Roadmap
A pragmatic plan derived from two sources: the in-repo punch-lists (backend + frontend), and the gaps that surfaced while writing this documentation. Items below are tied to concrete code locations or doc-marked roadmap notes, not wishful thinking.
This is not a commitment to ship every item — priorities shift, and dockmesh is maintained in spare time. Treat it as “things that have been thought through enough to know they’re worth doing”, not as a timeline.
Active punch-list
Section titled “Active punch-list”These are the gaps the docs explicitly call out as roadmap, plus tracked items from the in-repo backend / frontend punch-lists. Cleanup-batch style — many small bites, not a single big feature.
Agents + multi-host
Section titled “Agents + multi-host”- Automatic agent mTLS certificate renewal — today client certs are 1 year, manual rotation via re-enrolment (mtls docs)
- Rolling-replace on remote hosts —
internal/host/remote.goreturns “not yet implemented”; the agent protocol needs a matching frame type - Cleanup stack on remote hosts — same shape: server-side helper works, agent-side endpoint missing
- Container files browse on remote hosts — file browser works on local host; agent-side support pending
- Hybrid agent install path — keep the current server-served install (works in air-gap), additionally publish on
get.dockmesh.dev/agentfor CDN-driven updates. Deferred — air-gap matters more for now
CVE scanning
Section titled “CVE scanning”- On-pull auto-scan — Grype runs on demand today; pull-triggered scan + scheduled rescan land together
- Suppress / Accept finding workflow — reserve
security.suppress_cvepermission, add suppress store + UI banner, separate “accept risk” audit channel - Offline DB import UI — file-level placement is the only path today
Alerts
Section titled “Alerts”- Tag-based scope — rules and channels currently scope by container-name glob; add
host_tagandstackdimensions - Filter-based mute page — today only per-rule
muted_untiltimestamps; a “mute everything matching X for Y hours” panel is on the list - Audit-log export to CSV / JSON Lines —
audit.exportpermission is reserved, endpoint not wired - Per-channel severity filter — channels get every rule that names them; the “Slack gets all, PagerDuty gets only critical” pattern isn’t supported yet
Backups
Section titled “Backups”- Restore to a different host in one click — today restore lands on the same host where the dockmesh server runs
- Backup-aware volume prune — block prune of a volume referenced by an active backup job (currently no awareness)
- Per-job encryption passphrase — single server-wide age key today; per-job keys are a different threat model
- SMB share auto-discovery on Test connection — operator must specify the share path manually today
Stacks + templates
Section titled “Stacks + templates”- Save-as-template from stack detail — the create-from-scratch template path works; the inverse (stack → template) isn’t shipped
- Auto-injected template parameters (
{{stack_name}},{{host}},{{timestamp}}) — these don’t auto-resolve today; deploy dialog prompts for them like any other input - Stack template marketplace — community-contributed templates browsable in-UI; not built
docker runconverter improvements — current parser handles the common case (multi-line\-continuation fixed already); edge cases like complex--mountsyntax, network modes, healthchecks still produce warnings
- Container lifecycle commands —
dmctl containers start|stop|restart|killaren’t shipped; only list, logs, exec. Use the REST API or web UI in the meantime (dmctl reference) - Windows binary —
dmctlfor Windows isn’t in the release matrix; run under WSL orgo installfrom source
Release engineering
Section titled “Release engineering”- Publish the Docker image —
Dockerfileexists in the repo; pipeline doesn’t push toghcr.io/dockmesh/dockmeshyet - Native Windows server / agent binaries — out of scope for now; PRs welcome if someone wants to lead the port
linux/arm/v7binaries — currently amd64 + arm64 only on Linux- GPG-signed checksums (
checksums.txt.asc) — release pipeline produceschecksums.txtbut doesn’t sign it
Observability + ops
Section titled “Observability + ops”/audit/exportendpoint for SIEM feeding — permission reserved, endpoint missing- Per-route rate-limiting — only
/auth/loginhas brute-force protection today; the docs recommend a reverse proxy for general rate-limiting
Ideas under consideration
Section titled “Ideas under consideration”Less concrete — interesting, plausible, no committed work yet:
- Plugin system — shell-out integrations for custom alert channels, backup targets, webhooks. Would need a stable protocol contract first.
- Terraform / OpenTofu provider — manage hosts, stacks, env vars declaratively. Probably built against the REST API as a thin layer.
- Built-in reverse tunnel — expose local-only stacks behind dockmesh-as-relay, as an alternative to Cloudflare Tunnel.
- Mobile-first PWA polish — the UI is responsive but not installable; add a manifest + offline shell.
- Compose
x-dockmesh.*extensions — opt-in labels that drive dockmesh behaviour from the compose file itself (alert thresholds, scaling hints, etc.). - i18n — UI is English-only today; no extracted message catalog yet. Translation requires a coordinated string-extraction pass first.
Things we’ve said no to
Section titled “Things we’ve said no to”For context — past requests that won’t be built:
| Request | Why not |
|---|---|
| Built-in CI/CD (GitHub Actions clone) | Use GitHub Actions, Gitea Actions, Drone — they do this better |
| Built-in log aggregation backend | Prefer integrating with Loki / Elasticsearch via container labels and a sidecar shipper |
| Desktop / Electron app | The web UI is the app — no maintenance burden of two UIs |
| SaaS-hosted dockmesh | Conflicts with the self-host ethos; the on-prem model is the point |
| Full Kubernetes management | K8s is a different tool with different UX — Rancher / Lens do that well, dockmesh sits a layer simpler |
| Cloud-provider-specific integrations (AWS LB, Azure DNS, etc.) | Out of scope; use the provider’s native tooling or Terraform |
How priorities are set
Section titled “How priorities are set”Roughly, in this order:
- Security issues — always top priority
- Bugs affecting users today — reported via Issues, reproducible
- Polish on existing features — gap-filling, UX improvements (most of the punch-list above falls here)
- Features users have asked for — weighted by Issue reactions + Discussion votes
- Features maintainers find interesting — sometimes technical curiosity leads, especially on the agent protocol side
There’s no paid “move my feature up the list” option — this isn’t a commercial product.
Making features happen faster
Section titled “Making features happen faster”If you want something specific:
- Upvote the relevant GitHub Issue (👍 reactions are tracked)
- Comment with your concrete use case — stories help prioritise more than abstract requests
- Contribute — a focused PR usually beats a wishlist; reach out before large work via a Discussion
- Sponsor — financial support frees up maintainer time, but doesn’t buy priority
Breaking changes
Section titled “Breaking changes”dockmesh follows semver. Pre-1.0 — the current state — minor versions may include breaking changes when they unlock a meaningful improvement; release notes will spell them out. After 1.0:
- Patch releases — bug fixes, no breaking changes
- Minor releases — new features, deprecations announced, no breaking changes
- Major releases — breaking changes allowed, migration guide provided
See also
Section titled “See also”- Changelog — what actually shipped
- Contributing — how to help close items above
- Release Process — how versions are cut