59 changes: 43 additions & 16 deletions ROADMAP.md
Expand Up @@ -9,12 +9,25 @@ time.
The roadmap is intentionally narrow. RackStack is a single-maintainer
project; commitments here are realistic, not aspirational.

Last updated: **2026-05-29** (v1.107.0).

Recently shipped: the five hybrid-cloud / server-role feature modules
(Azure Arc, Microsoft Defender for Endpoint, WSUS, AD CS, Storage
Migration — v1.99.0) and session-wide **Interactive Dry-Run Mode**
(v1.100.0). The security-operations arc followed in v1.102-v1.107: GPO Manager (71), JEA (72), NPS/RADIUS (73), Always-On VPN (74), CIS compliance scanner (75), and SIEM log forwarder (76). RackStack is now 77 modules.
Last updated: **2026-05-30** (v1.119.1).

Recently shipped: the **v1.109.0 → v1.119.0 feature arc** — eleven
serial minor releases covering VHDX encryption-at-rest verification
(31), AD DS Recycle Bin enablement (61), Failover Cluster Validation
Report (27), richer VM inventory export (50), SMB signing/encryption
enforcement (56), print-server cleanup (35), in-box network throughput
benchmarking (58), NTP clock-tamper protection (19), and three new
modules: **78-CertificateAudit** (service-certificate binding audit),
**79-DFS** (DFS Namespaces & Replication), and
**80-RemoteDesktopServices** (RDS role lifecycle + licensing-mode
configuration). v1.119.1 then cleared two CI deprecation notices
(`actions/attest-sbom` → `actions/attest`; `windows-latest` →
`windows-2025`). RackStack is now **81 modules, 201 CLI actions, and
5,167 structural regression tests** (plus the Pester suite).

A recurring theme of that arc: where a planned mutation could not be
implemented safely or verified honestly, it was **deferred with a written
rationale rather than shipped untested** — see "Deferred" below.

---

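Review bot: the v1.119.1 sentence records only that the `actions/attest-sbom` → `actions/attest` deprecation notice was cleared, but that swap changes how the SBOM attestation is produced, so the sentence should state that the release workflow still publishes an SBOM attestation after the change, e.g. "(`actions/attest-sbom` → `actions/attest`, SBOM attestation still attached to releases)". Also, the removed paragraph about the v1.102–v1.107 security-operations arc (modules 71–76) was the only place this file recorded those modules; if "Recently shipped" is meant to carry recent history, fold a one-line mention into the new paragraph rather than dropping it.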
Expand All @@ -23,17 +36,30 @@ Migration — v1.99.0) and session-wide **Interactive Dry-Run Mode**
| Item | Status | Why |
|---|---|---|
| OpenSSF Best Practices **Silver** badge | **Earned** (Passing + Silver both achieved) | Gold is structurally blocked by the single-maintainer bus factor. |
| In-program defaults editor + Extended Undo (v1.101.0 candidate) | Planned | Edit `defaults.json` / `<company>.defaults.json` from inside the tool with hot-reload, and extend the single-level undo to multi-step. Both compose with the new Dry-Run queue and need no schema break. |
| GPG-signed git tags | Planned | Closes the OpenSSF `version_tags_signed` criterion. One-time `git config commit.gpgsign true` + `tag.gpgsign true` + key registration at https://github.com/TheAbider.gpg. |
| In-program defaults editor + Extended Undo | Planned | Edit `defaults.json` / `<company>.defaults.json` from inside the tool with hot-reload, and extend the single-level undo to multi-step. Both compose with the Dry-Run queue and need no schema break. Still unbuilt as of v1.119.x. |
| GPG-signed git tags | Planned | Closes the OpenSSF `version_tags_signed` criterion. One-time `git config commit.gpgsign true` + `tag.gpgsign true` + key registration at https://github.com/TheAbider.gpg. CI currently auto-tags releases without a maintainer GPG signature. |

## Next quarter (June–August 2026)

| Item | Why |
|---|---|
| Expand Pester coverage to 4 more modules (`07-IPConfiguration`, `13-Timezone`, `21-Licensing`, `06-NetworkAdapters`) | Currently coverage is measured against 3 modules; broadening the denominator while keeping coverage above 90% improves Codecov / Scorecard signal. |
| `SBOM` for the PSGallery module specifically (separate from the EXE SBOM) | Currently SBOM scans the whole repo as a directory; an explicit module-only SBOM would let consumers verify the `RackStack.psd1` + `RackStack.psm1` dependency surface independently. |
| Expand Pester coverage to 4 more modules (`07-IPConfiguration`, `13-Timezone`, `21-Licensing`, `06-NetworkAdapters`) | Coverage is measured against a small module set; broadening the denominator while keeping coverage above 90% improves Codecov / Scorecard signal. |
| `SBOM` for the PSGallery module specifically (separate from the EXE SBOM) | The SBOM currently scans the whole repo as a directory; an explicit module-only SBOM would let consumers verify the `RackStack.psd1` + `RackStack.psm1` dependency surface independently. |
| Documentation generator polish | The PlatyPS-generated cmdlet docs at `theabider.github.io/RackStack/cmdlets/` need a theme + nav. Currently they render as flat markdown. |
| GPO backup / restore + drift detection (`71-GPOManager`) | The last unbuilt Tier-1 feature gap. Wraps `Backup-GPO` / `Get-GPOReport` and diffs against a saved baseline. Additive `defaults.json` only — no schema break. |
| Revisit the windows-2025 → VS2026 image migration (2026-06-15) | The runners are pinned to `windows-2025`; GitHub moves that image's Visual Studio sub-image to VS2026 on 2026-06-15. RackStack's pipeline never invokes the VS toolchain, so this is expected to be a no-op — confirm green after the migration and update this line. |

## Deferred (built or scoped, then intentionally held back)

These were prototyped or designed during the v1.109–v1.119 arc and
deferred for correctness/safety reasons. They are the most likely source
of the next feature releases once they can be validated safely.

| Item | Why deferred | What unblocks it |
|---|---|---|
| RDP listener certificate **rotation** (extends `78-CertificateAudit`, which today only audits) | An adversarial review surfaced a real RDP lock-out risk — a freshly self-signed cert's private key is not readable by `NETWORK SERVICE` by default, and CIM writability of `SSLCertificateSHA1Hash` varies by Windows build. | A correct private-key ACL grant, validated on a live, elevated, RDP-enabled server (not testable on the dev workstation). |
| RDS **session-collection quick-deploy** + CAL activation (extends `80-RemoteDesktopServices`, which today does role install + licensing mode) | `New-RDSessionDeployment` reconfigures the server and needs a reboot; CAL activation is done against a license agreement in RD Licensing Manager, where that key material belongs. | A real RDS-capable server to validate the deployment flow; CAL/key handling stays in the GUI by design. |
| `diskspd` storage benchmarking | `diskspd.exe` is a separate Microsoft download, not in-box, and RackStack does not auto-download unverified binaries. | A detect-and-orchestrate model: run only when the operator has placed `diskspd.exe` on the host (same pattern as any operator-provided tool). |
| WinRM HTTPS listener certificate rotation (read-only in `78` today) | Rebuilding the HTTPS listener can disrupt an active remoting session. | Same RDP-rotation groundwork above, plus a safe listener-swap path. |

## Later (September 2026 – April 2027)

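Review bot: the `71-GPOManager` backup / restore + drift detection row is removed from "Next quarter" but does not reappear in the new "Deferred" table or anywhere else in this diff, so the file no longer says whether that item shipped, was deferred, or was dropped; the maintenance section below says items move to the appropriate section, so add a row to "Deferred" or "Later" with the reason. Minor: "Coverage is measured against a small module set" drops the concrete "3 modules" the old row had, and keeping the number makes the "4 more modules" target measurable.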
Expand All @@ -47,8 +73,9 @@ Migration — v1.99.0) and session-wide **Interactive Dry-Run Mode**

| Item | Why not |
|---|---|
| Server Core ↔ Server-with-Desktop conversion | Dropped during roadmap design. Windows Server 2019 and later removed in-place conversion between the Server Core and Desktop Experience installation options, so there is no supported, reversible operation for the tool to wrap. |
| Cross-platform port (Linux, macOS) | RackStack's entire purpose is Windows Server configuration. Hyper-V, BitLocker, Failover Clustering, MPIO, AD DS, iSCSI initiator — none of these have a meaningful Linux/macOS equivalent in the same workflow. A port would be a different project. |
| Switch from PowerShell to C# / Go / Rust | The existing 77 modules + 4,990 regression tests would be lost. Rewrite cost-benefit is not justifiable. |
| Switch from PowerShell to C# / Go / Rust | The existing 81 modules + 5,167 regression tests would be lost. Rewrite cost-benefit is not justifiable. |
| GUI front-end | The 72-char box-drawing console UI is intentional; it works over RDP, SSH-tunneled PowerShell, and emergency console-only scenarios where a GUI cannot. |
| Web dashboard | Out of scope. Operators integrate via the `-OutputFormat JSON` CLI surface and route into their own dashboards. |
| External REST API | Same as above — `-OutputFormat JSON` is the integration surface. |
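Review bot: the module and test counts in the "Switch from PowerShell" row (81 modules + 5,167 regression tests) now duplicate the counts in the "Recently shipped" paragraph and will have to be edited in both places every release; consider wording this row without a hard number ("the existing modules and regression suite") or pointing at the paragraph above so there is a single source of truth for the counts.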
Expand All @@ -58,15 +85,15 @@ Migration — v1.99.0) and session-wide **Interactive Dry-Run Mode**

## Release cadence

- **Patch releases** (`x.y.Z`) ship as needed for security fixes (Tier 1: within 14 days of confirmed disclosure, per `SECURITY.md`).
- **Minor releases** (`x.Y.0`) — feature batches, typically every few weeks during active development.
- **Patch releases** (`x.y.Z`) ship as needed for security fixes (Tier 1: within 14 days of confirmed disclosure, per `SECURITY.md`) and for CI/maintenance fixes (e.g. v1.119.1).
- **Minor releases** (`x.Y.0`) — feature batches; the v1.109–v1.119 arc shipped them one feature at a time.
- **Major releases** (`X.0.0`) — only when a backwards-incompatible `defaults.json` schema or CLI surface change is unavoidable. None currently planned.
- The current line is **1.100.x**. CI auto-bumps and auto-releases on every commit to `master` that bumps `Header.ps1` `.VERSION`.
- The current line is **1.119.x**. CI auto-bumps and auto-releases on every commit to `master` that bumps `Header.ps1` `.VERSION`.

## How this roadmap is maintained

This file is updated:
- On every patch release that completes a "Now" item (item moves to a "Completed" section in the next revision and the changelog records it).
- On every release that completes or defers a roadmap item (the item moves to the appropriate section and the changelog records it).
- Quarterly, to refresh the "Next quarter" and "Later" sections.
- Whenever the maintainer decides to add or remove a "Not on the roadmap" item.

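Review bot: the updated minor-release bullet reads "feature batches; the v1.109–v1.119 arc shipped them one feature at a time", which asserts both at once; suggest "feature releases, either batched or (as in the v1.109–v1.119 arc) one feature per release". Widening the patch-release bullet to CI/maintenance fixes is fine, but keep the 14-day Tier 1 security clause first so it is not read as one optional use among several.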