Clarify RelayX roadmap status model

Author: RedteamNotes

docs/ROADMAP.md

@@ -4,12 +4,17 @@ RelayX is an OPSEC-aware NTLM relay exposure assessment, lab-calibrated
 validation, and controlled execution orchestration tool for authorized red
 teaming.
 
-This roadmap tracks the product direction without using development phase
-labels. The guiding standard is evidence-backed relay exposure analysis:
+This roadmap separates implemented product capability from data-dependent
+calibration work, deliberately disabled live capability, and future engineering
+tracks. The guiding standard is evidence-backed relay exposure analysis:
 RelayX should explain what it observed, what it inferred, what remains
 uncertain, and what an operator is allowed to do next.
 
-## Current Capabilities
+## Implemented In v0.1.14
+
+The v0.1.14 release completes the current engineering baseline for RelayX.
+These capabilities are implemented, schema-covered, documented, and guarded by
+the quality gate.
 
 - Native readiness assessment for SMB, HTTP/HTTPS NTLM, LDAP/LDAPS, and MSSQL.
 - NTLM Type1/Type2 challenge-flow evidence for HTTP, LDAP/LDAPS, and MSSQL.
@@ -25,6 +30,8 @@ uncertain, and what an operator is allowed to do next.
   noise, blocker, remediation, and expected telemetry metadata.
 - Route/Pivot Awareness for source sessions, segments, subnets, structured
   route hops, pivot type normalization, reachability state, and route risk.
+- Authorized direct TCP reachability checks from the operator runtime for route
+  reports without opening or operating pivot sessions.
 - Relay calculus annotations for rule ID, target family, preconditions,
   hardening gates, decision state, and defensive controls.
 - Lab calibration profiles and baseline comparison for controlled IIS/AD CS,
@@ -46,40 +53,42 @@ uncertain, and what an operator is allowed to do next.
 - Evidence source taxonomy for separating wire observations, policy
   inferences, lab-calibration evidence, source and route models, control
   mappings, operator context, errors, and unsupported boundaries.
+- OPSEC policies for validation, execution, source planning, listener planning,
+  callback planning, connect checks, armed mode, and confirmed mode.
+- Operation controls for assessment, route-check, and validation commands,
+  including rate-limit, delay, jitter, start-after, and stop-before.
 - Guarded validation and controlled execution state machines with dry-run,
   armed, and confirmed modes.
 - Execution module inventory, module planning, and Adapter SDK dispatch,
   including a supported offline audit-record adapter, credential/listener
-  policy guardrails, lifecycle audit, and explicit unsupported boundaries for
-  live relay adapters.
+  policy guardrails, lifecycle audit, lab-only fixture boundaries, and explicit
+  unsupported boundaries for live relay adapters.
 - Versioned schema and evidence contract validation for results, lab profiles,
   corpuses, lab provenance reports, lab stability reports, execution records,
   module manifests, OPSEC policies, route reports, bundle manifests, quality
   gates, OpenGraph, JSONL, and CSV.
-- Versioned lab confidence contracts for calibration decisions and baseline
-  comparisons, including evidence sources, discriminators, promotion gates, and
-  remaining uncertainty.
 - Enterprise exports for OpenGraph-style graph analysis, JSONL, CSV, Markdown,
   HTML, Mermaid, multi-scan diffing, and remediation impact simulation.
 - Enterprise bundle generation with manifest, artifact hashes, schema
   validation status, and optional route report.
-- CI and release quality gates for package metadata, fixtures, schema
-  contracts, enterprise docs, GitHub workflows, wheel builds, and install
-  smoke tests.
+- Quality-gate v2 contract for release automation, including package metadata,
+  fixture determinism, schema contracts, documentation coverage, GitHub
+  workflow coverage, wheel build expectations, and install smoke tests.
 - Short option aliases and curated help topics for common interactive CLI
   workflows, with safety-sensitive guardrails preserved.
 - Complete offline tutorial and schema-validated example result fixtures that
   exercise assessment review, calibration, validation planning, offline
   execution audit, enterprise bundle, diff, and remediation simulation
   workflows.
+- Authorized AD/IIS/AD CS/MSSQL integration-test expectations documented in
+  `docs/INTEGRATION_TESTS.md`.
 
-## Evidence And Calibration
-
-The highest priority is to keep improving judgement quality. RelayX should
-promote a conservative finding only when a lab profile, a baseline difference,
-or an explicit protocol diagnostic supports the promotion.
+## Data-Dependent Calibration Work
 
-Near-term work:
+This work is not blocked by missing framework code. It depends on authorized
+lab environments and repeated real captures. The current codebase already has
+the corpus, provenance, stability, differential, schema, and quality-gate
+contracts needed to ingest this data.
 
 - Populate the real lab profile corpus across Windows Server, IIS, AD CS,
   domain controller, and SQL Server policy matrices.
@@ -95,7 +104,7 @@ Near-term work:
 - Keep synthetic authentication rejection states subdivided without treating
   invalid-credential rejection as proof of relayability.
 
-Relevant fixtures:
+Relevant fixture and contract files:
 
 - `fixtures/protocol_validation_matrix.json`
 - `fixtures/relay_calculus_matrix.json`
@@ -105,98 +114,108 @@ Relevant fixtures:
 - `fixtures/enterprise_output_matrix.json`
 - `fixtures/execution_module_matrix.json`
 - `fixtures/route_pivot_matrix.json`
+- `fixtures/lab_corpus/*.json`
 
-## OPSEC And Scope
+## Next Development Tracks
 
-RelayX should favor controlled, auditable action over broad probing.
+These tracks are suitable for continued development now because they improve
+trust, reporting, and reviewability without enabling uncontrolled live relay
+execution.
+
+### Enterprise Trust
 
-Current capabilities:
-
-- Assessment, route-check, and validation commands support rate-limit,
-  delay, jitter, start-after, and stop-before operation controls.
-- Confirmed validation reprobes fail closed outside the configured operation
-  window; dry-run planning records the same window as a warning.
-- Route reports can optionally run authorized direct TCP reachability checks
-  from the operator runtime without opening or operating pivot sessions.
-- OPSEC policies can require explicit scope for connect checks, listener
-  planning, callback planning, source planning, armed mode, and confirmed mode.
-- Source plans and execution plans record listener and callback scope contracts.
-- Active and future-active operations record expected telemetry and rollback
-  steps in JSON artifacts and audit records.
-- Machine-readable JSON, CSV, JSONL, HTML, Markdown, Mermaid, and graph exports
-  remain banner-free and stable by default.
-
-Future work:
-
-- Add policy-profile presets for common engagement windows and rate envelopes.
-- Extend route reachability validation with authorized pre-existing proxy/tun
-  adapters while preserving no-broad-pivot defaults.
-- Add deeper telemetry mapping by Windows event family, IIS log surface, SQL
-  audit source, and network sensor type.
-
-## Controlled Execution
-
-The execution core currently supports safe offline audit recording through the
-RelayX Adapter SDK. Live relay adapters remain disabled until they pass
-protocol design review, credential handling review, OPSEC review, and
-authorized lab regression.
-
-Current capabilities:
-
-- Execution module manifests support lab-only fixture contracts before any live
-  module can be registered as supported; lab-only modules hard-fail in
-  confirmed mode.
-- Adapter contracts record one-shot behavior, fail-closed timeout behavior,
-  expected telemetry, and evidence capture requirements.
-- Confirmed execution requires explicit operator identity, reason,
-  confirmation, scope, audit log, and acceptable OPSEC noise.
-- Source-side triggers remain separated from target relay execution; future
-  network execution modules are blocked unless source-trigger planning and
-  target execution are individually scoped and audited.
-- The only supported built-in adapter remains `relayx_audit_record`, which
-  performs offline audit recording without listeners, credential handling,
-  source triggers, or network relay.
-
-Future work:
-
-- Add authorized lab regression packs for protocol-specific live adapter
-  candidates before considering registration.
-- Add adapter-specific integration tests that prove listener lifecycle,
-  credential handling, one-shot behavior, and rollback under isolated lab
-  conditions.
-
-## Enterprise Output
-
-RelayX should be useful to operators, defenders, and reporting teams from the
-same result file.
-
-Current capabilities:
-
-- OpenGraph exports include a field contract version, deterministic edge IDs,
-  explicit node/edge mappings, RelayX control nodes, and path-to-control edges.
-- HTML reports include offline filters for severity, status, protocol, source
-  capability, target family, defensive control, and free-text review.
-- CSV and JSONL exports use stable field contracts for SIEM, blue-team, and
-  spreadsheet ingestion.
-- Multi-scan diffing reports exposure trend, score delta, control trends,
-  remediation regressions, and remediation improvements.
-- Remediation simulation reports control dependencies, remaining controls,
-  remaining target families, and estimated residual exposure.
-
-Future work:
+Goal: strengthen enterprise handoff integrity and downstream ingestion.
 
 - Add signed export manifests for organizations that need immutable evidence
   handoff packages.
-- Add optional team-defined CSV/JSONL field allowlists without changing the
-  default contract.
+- Add `relayx bundle verify` or equivalent manifest verification.
+- Add export profiles for team-defined CSV/JSONL allowlists while preserving
+  the default stable field contract.
+- Add quality-gate checks for signed bundle metadata and export profile schema.
+
+### Telemetry Catalog
+
+Goal: make expected telemetry more precise without pretending lab-specific
+event behavior is universal.
+
+- Add a telemetry catalog schema and fixtures for Windows security events,
+  LDAP bind failures, IIS logs, AD CS Web Enrollment logs, SQL Server audit or
+  error events, and network sensor observations.
+- Map validation and execution plans to expected telemetry families.
+- Add report and bundle sections that show expected telemetry, collection
+  surface, rollback notes, and remaining uncertainty.
+- Fill exact event IDs, log fields, and product-specific differences from
+  authorized lab captures over time.
+
+### Route Adapter SDK
+
+Goal: support richer authorized reachability checks while preserving the
+current no-broad-pivot default.
+
+- Add route adapter contracts for pre-existing proxy, tun, or SOCKS contexts.
+- Keep proxy/tun checks disabled or lab-only until scope, audit, OPSEC, and
+  regression requirements are satisfied.
+- Record adapter identity, route scope, expected telemetry, timeout behavior,
+  and rollback assumptions.
+- Keep direct TCP checks as the default operator-runtime reachability mode.
+
+### Live Capability Review Pack
+
+Goal: prepare for future live modules without registering live relay
+capability by default.
+
+- Add protocol design review checklists for future live relay adapters.
+- Add credential handling policy checks for capture, forwarding, storage,
+  masking, and audit boundaries.
+- Add listener lifecycle fixtures for bind, accept, timeout, cleanup, and
+  rollback behavior.
+- Add mock/lab-only adapters and negative tests that prove unsupported or
+  lab-only modules cannot dispatch in confirmed mode.
+- Add authorized lab regression harness requirements before any live adapter
+  can be registered as supported.
+
+## Deliberately Disabled Pending Review
+
+These capabilities are intentionally not enabled in the default product. They
+should remain disabled until they pass protocol design review, credential
+handling review, OPSEC review, and authorized lab regression.
+
+- Live relay adapters.
+- Source trigger and target relay linked execution.
+- Credential capture or forwarding by RelayX execution modules.
+- Listener-backed live relay modules.
+- Proxy/tun route reachability adapters outside lab-only or explicitly
+  authorized adapter contracts.
+
+Current controlled execution support remains limited to safe offline audit
+recording through `relayx_audit_record`.
+
+## OPSEC Direction
+
+RelayX should favor controlled, auditable action over broad probing.
+
+Current OPSEC capabilities are implemented in v0.1.14. Future OPSEC work should
+focus on:
+
+- Policy-profile presets for common engagement windows and rate envelopes.
+- Deeper telemetry mapping by Windows event family, IIS log surface, SQL audit
+  source, LDAP diagnostic surface, AD CS web logs, and network sensor type.
+- Richer route reachability validation through authorized, scoped adapters
+  while preserving no-broad-pivot defaults.
+- Stronger rollback recording for active or future-active operations.
 
-## Engineering Quality
+## Engineering Quality Direction
 
-Near-term work:
+The engineering quality baseline is implemented in v0.1.14. Future quality
+work should focus on keeping release automation trustworthy as the project adds
+real lab data and future adapter contracts.
 
-- Keep the `relayx quality-gate` contract stable enough for release automation.
-- Keep CLI short-option coverage and documentation synchronized through the
-  quality gate.
+- Keep the `relayx quality-gate` contract stable for release automation.
+- Keep CLI short-option coverage, generated help, README, and CLI docs
+  synchronized through the quality gate.
 - Keep lab fixtures deterministic and tied to expected classifications.
-- Document integration-test expectations for authorized AD/IIS/AD CS/MSSQL
+- Keep integration-test expectations current for authorized AD/IIS/AD CS/MSSQL
   labs.
+- Add quality-gate checks for signed bundle verification, telemetry catalog
+  fixtures, route adapter contracts, and future live-capability review packs as
+  those tracks are implemented.