Roadmap
This page is auto-synced from docs/roadmap/INDEX.md in the engineering
repo on every docs build. Treat it as a public-facing snapshot of the
backlog. Plan-by-plan deep dives stay in the engineering monorepo.
Sync source: generated by scripts/sync-docs.sh from docs/roadmap/INDEX.md.
Single source of truth for plan status + priority.
Treat this file as the backlog. Pick the highest-priority OPEN row, turn it into a task (TodoWrite + branch + PR), and update the row's status here when it ships.
Process
- Capture — new idea → docs/roadmap/<date>-<slug>.md with header # Plan NN — title, **Status:**, **Priority:**. Add a row here.
- Rank — assign P0/P1/P2/P3. P0 = sales blocker, P1 = within 30 days of first paying customer, P2 = within 90 days, P3 = defer to v0.13+.
- Pick up — when starting work: status OPEN → IN-FLIGHT, create TodoWrite tasks, branch feat/plan-NN-<slug> or fix/<slug>.
- Ship — PR → admin-merge → tag. Status IN-FLIGHT → SHIPPED, link the merge SHA.
- Block — if waiting on external (counsel, customer, vendor): status → BLOCKED, note the unblock condition in the row.
The TodoWrite tasks are conversation-scoped working memory. The plan numbers + this index persist across sessions.
Numbering
- 60–86: Plan 70 admin config gaps + sub-plans + adjacent v0.11 work
- 87: Pluggable LLM extractors Phase 3
- 88: Google sign-in (shipped)
- 89, 90, 91: Marketing manager rewrite / rule-book buyer descriptions / dashboard explainer overlays (shipped)
- 92: Customer onboarding flow (self-serve signup) — shipped v0.10.0
- 93: Customer usage metering
- 94: In-app learning mode
- 95: AI-generated training videos
- 96: RICS vertical pack (UK chartered surveyors) — full pack v1 shipped v0.11.26
- 97: Per-framework counsel review routing
- 98: Multi-regulation homepage rewrite (UK-first)
- 99: UK Defence AI Playbook rule book
- 100: Defence Standard 05-138 (cyber security overlay)
- 101: Secure by Design (UK Government — checklist+maturity, NOT rule book)
- 102: RLB customer pilot (living doc — first paying customer)
- 103: Frameworks as Subscription Products
- 104+: free for next captures
P0 — sales blockers (ship now)
| # | Plan | Status | Notes |
|---|---|---|---|
| 102 | RLB customer pilot (living doc) | IN-FLIGHT | First paying customer. UK chartered surveying + UK government / defence supplier. Pilot kickoff TBD with founder. |
P1 — within 30 days of first paying customer
| # | Plan | Status | Notes |
|---|---|---|---|
| 99 | UK Defence AI Playbook rule book | OPEN | Next after RICS per founder direction 2026-05-09. ~3-4 weeks FT. WI-0 PDF extraction first. |
| 100 | Defence Standard 05-138 (cyber security) | OPEN | After Plan 99. ~5-6 weeks FT (heaviest). Profile-based (Cyber Risk Profiles). Architectural test of "non-AI compliance" extensibility. |
| 103 | Frameworks as Subscription Products | OPEN | Per-tenant subscription metadata; admin framework picker in onboarding. Ship before second paying customer. ~10d FT. |
| 75 | Compliance officer roster (HITL routing) | OPEN | Plan 71 P2 removed the compliance_officer role; needs fresh approach (roster table + per-tenant HITL routing config). |
| 76 | Notification routing rules | OPEN | Today: per-user notification_preferences toggle on/off, no routing rules. |
| 77 | API tokens | OPEN | Customer integration prerequisite. |
| 79 | Discovery schedule per connection | OPEN | Phase 2 of discovery worker — daily/weekly/on-demand. |
| 80 | Evidence pack templates (branded PDF) | OPEN | annex_iv.html hard-codes "Secruna · EU AI Act Compliance" — no per-tenant brand hooks. RLB pilot may flag this if blocking. |
| 89 P3 | Counsel review of legal pages | DEFERRED | Skipped pending Plan 97 counsel routing infrastructure. [TBD — pending counsel review] placeholders stay until counsel exists. |
| 62 | Rule book v1.1 (generic LLM + shadow AI rules) | DEFERRED | Skipped pending Plan 97. Rule YAMLs scaffolded on main but firing scoped to test fixtures. |
P2 — within 90 days of first paying customer
| # | Plan | Status | Notes |
|---|---|---|---|
| 98 | Multi-regulation homepage rewrite (UK-first) | OPEN | Sales asset; defer until RLB pilot stable. ~11d FT (Phase 1+2). UK-tone primary voice; EU AI Act becomes one of many. |
| 101 | Secure by Design (UK Government) | OPEN | Different shape — checklist + maturity assessment, NOT rule book. Only relevant if customer bids on UK central government digital. ~3-4 weeks FT. |
| 93 | Customer usage metering | OPEN | Required before any "metered billing" pricing tier. Stripe parity blocker. |
| 81 | Platform-admin promotion / demotion | OPEN | DB-only today; Secruna-internal. |
| 82 | Per-tenant feature flags + rate limits + retention | OPEN | Bundled. |
| 83 | Tenant lifecycle (archive / suspend / delete / restore) | OPEN | tenants.deleted_at column already in 0001_initial_tenants; missing the state machine + UI + endpoints. |
| 84 | Rule book version pinning per tenant | OPEN | Mid-audit customers need pin. |
| 61 P2 | Event-triggered discovery worker | OPEN | Phase 1 cron */2 * shipped; event-driven defer. |
| 87 WI-3 | Pluggable extractors — failover chain | OPEN | Reliability — only matters at >2 paying customers. |
| 97 | Per-framework counsel review routing | OPEN | Magic-link click + optional PDF (Option C). Reuses 4-eyes magic-link primitive (Plan 71). Unblocks Plans 62, 89 P3, RICS/Defence counsel signoff. ~10-12d FT. Defer until first counsel relationship. |
P3 — defer to v0.13+
| # | Plan | Status | Notes |
|---|---|---|---|
| 94 | In-app learning mode | OPEN | Onboarding polish. |
| 95 | AI-generated training videos | OPEN | Sales asset, not core product. |
| 87 WI-4 | Pluggable extractors — production OSS hosting | OPEN | Sovereign-deployment customer ask only. |
Shipped — v0.11 wave (2026-05-06 → 2026-05-08)
| # | Plan | Tag |
|---|---|---|
| 60 | Plan 60 (initial v0.11 scoping) | v0.11.0 |
| 61 P1 | Discovery worker — cron Phase 1 | v0.11.x |
| 61 P2 | Discovery worker — cp-api invokes worker job | v0.11.x |
| 62 | Rule book matcher schema (artifact_metadata) — Phase 1 | v0.11.x |
| 65 | 17 Annex III synthetic Lambda fixtures + extractor validation | v0.11.x |
| 66 | Onboarding session refresh + invite-second-admin nudge | v0.11.x |
| 67 | Tenant slug collision auto-retry | v0.11.x |
| 68 | Corporate-email-domain enforcement | v0.11.x |
| 69 | Azure connector account-picker + cross-account warning | v0.11.x |
| 70 | Frontend admin config gaps — meta-plan | v0.11.x |
| 71 P1 | Tenant member management — invitations + member routes + frontend | v0.11.x |
| 71 P2 | Tenant member management — role taxonomy rename | v0.11.x |
| 72 | Connector re-authorisation flow | v0.11.x |
| 73 | Manual AI system entry | v0.11.x |
| 74 | Tenant settings page (display block) | v0.11.x |
| 88 | Google sign-in | v0.11.x |
| 89 P1 | Marketing manager-buyer homepage rewrite | v0.11.x |
| 90 | Rule book customer descriptions | v0.11.x |
| 91 | Dashboard explainer overlay | v0.11.x |
| 92 | Customer onboarding flow (self-serve signup) | v0.10.0 |
| 87 WI-1 | Pluggable extractor — per-tenant UI | v0.11.15 |
| 89 P2 | /use-cases rewrite with article anchors | v0.11.16 |
| 85 | Bulk operations on verdicts | v0.11.x (pre-existing on main; never tracked here) |
| 87 WI-2 | Pluggable extractor — BYO endpoint | v0.11.17 |
| 78 | Webhooks (push events to SIEM/Slack/Teams) | v0.11.17 |
| 86 | Connector credential rotation UI | v0.11.17 |
| 96 WI-0 | RICS POC — loader multi-framework + AVM rule | v0.11.19 |
| 96 WI-1 | RICS — 4 remaining rules (GIS, GenAI drafting, due-diligence, chatbot) | v0.11.20 |
| 96 WI-2 | Multi-framework load + per-tenant enabled_frameworks | v0.11.24 |
| 96 WI-3 | Per-framework category taxonomy (EU + RICS enums) | v0.11.25 |
| 96 WI-4 | Surveying connector signal patterns | v0.11.25 |
| 96 WI-7 | Marketing landing /use-cases/rics + GTM | v0.11.25 |
| 96 WI-5 | AI Use Disclosure Statement export | v0.11.26 |
| 96 WI-6 | Firm AI Register export (PDF + CSV) | v0.11.26 |
| 96 WI-8 | RICS eval golden set (20 cases, F1=1.000) | v0.11.26 |
| — | P0 fix: admin verdict detail 404 → /admin/verdicts/{id} | v0.11.18 |
| — | Plan 72 follow-up: reauthorize button AJAX + toast | v0.11.15 |
Strategic / context (read-only — not implementation work)
- 2026-05-01-roadmap.md — early roadmap snapshot
- 2026-05-03-eu-ai-act-gap-analysis.md — regulation vs product
- 2026-05-03-mvp-priorities.md — MVP priority stack
- 2026-05-03-onetrust-gap-analysis.md — competitive annex
Conventions
- Filename: YYYY-MM-DD-<slug>.md (older docs without plan-NN in filename are fine — header # Plan NN — … is the truth).
- Header order: # Plan NN — title → **Status:** ... → **Priority:** ... → optional **Captured:** YYYY-MM-DD.
- This INDEX is the truth when status drifts in individual docs. Touch the doc when convenient; the index is updated every time a plan moves states.