
   - **Comment**: "Verify certificate chain (simplified - real implementation would validate full chain)"
   - **Issue**: Certificate chain not fully validated

5. **OIDC Token Validation** (`packages/shared/src/auth.ts:121-132`)
   - **Comment**: "In production, this would validate the OIDC token with the issuer"
   - **Issue**: Only checks token length

---

## Missing Implementations

### Services Not Using Auth

- ❌ Identity service endpoints are public
- ❌ Finance service endpoints are public
- ❌ Dataroom service endpoints are public
- ❌ Intake service endpoints are public
- **Fix**: Add authentication middleware to protected endpoints

### Missing Database Operations

- ❌ No database migrations defined
- ❌ No database schema
- ❌ No database seed scripts
- ❌ No database connection initialization in services

### Missing External Service Integrations

- ❌ OCR service client
- ❌ ML classification service
- ❌ Payment gateway client
- ❌ Notification service
- ❌ Message queue client

### Missing Infrastructure

- ❌ Redis/caching setup
- ❌ Message queue setup
- ❌ Workflow orchestration (Temporal/Step Functions)
- ❌ Monitoring stack (Prometheus, Grafana)

---

## Code Comments Indicating Gaps

### "In production" Comments (8 instances)

1. `packages/workflows/src/intake.ts:21-22`: Temporal/Step Functions
2. `packages/workflows/src/intake.ts:30`: OCR service call
3. `packages/workflows/src/intake.ts:40`: Document routing
4. `packages/workflows/src/intake.ts:55`: ML models
5. `packages/workflows/src/intake.ts:81`: NLP extraction
6. `packages/workflows/src/review.ts:21-22`: Temporal/Step Functions
7. `packages/workflows/src/review.ts:28`: Document service
8. `packages/workflows/src/review.ts:43`: Reviewer assignment
9. `packages/workflows/src/review.ts:97`: Database approval check
10. `packages/shared/src/auth.ts:121`: OIDC token validation
11. `packages/shared/src/auth.ts:128`: User info extraction

### "Simplified" Comments (6 instances)

1. `packages/workflows/src/intake.ts:54`: Classification logic
2. `packages/workflows/src/intake.ts:80`: Data extraction
3. `packages/workflows/src/review.ts:66`: Automated checks
4. `packages/workflows/src/review.ts:91`: Approval status
5. `packages/auth/src/did.ts:83`: Signature verification
6. `packages/auth/src/eidas.ts:52`: Certificate validation

---

## Environment Variable Gaps

### Optional but Required Variables

1. `DATABASE_URL` - Required for all services
2. `STORAGE_BUCKET` - Required for storage operations
3. `KMS_KEY_ID` - Required for encryption/signing
4. `JWT_SECRET` - Required for authentication

### Missing Variables

1. `PAYMENT_GATEWAY_API_KEY`
2. `PAYMENT_GATEWAY_WEBHOOK_SECRET`
3. `OCR_SERVICE_URL`
4. `OCR_SERVICE_API_KEY`
5. `ML_CLASSIFICATION_SERVICE_URL`
6. `ML_CLASSIFICATION_API_KEY`
7. `NOTIFICATION_SERVICE_URL`
8. `REDIS_URL`
9. `MESSAGE_QUEUE_URL`
10. `VC_ISSUER_DID`
11. `VC_ISSUER_PRIVATE_KEY`
12. `SWAGGER_SERVER_URL` (per environment)

---

## Test Implementation Gaps

### Incomplete Tests

1. **`services/identity/src/index.test.ts`**
   - Test structure exists but not implemented
   - Missing: Server setup
   - Missing: Mock configuration
   - Missing: Actual test execution

### Missing Tests

1. Integration tests for all services
2. E2E tests for portal apps
3. Database integration tests
4. Storage integration tests
5. KMS integration tests
6. Workflow tests
7. Authentication middleware tests

---

## Application Gaps

### Portal Public

- Only placeholder homepage
- No components
- No API integration
- No authentication UI

### Portal Internal

- Only placeholder homepage
- No admin features
- No management UIs
- No reporting

### MCP Apps

- Not reviewed (may have similar gaps)

---

## Priority Fix Order

### Week 1 (Critical)

1. Remove all hardcoded test/default values
2. Add database persistence to all services
3. Add authentication middleware to protected endpoints
4. Fix placeholder implementations (VC verification, approval status)

### Week 2-3 (High Priority)

5. Integrate payment gateway
6. Integrate OCR service
7. Complete test implementations
8. Add missing environment variables

### Week 4+ (Medium Priority)

9. Workflow orchestration
10. ML classification
11. Monitoring setup
12. Portal app development

---

## File-by-File Summary

### Services

- **identity/src/index.ts**: 3 TODOs, 2 placeholders, 2 hardcoded values
- **finance/src/index.ts**: 2 TODOs
- **dataroom/src/index.ts**: 2 TODOs, 1 hardcoded value
- **intake/src/index.ts**: No TODOs, but missing database persistence

### Packages

- **workflows/src/intake.ts**: 1 placeholder, 5 "in production" comments
- **workflows/src/review.ts**: 1 placeholder, 4 "in production" comments
- **shared/src/auth.ts**: 1 placeholder, 2 "in production" comments
- **auth/src/did.ts**: 1 "simplified" comment
- **auth/src/eidas.ts**: 1 "simplified" comment

### Tests

- **identity/src/index.test.ts**: 1 placeholder comment, incomplete implementation

---

## Quick Action Items

### Immediate Fixes (1-2 hours each)

- [ ] Remove `'test-key'` and `'default-key'` fallbacks
- [ ] Remove `'Example Deal'` hardcoded data
- [ ] Change `const valid = true` to actual verification
- [ ] Change `return true` in approval to database query
- [ ] Move hardcoded issuer DID to environment variable
- [ ] Make critical env vars required in production

### Short Term (1-2 days each)

- [ ] Add database persistence to all service endpoints
- [ ] Integrate payment gateway
- [ ] Add authentication middleware to endpoints
- [ ] Complete test implementations

### Medium Term (1-2 weeks each)

- [ ] Integrate OCR service
- [ ] Integrate ML classification
- [ ] Set up workflow orchestration
- [ ] Build portal apps

---

**See `GAPS_AND_PLACEHOLDERS.md` for detailed analysis of each gap.**