Open issues¶

Decision required before M2 production cutover

Paths:

1. Malaysian Digital Signature Act 1997 compliance via a licensed CA (MSC Trustgate, Pos Digicert).
2. Interim self-signed organisational certs, upgraded to a licensed CA before M6 go-live.

Why it matters. Kertas Perakuan and SIGL carry regulatory weight; the signature must be legally recognised at production. Both paths are workable for dev / UAT; only path 1 is viable long-term.

Blocks: production cutover of signing-svc.

Owned by the GT Console / CityOS platform team

Whether MyDigital ID is mandatory for any persona. This is no longer a SISS decision — it is a GT Console identity-federation decision that applies to every CityOS module. SISS accepts whatever GT Console configures, since SISS receives OIDC bearer tokens and does not own the federation layer.

Blocks: final PSP sign-up UX (not strictly blocking M2 build).

Affects bim-svc outbound sync design

Whether Autodesk Construction Cloud is the client's system-of-record for BIM federation. If yes, bim-svc needs an outbound sync path; if no, federation is SISS-internal only.

Blocks: M5 federated-view mode design.

Source for zoning envelope data (M5)

Source of zoning envelope data for the M5 zoning comparison:

• SI-internal GIS — requires CMU data owner readiness.
• Third-party provider — moves faster, but introduces an external dependency.

A stub interface is specified; the real integration depends on the data owner's readiness.

Blocks: M5 zoning-compare activation.

Affects deliverability and per-recipient volume

Options for notification-svc email delivery:

• SendGrid — easiest, highest deliverability, external provider.
• Google Workspace SMTP — aligned with existing tenancy; lower volume.
• Government mail gateway — mandated for some Malaysian gov projects; slowest onboarding.

Blocks: M2 production rollout of notifications (not dev / UAT).

Corpus needs to be sourced

The product backlog notes: "No clear pathway on how to train the AI to pre-fill each technical agency checking."

The ai-svc design assumes a curated corpus of historical comments per department. That corpus needs to be sourced from CMU / ATD / ATL archives.

Blocks: M3 AI-drafted comment quality (not strictly M2).

Confirm with the GT Console / CityOS platform team

The siss.* permission catalog proposed in Security & RBAC and Platform integration is the SISS team's working set. It needs confirmation with the GT Console team before being encoded in GT Console role definitions, since the role / permission model is owned there.

Open sub-questions:

• Delivery mechanism for GT Console → SISS integration events (Pub/Sub bridge vs. direct webhook into core-svc).
• Whether auditors see a unified GT Console + SISS audit view, or two linked views.

Blocks: encoding siss.* roles in GT Console; implementation of the integration event consumers.