Backend Gap Register

This page summarizes the backend completion state that platform administrators should track. Sources are adr/0001-remaining-backend-gaps.md, matrix.md, and the current route contract under backend/docs/.

Contract Status

| Area | Status |
| --- | --- |
| Cahier route backlog | All expected backend routes are represented in Swagger. |
| Swagger wildcard | Not tracked as a product route; concrete Swagger routes are served. |
| Frontend | Owned separately, with both frontend BFF and dashboard in the repo. |
| Hedera | Real adapter, smart contracts, and deployment/test scripts still deferred. |
| WORM/Object Lock | Deferred by product direction. |

Closed Backend Slices

| Slice | Current behavior |
| --- | --- |
| Billing operator admin routes | BILLING_OPERATOR can use tenant-selected admin billing dashboard, usage, receipts, report list/download, and export routes with explicit tenant_id. Responses exclude certificate PDFs, canonical proof JSON, and proof payload content. |
| License grant import and quota rules | Imports validate instance_fingerprint, duplicate grant IDs, commercial chain, dates, addendum/revocation references, org-tree allocation limits, and quotas where configured. |
| Notification delivery | SMTP/webhook delivery records status, retries with backoff, updates DLQ metadata, renders branded email templates, and updates billing export delivery metadata. |
| Production observability | API/worker telemetry heartbeats, queue depth/in-flight/DLQ metrics, proof pending/failed gauges, DB connection gauges, signer operation metrics, alert rules, dashboard panels, and runbooks are implemented for the Grafana/Loki/Tempo/Prometheus/OpenTelemetry stack. |
| API contract polish | backend/docs/api-contract-status.md reports no missing cahier backlog endpoints. |
| Agent ingestion hardening | ISO one-time enrollment tokens are validated by prefix/hash, expiry, consumed state, and revocation state. Enrolled-agent API keys are write-only, linked to enrollment state, update last_seen, and persist PKI/mTLS-ready identity metadata. |
| CI/CD and delivery | The Gitea workflow includes migration discipline checks, parallel-safe compose E2E, generated Swagger/HeyAPI freshness, Go tests, security scans, SBOM/provenance, image build/scan/publish, and a dedicated migrator image. |
| Billing/reporting pass | Volume, success-rate, CO2 reporting, restricted SQL billing views, monthly report artifacts, and report/export endpoints are implemented. |
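
The one-time enrollment token checks listed under Agent ingestion hardening (prefix/hash, revocation, consumed state, expiry), sketched in Go as an added example that is not the project's own code. The token form `<prefix>.<secret>`, the in-memory map store, and the names EnrollmentToken, Issue, and Redeem are assumptions made for illustration.

```go
package main
import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
)
// EnrollmentToken is a hypothetical stored record: only the token's SHA-256 is kept.
type EnrollmentToken struct {
	Hash              [32]byte
	ExpiresAt         time.Time
	Consumed, Revoked bool
}
var ErrUnknown = errors.New("unknown or malformed token")
var ErrRevoked = errors.New("token revoked")
var ErrConsumed = errors.New("token already consumed")
var ErrExpired = errors.New("token expired")

// Issue stores a token of the assumed form "<prefix>.<secret>" under its prefix.
func Issue(store map[string]*EnrollmentToken, token string, expires time.Time) {
	prefix, _, _ := strings.Cut(token, ".")
	store[prefix] = &EnrollmentToken{Hash: sha256.Sum256([]byte(token)), ExpiresAt: expires}
}

// Redeem checks prefix/hash, revocation, consumed state and expiry, then consumes the token.
func Redeem(store map[string]*EnrollmentToken, presented string, now time.Time) error {
	prefix, _, ok := strings.Cut(presented, ".")
	rec, sum := store[prefix], sha256.Sum256([]byte(presented))
	if !ok || rec == nil || subtle.ConstantTimeCompare(sum[:], rec.Hash[:]) != 1 {
		return ErrUnknown // same error for bad prefix and bad hash
	}
	switch {
	case rec.Revoked:
		return ErrRevoked
	case rec.Consumed:
		return ErrConsumed
	case !now.Before(rec.ExpiresAt):
		return ErrExpired
	}
	rec.Consumed = true // one-time use: a second redemption fails
	return nil
}

func main() {
	store, tok := map[string]*EnrollmentToken{}, "iso_ab12.constructed-secret" // constructed sample
	Issue(store, tok, time.Now().Add(time.Hour))
	fmt.Println(Redeem(store, tok, time.Now()), Redeem(store, tok, time.Now()))
}
```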

Active Backend Work

No active implementation branch is tracked in this docs site. Operators should still treat the gaps below as open before production acceptance.

Blocked Or Deferred Work

| Area | Blocking input |
| --- | --- |
| Production agent PKI and enrollment issuer policy | Final trust roots, certificate revocation source, mTLS forwarding contract, ISO token issuer ownership, and production enrollment approval policy. |
| Production signer | Final remote Signer protocol, mTLS material, key IDs, rotation metadata, transaction signing, HMAC, decrypt, PAdES, and TSA behavior. |
| Hedera anchoring | Network, account, contract IDs, mirror-node behavior, finality semantics, explorer URL format, Exaion smart-contract deployment, SDK adapter, key resolver, and replay policy. |
| Storage infrastructure | Final bucket names, versioning policy, write-only billing drop ownership, SSE/KMS settings, and retention schedules. WORM/Object Lock remains deferred. |
| Kubernetes/Harbor deployment | Kubernetes or Helm target and secret ownership. |

Current Implementation Gaps To Track

| Gap | Operational impact |
| --- | --- |
| Real Hedera anchoring is absent. | Certificates can be issued with CERTIFIED_NO_ANCHOR; public verification cannot prove real on-chain finality until adapter/contracts/config are complete. |
| Ingest listener mTLS enforcement is not final. | Agent enrollment can issue/store PKI-ready identity metadata, but production mTLS termination/forwarding policy must be wired before exposing the standalone gateway to agents. |
| Proof state notifications are incomplete. | Webhook/email delivery exists, but proof.failed, proof.rejected, and proof.awaiting_license producers are not fully connected. |
| S3 write-only billing push and DKIM/PGP delivery policy are incomplete. | Billing exports can be generated and downloaded; hardened external delivery remains infra/product work. |
| License duration types are deferred. | MONTHLY, ANNUAL, MULTI_YEAR, and PERPETUAL semantics are not in the signed grant model yet. |
| Production backup/retention policy is infra-owned. | App retention workers exist, but final storage retention, immutability, and restore process must be validated in the target environment. |

Refresh Checks

Before closing backend work that changes routes, schemas, docs, or generated clients:

    cd backend
    make swagger
    make route-contract
    go test ./...

For full-stack backend coverage with the local compose stack:

    docker compose up --build -d
    cd backend
    make e2e