docs(audit): reconcile stale roadmap claims with v0.4.0 reality#22
Merged
Conversation
Vaporware sweep over docs + agent guidance: - copilot-instructions.md: 'Roadmap scanners to implement' (SMB/FTP/ SSH/SNMP/LDAP/RPC/Kerberos/HTTP-content-discovery/TLS-cipher-enum/ DNS-AXFR) reframed as shipped — every listed scanner is in tree under src/Drederick/Recon/. - EMPIRE.md: 'OPSEC profiles: Template stagers with obfuscation, certificate pinning, jitter' replaced with 'OPSEC profile auto- rotation' — the Malleable C2 corpus + MalleableProfileLibrary shipped in v0.4.0; only per-stage rotation + cert pinning remain deferred. - UI_GUIDE.md: 'What's still CLI-only' → 'What's still Avalonia-CLI- only' — the offensive engine and Jeopardy CTF subsystem are now exposed by the Web UI (Offensive + Jeopardy pages); only the Avalonia console still lacks them. - ARCHITECTURE.md: 'planned live UI stream' for AuditLog updated to point at the live Drederick.Web SignalR EventsHub. Class-(b) deferred items left intact: fight-notebook replay-into- prompts, MAGIKA CTF prompt enrichment, Avalonia offensive surface, Datasette auth + offensive-table facets, native http-enum/SMB/RPC/ Database tools, ICredTool split, Tier-2+ self-sufficiency benchmarks, Web UI a11y/dark-mode/rate-limit/TLS follow-ups. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Vaporware sweep — pass 4 (docs-audit-2026-05-vaporware-sweep)
Walks
docs/*.md,AGENTS.md,README.md,.github/copilot-instructions.mdfor roadmap / future-tense claims and reconciles them with v0.4.0 shipped reality.Per-claim table
.github/copilot-instructions.md:125src/Drederick/Recon/(SmbTool,FtpTool,SshTool,SnmpTool,LdapTool,RpcTool+Recon/Ad/SmbNullSessionTool,KerberosTool+DelegationEnumTool+DcSyncDetectionTool,HttpContentDiscoveryTool,TlsCipherEnumTool,DnsZoneTransferTool). Reframed as the current bar new scanners must match.docs/EMPIRE.md:500MalleableProfileLibrary(src/Drederick/Exploit/Empire/MalleableProfileLibrary.cs) shipped in v0.4.0. Replaced with narrower "OPSEC profile auto-rotation" pointing at the existing library; only per-stage rotation + cert pinning remain deferred.docs/UI_GUIDE.md:60web/src/pages/Offensive/+web/src/pages/Jeopardy/). Section retitled "What's still Avalonia-CLI-only" with a pointer toWEB_UI.md.docs/ARCHITECTURE.md:440Drederick.Audit)src/Drederick.Web/Hubs/EventsHub.csexists; updated to "the live UI stream surfaced via theDrederick.WebSignalREventsHub".Class-(b) genuinely deferred — left intact
docs/LEARNING_LOOP.md:290/docs/FIGHTS.md:246— fight-notebook replay-into-next-fight-prompts (notebook persists, but LLM does not yet read prior notes back).docs/MAGIKA.md:32,140— CTF solver prompt enrichment from magika verdict (nomagikareference undersrc/Drederick/Jeopardy/).docs/UI.md:29,200— offensive engine + Jeopardy not surfaced in Avalonia console (no exploit/jeopardy ViewModel).docs/DATASETTE.md:312—exploit_runs/sessions/lootnot faceted (datasette/metadata.json confirms).docs/DATASETTE.md:456— Datasette auth not yet implemented (correct; Web UI has bearer token, Datasette doesn't).docs/PLUGIN_STRATEGY.md:104-110—NativeHttpReconToolfamily /NativeSmbReconTool/NativeRpcInfoTool/NativeDatabaseReconToolplanned (none exist in tree).docs/PLUGIN_STRATEGY.md:218—ICredToolplanned (no such interface exists).docs/SELF_SUFFICIENCY.md:143,158,191— Tier 2/3/4/5 roadmap + BenchmarkDotNet measured figures (legitimate forward roadmap).docs/WEB_UI.md:233— Phase 2+ roadmap items: a11y/keyboard, dark-mode refinement, API rate limiting, TLS termination guidance.docs/WEB_UI.md:324—test.fixmePlaywright tests with seed-hook breadcrumbs.docs/POST_EXPLOITATION.md:449— explicit roadmap section.docs/MODEL_BEHAVIOR.md:226— "future fights should collect…" forward data-collection guidance.docs/C2_INTEGRATION.md:396,400— illustrative "Phase 3/4 (Future)" inside example state-machine code, not a project claim.Class-(c) — none found.
Highlights worth flagging
The four class-(a) items are the only stale roadmap claims under our doc scope. The class-(b) list above is the live deferred-work set; the most operator-visible gaps are (1) fight-notebook replay into next-fight prompts (LEARNING_LOOP / FIGHTS) and (2) the Avalonia console still missing the offensive + Jeopardy surfaces despite both being in the Web UI now.
Co-authored-by: Copilot 223556219+Copilot@users.noreply.github.com