ROADMAP.md

Base Module Roadmap

Current Status

Production-ready for module loading, signature verification, and plugin lifecycle management across Windows, Linux, and macOS.

Completed ✅

• Secure DLL/shared library loading (Windows DLL, Linux SO, macOS DYLIB) — Evidence: src/base/module_loader.cpp dlopen/LoadLibrary paths
• Digital signature verification for loaded modules — Evidence: ModuleSecurityVerifier in module_loader.cpp
• File integrity hash validation — Evidence: ModuleHashVerifier::loadManifest(), src/base/module_loader.cpp line 372 (SHA-256 manifest check Issue #2471)
• Trust levels: TRUSTED, VERIFIED, UNTRUSTED — Evidence: TrustLevel enum in include/themis/base/module_loader.h
• Revocation checking for certificates — Evidence: OCSP/CRL code paths in module_loader.cpp
• Development mode to allow unsigned modules — Evidence: ModuleSecurityPolicy::allowUnsigned in module_loader.h
• Plugin lifecycle management (initialize, execute, shutdown) — Evidence: lifecycle state machine in module_loader.cpp
• Interface discovery to query plugin capabilities — Evidence: getCapabilities() in module_loader.cpp
• Automatic resource cleanup on unload — Evidence: unloadModule() + RAII handles in module_loader.cpp
• Cross-platform export/import macros — Evidence: include/themis/base/export.h
• Version compatibility checking — Evidence: version fields in ModuleCapabilities struct
• Plugin sandboxing with resource limits (memory, CPU) (Issue: #2372) — Evidence: src/base/module_sandbox.cpp, include/themis/base/module_sandbox.h
• Plugin health monitoring and automatic restart (Issue: #2373) — Watchdog background thread (ModuleLoader::startWatchdog/stopWatchdog) performs periodic health checks on all loaded modules and automatically restarts failed plugins with configurable exponential backoff; WatchdogConfig and WatchdogModuleStats expose full per-module restart metrics; PluginWatchdogFocusedTests in tests/CMakeLists.txt
• [~] WASM-based plugin isolation for untrusted code (Issue: #1572) — Partial: full sandbox infrastructure implemented in src/base/wasm_plugin_sandbox.cpp; requires injection of a concrete WasmRuntime (e.g. Wasmtime, WasmEdge) before callExport() is operational; see Missing Implementations report
• Hot-reload support for plugins without database restart (Issue: #1554, PR: #2396) — Evidence: src/base/hot_reload_manager.cpp
• Plugin dependency graph visualization (Issue: #1563) — Evidence: src/base/plugin_dependency_graph.cpp, topologicalOrder() + DOT output
• Per-plugin audit trail (load, unload, errors) (Issue: #1564) — Evidence: auditTrail_ in module_loader.cpp
• A/B testing framework using module swapping (Issue: #1565) — Evidence: src/base/ab_test_manager.cpp
• Remote plugin loading from authenticated registry (base/remote_registry_client.cpp) — Evidence: TLS-verified download + SHA-256 integrity check in remote_registry_client.cpp
• Plugin dependency resolution and ordered loading (Issue: #1566) — ModuleDependencyResolver fully implemented in module_loader.cpp: registerModule, resolve, resolveFor, isVersionCompatible (semver), topological sort (Kahn's algorithm), cycle detection, missing-dependency and version-mismatch reporting
• TLS public-key pinning for remote plugin registry — RegistryConfig::pinned_public_key field added; CURLOPT_PINNEDPUBLICKEY applied in both httpGet and httpGetBinary code paths in remote_registry_client.cpp

In Progress 🚧

(No open work items — all Phase 1 and Phase 2 features are complete)

Planned Features 📋

Short-term (Next 3-6 months)

• Unit test coverage > 80% (Target: Q2 2026) (Issue: #1573)
• Integration tests for hot-reload and sandbox scenarios (Target: Q2 2026) (Issue: #1574)
• Performance benchmarks for module load and hot-reload cycles (Target: Q2 2026) (Issue: #1575)
• Automatic plugin restart after health-check failure (Issue: #2373) — implemented via ModuleLoader watchdog: startWatchdog(), stopWatchdog(), configureWatchdog(WatchdogConfig), getWatchdogStats(), getAllWatchdogStats(), resetWatchdogStats()

Long-term (6-12 months)

• Concrete WasmRuntime integration (Wasmtime or WasmEdge) (Target: Q3 2026) — ModuleSandbox::Config::enable_wasm_isolation and WasmRuntimeInjector injection path are ready (v1.8.0); register a concrete backend via THEMIS_REGISTER_WASM_RUNTIME macro
• TLS public-key pinning for remote plugin registry — implemented via RegistryConfig::pinned_public_key + CURLOPT_PINNEDPUBLICKEY; Ed25519 application-layer key pinning is handled separately by SignedPluginRepository in the plugins module

Implementation Phases

Phase 1: Secure Plugin Foundation (Status: Completed ✅)

• Secure DLL/SO/DYLIB loading across Windows, Linux, macOS (base/module_loader.cpp)
• Digital signature verification for loaded modules
• File integrity hash validation
• Trust levels: TRUSTED, VERIFIED, UNTRUSTED
• Revocation checking for certificates
• Development mode to allow unsigned modules
• Plugin lifecycle management: initialize, execute, shutdown (base/module_loader.cpp)
• Interface discovery to query plugin capabilities
• Automatic resource cleanup on unload
• Cross-platform export/import macros and version compatibility checking

Phase 2: Dynamic Loading & Dependency Management (Status: Completed ✅)

• Hot-reload support for plugins without database restart (base/hot_reload_manager.cpp) (Issue: #1554, PR: #2396)
• Per-plugin audit trail: load, unload, errors (base/module_loader.cpp) (Issue: #1564)
• Plugin dependency graph visualization (base/plugin_dependency_graph.cpp) (Issue: #1563)
• Remote plugin loading from authenticated registry (base/remote_registry_client.cpp)
• A/B testing framework via module swapping (base/ab_test_manager.cpp) (Issue: #1565)
• Plugin dependency resolution and ordered loading (Issue: #1566) — ModuleDependencyResolver in module_loader.cpp

Phase 3: Marketplace & Sandboxing (Status: In Progress 🚧 — partially complete)

• Plugin marketplace manifest format (JSON schema) — Evidence: setHashManifest() in module_loader.cpp
• Runtime plugin capability negotiation (version ranges) — ModuleDependencyResolver::isVersionCompatible() + topologicalSort() enforce version constraints during load-order resolution; higher-level runtime negotiation via PluginCapabilityNegotiator in plugins module (Issue: #1984)
• Plugin sandboxing with resource limits (memory, CPU) — Evidence: module_sandbox.cpp
• Plugin health monitoring and automatic restart — Watchdog background thread (startWatchdog/stopWatchdog) with configurable exponential backoff, WatchdogConfig/WatchdogModuleStats, PluginWatchdogFocusedTests (Issue: #2373)
• Signed plugin repository with key pinning — TLS SPKI pinning via RegistryConfig::pinned_public_key + CURLOPT_PINNEDPUBLICKEY; Ed25519 application-layer key pinning in SignedPluginRepository (plugins/signed_plugin_repository.h)
• [~] WASM-based plugin isolation for untrusted code — Partial: infrastructure complete; WASM runtime injection into ModuleSandbox implemented (v1.8.0, Issue: #1572); concrete backend (Wasmtime/WasmEdge) registration still required for production execution

Production Readiness Checklist

• Unit tests coverage > 80% (Issue: #1573) — test_base_entity.cpp (383 LOC), test_base_interfaces.cpp (678 LOC); focused standalone targets: BaseEntityFocusedTests, BaseInterfacesFocusedTests
• [I] Integration tests (Issue: #1574)
• [I] Performance benchmarks (Issue: #1575)
• Security audit (signature verification, revocation checking)
• Documentation complete — validated 2026-03-09
• API stability guaranteed for module loading interface

Known Issues & Limitations

• WASM plugin isolation (WasmPluginSandbox) requires injection of a concrete WASM runtime (Wasmtime, WasmEdge, etc.) for full execution support (Issue: #1572)
• Automatic plugin restart after health-check failure is implemented via ModuleLoader watchdog thread (Issue: #2373)
• Unit test coverage, integration tests, and performance benchmarks are still open (Issues: #1573, #1574, #1575)

Breaking Changes

• WASM plugin interface will be a new API surface (additive, non-breaking to existing plugin interface)