# Obscura — Product Roadmap

Living feature inventory + forward plan. Companion to BUILD_BLUEPRINT.md (engineering spec), PRODUCT_DESCRIPTION.md (pitch), and AI_FEATURES.md. This file is organized by priority, not by component, because priority is what drives sequencing.
## What Obscura is

An enterprise Document Management System whose differentiators are (1) forensic watermarking (trace a leaked document back to a recipient) and (2) a clean, AGPL‑free, on‑prem‑friendly stack.

Deployment posture: B2G on‑prem / air‑gapped first, SaaS later. Most B2G installs have internet; some are air‑gapped. Every enforcement/licensing decision must degrade gracefully offline.
## Two different “anti” systems (do not conflate)

| System | Protects | Priority |
|---|---|---|
| Software anti‑piracy / licensing | Obscura the product from being run without a valid license after sale | Medium |
| Forensic watermarking / steganography | Tracing a leaked document back to its recipient | Low |
## Status legend

| Mark | Meaning |
|---|---|
| ✅ | Done (backend and/or UI live) |
| 🔄 | In progress — current build |
| 🌱 | Seam only — interface/plumbing exists, real engine deferred |
| ⬜ | Not built |
| ⏸ | Parked — explicitly out of scope |
## P0 — Shipped (was the current build)

| Feature | Status | Notes |
|---|---|---|
| Custom no‑download preview (pdf.js canvas viewer) | ✅ | RestrictedPDFViewer canvas; replaces native iframe + browser PDF toolbar |
| In‑app DLP download enforcement (AllowDownload) | ✅ | content_access.go gates /content; /preview inline+ungated; owner + content‑admin break‑glass exempt |
| AllowForward → real external‑share gate | ✅ | Blocks share‑link creation for restricted classes |
| Remove AllowPrint | ✅ | Removed entirely (column + UI + API) |
| Document create from UI | ✅ | NewDocumentModal + button |
## P1 — High priority

### Core DMS (the foundation)

| Feature | Status | Notes |
|---|---|---|
| Folders, documents, versions, metadata schemas | ✅ | |
| Check‑out/in, version compare, rollback | ✅ | |
| Tags, attachments, links, comments, subscriptions | ✅ | |
| Full‑text + advanced search (backend) | ✅ | Dedicated /search page UI now ✅ |
| Bulk operations | ✅ | |
| ZIP export, trash/restore | ✅ | |
| Template library + data‑merge | ✅ | |
| Document request & intake tracking | ✅ | |
| Numbering schemes | ✅ | |
| Document create from UI | ✅ | NewDocumentModal |
| Text‑editor suite (create/edit content in‑app) | ✅ | TipTap (RichTextField + TextEditorView); Finalize→PDF bridge so authored docs become signable/publishable |
| Search results page UI | ✅ | /search page — full‑text + classification/expired filters, opens detail on row click; header search box wired to it |
### Records Retention (one coupled workstream)

| Feature | Status | Notes |
|---|---|---|
| Per‑document retention floor + legal hold | ✅ | Enforced inside the delete transaction |
| Retention policy catalogue (records‑type → period) | ⬜ | doc_type → policy bridge; replaces the placeholder admin tab |
| Disposition schedules (end‑of‑life: auto‑delete / archive / route‑to‑review) | ⬜ | Built with the catalogue |
### Data protection

| Feature | Status | Notes |
|---|---|---|
| Encryption at rest | ✅ | Per‑blob age (X25519) envelope encryption (platform/blob/cipher.go); fresh per‑blob file key, content‑addressing preserved on plaintext, backward‑compatible read path. Master key mounted per‑environment (gitignored), never baked in |
| Data residency | ⬜ | Largely satisfied by on‑prem deployment; make explicit |
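The envelope scheme the encryption‑at‑rest row describes, as an added example that is not Obscura's platform/blob/cipher.go: a fresh file key per blob encrypts the content, the master key wraps that file key, the content address is computed over the plaintext so deduplication survives encryption, and the read path accepts blobs written before encryption was switched on. It swaps age's X25519 recipient wrapping for AES‑256‑GCM key wrapping so that it runs on the Go standard library alone; the `OBSCURA-ENV1` header, the fixed wrapped‑key layout, binding the content address as AEAD associated data, and the 32‑byte constructed dev master key are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

var magic = []byte("OBSCURA-ENV1") // assumed header; blobs without it are legacy plaintext
const wrappedLen = 12 + 32 + 16    // AES-GCM wrapped file key: nonce + 32-byte key + tag

// ContentAddress is computed over the plaintext, so identical documents still dedupe.
func ContentAddress(plaintext []byte) string {
	sum := sha256.Sum256(plaintext)
	return hex.EncodeToString(sum[:])
}

// gcmFor builds AES-256-GCM; keys are 32 bytes by construction, so a wrong length is a misconfiguration.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		panic("blob cipher: key must be 32 bytes")
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for the AES block size
	return aead
}

// sealKey returns nonce || AES-GCM ciphertext under key, with a fresh random nonce.
func sealKey(key, plaintext, aad []byte) ([]byte, error) {
	aead := gcmFor(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

func openKey(key, sealed, aad []byte) ([]byte, error) {
	aead := gcmFor(key)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed payload too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Seal: fresh file key per blob, content sealed under it, file key wrapped under the master key.
func Seal(master, plaintext []byte) (string, []byte, error) {
	addr := ContentAddress(plaintext)
	fileKey := make([]byte, 32)
	if _, err := rand.Read(fileKey); err != nil {
		return "", nil, err
	}
	// The address is bound as AAD so a wrapped key cannot be transplanted onto another blob.
	wrapped, err := sealKey(master, fileKey, []byte(addr))
	if err != nil {
		return "", nil, err
	}
	body, err := sealKey(fileKey, plaintext, []byte(addr))
	if err != nil {
		return "", nil, err
	}
	stored := append(append(append([]byte{}, magic...), wrapped...), body...)
	return addr, stored, nil
}

// Open is the backward-compatible read path: sealed blobs are unwrapped, header-less ones are legacy plaintext.
func Open(master []byte, addr string, stored []byte) ([]byte, error) {
	plaintext := stored
	if bytes.HasPrefix(stored, magic) {
		rest := stored[len(magic):]
		if len(rest) < wrappedLen {
			return nil, errors.New("truncated blob")
		}
		fileKey, err := openKey(master, rest[:wrappedLen], []byte(addr))
		if err != nil {
			return nil, errors.New("unwrap failed: wrong master key or tampered blob")
		}
		if plaintext, err = openKey(fileKey, rest[wrappedLen:], []byte(addr)); err != nil {
			return nil, errors.New("content authentication failed")
		}
	}
	if ContentAddress(plaintext) != addr { // defence in depth on both paths
		return nil, errors.New("content address mismatch")
	}
	return plaintext, nil
}

func main() {
	master := bytes.Repeat([]byte{0x42}, 32) // constructed dev key; production mounts one per environment
	addr, blob, err := Seal(master, []byte("constructed sample document"))
	fmt.Println("addr", addr[:16], "stored", len(blob), "bytes, seal err:", err)
}
```

Two things worth noticing when reading it: the stored bytes differ on every Seal of the same document (fresh key and nonces) while the address stays constant, which is what lets content addressing and encryption coexist; and a blob from a different master key, a flipped ciphertext byte, or a legacy plaintext that does not hash to its address all fail closed with an error rather than returning bytes.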
### Access control / RBAC (already complete — keep green)

| Feature | Status | Notes |
|---|---|---|
| 5‑tier content ACL (None/Viewer/Contributor/Editor/Manager) | ✅ | Positions as first‑class subjects |
| Folder cascade + file override + deny | ✅ | |
| Folder index‑filtering (closed‑by‑default) | ✅ | |
| Functional permission‑keys (separate ANDed axis) | ✅ | |
| Manager‑only declassify + workflow‑only publish | ✅ | |
### Audit & workflow (already complete — keep green)

| Feature | Status | Notes |
|---|---|---|
| Hash‑chained tamper‑evident audit log | ✅ | Gives tamper‑evidence (detect) |
| No‑code workflow designer, routing, SLA/escalation | ✅ | |
| Correspondence (sifat, kop/footer, dispositions) | ✅ | Needs edge‑case testing |
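What "tamper‑evidence (detect)" in the audit row buys, as an added example rather than Obscura's own audit code: each row's hash covers its fields plus the previous row's hash, so an in‑place edit breaks its own hash, and re‑hashing the edited row only moves the break to its successor. The entry fields, the JSON‑based hashing and the in‑memory log are assumptions of this example. The one thing a chain cannot detect on its own is rows silently dropped from the tail, which is why `Head()` exists: anchoring the latest hash somewhere the database writer cannot reach is the check that closes that gap.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Entry is one audit record (assumed fields). Hash covers every field plus
// PrevHash, which links the row to its predecessor; editing, reordering or
// inserting an earlier row therefore breaks every hash after it.
type Entry struct {
	Seq      int    `json:"seq"`
	At       string `json:"at"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Object   string `json:"object"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash,omitempty"`
}

// Genesis is the PrevHash of the first entry.
var Genesis = strings.Repeat("0", 64)

// hashEntry hashes the JSON encoding with Hash cleared; encoding/json emits
// struct fields in declaration order, so the bytes are deterministic.
func hashEntry(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is a constructed in-memory stand-in for the audit table.
type AuditLog struct{ Entries []Entry }

// Append mints the next row, chained to the current head.
func (l *AuditLog) Append(at time.Time, actor, action, object string) Entry {
	e := Entry{Seq: len(l.Entries) + 1, At: at.UTC().Format(time.RFC3339),
		Actor: actor, Action: action, Object: object, PrevHash: l.Head()}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Head is the latest hash (Genesis when empty). Anchor it outside the
// database (a periodic export, a signed checkpoint): the chain alone proves
// the rows you have are consistent, not that none were dropped from the tail.
func (l *AuditLog) Head() string {
	if n := len(l.Entries); n > 0 {
		return l.Entries[n-1].Hash
	}
	return Genesis
}

// Verify walks the chain and returns the index of the first row that breaks
// it plus the reason, or -1 and "" when the chain is consistent.
func Verify(entries []Entry) (int, string) {
	prev := Genesis
	for i, e := range entries {
		switch {
		case e.Seq != i+1:
			return i, "sequence gap"
		case e.PrevHash != prev:
			return i, "prev_hash does not match predecessor"
		case hashEntry(e) != e.Hash:
			return i, "entry hash mismatch"
		}
		prev = e.Hash
	}
	return -1, ""
}

func main() {
	var l AuditLog
	t := time.Date(2026, 6, 29, 9, 0, 0, 0, time.UTC) // constructed timestamps
	l.Append(t, "alice", "document.view", "doc-1")
	l.Append(t.Add(time.Minute), "bob", "document.download", "doc-1")
	l.Append(t.Add(2*time.Minute), "alice", "document.delete", "doc-1")
	fmt.Println(Verify(l.Entries)) // -1 ""
	l.Entries[1].Action = "document.view" // someone rewrites history in place
	fmt.Println(Verify(l.Entries)) // 1 entry hash mismatch
}
```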
## P2 — Medium priority

### AI document‑intelligence (ACL‑aware; provider‑swappable)

| Feature | Status | Notes |
|---|---|---|
| Provider seam (Anthropic / OpenAI / mock) | ✅ | |
| Summarize, classify (backend) | ✅ | No UI yet |
| Auto‑classification & filing at ingest | ⬜ | |
| Content intelligence: RAG Q&A, semantic search, drafting | ⬜ | Needs embedding index |
| Intelligent field extraction (AI‑1) | ⬜ | |
| Duplicate / near‑duplicate detection (AI‑3) | ⬜ | |
| Semantic document comparison (AI‑4) | ⬜ | |
| Related documents / institutional memory (AI‑5) | ⬜ | |
| Workflow copilot (AI‑7) | ⬜ | |
| Pre‑flight completeness check (AI‑8) | ⬜ | |
| Auto‑redaction (AI‑11) | ⬜ | |
| Natural‑language reporting (AI‑12) | ⬜ | |
### Trusted long‑term signatures

| Feature | Status | Notes |
|---|---|---|
| Internal e‑signature (PAdES) + multi‑signer | ✅ | |
| External‑party signing (no account; public token‑gated /sign page) | ✅ | Phase 1 (Global/Mekari externals, WhatsApp‑OTP) + Phase 2 (2026‑06‑29): internal‑tier externals — a provider="local" envelope (no Mekari), Obscura‑emailed 6‑digit OTP (sha256 + 10m + ≤5 attempts), self‑hosted attestation PAdES signed under the in‑house CA (system:obscura-attestation), evidence assurance=internal/is_external, roster‑driven finalize. Parallel + sequential. Final review SHIP‑WITH‑NITS (no HIGH/CRITICAL); self‑driving mailpit e2e PASS. Follow‑ups (optional, integrity‑safe): (a) remap the UNIQUE(document_id,version) collision two simultaneous parallel local signers can hit to a friendly ErrConflict retry (today: one signer sees an opaque 500, no signature lost); (b) modal re‑validates the external roster vs tier on tier‑change (server already fails closed); (c) subtle.ConstantTimeCompare on the OTP‑hash check (hygiene). |
| External sealer seam (Mekari / Peruri PSrE) | 🌱 | Mock until sandbox creds |
| PAdES‑LTV / TSA timestamping | ⏸ | DEFERRED (2026‑06‑29, after empirical check): Mekari Global already ships full PAdES‑B‑LT — embedded RFC‑3161 signature timestamp + DSS/OCSP/CRL, GlobalSign AATL cert — so the certified/high‑stakes path is covered. Only the in‑house (internal‑tier, self‑signed‑CA) signatures lack LTV, and those are lower‑stakes (trust confined to the org’s own domain). Build only when a customer with long‑retention internal‑archive needs asks; minimal slice = self‑hosted RFC‑3161 TSA + B‑T timestamp on the pdfsign path. Do NOT add LTV on Mekari output (redundant + risks breaking their B‑LT). |
| e‑Meterai request + affix flow | 🌱 | Mock; official‑sign‑first rule enforced |
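The emailed‑OTP check the Phase 2 notes describe (sha256‑hashed code, 10‑minute window, at most 5 attempts) with follow‑up (c) already applied, as an added example that is not Obscura's own envelope code. The `Challenge` record, the per‑challenge salt and the error values are assumptions of this example; the three rules it enforces are the ones on the page. The ordering matters for failing closed: used, expired and locked challenges are rejected before any comparison, the attempt is charged before the compare so a client that retries on error gets no free guesses, and the compare itself is `subtle.ConstantTimeCompare`.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const (
	otpTTL         = 10 * time.Minute // the "10m" window on the page
	otpMaxAttempts = 5                // the "≤5 attempts" rule on the page
)

var (
	ErrUsed     = errors.New("otp already used")
	ErrExpired  = errors.New("otp expired")
	ErrLocked   = errors.New("otp attempt limit reached")
	ErrMismatch = errors.New("otp mismatch")
)

// Challenge is what the server persists (assumed shape). The code itself is only
// ever emailed; the store holds sha256(salt || code), so a database read does not leak it.
type Challenge struct {
	Salt      []byte
	Hash      []byte
	ExpiresAt time.Time
	Attempts  int
	Used      bool
}

func hashCode(salt []byte, code string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(code))
	return h.Sum(nil)
}

// Issue draws a uniform 6-digit code (rand.Int avoids modulo bias) and a
// per-challenge salt, returning the code to email and the record to store.
func Issue(now time.Time) (string, *Challenge, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return "", nil, err
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", nil, err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	return code, &Challenge{Salt: salt, Hash: hashCode(salt, code), ExpiresAt: now.Add(otpTTL)}, nil
}

// Check fails closed: state checks first, the attempt is charged before the
// compare, and the compare is constant-time (follow-up (c) on the page).
func Check(c *Challenge, code string, now time.Time) error {
	switch {
	case c.Used:
		return ErrUsed
	case !now.Before(c.ExpiresAt):
		return ErrExpired
	case c.Attempts >= otpMaxAttempts:
		return ErrLocked
	}
	c.Attempts++
	if subtle.ConstantTimeCompare(hashCode(c.Salt, code), c.Hash) != 1 {
		return ErrMismatch
	}
	c.Used = true
	return nil
}

func main() {
	now := time.Now()
	code, ch, err := Issue(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("wrong guess:", Check(ch, "not-a-code", now)) // constructed wrong input
	fmt.Println("right code: ", Check(ch, code, now))
	fmt.Println("replay:     ", Check(ch, code, now))
}
```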
### Software anti‑piracy / licensing (hybrid model)

Reality: on‑prem means the customer controls the binary — licensing is a strong deterrent, not an unbreakable one. Goal: stop casual copying, enforce seats + expiry, and enable a remote kill‑switch when connected. Must work fully offline for air‑gapped installs.

| Feature | Status | Notes |
|---|---|---|
| Signed offline license file (floor) | ✅ | Program B: signed Ed25519 license JSON, fails‑closed read path, node‑lock (machine‑id / OBSCURA_NODE_ID; empty = unlocked) + expiry + seats; works air‑gapped. GA build pins the prod public key via ldflags (licensegen -verify) so release builds reject dev‑key licenses. See LICENSING.md |
| Feature/seat gating from license | ✅ | License toggles the premium modules (correspondence / watermarking / ai / esign) end‑to‑end via requireModule + UI enabled_modules; seats advisory |
| License admin UI + lawful‑basis surfacing | ✅ | Admin → Licensing tab (LicensingTab): shows current license + modules + node‑lock + expiry, live upload/hot‑swap (atomic pointer) |
| Online activation + heartbeat (when connected) | ⬜ | Periodic phone‑home + remote kill‑switch; optional, never required offline. The remaining licensing follow‑up |
| Tamper / integrity checks | ⬜ | Detect patched binaries; raise the cost of cracking (GA license‑key build‑pinning done; runtime binary‑tamper detection not built) |
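The signed‑license read path from the "Signed offline license file" row, as an added example that is not Program B's code and does not claim to match the LICENSING.md file format: Ed25519 over the exact JSON bytes that were signed, a verify that fails closed on any doubt, node‑lock where an empty `node_id` means unlocked, expiry, and a public key pinned at build time with `-ldflags "-X ..."` so a release binary rejects dev‑key licenses. The `License` and `Envelope` fields, the `pinnedPubKeyB64` variable and the module names are assumptions; seats are carried in the payload but, as on the page, advisory rather than enforced here.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// License is the signed payload (assumed fields): only what the server enforces.
type License struct {
	Customer string   `json:"customer"`
	Modules  []string `json:"modules"`
	Seats    int      `json:"seats"`
	NodeID   string   `json:"node_id,omitempty"` // empty = not node-locked
	NotAfter string   `json:"not_after"`         // RFC 3339, UTC
}

// Envelope is the license file: the exact payload bytes that were signed plus a
// detached Ed25519 signature. Verify uses Payload as-is and never re-marshals it.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// pinnedPubKeyB64 is injected into GA builds, e.g.
//   go build -ldflags "-X main.pinnedPubKeyB64=<base64 Ed25519 public key>"
// so release binaries only trust the production key. Empty in dev builds.
var pinnedPubKeyB64 string

// Sign is the licensegen side: marshal once, sign those bytes.
func Sign(priv ed25519.PrivateKey, lic License) (Envelope, error) {
	payload, err := json.Marshal(lic)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the fails-closed read path: any doubt returns nil and an error.
func Verify(pub ed25519.PublicKey, env Envelope, nodeID string, now time.Time) (*License, error) {
	if len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("no trusted public key")
	}
	if !ed25519.Verify(pub, env.Payload, env.Signature) {
		return nil, errors.New("bad signature")
	}
	var lic License
	if err := json.Unmarshal(env.Payload, &lic); err != nil {
		return nil, err
	}
	notAfter, err := time.Parse(time.RFC3339, lic.NotAfter)
	if err != nil {
		return nil, errors.New("unparseable expiry")
	}
	if !now.Before(notAfter) {
		return nil, errors.New("license expired")
	}
	if lic.NodeID != "" && lic.NodeID != nodeID {
		return nil, errors.New("license locked to a different node")
	}
	return &lic, nil
}

// HasModule is what a requireModule-style gate would consult.
func (l *License) HasModule(name string) bool {
	for _, m := range l.Modules {
		if m == name {
			return true
		}
	}
	return false
}

// trustedKey returns the pinned production key when one was built in, the dev
// key otherwise. A pin that fails to decode yields nil, never a silent fallback.
func trustedKey(devPub ed25519.PublicKey) ed25519.PublicKey {
	if pinnedPubKeyB64 == "" {
		return devPub
	}
	k, err := base64.StdEncoding.DecodeString(pinnedPubKeyB64)
	if err != nil {
		return nil
	}
	return ed25519.PublicKey(k)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed dev key pair
	env, _ := Sign(priv, License{Customer: "Example Agency", Modules: []string{"esign"},
		Seats: 50, NodeID: "node-A", NotAfter: "2027-01-01T00:00:00Z"})
	lic, err := Verify(trustedKey(pub), env, "node-A", time.Now())
	fmt.Println("esign enabled:", lic != nil && lic.HasModule("esign"), "err:", err)
}
```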
## P3 — Low priority

### Forensic watermarking / steganography (document‑tracing engine)

The product’s headline differentiator, but the heaviest lift (Python sidecar + OpenCV/OCR + KMS + vault). Deferred by decision. Policy seam + issuance‑ledger plumbing already exist (protection/), so the real engine swaps in with no caller changes.

| Feature | Status | Notes |
|---|---|---|
| Protection policy + issuance‑ledger chokepoint | 🌱 | Deliverer mints issuance rows; engine is no‑op |
| gRPC contract proto/stego/v1/stego.proto | ✅ | Contract only |
| Python stego sidecar (encode/decode/normalize) | ⬜ | In sibling repo pdfprotect-stego, not integrated |
| Channel V (geomstego — crop/screenshot resilient) | ⬜ | Blind verification |
| Channel K (kerning — camera/print‑scan) + one‑sided fix | ⬜ | Needs starmap vault |
| Unified font‑aware surgery (simple + CID) | ⬜ | The keystone |
| Unified payload (issuance_id + keyed‑MAC + Reed‑Solomon) | ⬜ | Kills false‑positive attribution |
| Starmap vault (encrypted, KMS) | ⬜ | |
| Blind public verify (V‑only) | ⬜ | |
| Forensic console (V+K + cross‑channel agreement) | ⬜ | |
| Verification‑as‑a‑Service API | ⬜ | |
| Watermark‑on‑view in preview | ⬜ | |
| Fail‑closed download on protected docs | ⬜ | |
| Anti‑collusion (Tardos) + print‑scan corpus | ⬜ | Research roadmap |
### Records management & compliance (mostly low‑demand in Indonesia)

| Feature | Status | Notes |
|---|---|---|
| WORM / immutable storage | ⬜ | Write‑Once‑Read‑Many: once committed, a version can’t be altered/deleted until retention expires (even by admins, in compliance mode). Value: legal defensibility + ransomware/insider protection. Partly mitigated by our hash‑chained audit (detect vs prevent). Low for ID market |
| File plan / records certification (DoD 5015.2, ISO 15489) | ⬜ | |
| eDiscovery / litigation export | ⬜ | |
| DPIA hook + lawful‑basis record (GDPR) | ⬜ | |
| Antivirus / malware scan on upload | ⬜ | |
### Integrations on demand

| Feature | Status | Notes |
|---|---|---|
| WebDAV / drive mount | ⬜ | Boilerplate/seam only, unless a client requests it |
| Office co‑authoring (WOPI) | ⬜ | On request |
### Platform & reach (sequenced as needed / pre‑GA)

| Feature | Status | Notes |
|---|---|---|
| Password auth + sessions + OIDC SSO | ✅ | |
| 2FA / TOTP | ✅ | |
| SCIM provisioning, AD/LDAP, multi‑IdP | ⬜ | Only OIDC today |
| WebAuthn / passkeys | ⬜ | |
| Multi‑channel notifications | ✅ | Confirm channel reach (email/push) |
| Secure external share links | ✅ | Watermark‑on‑access pending the stego engine |
| DLP controls per classification | ✅ | AllowDownload gate on /content; restricted no‑download canvas preview |
| Public REST API + webhooks + connectors | ⬜ | Email‑ingest, cloud storage, core‑banking hooks |
| Full mobile app + camera scan‑to‑intake | ⬜ | |
| Air‑gapped deployment kit (incl. on‑prem AI) | ⬜ | Tied to on‑prem strategy + licensing |
| Backup / corpus‑manifest export | ✅ | DR / RPO‑RTO ⬜ |
| Storage quotas | ✅ | |
| Reports / dashboard | ✅ | Basic stat tiles |
| i18n (EN/ID) | ✅ | |
| Observability (metrics/tracing/structured logs) | ⬜ | Health endpoint only |
| Rate limiting / API keys | ⬜ | |
| Multi‑tenancy | ⬜ | Single‑tenant by design (on‑prem makes it moot; revisit for SaaS) |
| Accessibility (WCAG) | ⬜ | Unverified |
## Parked — explicitly out of scope

| Feature | Why |
|---|---|
| PDF annotation / markup (F‑8) | Not needed |
| Smart folders / saved searches (F‑7) | Parked |
| AI‑2 scanned‑mail OCR intake | Parked |
| AI‑6 translation | Parked |
| AI‑9 work digest | Parked |
| AI‑10 records/retention auto‑classification | Parked (manual retention is high‑priority instead) |
## Honesty notes (set expectations)

- The DMS shell is ~80–85% done; the product spine is not. Forensic watermarking is a no‑op seam, and the AI intelligence layer is ~15% (2 of ~11 features, backend‑only). “Almost done” applies to the shell, not the differentiators.
- Two deferred engines both swap in behind existing seams with no caller changes: the stego sidecar (gRPC, low priority) and the external e‑sign/e‑Meterai providers (Mekari/Peruri, awaiting creds).
- On‑prem deterrence has limits. Both software anti‑piracy and forensic watermarking are cost‑raising deterrents, not guarantees — the customer/leaker controls the artifact.