v1.0 Release Roadmap — sequencing, waves & critical path

[VijitSingh97]

Single source of truth for the v1.0 release plan. This issue sequences the milestone v1.0 work into ordered waves so humans and agents can see what to do next and why, not just what's left. The milestone says what ships in 1.0; this issue says in what order and what blocks what.

How to use this

• Pick up the lowest-numbered wave with unfinished work. Within a wave, follow the listed order (it encodes intra-wave dependencies).
• Every issue carries a wave-N-* label, so you can query directly, e.g. is:open is:issue milestone:v1.0 label:wave-6-release.
• Check the box here when an issue closes (GitHub keeps the cross-references live).

Status (updated 2026-06-11): v1.0 is 55 closed / 3 open — just the release-engineering finish line (#44, #80) plus this roadmap. Waves 1, 2, 3 and 5 are DONE; Wave 4 was slipped to v1.1. The security/privacy long pole (Wave 2) closed out: every clearnet leak fix landed (#161/#162/#163/#122/#153/#164), the stratum access-password #152 + dev-fee transparency #173 shipped (PR #207), dashboard auth #8 shipped (PR #217), and #57 (argv RPC creds) was closed wontfix with the rationale recorded in docs/privacy.md (PR #219). The whole Wave 3 dashboard cluster shipped (the #156→#159 metrics/layout chain, worker-table accuracy #169/#182, chart/badge polish #168/#184/#175, and correctness bugs #141/#136). Wave 5 test hardening is done (#124 CI image builds + hadolint; #140 backup/restore + caddyfile + host-helper tests, PR #220). The privacy-default flips (#165/#166), the #160 epic, and the #91/#183 hardening/convenience items, plus the Wave-4 alerting pair (#121/#79), were deferred to v1.1 (the privacy flips need live-mining benchmarking; the alerting pair is net-new and not launch-blocking).

What's actually left for v1.0: just the Wave 6 finish line — the release pipeline #44, then the launch assets #80 (both unblocked: #54 ✔ + VERSION ✔, and the dashboard UI is final). The Wave-4 alerting pair (#121/#79) was slipped to v1.1. That's it — two release-engineering items.

---

Critical path (what gates "can we ship?")

Waves 1 / 2 / 3 / 5  ✔ ALL DONE   ·   #54 E2E gate ✔ PASSED   ·   Wave 4 (#121/#79) ➡️ slipped to v1.1
        │
        └─►  #44 release pipeline (unblocked)  ─►  #80 launch assets (unblocked: UI final)  ─►  SHIP

• The long pole is cleared. Wave 2 (security & privacy) is closed for v1.0; the only privacy work left (the Tor-by-default flips) is consciously a benchmarked v1.1 change, not a launch blocker.
• Release & versioning structure (single-product releases via GHCR) #44 and Launch assets: refreshed hero screenshot + demo GIF + GitHub social preview #80 are both unblocked. Comprehensive end-to-end infrastructure test matrix on a real Ubuntu server (full Monero + Tari node) #54 (the E2E gate) passed and VERSION exists, so the pipeline is clear; the dashboard UI is final, so the launch screenshots can be captured.
• No open scope decisions. The Wave-4 alerting pair (Telegram alerting (notifications-only): node/worker down + recovered (config.json, default off) #121/Healthchecks.io dead-man's-switch: detect power loss / host-down via external ping (config.json, default off) #79) was slipped to v1.1 (their draft PRs Telegram alerting (notifications-only): node/worker down + recovered (#121) #143/Add optional Healthchecks.io dead-man's switch (#79) #133 are stale; v1.1 owns the richer Telegram interactive bot / command interface (query stack status over Telegram) #45 bot + Flag outages / significant hashrate-loss events on the chart (+ feed Telegram/Healthchecks alerts) #99 outage flagging). v1.0 is now purely Release & versioning structure (single-product releases via GHCR) #44 → Launch assets: refreshed hero screenshot + demo GIF + GitHub social preview #80.

Parallel tracks

Both the backend/security track and the dashboard track have converged. All that remains is Wave 6 (#44 then #80), runnable now.

---

Wave 1 — Correctness, data-safety & setup wave-1-correctness ✅ DONE

Silent-failure bugs that burn early adopters, plus first-run/setup reliability.

Apply / upgrade / persistence path:

• pithead apply: a failed 'docker compose up' leaves old containers running, and re-apply is a silent no-op #125 — failed docker compose up leaves old containers running and re-apply is a silent no-op
• Relocating or running a different checkout of the install silently re-syncs (data dirs pinned as absolute $PWD paths in .env) #126 — relocating / a second checkout silently re-syncs (data dirs pinned as absolute $PWD paths)
• pithead upgrade rebuilds images but doesn't re-render .env / Caddyfile / Tari config — stale generated config after git pull #128 — upgrade rebuilds images but doesn't re-render .env / Caddyfile / Tari config → stale generated config
• Dashboard runs with no persistence and no operator-visible signal if the SQLite DB init/writes fail #131 — dashboard runs with no operator-visible signal if the SQLite DB init/writes fail (silent data loss)
• Dashboard undercounts P2Pool shares (records at most one per 30s poll) — skews PPLNS-window count and the XvB controller gate #129 — dashboard undercounts P2Pool shares (≤1 per 30s poll) → skews PPLNS window + XvB gate

First-run / setup path:

• [Bug] setup command crashes during disk space check if data directories do not exist yet #179 — setup crashes during the disk-space check when the data directories don't exist yet
• optimize_kernel writes an invalid THP kernel param (transparent_hugepages, plural) — THP-disable silently never takes effect #176 — optimize_kernel writes an invalid THP param → THP-disable silently never takes effect
• Make the mining_net subnet/base configurable to avoid host address-space collisions #180 — make the mining_net subnet/base configurable (configurable subnet base, preserving the SSRF: miner-controlled worker name/IP becomes an outbound request host from the host-networked dashboard #122 SSRF CIDR guard + fixed bridge addressing)

Wave 2 — Security & privacy wave-2-security ✅ DONE (for v1.0)

Credibility-critical for a private-Monero product. The leak fixes, the auth, and the access-control knobs all shipped; the privacy-default flips were consciously deferred to v1.1.

Tier A — clearnet leaks & fail-closed:

• Dashboard: route XvB stats through Tor + gate behind XVB_ENABLED (IP↔wallet leak) #163 — dashboard XvB stats over clearnet with the wallet as a query param → routed via Tor + gated behind XVB_ENABLED
• monerod: eliminate clearnet DNS leaks (priority-node hostnames, DNS checkpoints, update check) #161 — monerod clearnet DNS leaks · [x] Tari: eliminate clearnet DNS leaks (DNS seeds + Tari Pulse), fix misleading DoT comment #162 — Tari clearnet DNS leaks · [x] SSRF: miner-controlled worker name/IP becomes an outbound request host from the host-networked dashboard #122 — dashboard SSRF · [x] xmrig-proxy HTTP API: enforce authentication (fail closed if the access token is empty) #153 — xmrig-proxy API fail-closed

Tier B — hardening & limits:

• p2pool monerod RPC credentials exposed on the process command line (--rpc-login is argv-only) #57 — p2pool monerod RPC credentials on argv (--rpc-login) → closed wontfix (local-only, unfixable without removing RPC auth / an upstream change; rationale recorded in docs/privacy.md, PR docs: record the p2pool argv RPC-credential limitation (#57, wontfix) #219)
• Optional stratum access-password: require miners to authenticate to xmrig-proxy #152 — optional stratum access-password (PR Expose two xmrig-proxy config knobs: stratum access-password (#152) + dev-fee donate-level (#173) #207, opt-in, default off; RigForge docs [rigforge#97]; Phase-2 auto-fetch = RigForge: fetch the stratum access-password at worker setup → default-on stratum auth (Phase 2 of #152) #208)
• Add memory caps to monerod / p2pool / dashboard (only Tari is bounded today) #132 — add memory caps to monerod / p2pool / dashboard
• ➡️ Security follow-ups: dashboard host-networking, Tari gRPC allow-list, assert_safe_dir #91 — lower-priority hardening (host-networking, Tari gRPC allow-list, assert_safe_dir) — moved to v1.1

Tier C — privacy-first defaults (epic #160): the v1.0 leak-fixes (Tier A) are done; the default-flips need live-mining benchmarking and were deferred:

• ➡️ [Epic] Privacy: no clearnet egress outside Tor — close leaks + privacy-first defaults #160 — [Epic] Privacy: no clearnet egress outside Tor — v1.0 children all closed; epic moved to v1.1 (now tracks only the Tor-default flips below)
• ➡️ p2pool: route outbound sidechain P2P through Tor by default (--socks5), documented clearnet opt-out #165 — p2pool outbound P2P through Tor by default (--socks5), p2pool.clearnet opt-out — moved to v1.1 (benchmark orphan/uncle-rate first)
• ➡️ XvB donation: route mining upstream through Tor by default + pin --donate-level 0 (xvb.tor opt-out) #166 — XvB donation through Tor by default + pin --donate-level 0, xvb.tor opt-out — moved to v1.1 (benchmark reject-rate first)
• ➡️ Feature: optional clearnet initial sync (Monero + Tari) then switch to Tor — default off, privacy-first #183 — optional clearnet-then-Tor initial sync (default off) — moved to v1.1

Tier D — dashboard auth & safe exposure:

• Secure Dashboard: authentication/login + safe public exposure (re-evaluate Caddy/TLS) #8 — Secure Dashboard: optional Caddy basic-auth login, opt-in + off by default (PR Dashboard: optional Caddy basic-auth login, opt-in + off by default (#8) #217). Also the gate for future relaxed-ingress / co-hosting ([Feature/Discussion] Support co-hosting via migration guides and relaxed reverse-proxy/network bindings #181, v1.1).

Transparency:

• [Feature] Expose xmrig-proxy dev-donation level (donate-level) in config / advanced config #173 — expose & let operators adjust the xmrig-proxy dev-fee donate-level (default 0; PR Expose two xmrig-proxy config knobs: stratum access-password (#152) + dev-fee donate-level (#173) #207)

Docs: [x] #164 — docs/privacy.md egress reference · [x] #113 — public-IP warning.

Wave 3 — Dashboard wave-3-dashboard ✅ DONE

The thing people screenshot. The whole cluster shipped (PRs #210–#216, #218).

A. Core metrics & layout chain:

• Dashboard: use *routed* (xmrig-proxy) hashrate everywhere for display; credited (XvB API) only in the swap algorithm + Advanced card #156 — routed (xmrig-proxy) hashrate everywhere for display; credited (XvB API) only in the swap algo + Advanced card
• Dashboard 'Current Tier' uses only the 24h credited avg — overstates tier on a hashrate drop (raffle needs 1h AND 24h) #157 — "Current Tier" uses min(1h, 24h) credited avg, not 24h-only
• Dashboard: surface explicit VIP status (a PPLNS share) — make-or-break for ALL tiers incl. Whale/Mega #158 — explicit VIP status (a PPLNS share) + "Not VIP" warning
• Dashboard: redesign card layout to prioritize stack-relevant data on top (Simple + Advanced) #159 — card layout redesigned to operator priority

B. Worker-table accuracy:

• Dashboard: "Uptime" column is misleading for disconnected workers — show DOWN, and track real uptime in-dashboard #169 — "Uptime" shows DOWN for offline workers + real in-dashboard uptime
• Dashboard: stale/offline miners never leave the "Workers Alive" table — add a fall-off cutoff and/or a hide control #182 — stale/offline workers fall off "Workers Alive"; headline + chart count only workers reaching this node

C. Chart & badge polish:

• Dashboard: toggle hashrate averaging window (1m / 10m / 1h / 12h / 24h) in the chart #168 — toggle the hashrate-averaging window (1m / 10m / 1h / 12h / 24h)
• Dashboard: chart reads blue-purple when mining 100% to P2Pool — empty XvB series paints its line over the P2Pool edge #184 — per-segment chart color (no blue-purple bleed at 100% P2Pool)
• Dashboard: HugePages reads red when enabled but unused (0 in use) — should be green #175 — HugePages badge green when enabled-but-unused

D. Correctness bugs:

• _parse_proxy_summary returns {} on a malformed (non-exception) payload, wiping the last-good share-health totals #141 — _parse_proxy_summary no longer wipes last-good share-health totals on a malformed payload
• XvB 'stats updated' timestamp is bumped every algo cycle, not when xmrvsbeast.com is actually fetched — misleading freshness #136 — XvB "stats updated" timestamp bumps only on a real fetch

Wave 4 — Operator alerting wave-4-alerting ➡️ SLIPPED to v1.1

Feature track, deferred to v1.1 (2026-06-11). Net-new, default-off, not launch-blocking, and v1.1 already owns the richer Telegram bot (#45) and outage flagging (#99). Both have draft PRs but they're stale (opened 2026-06-04, predating the #124 CI expansion + the Wave-3 dashboard refactor) and need a rebase + full re-validation + un-draft before review — kept open as the v1.1 starting point.

• ➡️ Telegram alerting (notifications-only): node/worker down + recovered (config.json, default off) #121 — Telegram alerting (notifications-only) → v1.1 (draft PR Telegram alerting (notifications-only): node/worker down + recovered (#121) #143, +1081, stale)
• ➡️ Healthchecks.io dead-man's-switch: detect power loss / host-down via external ping (config.json, default off) #79 — Healthchecks.io dead-man's switch → v1.1 (draft PR Add optional Healthchecks.io dead-man's switch (#79) #133, +718, stale)

Wave 5 — CI & test hardening wave-5-ci-tests ✅ DONE

• CI doesn't validate the container build layer: build the build/* images, shellcheck their scripts, add hadolint #124 — CI builds all build/* images + shellchecks build scripts + adds hadolint
• Expand the pithead bash test suite: backup/restore round-trip + doctor/upgrade/generate_caddyfile #140 — expand the bash test suite: backup/restore round-trip + caddyfile scheme + host helpers (PR Expand the pithead bash test suite: backup/restore + caddyfile scheme + host helpers (#140) #220)

Wave 6 — Release gate & launch wave-6-release ⬅ THE FINISH LINE

Strictly ordered. The gate (#54) is cleared; both remaining items are unblocked.

1. Comprehensive end-to-end infrastructure test matrix on a real Ubuntu server (full Monero + Tari node) #54 — comprehensive E2E infrastructure test matrix on a real Ubuntu server (the release gate — PASSED)
2. Release & versioning structure (single-product releases via GHCR) #44 — release & versioning pipeline → GHCR (unblocked: Comprehensive end-to-end infrastructure test matrix on a real Ubuntu server (full Monero + Tari node) #54 ✔ + VERSION ✔)
3. Launch assets: refreshed hero screenshot + demo GIF + GitHub social preview #80 — launch assets: refreshed hero screenshot + demo GIF + social preview (unblocked: the dashboard UI is final)

---

Cross-issue dependencies (still live)

This…	…waits for	Status
#80 (launch screenshots)	the final dashboard UI (Wave 3)	✅ unblocked — Wave 3 shipped
#44 (release pipeline)	#54 ✔ + VERSION ✔	✅ unblocked
#160 epic (now v1.1)	#165, #166	Epic closes when the Tor-default children land (v1.1)
#182 ↔ #169	shared per-worker last_active state	✅ both shipped together

Deferred to v1.1 (the release valve — all actioned)

• p2pool: route outbound sidechain P2P through Tor by default (--socks5), documented clearnet opt-out #165 / XvB donation: route mining upstream through Tor by default + pin --donate-level 0 (xvb.tor opt-out) #166 — Tor-by-default for p2pool / XvB (benchmark first).
• [Epic] Privacy: no clearnet egress outside Tor — close leaks + privacy-first defaults #160 — the privacy-egress epic (its v1.0 leak-fixes are done; tracks the v1.1 flips).
• Security follow-ups: dashboard host-networking, Tari gRPC allow-list, assert_safe_dir #91 — self-scoped post-launch hardening.
• Feature: optional clearnet initial sync (Monero + Tari) then switch to Tor — default off, privacy-first #183 — optional clearnet-then-Tor sync.
• Telegram alerting (notifications-only): node/worker down + recovered (config.json, default off) #121 / Healthchecks.io dead-man's-switch: detect power loss / host-down via external ping (config.json, default off) #79 — Wave-4 operator alerting (draft PRs Telegram alerting (notifications-only): node/worker down + recovered (#121) #143/Add optional Healthchecks.io dead-man's switch (#79) #133, stale — need a rebase before review).

Explicitly NOT in v1.0

• v1.1 — config editor Stack config editor: change any setting from the dashboard, applied via pithead (incl. P2Pool mode hot-swap) #33, Telegram bot Telegram interactive bot / command interface (query stack status over Telegram) #45, upgrade button Dashboard: new-version warning + one-click upgrade button #59, cadence/luck Pool cadence & luck panel (time-to-share, time-since-block, luck %, PPLNS weight) #84, outage flagging Flag outages / significant hashrate-loss events on the chart (+ feed Telegram/Healthchecks alerts) #99, share-stats/telemetry persistence Store share stats as time-series for reject-rate trends/charting #116 + the telemetry epic [Epic] Persist valuable telemetry as time-series — stop discarding block / share-health / disk-growth / XvB / per-worker data #196, co-hosting [Feature/Discussion] Support co-hosting via migration guides and relaxed reverse-proxy/network bindings #181 (relaxed ingress + migration guides; appliance stays the Tier-1 default), the dead-known_workers removal Remove dead known_workers persistence layer (orphaned by the proxy-sourced worker rewrite) #144, the deferred Wave-2 privacy flips ([Epic] Privacy: no clearnet egress outside Tor — close leaks + privacy-first defaults #160/p2pool: route outbound sidechain P2P through Tor by default (--socks5), documented clearnet opt-out #165/XvB donation: route mining upstream through Tor by default + pin --donate-level 0 (xvb.tor opt-out) #166/Feature: optional clearnet initial sync (Monero + Tari) then switch to Tor — default off, privacy-first #183/Security follow-ups: dashboard host-networking, Tari gRPC allow-list, assert_safe_dir #91), and the dashboard features returned as too large for launch: Component Health panel Dashboard: Component Health panel with per-component + outbound-connection security status (Tor vs clearnet) #170, custom-token support Dashboard: config to read workers that use a custom XMRig API token #171, configurable worker ports Configurable worker ports & endpoints: non-standard stratum/API ports + per-worker host/port/token overrides (later) #172, Worker Inspect page Dashboard: Worker Inspect page — read/edit each miner's XMRig config over its API, with versioned config history + per-config hashrate stats #185. Post-launch test follow-ups e2e: deploy a NON-default network.subnet in the live matrix (#180) #201/e2e: fault-inject a dashboard DB write failure and assert db_healthy=false (#131) #202/e2e: assert an empty PROXY_AUTH_TOKEN makes the stack refuse to start (#153) #203/e2e: optional tier-4 live validation for already-unit-tested security features #206/Integration tests: RigForge worker ↔ Pithead xmrig-proxy (end-to-end flows) #209 (e2e + RigForge↔Pithead integration) are unmilestoned.
• v2 (appliance) — bootable installers Bootable USB installers: self-provisioning appliance images for the stack host and RigForge miner #77, Podman/Quadlet Evaluate Podman + Quadlet as the container runtime for the immutable appliance (vs Docker Compose) #78, remote node-starter repos Far-off: appliance-style Monero (and Tari) node-starter repos for easy remote nodes #105.

[VijitSingh97]

Wave-2 close-out (2026-06-11)

With the clearnet leak fixes (#161/#162/#163/#164) and dashboard auth #8 merged, the security long pole is effectively cleared for v1.0. Dispositioning the remainder:

• p2pool monerod RPC credentials exposed on the process command line (--rpc-login is argv-only) #57 (p2pool --rpc-login on argv) → wontfix, rationale now recorded in docs/privacy.md ("Local trust boundary & known limitations"). Closed via docs: record the p2pool argv RPC-credential limitation (#57, wontfix) #219. Host-local-only; unfixable without removing RPC auth or an upstream p2pool change.
• p2pool: route outbound sidechain P2P through Tor by default (--socks5), documented clearnet opt-out #165 / XvB donation: route mining upstream through Tor by default + pin --donate-level 0 (xvb.tor opt-out) #166 (Tor-by-default for p2pool / XvB) → deferred to v1.1. Both flip a yield-sensitive default and need live-mining benchmarking (Tor latency vs orphan/reject rate) first — their own bodies mark them v1.1 / not launch-blocking.
• Security follow-ups: dashboard host-networking, Tari gRPC allow-list, assert_safe_dir #91 (lower-priority hardening) and Feature: optional clearnet initial sync (Monero + Tari) then switch to Tor — default off, privacy-first #183 (optional clearnet initial-sync, default-off) → deferred to v1.1 (the roadmap's named defer candidates).

The #160 epic keeps its v1.0 children done; its two remaining children (#165/#166) are now v1.1, so the epic effectively rolls to v1.1.

Resulting v1.0 finish line

• Wave 5: Expand the pithead bash test suite: backup/restore round-trip + doctor/upgrade/generate_caddyfile #140 (expand the bash test suite) — in progress.
• Wave 6: Release & versioning structure (single-product releases via GHCR) #44 (release pipeline → GHCR), Launch assets: refreshed hero screenshot + demo GIF + GitHub social preview #80 (launch assets / screenshots — unblocked now that the dashboard UI is final).
• Wave 4 (Telegram alerting (notifications-only): node/worker down + recovered (config.json, default off) #121 / Healthchecks.io dead-man's-switch: detect power loss / host-down via external ping (config.json, default off) #79 alerting): still the slip candidates → v1.1 if the timeline tightens.