From 786d3e47afae43f1e1d1801d3305335b3838cfbd Mon Sep 17 00:00:00 2001 From: Mike Swanson Date: Sat, 30 May 2026 17:36:18 -0700 Subject: [PATCH] =?UTF-8?q?docs:=20correct=20roadmap=20=E2=80=94=20v2=20Ph?= =?UTF-8?q?ase=201=20already=20landed,=20not=20a=20future=20sprint?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Re-baseline against actual git/deploy state: secure-session-core Tasks 1-7 are committed and DEPLOYED; the 3 audit CRITICALs are closed and live in prod (verified: deployed checkout abc55ab descends from the CRITICAL#1 fix + Task 7; guruconnect.service running on :3002). The prior "Sprint 0: bypasses are live" banner was wrong (stale 2026-05-29 audit narrative) and is removed. Remaining to exit Phase 1 = secure-session-core Task 8 (e2e verification + security re-audit) + Code-Review sign-off on Tasks 3-5. Schema note corrected (connect_agent_keys + tenancy already exist via migration 004). Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/FEATURE_ROADMAP.md | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/docs/FEATURE_ROADMAP.md b/docs/FEATURE_ROADMAP.md index 938f282..ae8e4d8 100644 --- a/docs/FEATURE_ROADMAP.md +++ b/docs/FEATURE_ROADMAP.md @@ -8,12 +8,19 @@ GuruConnect is a standalone remote-support product (ScreenConnect/Splashtop-clas stack. It ships independently of GuruRMM and integrates with it via a versioned contract (see `specs/native-remote-control/` and ADR-001). -> **Active direction (2026-05-30): v2 reset.** Per [SPEC-002](specs/SPEC-002-v2-modernization-architecture.md), -> GuruConnect is being rebuilt above the salvaged Windows-internals cores. The feature specs below -> (SPEC-003–009) are **work-items inside the v2 phases**, not independent v1 backlog — see the mapping. -> **Sprint 0 (do first):** surgical v1 hotfix closing the 3 relay-auth CRITICALs (delete the -> JWT-as-agent-key branch; enforce blacklist + session-claim checks on the viewer WS) — the bypasses -> are live and the full v2 rebuild is multi-month. +> **Active direction: v2 reset — Phase 1 already landed (2026-05-30).** Per +> [SPEC-002](specs/SPEC-002-v2-modernization-architecture.md), GuruConnect is being rebuilt above the +> salvaged Windows-internals cores. **v2 Phase 1 (secure session core) is implemented in-place and +> deployed** — secure-session-core **Tasks 1–7 are committed** ([plan](specs/v2-secure-session-core/plan.md)), +> and the **3 audit CRITICALs are closed and live in production** (session-scoped viewer tokens + session-claim +> match, blacklist-on-WS, agent-plane rejects user JWTs via per-agent `cak_` keys). The feature specs below +> (SPEC-003–009) are **work-items inside the later v2 phases** — see the mapping. +> +> **Remaining to formally exit Phase 1:** secure-session-core **Task 8** (end-to-end verification + +> `/gc-audit --pass=security` re-audit + the manual CRITICAL checks) and Code-Review sign-off on Tasks 3–5 +> (implemented without a local toolchain at the time; since built + deployed). Live HW-H.264 validation is +> also pending — raw+Zstd remains the shipping default. ~~Sprint 0 (relay-auth CRITICAL hotfix)~~ **not +> needed — those fixes shipped in Tasks 2–3.** ### v2 phase mapping of current specs @@ -25,8 +32,10 @@ stack. It ships independently of GuruRMM and integrates with it via a versioned | **SPEC-005** (list view) · **SPEC-006** (search) · **SPEC-007** (installer) | **Phase 2 — dashboard** | built on the v2 dashboard + Phase-1 keys | | **SPEC-009** (documented API + tokens) | **Phase 3 — integration contract** | alongside `/api/integration/v1/` | -> Schema note: SPEC-002 Phase 0's "fresh v2 schema" should already carry SPEC-003's inventory columns, -> SPEC-004's `machine_uid`, and `connect_agent_keys` — born into v2, not retrofitted as later migrations. +> Schema note: the v2 tenancy-ready schema + `connect_agent_keys` already exist (Task 1 / migration +> `004_v2_secure_session_core.sql`). SPEC-004's per-agent-key identity binding is largely covered by +> Tasks 1–3; what remains of SPEC-004 (deterministic `machine_uid`, TTL session reaping, operator bulk +> removal) and SPEC-003's inventory columns are the additive Phase-2 migrations to fold onto that base. ---