photoncloud-monorepo/docs/por/T003-feature-gaps/iam-gaps.md
centra a7ec7e2158 Add T026 practical test + k8shost to flake + workspace files
- Created T026-practical-test task.yaml for MVP smoke testing
- Added k8shost-server to flake.nix (packages, apps, overlays)
- Staged all workspace directories for nix flake build
- Updated flake.nix shellHook to include k8shost

Resolves: T026.S1 blocker (R8 - nix submodule visibility)
2025-12-09 06:07:50 +09:00


# IAM/Aegis Feature Gap Analysis

**Date**: 2025-12-08
**Implementation Status**: 84% (38/45 features)

## Summary

This is the strongest implementation: core RBAC/ABAC is working, and the gaps are mainly in operational features.

## Gap Analysis

| Feature | Spec Section | Priority | Complexity | Notes |
|---------|--------------|----------|------------|-------|
| Metrics/Monitoring | 12.4 | P0 | Small (1-2 days) | No Prometheus metrics. |
| Health Endpoints | 12.4 | P0 | Small (1 day) | No /health or /ready. Critical for K8s. |
| Group Management | 3.1 | P1 | Medium (3-5 days) | Groups defined but no membership logic. |
| Group Expansion in Authz | 6.1 | P1 | Medium (3-5 days) | Need to expand group memberships during authorization. |
| Audit Integration | 11.4 | P1 | Small (2 days) | Events defined but not integrated into gRPC services. |
| OIDC Principal Mapping | 11.1 | P1 | Medium (3 days) | JWT verification works but no end-to-end flow. |
| Pagination Support | 5.2 | P2 | Small (1-2 days) | List ops return empty next_page_token. |
| Authorization Tracking | 5.1 | P2 | Small (1 day) | matched_binding/role always empty (TODO in code). |

## Working Features

- Authorization Service (RBAC + ABAC)
- All ABAC condition types
- Token Service (issue, validate, revoke, refresh)
- Admin Service (Principal/Role/Binding CRUD)
- Policy Evaluator with caching
- Multiple storage backends (Memory, Chainfire, FlareDB)
- JWT/OIDC verification
- mTLS support
- 7 builtin roles

## Effort Estimate

**P0 fixes**: 2-3 days
**P1 fixes**: 1.5-2 weeks
**Total**: ~2-3 weeks focused development