Status & Roadmap
The single honest view of what is implemented today versus planned. Every maturity caveat elsewhere links here.
Implemented today
| Capability | State | Where it lives |
|---|---|---|
| SIDC / MIL-STD-2525D / APP-6D symbology | Implemented | common/src/sidc/ (parser) + android/ui/symbols/ (renderer) |
| ADatP-3 formatted text (OPREP, INTREP, SALUTE) | Implemented | gateway/src/formats/adatp3.rs |
| CoT / TAK exchange | Implemented | gateway/src/formats/cot*.rs, tak_protobuf.rs |
| NFFI / STANAG 5527 blue-force tracking | Implemented (file export) | gateway/src/formats/nffi.rs |
| STANAG 4774/4778 classification labels | Implemented | server/src/classification_gate.rs |
| Zenoh transport routing (relay + federation) | Implemented | server (Zenoh router; router↔router mTLS) |
| FIDO2 identity + token issuance | Implemented | directory (FIDO2 login, signs IdentityToken/ServerToken) |
| Per-message classification gate | Implemented | server/src/classification_gate.rs |
In progress / transitional
- Token-only PKI migration. Identity is moving to Directory-signed tokens only; the client-certificate PKI (CSR-issued X.509 leaves, client-cert mTLS, bound_cert_serial) is being removed. `waypoint_common` already dropped it, but `node` and the Directory device-enroll path still carry residual cert fields. See PKI — Transitional (being removed).
- Server-blind E2E content confidentiality — flag-day cutover outstanding. The model is implemented in `common`, the `server`, and the Android client: member content is AES-256-GCM sealed under the deployment group key; the router is payload-blind and group-key-free; the Directory issues the key to clients only. The web client, gateway, and node clients, and the coordinated flag-day wire-breaking cutover that activates it fleet-wide, remain outstanding. See `security/model.md`.
Planned
| Standard | Where it will live | Doc |
|---|---|---|
| Link 16 (MIL-STD-6016 / STANAG 5516) | gateway/src/formats/ (no adapter yet) | link16-track-ingest |
| Link 11B (STANAG 5511) | gateway/src/formats/ (no adapter yet) | link11b-serial-ingest |
| VMF (MIL-STD-6017) | gateway/src/formats/ (no adapter yet) | vmf-binary-messaging |
| MIP / DEM | gateway/src/formats/ (no adapter yet) | mip-dem-exchange |
| NVG (NATO vector graphics) | gateway/src/formats/ (no adapter yet) | nvg-tactical-graphics |
| OTH-Gold maritime | gateway/src/formats/ (no adapter yet) | oth-gold-maritime |
| HLA simulation | gateway/src/formats/ (no adapter yet) | hla-simulation |
| WMS (OGC) map tile layers | Not started (MapLibre supports WMS natively) | wms-map-sources |
Known gaps
- Directory horizontal scaling (HA prerequisite). Making the data tier highly available (Postgres/Cloud SQL replication + backup) is an infrastructure choice. But the Directory application assumes a single replica today: its nonce store and per-device refresh rate limiter hold state in process memory, which would have to move behind Postgres before more than one Directory instance could run behind a load balancer (`directory:app/domains/api/service_token_refresh_limiter.ts`). Until that app change lands, Directory availability is bounded by a single instance regardless of database HA. (The signing key is already DB-backed and re-read per mint, so it is not a blocker.) The Directory is the system's only true SPOF — while it is down no new logins or tokens are issued, though already-issued tokens keep the live mesh running. Routers do not need HA — they are relays whose redundancy comes from running federated peers (see Deployment topology → What needs HA).
Verified against directory@e8287cd, gateway@29df288, common@7fbfa19.