Roadmap

The architecture of this PoC was designed from the ground up for extensibility. The use of a SharedKeyRegistry and the existing database schema (which includes models for Teams and Projects) provides a strong foundation for building a production-grade service.

Architectural Extensibility

The current design makes it straightforward to add more sophisticated features without a major overhaul:

  • Granular Roles: New access levels (e.g., "Editor," "Commenter," "Viewer") can be added by simply extending the SharedKeyRegistry with a role column. The API logic can then enforce permissions based on this role.
  • Group-Based Permissions: The groundwork is already laid for team- and project-based sharing. Building API endpoints to manage these groups and link them to documents is a logical next step.
  • Attribute-Based Access: In the future, the model could even be extended to support attribute-based access control (ABAC), where permissions are granted based on user attributes (e.g., "only users from the 'Finance' department in 'Europe' can access").

Roadmap

The path from this PoC to a full-featured, production-ready system can be broken down into clear phases. This roadmap directly addresses the limitations outlined in the section above.

Phase 1: Foundational Backend (✅ Completed in this PoC)

  • Core cryptographic engine using AES-GCM and RSA.
  • Secure, per-user, per-document access control model.
  • Stateless JWT-based authentication.
  • Basic CRUD operations for users and documents.

Phase 2: Hardening for Production Backend

This phase focuses on making the backend robust, secure, and ready for integration.

  • Implement Key Rotation: Introduce a mechanism to re-encrypt documents for true cryptographic revocation when a user's access is removed.
  • Comprehensive Audit Logging: Create a tamper-resistant audit trail for all security-sensitive events (logins, shares, access, deletions).
  • Document Versioning: Build a system to manage document version history, preventing data loss in collaborative environments.
  • Team & Project Management: Implement the API endpoints to create, manage, and assign users to teams and projects, enabling group-based sharing.
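
The key rotation item above, sketched as an added example (not code from this PoC): a document is encrypted under an AES-256-GCM document key, that key is wrapped per user with RSA-OAEP, and revocation re-encrypts under a new key that is wrapped only for the remaining users. All function and field names are assumptions, as is the premise that the party performing rotation holds the current document key.

```javascript
// Added example; function and field names are assumptions, not the PoC's API.
const nodeCrypto = require('crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Encrypt the document under a fresh AES-256-GCM document key (DEK).
function encryptDocument(plaintext) {
  const dek = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const c = nodeCrypto.createCipheriv('aes-256-gcm', dek, iv);
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { dek, blob: { iv, ciphertext, tag: c.getAuthTag() } };
}

function decryptDocument(blob, dek) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', dek, blob.iv);
  d.setAuthTag(blob.tag);
  return Buffer.concat([d.update(blob.ciphertext), d.final()]); // throws on wrong key
}

// One registry row per user: the DEK wrapped with that user's RSA public key.
const wrapKey = (publicKey, dek) => nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, dek);
const unwrapKey = (privateKey, wrapped) => nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);

// Revocation with rotation: new DEK, re-encrypted blob, rows only for remaining users.
function revokeAndRotate(doc, oldDek, revokedUser, publicKeys) {
  const { dek, blob } = encryptDocument(decryptDocument(doc.blob, oldDek));
  const registry = {};
  for (const user of Object.keys(doc.registry)) {
    if (user !== revokedUser) registry[user] = wrapKey(publicKeys[user], dek);
  }
  return { blob, registry };
}

// Constructed scenario: alice and bob share a document, then bob is revoked.
function demo() {
  const keys = {}, pub = {};
  for (const u of ['alice', 'bob']) {
    keys[u] = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
    pub[u] = keys[u].publicKey;
  }
  const { dek, blob } = encryptDocument(Buffer.from('Q3 forecast (constructed sample)'));
  const doc = { blob, registry: { alice: wrapKey(pub.alice, dek), bob: wrapKey(pub.bob, dek) } };
  const bobCachedDek = unwrapKey(keys.bob.privateKey, doc.registry.bob); // kept before revocation
  const rotated = revokeAndRotate(doc, dek, 'bob', pub);
  const aliceReads = decryptDocument(rotated.blob, unwrapKey(keys.alice.privateKey, rotated.registry.alice)).toString();
  let bobReadsNew = true;
  try { decryptDocument(rotated.blob, bobCachedDek); } catch (e) { bobReadsNew = false; }
  const bobReadsOld = decryptDocument(doc.blob, bobCachedDek).toString();
  return { aliceReads, bobReadsNew, bobReadsOld, bobHasRow: 'bob' in rotated.registry };
}
```

The `bobReadsOld` result shows why the rotated blob must replace the stored one: a document key cached before revocation still opens any surviving copy of the old ciphertext.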

Phase 3: Building the Full Application Ecosystem

This phase focuses on building the user-facing components and enterprise-grade features.

  • Client-Side Crypto & UI: Develop a frontend application (web, desktop, or mobile) that performs all private key operations locally. This achieves a full zero-knowledge architecture and is the most critical step for a production system.
  • User-Friendly Account Recovery: Implement a secure workflow for users to back up and use a one-time Recovery Key.
  • SSO / LDAP Integration: Allow users to authenticate using existing enterprise identity providers.
  • Advanced Sharing Controls: Add features like expiring links, password-protected public shares, and read-only access.