parlov Roadmap

Versions are scope buckets, not calendar commitments — items shift based on complexity discovered during implementation.

v0.1.0 — Initial existence oracle

Theme: Binary ships, existence oracle works end-to-end across all HTTP methods.

CLI

Binary entry point with clap dispatch — existence subcommand [SHIPPED]
--target, --baseline-id, --probe-id, --header, --method, --body flags [SHIPPED]

Probe engine

HttpProbe::execute — single request → ResponseSurface [SHIPPED]
Adaptive collect_until_verdict loop — same-status short-circuits at 1 sample, differential collects up to 3 for stability [SHIPPED]
Concurrent baseline + probe via tokio::try_join! [SHIPPED]

Analysis

ExistenceAnalyzer — status code differential classifier for all GET, HEAD, POST, PATCH, PUT, DELETE patterns [SHIPPED]
Wildcard arm returns Likely/Low for unrecognised differentials [SHIPPED]

Testing

RFC-compliant axum test servers for all 6 HTTP methods + OPTIONS + TRACE [SHIPPED]
Sanity tests for every server fixture [SHIPPED]
Integration tests: all GET, HEAD, POST, PATCH, PUT, DELETE patterns [SHIPPED]
insta snapshot tests locked for table and JSON output [SHIPPED]

v0.2.0 — Existence oracle method coverage

Theme: Extended pattern coverage across all HTTP methods — 28 additional patterns.

Analysis

GET expansion: 206, 301, 304, 406, 400, 416 patterns [SHIPPED]
POST expansion: 409/202, 409/204, 413, 411 patterns [SHIPPED]
PATCH expansion: 200, 204, 409, 415, 412 patterns [SHIPPED]
PUT expansion: 200, 204, 409/201, 415, 412 patterns [SHIPPED]
DELETE expansion: 204, 200, 202, 409, 403 patterns [SHIPPED]
OPTIONS: 204 with Allow header [SHIPPED]
TRACE: 200 (echo) and 405 (disabled) [SHIPPED]

Testing

28 new integration test patterns across all methods [SHIPPED]

v0.3.0 — Automated elicitation scan

Theme: scan subcommand replaces manual per-oracle invocation with an automated multi-strategy pipeline.

CLI

scan subcommand with --target, --baseline-id, --probe-id, --risk, --header, --alt-credential, --known-duplicate, --state-field [SHIPPED]

Probe engine

ProbeSpec::Pair — adaptive collect loop [SHIPPED]
ProbeSpec::Burst — N-request burst loop [SHIPPED]
ProbeSpec::HeaderDiff — single-request header comparison [SHIPPED]

Elicitation

17 status-code-diff strategies across GET and PATCH [SHIPPED]

Testing

Integration tests for all 17 strategies against GET and PATCH fixtures [SHIPPED]

v0.4.0 — Output formats

Theme: Structured output for CI/CD integration.

CLI

--format <table|json|sarif> global flag [SHIPPED]

Output

SARIF v2.1.0 output for GitHub Advanced Security / Code Scanning integration [SHIPPED]
Raw JSON output for piping and scripting [SHIPPED]

v0.5.0 — Cache-probing vector + signal-based analysis

Theme: Second elicitation vector ships; analysis pipeline moves from pattern matching to signal-based scoring.

CLI

--vector flag with per-vector risk ceiling (e.g. --vector cache-probing:safe) [SHIPPED]

Elicitation

Cache-probing vector: 8 strategies (cp-if-none-match, cp-if-modified-since, cp-if-match, cp-if-unmodified-since, cp-range, cp-range-unsatisfiable, cp-if-range, cp-accept) [SHIPPED]
25 total strategies (17 status-code-diff + 8 cache-probing) [SHIPPED]

Analysis

Signal-based pipeline: ProbeExchange, DifferentialSet, Signal, Technique types [SHIPPED]
Per-signal normative weighting, signal families with diminishing returns [SHIPPED]
Confidence thresholds drive OracleVerdict; severity from highest leak impact gated by confidence [SHIPPED]
Technique metadata (vector, normative strength) flows end-to-end from strategy to output [SHIPPED]
Deterministic finding IDs (SHA-256 truncated to 12 hex chars) for cross-run deduplication [SHIPPED]

Output

JSON v1.0.0 schema: nested structure (finding → strategy → result → technique → matched_pattern → evidence) [SHIPPED]
SARIF: one rule per technique, security-severity, fingerprints, relatedLocations for signals [SHIPPED]

Testing

RFC 9110 cache-probing test servers (GET + HEAD) with 55 integration tests [SHIPPED]

v0.6.0 — Error-message-granularity vector

Theme: Third elicitation vector: body-level differential signals for BOLA, query/schema validation, state conflict, and FK violations.

Elicitation

Error-message-granularity vector: 7 strategies (BOLA body diff, query validation, schema validation PATCH/PUT, state conflict POST, FK violation DELETE, app-vs-server 404) [SHIPPED]
32 total strategies (17 status-code-diff + 8 cache-probing + 7 error-message-granularity) [SHIPPED]

Analysis

Body diff signal extractor — first extractor to read response body content [SHIPPED]
SignalFamily::ErrorBody with BodyDiff confidence weights [SHIPPED]
Body diff attenuation (0.25×) when status codes already differ — prevents double-counting [SHIPPED]
Scoring pipeline supports body-only findings (removed base_confidence == 0 gate) [SHIPPED]

Testing

RFC 9110 EMG test servers (GET/POST/PATCH/PUT/DELETE + cross-method) with 51 sanity tests [SHIPPED]
14 EMG integration tests covering all 7 strategies across applicable HTTP methods [SHIPPED]
insta snapshots for EMG output (8 snapshots across JSON/SARIF/table) [SHIPPED]

v0.7.0 — Proxy and multi-target

Theme: Operational tooling — route probes through a proxy and scan multiple targets in one run.

CLI

--proxy <url> flag: route all probe requests through an HTTP/HTTPS/SOCKS5 proxy
--targets <file>: newline-delimited target list for parallel multi-target scans

Probe engine

Proxy support in HttpProbe via reqwest proxy configuration
Parallel scan orchestration with per-target result aggregation

Output

Multi-target JSON and SARIF output (findings keyed by target URL)

v0.8.0 — OpenAPI ingestion and strategy chaining

Theme: Derive probe targets from a spec; let early probe results parameterize later ones.

CLI

--openapi <file>: parse an OpenAPI 3.x spec and derive scan targets from path parameters and operation IDs

Elicitation

Strategy chaining: harvest metadata from early probes (IDs, tokens, correlation headers) to parameterize subsequent strategies
OpenAPI-derived baseline IDs from spec examples and enum values

Testing

Integration tests against a synthetic OpenAPI spec with known resource paths

v0.9.0 — Authentication oracle

Theme: Second oracle class — username enumeration via error message and timing differentials.

CLI

auth subcommand and --oracle auth for scan

Probe engine

Login, registration, and password-reset endpoint probing
Timing probe support for bcrypt/argon2 path differentials (≥30 samples, adaptive)

Analysis

AuthAnalyzer — response body diff, status comparison, timing (Mann-Whitney U)
Three auth contexts: unauthenticated, authenticated-no-access, authenticated-has-access

Testing

RFC-compliant axum auth test servers (login, registration, password reset)
Integration tests for all auth oracle patterns and timing oracle

Dependency graph

v0.1.0  ──►  v0.2.0  ──►  v0.3.0  ──►  v0.4.0
                                            │
                                            ▼
                                         v0.5.0  ──►  v0.6.0  ──►  v0.7.0
                                                                        │
                                                                        ▼
                                                                     v0.8.0  ──►  v0.9.0

Unversioned ideas

No version assignment yet — may fold into a later bucket or be deferred indefinitely.

Unified RFC test server — replace per-method fixture servers with a single resource-state-based axum server parameterized by fixture config
Timing oracle (standalone) — timing subcommand for explicit timing oracle detection with single-packet HTTP/2 technique
Token validation oracle — JWT/OAuth claim-level leakage via WWW-Authenticate parameter differentials
State oracle — header differential analysis across authenticated and unauthenticated contexts
Verification oracle — cryptographic validation pipeline fingerprinting via cert/signature error granularity
Web UI — hosted scanner interface (Cloudflare Worker + parlov-worker backend)
Remote mode — parlov as a server accepting scan jobs over HTTP