harmony/ROADMAP.md
Jean-Gabriel Gill-Couture c687d4e6b3 docs: add Phase 9 (SSO + Config Hardening) to roadmap
New roadmap phase covering the hardening path for the SSO config
management stack: builder pattern for OpenbaoSecretStore, ZitadelScore
PG readiness fix, CoreDNSRewriteScore, integration tests, and future
capability traits.

Updates current state to reflect implemented Zitadel OIDC integration
and harmony_sso example.
2026-03-30 07:37:24 -04:00


Harmony Roadmap

Eight phases to take Harmony from working prototype to production-ready open-source project.

| # | Phase | Status | Depends On | Detail |
|---|-------|--------|------------|--------|
| 1 | Harden harmony_config | Not started | | Test every source, add SQLite backend, wire Zitadel + OpenBao, validate zero-setup UX |
| 2 | Migrate to harmony_config | Not started | 1 | Replace all 19 SecretManager call sites, deprecate direct harmony_secret usage |
| 3 | Complete harmony_assets | Not started | 1, 2 | Test, refactor k3d and OKD to use it, implement Url::Url, remove LFS |
| 4 | Publish to GitHub | Not started | 3 | Clean history, set up GitHub as community hub, CI on self-hosted runners |
| 5 | E2E tests: PostgreSQL & RustFS | Not started | 1 | k3d-based test harness, two passing E2E tests, CI job |
| 6 | E2E tests: OKD HA on KVM | Not started | 5 | KVM test infrastructure, full OKD installation test, nightly CI |
| 7 | OPNsense & Bare-Metal Network Automation | In progress | | Full OPNsense API coverage, Brocade switch integration, HA cluster network provisioning |
| 8 | HA OKD Production Deployment | Not started | 7 | LAGG/CARP/multi-WAN/BINAT cluster with UpdateHostScore, end-to-end bare-metal automation |
| 9 | SSO + Config Hardening | In progress | 1 | Builder pattern for OpenbaoSecretStore, ZitadelScore PG fix, CoreDNSRewriteScore, integration tests |

Current State (as of branch feat/opnsense-codegen)

  • harmony_config crate exists with EnvSource, LocalFileSource, PromptSource, StoreSource. 12 unit tests. Zero consumers in workspace — everything still uses harmony_secret::SecretManager directly (19 call sites).
  • harmony_assets crate exists with Asset, LocalCache, LocalStore, S3Store. No tests. Zero consumers. The k3d crate has its own DownloadableAsset with identical functionality and full test coverage.
  • harmony_secret has LocalFileSecretStore, OpenbaoSecretStore (token/userpass/OIDC device flow + JWT exchange), InfisicalSecretStore. Zitadel OIDC integration implemented with session caching.
  • SSO example (examples/harmony_sso/): deploys Zitadel + OpenBao on k3d, provisions identity resources, authenticates via device flow, stores config in OpenBao. OpenbaoSetupScore and ZitadelSetupScore encapsulate day-two operations.
  • KVM module exists on this branch with KvmExecutor, VM lifecycle, ISO download, two examples (example_linux_vm, kvm_okd_ha_cluster).
  • RustFS module exists on feat/rustfs branch (2 commits ahead of master).
  • 39 example crates, zero E2E tests. Unit tests pass across workspace (~240 tests).
  • CI runs cargo check, fmt, clippy, test on Gitea. No E2E job.

OPNsense & Bare-Metal (as of branch feat/opnsense-codegen)

  • 9 OPNsense Scores implemented: VlanScore, LaggScore, VipScore, DnatScore, FirewallRuleScore, OutboundNatScore, BinatScore, NodeExporterScore, OPNsenseShellCommandScore. All tested against a 4-NIC VM.
  • opnsense-codegen pipeline operational: XML → IR → typed Rust structs with serde helpers. 11 generated API modules (26.5K lines).
  • opnsense-config has 13 modules: DHCP (dnsmasq), DNS, firewall, LAGG, VIP, VLAN, load balancer (HAProxy), Caddy, TFTP, node exporter, and legacy DHCP.
  • Brocade switch integration on feat/brocade-client-add-vlans: full VLAN CRUD, interface speed config, port-channel management, new BrocadeSwitchConfigurationScore. Breaking API changes (InterfaceConfig replaces tuples).
  • Missing for production: UpdateHostScore (updates the host's MAC in DHCP for PXE boot and configures host networking for LAGG/LACP 802.3ad); HostNetworkConfigurationScore needs rework for LAGG/LACP (it currently only creates bonds and does not configure the LAGG on the OPNsense side); the brocade branch needs to be merged and its API adapted in harmony/src/infra/brocade.rs.

Guiding Principles

  • Zero-setup first: A new user clones, runs cargo run, gets prompted for config, values persist to local SQLite. No env vars, no external services required.
  • Progressive disclosure: Local SQLite → OpenBao → Zitadel SSO. Each layer is opt-in.
  • Test what ships: Every example that works should have an E2E test proving it works.
  • Community over infrastructure: GitHub for engagement, self-hosted runners for CI.
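The zero-setup and progressive-disclosure principles above, as an added Rust example that is not harmony_config's own code: the `ConfigSource` trait, `Resolver`, `Origin` and the `HARMONY_` env prefix are hypothetical names chosen for illustration, with an in-memory map standing in for the local SQLite store.

```rust
use std::collections::HashMap;
use std::env;
/// One layer of the lookup chain; `get` returns None when the layer has no value.
pub trait ConfigSource {
    fn get(&mut self, key: &str) -> Option<String>;
}
/// Environment layer: reads `HARMONY_<KEY>` (the prefix is an assumption of this example).
pub struct EnvSource;
impl ConfigSource for EnvSource {
    fn get(&mut self, key: &str) -> Option<String> {
        env::var(format!("HARMONY_{}", key.to_uppercase())).ok()
    }
}

/// Interactive prompt, modelled as a closure so tests can script the answers.
pub struct PromptSource<F: FnMut(&str) -> Option<String>>(pub F);
impl<F: FnMut(&str) -> Option<String>> ConfigSource for PromptSource<F> {
    fn get(&mut self, key: &str) -> Option<String> { (self.0)(key) }
}

/// Where a resolved value came from: safe to log, unlike the value itself.
#[derive(Debug, PartialEq)]
pub enum Origin { Env, Store, OptIn(usize), Prompt }

/// Zero-setup resolver: env overrides first, then the persisted local store (an
/// in-memory map standing in for SQLite), then any opt-in layers (an OpenBao-backed
/// store would slot in here), and only then the prompt. A prompted answer is written
/// to the local store so the next run never asks again.
pub struct Resolver {
    pub store: HashMap<String, String>,
    pub opt_in: Vec<Box<dyn ConfigSource>>,
}

impl Resolver {
    pub fn resolve(&mut self, key: &str, prompt: &mut dyn ConfigSource) -> Option<(String, Origin)> {
        if let Some(v) = EnvSource.get(key) {
            return Some((v, Origin::Env));
        }
        if let Some(v) = self.store.get(key) {
            return Some((v.clone(), Origin::Store));
        }
        for (i, layer) in self.opt_in.iter_mut().enumerate() {
            if let Some(v) = layer.get(key) {
                return Some((v, Origin::OptIn(i)));
            }
        }
        let v = prompt.get(key)?; // last resort: ask the user
        self.store.insert(key.to_string(), v.clone()); // persist so the next run is zero-setup
        Some((v, Origin::Prompt))
    }
}
```

Only prompted answers are persisted; values served by the environment or an opt-in layer are never copied into the local store.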