Product Roadmap

Intercepts and redacts sensitive target information (IPs, subdomains, internal hosts) before queries are sent to external LLMs, dynamically de-masking them for local execution to ensure absolute compliance and data privacy.

Re-architecting plugins as self-contained security domains (SAST, Forensics, Cloud, Compliance) with isolated intent triggers, execution phases, and custom tool handlers, allowing modular and extensible development.

Re-architecting the 114+ security tool parsers under a strict, type-safe schema validation layer. Ensures all findings (severity, CVE, target) are validated prior to ingestion, eliminating raw, unvalidated dict mappings.

Integrating tiny, local ONNX-based semantic embedding models to enhance zero-dependency intent mapping and complex parameter extraction without requiring network connectivity.

Overhauling stealth controls to dynamically throttle scan rates, randomize intervals, rotate User-Agents, and change network signatures automatically when target IDS/IPS alerts are suspected.

Improving connection handling, health checks, and error recovery for Ollama, llama.cpp, LM Studio, vLLM, and LocalAI providers. Adding post-launch verification, configurable timeouts, and graceful degradation when local services are unavailable or starting up.

Correcting misconfigured provider capability flags (supports_streaming, supports_tools) across local provider profiles. Adding dynamic model discovery, fallback default models, and proper vision model detection for vLLM and LocalAI.

Replacing 41 direct subprocess calls with the safe subprocess_utils wrapper. Eliminating plaintext sudo password caching in module globals, hardening path traversal detection against unicode and symlink attacks, and ensuring consistent subprocess timeout propagation.

Activating sandboxing (Bubblewrap/bwrap on Linux, NTFS ACL hardening on Windows) by default. Implementing a 'fail-closed' strategy to block host execution unless explicit sandboxing is successful.

Upgrading the session branching mechanism to use append-only transaction logs or SQLite backing instead of file-overwriting JSONLs, eliminating write collisions during parallel agent execution.

Refactoring the autonomous script runner to use topological sorting on command steps. Replaces naive concurrent execution with dependency-aware step orchestration to prevent step-sequence failures.

Refactoring the threat intelligence subsystem to use asynchronous HTTP clients and executing DNS lookups inside thread pools. Adds a local SQLite TTL cache to prevent NVD and OTX rate-limiting blocks.

Extending the local CVSS scorer with live EPSS (Exploit Prediction Scoring System) feeds to score and prioritize vulnerabilities based on actual real-world exploitation probability.

Upgrading the automatic tool downloader with checksum validations, GPG key signature checks, and isolated virtual environments (venvs) to prevent supply chain attacks during runtimes.

Adding thread-locks to all credential store operations to prevent dictionary corruption under concurrent access. Ensuring AES-256-GCM is consistently used for all new credentials, not only after explicit migration. Addressing Windows key file protection limitations.

Resolving a critical reentrant-lock deadlock in audit log cleanup by migrating to threading.RLock. Restoring full 64-character SHA-256 hash chain integrity, fixing counter race conditions outside lock scope, and adding on-disk chain verification beyond the last 1000 entries.

Fixing a data race on shared CommandResult.lines between parallel execution tasks and live display updates. Adding return_exceptions=True to all asyncio.gather calls to prevent total plan failure from a single step error. Improving error handling across autonomous and registry executors.

Eliminating duplicated stopword lists and tokenization logic duplicated across nlp_engine.py and learning_system.py. Centralizing synonym dictionaries (300+ hardcoded entries) into external configuration files for easier maintenance.

Centralizing duplicated provider endpoint definitions currently scattered across health.py, provider_utils.py, and connectivity.py into a single source of truth. Adding dynamic provider discovery from ProviderManager to replace hardcoded provider lists.

Correcting a logic bug in the stealth proxy rotation system where the proxy index increments on every call instead of only during rotation intervals, causing premature proxy exhaustion and degraded operational security.

Extending the knowledge graph with automated lateral movement edges and subnet routing scopes. Enables bidirectional traversals to calculate blast-radius and trace security paths.

Creating virtual filesystem and context containment areas per subagent run, partitioning credentials, temporary folders, and execution logs in isolated workspaces.

Replacing the CLI onboarding script with a browser-based setup wizard. Visually test API keys, configure AI providers, verify tool dependencies, and manage master secrets.

Introducing Slack, Discord, and Telegram chatbot integrations to remotely execute scans, approve workflow steps, and receive real-time alerts via secure webhook gateways.

Fixing core finding categorization within the report builder. Adding native renderers for CEF, LEEF, STIX, and Splunk HTTP Event Collector (HEC) logs to stream findings to external SIEMs.

An isolated, web-based simulation environment for safe, real-time testing and debugging of autonomous planner scripts and plugin policies.

Breaking down oversized files that have grown beyond maintainable size: planner_registry.py (2100+ lines), onboarding.py (2900 lines), cli/__init__.py (1800 lines), and tool_handlers.py (800 lines) into focused, single-responsibility modules with clear interfaces.

Adding dedicated unit tests for each of the 113 security tool parsers. Currently only 11 test files cover the entire parser ecosystem, leaving 90% of parsers untested individually. Establishing a standardized parser test harness and fixture framework.

Reducing PBKDF2 iterations for credential store operations on mobile and Raspberry Pi-class devices. Adding adaptive performance profiles that detect available resources and adjust caching, thread pool sizes, and background task aggressiveness accordingly.

Auditing all asynchronous code for proper error handling patterns, timeout propagation, and event loop compatibility across Windows (ProactorEventLoop), Linux, and macOS. Standardizing on create_task over ensure_future and eliminating synchronous HTTP calls in async contexts.

Merging the separate webhooks.py and notifications.py modules into a unified dispatch system with automatic retry logic, rate limiting, and support for multiple output formats (Slack, Discord, generic webhook, email). Replacing synchronous urllib calls with async httpx throughout.

Deduplicating overlapping workflow definitions (stale, changelog, codeql, security workflows) and aligning coverage thresholds across pyproject.toml (70%), Makefile (50%), and CI configuration (40%) to a consistent, enforced standard.

Replacing non-reentrant threading.Lock with RLock across MemoryStore to prevent deadlocks in nested operations. Adding proper database connection lifecycle management and ensuring persistence failures are surfaced to the caller rather than silently skipped.

Consolidating all hardcoded timeouts (currently ranging from 0.5s to 600s across 20+ modules) into a single configuration layer. Making executor limits, cache TTLs, guardrail thresholds, stealth intervals, and health check timeouts centrally configurable via environment variables and config files.