docs(audit): reconcile stale roadmap claims with v0.4.0 reality

.github/copilot-instructions.md

@@ -122,13 +122,17 @@ impact faster:
   should assume it will run concurrently per-host and per-service. No
   shared mutable state outside `KnowledgeBase` / `AuditLog`, both of
   which must stay thread-safe.
-- **Wider enumeration surface.** Roadmap scanners to implement
-  aggressively: SMB (shares, sessions, OS), FTP (anon + banner), SSH
-  (algos, host keys, user enum), SNMP (community brute + walk), LDAP
-  (anon bind, naming contexts, user/group enum), RPC (endpoint mapper
-  + null session), Kerberos (SPN listing, AS-REP roast, kerberoast
-  where in scope), HTTP content-discovery (wordlist-driven), TLS
-  cipher enumeration, DNS AXFR. Each re-checks scope inside the tool.
+- **Wider enumeration surface.** The shipped scanner set already
+  covers SMB (shares, sessions, OS), FTP (anon + banner), SSH (algos,
+  host keys), SNMP (community brute + walk), LDAP (anon bind, naming
+  contexts), RPC (endpoint mapper + null session via
+  `Recon/Ad/SmbNullSessionTool`), Kerberos (SPN listing,
+  delegation/AS-REP/kerberoast helpers under `DelegationEnumTool` /
+  `DcSyncDetectionTool`), HTTP content-discovery
+  (`HttpContentDiscoveryTool`), TLS cipher enumeration
+  (`TlsCipherEnumTool`), and DNS AXFR (`DnsZoneTransferTool`). Each
+  re-checks scope inside the tool. New scanners should match this
+  bar — wider surface, scope-checked, audit-recorded.
 - **Full NSE surface inside scope.** `safe,default,discovery,version,
   auth,exploit,intrusive,vuln` are all available in lab mode. `dos`
   and `malware` are opt-in per run. In strict mode the defaults are

docs/ARCHITECTURE.md

@@ -437,7 +437,8 @@ network; downstream tools enforce scope per
 
 Append-only JSONL log (`out/audit.jsonl`) capturing every tool call, scope
 decision, doctor detection/install, and session event. Used by tests,
-forensics, and the planned live UI stream.
+forensics, and the live UI stream surfaced via the `Drederick.Web`
+SignalR `EventsHub`.
 
 ## Thread-safety {#thread-safety}
 

docs/EMPIRE.md

@@ -497,6 +497,6 @@ drederick --scope lab.txt --target 10.0.0.0/8 --autopilot --out out/
 - **Listener orchestration:** Auto-start Empire server, return listener URL to stager
 - **Module API integration:** Query `empire/handlers` for available modules, match against findings
 - **Callback tunneling:** Route agent callbacks through Drederick's network isolation layer
-- **OPSEC profiles:** Template stagers with obfuscation, certificate pinning, jitter
+- **OPSEC profile auto-rotation:** Per-stage profile rotation and certificate pinning on top of the bundled Malleable C2 corpus already shipped via [`MalleableProfileLibrary`](../src/Drederick/Exploit/Empire/MalleableProfileLibrary.cs).
 - **Lateral move simulation:** Pre-flight test lateral movement paths before execution
 

docs/UI_GUIDE.md

@@ -57,11 +57,13 @@ loaded (the `scope-file-read-only` invariant).
   **Findings → Open in Datasette** button launches `drederick serve`
   against the currently selected output directory.
 
-## What's still CLI-only
+## What's still Avalonia-CLI-only
 
 The offensive engine (`ExploitRunner`, `MsfDriver`, `CredRunner`,
-`PayloadStager`, session tracking) and the Jeopardy CTF subsystem ship
-today as CLI features. Run them with the per-category opt-in flags
+`PayloadStager`, session tracking) and the Jeopardy CTF subsystem are
+exposed by the CLI and by the **Web UI** (see [`WEB_UI.md`](./WEB_UI.md)
+— Offensive and Jeopardy pages). They are not yet surfaced in the
+Avalonia console. Run them with the per-category opt-in flags
 (`--allow-exec-pocs`, `--allow-cred-attacks`, `--allow-payloads`,
 `--allow-destructive`, `--allow-dos`, `--acknowledge-lockout-risk`).
 Surfacing them in the Avalonia console is tracked in [`UI.md`