Product Roadmap

Last updated: April 9, 2026. Based on comprehensive code review, competitive analysis, and architecture audit.

This roadmap consolidates all identified improvements into a prioritized timeline. Items are derived from the Competitive Analysis, security audit, frontend UX review, and architecture gap analysis.

Current State (April 2026)

Metric	Value
Golden eval pass rate	99.0% (296/299)
Medical advice incidents	ZERO
Taxonomy entities	2,663 (deduped from 12,997)
Documents / Chunks	2,548 / 10,430
Test functions	4,189+
Pyright errors	0 (fixed from 208)
Languages supported	8
Competitors in Belgian market	ZERO

Phase 0: Security & Safety (Critical — Immediate) COMPLETE

Timeline: Before next production deployment -- All items completed April 9, 2026

#	Item	Type	Effort	Status
1	Fix `::jsonb` pattern in `admin_feedback.py:920`	Security	30 min	Done
2	Add auth to `accept_improvement` endpoint	Security	1 hour	Done
3	Enable JWT `verify_aud` with Keycloak audience mapper	Security	2 hours	Open
4	Make guardrails check fail-closed (not fail-open)	Safety	1 hour	Done
5	Fix SafetySettings frontend auth bypass (null token)	Security	30 min	Done
6	Escape ILIKE wildcards in user search	Security	30 min	Done
7	Fix broken `/query` links (should be `/search`)	Bug	15 min	Done
8	Fix diagnostics tenant slug divergence	Bug	30 min	Done

Success criteria: All CRITICAL and HIGH security items resolved. Zero new safety incidents.

Phase 1: Production Hardening (High Priority — Q2 2026) COMPLETE

Timeline: April 2026 -- All items completed April 9, 2026

#	Item	Type	Effort	Status
9	Graceful shutdown handling (`--timeout-graceful-shutdown`)	Reliability	4 hours	Done
10	GDPR user deletion endpoint (`DELETE /api/v1/gdpr/users/{id}/data`)	Compliance	1 day	Done
11	Prompt versioning (`PROMPT_VERSION` constant + audit logging)	Quality	2 hours	Done
12	Deep health check endpoint (`/health/ready`)	Operations	4 hours	Done
13	Per-request token budget enforcement	Cost safety	4 hours	Open
14	Remove unused Neo4j from docker-compose	Cleanup	30 min	Done
15	Thread-safe settings (separate runtime config from `@lru_cache`)	Reliability	4 hours	Open
16	Safety regex for Dutch medication/dosage patterns	Safety	2 hours	Done
17	Reuse OpenAI client in SafetyService (not per-call)	Performance	1 hour	Done
18	Reuse GuardrailsService instance (not per-check)	Performance	1 hour	Open
19	Extract `_hospital_identity()` to shared module	Code quality	30 min	Done

Success criteria: Graceful shutdown verified. GDPR deletion tested. Health check includes LLM circuit state.

Phase 2: UX & Compliance (Medium Priority — Q2/Q3 2026)

Timeline: May-July 2026 -- 6 of 10 items completed April 9, 2026

#	Item	Type	Effort	Status
20	Internationalize hardcoded English strings (~30 strings in admin pages)	i18n	1 day	Done
21	Add `aria-live` for streaming responses	Accessibility	2 hours	Done
22	Add `prefers-reduced-motion` for admin animations	Accessibility	2 hours	Done
23	Remove unused 3D graph dependency (save ~115KB)	Performance	1 hour	Open
24	Guard console.log statements in production	Security	2 hours	Open
25	EU AI Act transparency notice (AIDisclaimer component)	Regulatory (Aug 2026 deadline)	1 day	Done
26	WCAG 2.2 AA accessibility audit	Legal requirement	3 days	Open
27	Management ROI dashboard (call deflection, search volume)	Business value	5 days	Open
28	`arq` task queue for crawl/taxonomy pipeline	Reliability	3 days	Open
29	Structured JSON logging (`structlog`)	Operations	2 days	Done

Success criteria: WCAG 2.2 AA audit passed. EU AI Act transparency notice deployed. Zero hardcoded English strings.

Phase 3: Market Features (Q3/Q4 2026)

Timeline: August-December 2026

#	Item	Type	Effort
30	Webhook receiver for Drupal content push	Integration	2 days
31	Physical wayfinding ("How to get to Department X at Campus Y")	Feature	3 days
32	Voice search (Web Speech API + Dutch ASR)	Feature	3 days
33	Appointment booking integration (Doctoranytime/Doctena API)	Feature	5 days
34	French language content pipeline	Market expansion	5 days
35	Proactive search suggestions (trending queries, seasonal)	Feature	2 days
36	SLO definitions + Prometheus alert rules	Operations	1 day
37	Data lifecycle TTLs for analytics/audit logs	Compliance	2 days
38	Automated eval regression detection in deploy pipeline	Quality	2 days
39	German language pipeline (complete trilingual Belgium)	Market expansion	2 days
40	WhatsApp channel	Feature	3 days

Success criteria: Search relevance >20% over keyword baseline. Call center load -15%. French pipeline operational.

Phase 4: Scale Preparation (2027)

#	Item	Type
41	Multi-tenant load testing	Scalability
42	Circuit breaker state in Redis (multi-instance)	Scalability
43	Hospital onboarding automation workflow	SaaS readiness
44	FHIR-based provider data import	Interoperability
45	Read replicas for PostgreSQL	Performance
46	Config refactoring (nested Pydantic settings groups)	Code quality

Architecture Decision Records to Create

ADR	Topic	Phase
ADR-0046	Clarifying Questions for Ambiguous Queries	Phase 2 (Done)
ADR-0047	Task Queue Architecture (arq)	Phase 2
ADR-0048	GDPR Data Lifecycle	Phase 1
ADR-0049	Structured Logging Standard	Phase 2
ADR-0050	SLO Definitions	Phase 3
ADR-0051	EU AI Act Compliance	Phase 2

Key Metrics to Track

Metric	Current	Phase 1 Target	Phase 3 Target
Golden eval pass rate	99.0%	99.0%	99.5%
Medical advice incidents	0	0	0
Pyright errors	0	0	0
WCAG compliance	Unaudited	Audit scheduled	AA certified
EU AI Act	Transparency notice deployed	Transparency notice	Full compliance
Languages	8 (response)	8	10 (NL+FR+DE content)
Belgian hospitals	1 (ZOL)	1	2-3

Document version: 1.1 | Date: 2026-04-09 | Author: SOFT4U BV

Current State (April 2026)​

Phase 0: Security & Safety (Critical — Immediate) COMPLETE​

Phase 1: Production Hardening (High Priority — Q2 2026) COMPLETE​

Phase 2: UX & Compliance (Medium Priority — Q2/Q3 2026)​

Phase 3: Market Features (Q3/Q4 2026)​

Phase 4: Scale Preparation (2027)​

Architecture Decision Records to Create​

Key Metrics to Track​