strands-labs/robots roadmap | v0.3.9 → v0.4.0

[cagataycali]

📌 Pinned roadmap — releases, merged PRs, active work, what's next.

Current tag: v0.3.8 — shipped 2026-02-23
Active: v0.3.9 — mesh security hardening (split into 9 surgical PRs, 8/9 merged; #226 closed-superseded) + pentest remediation (5/5 merged)
Next: v0.4.0 — docs + new policies + classical motion planners

---

Release Flow

flowchart LR
    subgraph "v0.3.8 ✅ Shipped"
        A[Foundation<br>Feb 23]
    end
    subgraph "v0.3.9 🔒 Active"
        B["Mesh security 8/9 in<br>+ pentest remediation 5/5"]
    end
    subgraph "v0.4.0 🎯 Target"
        C["Docs + Policies<br>Motion planners<br>HW compat"]
    end
    A --> B --> C

    style A fill:#2ea44f,color:#fff
    style B fill:#d29922,color:#fff
    style C fill:#0969da,color:#fff

Loading

---

v0.3.9 — Mesh Security Hardening (Active)

PR #195 was split into 9 surgical PRs for reviewability. Each ships independently behind feature gates. 8/9 merged; the docs PR (#226) was closed-superseded (its content landed via consolidated docs branches).

Mesh Security Split (#195 → 9 PRs)

#	PR	Scope	Status
1/9	#220	PKI test helpers + shared conftest	✅ Merged
2/9	#223	Payload validation (action allowlist + bounds)	✅ Merged
3/9	#224	Zenoh + ACL config builders (mTLS, downsampling)	✅ Merged
4/9	#221	Tamper-evident audit log (HMAC + per-peer seq)	✅ Merged
5/9	#222	Bridge cross-transport dedup + monotonic TTL	✅ Merged
6/9	#225	Replay caches + override-resume + safety topics	✅ Merged
7/9	#227	robot_mesh HITL + per-action rate limit	✅ Merged
8/9	#228	AWS IoT provisioning (CA pin + scoped policy)	✅ Merged
9/9	#226	README env-var matrix + CHANGELOG	⚪ Closed (docs consolidated)

🛡️ Pentest Remediation (robots-pentest harness)

After the mesh-security split landed, the robots-pentest harness flagged 5 cases that still did not pass. One surgical PR each closes the gap. All 5 now merged.

PR	Finding	Scope	Status
#332	Teleop bypass of validation	Validate teleop input frames before apply (key/value bounds, charset)	✅ Merged
#333	B-13/F-19	Fleet Provisioning PreProvisioningHook — deny-by-default + dedicated least-priv IAM role	✅ Merged
#334	F-20/B-14	Scope OperatorShadow to thing/strands-* (no cross-thing wildcard)	✅ Merged
#335	B-08/F-14	Hard-refuse operator denylist ACL without STRANDS_MESH_ACCEPT_PERMISSIVE_ACL opt-in	✅ Merged
#336	B-09/F-15	Scope robot response publishes to own ThingName (response/${iot:Connection.Thing.ThingName}/*)	✅ Merged

All 5 reviewed by @yinsong1986 and merged 2026-06-05. #333 carried a blocking IAM-role fix + CodeQL unused-var — both fixed with pinned regression tests. Remaining reviewer items are non-one-way-door follow-ups tracked for v0.4.1.

Other Security

PR	Scope	Status
#153	19 dependabot vulnerabilities	⚪ Closed (superseded)
#196	gr00t_inference input validation v2 (replaces #90)	⚪ Closed (superseded)
#216	CodeQL py/unsafe-cyclic-import suppression	🟡 In review
#234	Pin codeql-advanced.yml action SHAs	⚪ Closed (superseded)

Closed (superseded): #194 (replaced by #195 split), #90 (replaced by #196), and #153/#196/#234/#226 (content consolidated into other branches; PRs closed unmerged). Remaining live security review: #216.

---

v0.4.0 — Docs, Policies, Motion Planners, HW Compat

With the mesh security split + pentest remediation landed, v0.4.0 adds documentation, new policy backends (motion planners + Cosmos), embodiment expansion, and lerobot 0.5.x compatibility fixes.

Scope

Theme	PR	Title	Status
Embodiment	#128	UNITREE_G1_SONIC config	✅ Merged
HW compat	#276	Real-mode SO-100/101 on lerobot 0.5.1	⚪ Closed (shipped via #379)
HW compat	#277	LeRobot policy discovery (molmoact2, ...)	⚪ Closed (superseded)
Motion planner	#306	CuroboPolicy [curobo] extra	🟡 In review
Motion planner	#305	MoveIt2Policy [moveit2] extra	🟡 In review
Mesh dispatch	#304	tell() → Simulation.run_policy	✅ Merged
Policy ABC	#300	docs: VLA + classical planners	✅ Merged
VLA policy	#319	Qwen-VLA unified provider + 4-stage training	🟡 In review
VLA policy	#317	NVIDIA Cosmos 3 omnimodal VLA policy	✅ Merged
VLA policy	#163	CosmosPredictPolicy	⚪ Closed (shipped via #317)
Docs	#160	MkDocs Material site (39 pages)	✅ Merged
Docs	#371	README rewrite for v0.x (factory, mesh, sim)	✅ Merged
Docs	#87	README rewrite + 8 examples	⚪ Closed (shipped via #371)

Classical Motion Planners (#299 epic)

flowchart LR
    EPIC["#299 Policy ABC<br>supports planners"]
    EPIC --> S1["#300 docs ✅"]
    EPIC --> S2["#301 → #306<br>CuroboPolicy (in review)"]
    EPIC --> S3["#302 → #305<br>MoveIt2Policy (in review)"]
    EPIC --> S4["#303 → #304<br>mesh tell→sim ✅"]

    style EPIC fill:#0969da,color:#fff
    style S1 fill:#2ea44f,color:#fff
    style S2 fill:#d29922,color:#fff
    style S3 fill:#d29922,color:#fff
    style S4 fill:#2ea44f,color:#fff

Loading

Drafts (post-v0.4.0)

#	PR	Title	Target
1	#370	Device Connect integration	v0.4.1

---

Beyond v0.4.0

Feature	Issue/PR	Notes
Newton backend (GPU-native)	robots-sim #18	NVIDIA Warp, 4096 envs/GPU — Stage 4 epic, in progress
Isaac Sim backend	robots-sim #14	USD + IsaacLab — Phase 2 wiring PRs #62–#65 in review
Zenoh web dashboard	#48	Mesh ✅ unblocked
ROS2 integration	#2	DDS bridge + #305 MoveIt2
SIL/HIL Isaac Sim	#5	Builds on Isaac backend
RoboSuite adapter	#109	BenchmarkProtocol ext
Meta-World adapter	#108	BenchmarkProtocol ext
MolmoAct2	#154	Unblocked by #277 work
Reachy Mini tool	#159	Draft
use_zenoh tool	#158	Draft
use_dds tool (ROS2)	#157	Draft

---

Mesh Quality Backlog

50+ open issues tagged mesh + quality/security were filed from the PR #225 / #228 review trails as deferred follow-ups, plus the v0.4.1 follow-ups from the pentest-remediation reviews. These are post-merge hardening items, not v0.4.0 blockers. Tracked under labels mesh and hardware.

---

Last updated: 2026-06-14 — mesh-security split 8/9 merged (#226 closed-superseded), pentest remediation 5/5 merged (#332–#336), #128/#160/#317/#371 merged; #153/#196/#234/#276/#277/#163/#87 closed-superseded (content consolidated). v0.4.0 motion planners (#305/#306) + Qwen-VLA (#319) in review.