Roadmap

Feature

Release month

Develop branch?

Released?

Release Version

Development of AMS-I.E and Mass Comparison on Cookstove

July 2024

Yes

2.27

Indexer API

July 2024

Yes

2.27

Development of VMR0006

July 2024

Yes

2.27

Filtering data for blocks is stateful API, introduce stateless data filters for API usage.

July 2024

Yes

2.27

Auto-testing community submitted policies

October 2024

Yes

3.0

Code audit: support and resolution of issues

October 2024

Yes

3.0

GHG Scorecards Research

October 2024

Yes

3.0

Token action block to work with token templates

October 2024

Yes

3.0

Different token IDs for different projects by the same policy

October 2024

Yes

3.0

Enhance MongoDB Integration

October 2024

Yes

3.0

Leverage the pre-built images as the default way to start Guardian locally

October 2024

Yes

3.0

Global Carbon Council (GCC) GCCM001

October 2024

Yes

3.0

Default values for schema-defined fields

October 2024

Yes

3.0

Rationalize API and UI return error codes

October 2024

Yes

3.0

Simplify default SR schema to take out optional properties

October 2024

Yes

3.0

Guardian analytics: bottom-up data traceability

October 2024

Yes

3.0

API versioning and support/deprecation schedule

October 2024

Yes

3.0

Data Parameterization and Conditional Review Logic

October 2024

Yes

3.0

Calculation logic for values in 'automatic fields' in schemas

October 2024

Yes

3.0

Verify and Fix the features that got affected by Mirror node changes

October 2024

Yes

3.0

Climate Action Reserve's U.S. Landfill Protocol

January 2025

Yes

3.1

Scope 3/PCF Referencing Demo (Methodology Breakdown)

January 2025

Yes

3.1

Development of AMS-I.C

January 2025

Yes

3.1

API facilities to retrieve unique references (IDs) of results for API-triggered operations

January 2025

Yes

3.1

Guardian analytics: labels and top down data way points

January 2025

Yes

3.1

Trustchain support for contract-based issuance and retirement implementation

January 2025

Yes

3.1

GHGP Version 3

January 2025

Yes

3.1

Enhancements and Bugs of Indexer

January 2025

Yes

3.1

Formula Linked Definitions & Schema Tree Enhancement

January 2025

Yes

3.1

Dry-run policy execution 'savepoints' - restart policy dry-run from the list of 'saved' places

January 2025

Yes

3.1

Standardize UI on Angular Material, remove/replace PrimeNG

January 2025

Yes

3.1

Enhancing Research on Indexer and Analytics Use Cases

January 2025

Yes

3.1

Add policy support for more than one external data block

May 2025

Yes

3.2

Firing external event when minting process is finished

May 2025

Yes

3.2

Establish deprecation policy for architectural APIs

May 2025

Yes

3.2

Cross-context (API+UI) refresh token invalidation (regression from v2.18.0)

May 2025

Yes

3.2

Business UseCase for Emissions Reduction/Removals (ERRs)Calculation Pre-Calculator in Guardian

May 2025

Yes

3.2

Add capabilities to display complex geoJSON shapes superimposed on maps

May 2025

Yes

3.2

Weak Default configuration

May 2025

Yes

3.2

System Logs Accessible by All Registries

May 2025

Yes

3.2

Development of VM0042 v2.1: Improved Agricultural Land Management

May 2025

Yes

3.2

Manual trigger of re-indexing for specific policy, SR, token

May 2025

Yes

3.2

Article 6.4 Forms Research

May 2025

Yes

3.2

Session Token in URL

May 2025

Yes

3.2

Accessing a Guardian policy from a Guardian instance other than the publishing instance

May 2025

Yes

3.2

Exporting Project Data in CSV format

July 2025

Yes

3.3

Missing Authentication between Services

July 2025

Yes

3.3

Server-Side Request Forgery (SSRF) in Request Data module

July 2025

Yes

3.3

No Password Policy

July 2025

Yes

3.3

Development of VM0033

July 2025

Yes

3.3

Detailed Research on Indexer Enhancements

July 2025

Yes

3.3

Guardian policy embedded code testing/debugging facility for Custom Logic, Calculate, etc blocks

July 2025

Yes

3.3

Substitute Google maps API in Guardian UI with an OSS alternative

July 2025

Yes

3.3

Outdated Software/Libraries

July 2025

Yes

3.3

Identifying, Implementing and Integrating 3rd Party data resources

July 2025

Yes

3.3

Authorization Headers Potentially Leaked through IPFS in Request Data Module

July 2025

Yes

3.3

Facilities to use specialist math tooling (such as R language) for calculatio ns in Guardian Policies .

July 2025

Yes

3.3

Payload Shapefile Ingestion

August 2025

Improvement in the error handling for excel schema exports

August 2025

Dry-run savepoint[s] to survive exit and policy editing

August 2025

Locations Data Field enhancement

August 2025

SLA Ticket Import and Policy Publish Performance in Guardian

August 2025

Validation for project data submission

September 2025

Guardian Form UI Improvements

September 2025

Make testing easier for subflows

September 2025

--— August 2025 ----

Payload Shapefile Ingestion

Make the payload ingest shapefiles, KML etc.

Referral Link: https://github.com/hashgraph/guardian/issues/5046

Improvement in the error handling for excel schema imports

To have better validation when excel is imported into guardian which will help prevent all the points I mentioned above and some more that I probably missed while working on methodology digitization

Referral Link: https://github.com/hashgraph/guardian/issues/4755

Dry-run savepoint[s] to survive exit and policy editing

Make savepoints 'survive' multiple "exit dry-run -> edit policy -> execute dry-run" cycles such that policy authors would not have to enter values in fields again on subsequent dry-runs.
Enable to existence of multiple 'savepoints' per policy
Enable policy authors to choose when savepoint to apply on each policy dry-run session.
Users can clean-up savepoints by deleting them individually, or choosing to 'Delete All'

Referral Link: https://github.com/hashgraph/guardian/issues/5056

Locations Data Field enhancement

Validation Check: Implement a validation step to confirm that location data being passed to the policy is in polygon format (e.g., Polygon or MultiPolygon in GeoJSON).

Data Format Enforcement: Ensure that only valid polygon geometry types are accepted. Reject or flag submissions that use unsupported formats (e.g., Point, LineString, or malformed geometries).

GeoJSON Handling (Optional Enhancement): Explore and, if feasible, implement a conversion method to extract the location GeoJSON and convert it into a downloadable file format (e.g., .geojson or .json).

Referral Link: https://github.com/hashgraph/guardian/issues/5061

Authorization for /change-password endpoint

Need provide access token to change password

Referral Link: https://github.com/hashgraph/guardian/issues/4574

SLA Ticket Import and Policy Publish Performance in Guardian

Investigate bottlenecks in the SLA Ticket Import process:

File parsing and validation
Schema mapping and VC generation
Backend processing queues

Optimize the policy publishing process:

Reduce the time to publish policies with SLA blocks
Improve processing time for VC issuance and anchor creation on Hedera
Implement batch processing or lazy loading where applicable

Evaluate and optimize:

MongoDB write operations
Hedera anchoring transaction handling
Large file buffer management
Provide loading indicators and progress status updates to the user

Add backend logs/metrics to measure:

SLA import time
VC issuance time
Total policy publishing duration

Referral Link: https://github.com/hashgraph/guardian/issues/5120

--— September ----

Validation for project data submission

Validation Rules Enhancement Implement robust validation for schema fields in both UI-level form inputs and backend processing logic for key field types:

GeoJSON: Ensure that the data is a valid FeatureCollection or Geometry object following RFC 7946 standards.
IPFS Links: Ensure that the link is not empty and follows proper CID or ipfs:// format.

Error Handling and Feedback

Inform the user with clear error messages during submission if data fails validation.
Prevent submission if any required or format-sensitive fields are invalid.

Backward Compatibility Handling

Optionally, mark or flag previously submitted documents with invalid data for review or correction.

Unit and Integration Tests

Add test cases to ensure all validations work across various scenarios and edge cases

Referral Link: https://github.com/hashgraph/guardian/issues/5060

Guardian Form UI Improvements

These four can be made into their individual issues as well. Let me know, I'd be happy to submit four separate ones.

Support a table input(and csv import) field for multi-year data fields. Often methodologies require multi-year inputs(think 10 or 100 year) and it's not the easiest to visualize or input them with a typical form UI. It'd be good to have a way to have tabular inputs and a way to specify how they will be read within calculations code.
Support attachments to a field (justifications, report). Corresponding to a submitted field, a VVB or SR may ask for justification report which is usually a file. A similar issue is already there - Manual input of additional data for inclusion into the VC document #2076
For large documents for example PDD, it'd be good to divide them into sections when user is submitting. We must allow draft saves and make dry-run testing feasible. Such a feature already exists(tabbed/navigation UI), but if document is too big, policy developer needs to click test data button multiple times to fill the entire form.
GeoJSON/Shapefiles rendering - Allow file uploads of such types and they should be rendered with maps in best way in form UI.

Referral Link: https://github.com/hashgraph/guardian/issues/5042

Make testing easier for subflows

There should be a way to test the sub-flows similar to unit test paradigm we have in programming. Each unit should be individually runnable and testable. Following the entire workflow for testing takes up ~50-60% of time of policy development.

Referral Link: https://github.com/hashgraph/guardian/issues/5045

--— October ----

Complex iterative review and approval workflows

Introduce reviewVcDocumentBlock as a complement to the requestVcDocumentBlock into Policy definition language and corresponding Guardian UI tools which would facilitate complex iterative document review workflows supporting rich communications, namely the ability to:

send messages/descriptions associated with actions
conduct stand-alone (not action-linked) message exchanges (questions, responses, general comms)
send requests for providing additional documents/evidence, and provide facilities to upload/receive them
ability to edit/correct previously submitted (but rejected) document and resubmit again
forward messages to another user
involve other users into 'conversations'

These actions, steps, message exchanges have to be verifiably traceable, i.e. recorded and published as VC/VP documents alongside the usual data-containing documents produce by the policy workflows.

Referral Link: https://github.com/hashgraph/guardian/issues/4548

Policy warnings

Introduce the generic capability to highlight blocks, elements within them, and groups of blocks
Introduce the generic capability to produce and display warning/error/info messages, their numbers and ability to disable/resolve:
- ignore (this one)
- ignore all like this
Add the corresponding API capability to access and manage the warnings etc via API

Referral Link: https://github.com/hashgraph/guardian/issues/2230

Schema deletion with child schemas

Implement a safe way to delete all schemas embedded into the parent schema in one operation such that:

the system check whether the schemas embedded into the parent schema being deleted are used anywhere else, and if so prevents the delete operation
users can select whether to delete all embedded schema together with the parent one or not before the deletion

Referral Link: https://github.com/hashgraph/guardian/issues/2692

Implementing Artifacts such as Schemas/Policies/tokens Deletion all at once

Create a checkbox at the top of the schema/policy/token table, which will allow to select all the artifacts.
Once, all the schemas/policies/tokens are selected, and clicked on delete, we should be able to delete all the schemas/policies/tokens at once

Referral Link: https://github.com/hashgraph/guardian/issues/3375

Option to delete all schemas for a particular policy in Draft stage

There may be another solution/improvement to the excel where it checks for duplicates and provides with an option to replace. Similar to the file system in macOS for example where it doesnt allow 2 folders with the same name at a particular destination. Issue for that created here: #4754

Referral Link: https://github.com/hashgraph/guardian/issues/4753

Import Excel to check for duplicates by schema name

But I believe there is one more check which the guardian can do when the excel is imported and that is to check for duplicates and provide the user with an option to either replace the schema or keep both the files.

Referral Link: https://github.com/hashgraph/guardian/issues/4754

Deterministic compression

Implement deterministic compression for all cases in which compression is applied by Guardian.

Referral Link: https://github.com/hashgraph/guardian/issues/4931

Project Account Wallet (ex:Project Developer or Accountable Impact Organisation)

Each new Project must have a unique wallet address generated/associated upon creation.
The Project wallet must support:
- Receiving funds (Hedera tokens/HBAR)
- Sending funds (to users, vendors, or community members)
- Holding and managing tokens (if applicable)
- Transactions must be traceable back to the Project wallet for reporting/financial audit.

Referral Link: https://github.com/hashgraph/guardian/issues/5044

Need to implement best practices on Schema Cycle

We need to implement and document best practices covering the following aspects of the schema lifecycle:

Schema Design & Format Guidance

Explain how to design schemas that align with Guardian requirements.
Describe valid formats and structure (e.g., JSON Schema).
Outline file format expectations for importing into Guardian.

Manual Schema Creation in Guardian

Step-by-step process to create schemas directly in the Guardian UI.
Include tips for defining required fields, types, and constraints.
Emphasize validation logic to reduce submission errors.

Schema Mapping

When and why to map schemas.
Best practices for setting up mapping relationships (if applicable).
Examples of mapped vs. unmapped use cases.

Referral Link: https://github.com/hashgraph/guardian/issues/5062

Update Walkthroughs in Documentation

A clear and concise description of what you expected to happen.

Referral Link: https://github.com/hashgraph/guardian/issues/4507

Graphical View of formula linked definitions

Add the capability to display dependencies and relationships of data feeding into Formula definitions as a diagram similar to 'schema tree view' or 'statistics'.
Color code (or in other way identify) the data points based on:
- their values (missing/default/as suggested/not-null)
- type (data structure/scalar value)
- in the future other criteria (e.g. "outside of 'normal' range")

Referral Link: https://github.com/hashgraph/guardian/issues/4730

Capture/replay and compare data of published policies

Introduce the capability to record and publish 'runs' of the policy for published policies such that it would be possible to replay these runs locally (in dry-run mode) and compare the results.

Additionally the runs need to be secured as a certified artifact which can be undeniably attributed to an instance of the Guardian and Standard Registry in it. Thus it would provides additional execution environment verification tool for auditors etc potentially other interested parties.

Make the recording of the runs for published policies executions 'on' by default (which can be disabled by the user), with an option to publish the final 'runs' artifact on IPFS which is also 'on' by default.

Referral Link: https://github.com/hashgraph/guardian/issues/3008

---- January 2025----

Climate Action Reserve's U.S. Landfill Protocol

Creating Schema design for this methodology.
Development of the schema and policy.
Testing the policy development through Guardian UI and configurator.

Referral Link: https://github.com/hashgraph/guardian/issues/3709

Documentation Link: https://docs.hedera.com/guardian-dev-1/guardian/demo-guide/carbon-emissions/climate-action-reserves-u.s.-landfill-protocol-version-6.0

Scope 3/PCF Referencing Demo (Methodology Breakdown)

Once the approach has been approved, we can update the GHGP policy and run the example data, publish the PCFs to the Hedera Network, and demonstrate how another guardian policy (of a supply chain partner) can reference a dynamic PCF to support scope 3 calculations. I believe Wes was interested in having this be a methodology breakdown.

Referral Link: https://github.com/hashgraph/guardian/issues/3723

API facilities to retrieve unique references (IDs) of results for API-triggered operations

Design a generic approach to the 'traceability' of API calls such that for each API call a chain of events and actions within Guardian policy and especially to outside systems can be established via the unique IDs culminating in:
Hedera transactions
Hedera topics messages
Hedera contract calls
Artifacts published on IPFS
Introduce a corresponding UI where users can visually observe the same information
Consider packaging this into Interactions Resilience Module (see related Hedera interactions resilience module #2905)

Referral Link: https://github.com/hashgraph/guardian/issues/3139

Documentation Link: https://docs.hedera.com/guardian-dev-1/guardian/standard-registry/show-list-of-hedera-transactions

Guardian analytics: labels and top down data way points

Introduce 2 new workflows into Guardian, which include the corresponding roles and access permissions:
- labels author, for users to be able to create the 'rulesets' for evaluating data for their compliance with the chosen 'label',
- auditor workflow, for users which would use these 'rulesets' to apply to data.
Introduce the concept of labels, which can be specified to combine multiple statistics (introduced in Guardian analytics: bottom-up data traceability #3336) to create 'higher-order' statistics which themselves can be combined further essentially enabling the creation of 'data transformation' trees which, when applied to data, would ultimately get resolved into binary compliant/non-compliant answers. The top-level 'nodes' in these trees are 'Labels'.
Enhance the current capability of qualitative evaluations in Statistics to support the ability for users to attach external evidence and add textual comments/explanations whenever a human input is enabled. The evidence would then become part of the 'evaluation trust-chain', i.e. it should be hashed and stored verifiably. Evidence in the image formats should be viewable in the browser, archives (zip files), pdfs, csv files should be supported for attachment and then download.
Enable Auditors to apply 'label rulesets' to tokens, Guardian would then automatically traverse the token trust-chain to find and evaluate the required data to produce the label conclusion, i.e. the compliant/non-compliant results. These results can optionally be published to IPFS/topics by Auditors that generated them.
Enable ordinary users to search for statistics, label ruleset, and label conclusions that have been published.

Referral Link:https://github.com/hashgraph/guardian/issues/4322

Documentation Link: https://docs.hedera.com/guardian-dev-1/guardian/standard-registry/policies/policy-labels

Trustchain support for contract-based issuance and retirement implementation

Extend/modify trustchain implementation to support new contract-based issuance and retirement functionality such that users have visibility to the entire lifecycle of the token and have access to all significant artifacts produced as a result.

Referral Link: https://github.com/hashgraph/guardian/issues/2243

Documentation Link: https://docs.hedera.com/guardian-dev-1/guardian/tokens/retirement-contract/trustchain-representation-of-token-retirement

American Carbon Registry (ACR) ACR Methodology for Quantifying, Monitoring, Reporting, and Verifying Greenhouse Gas Emissions Reductions and Removals from Landfill Gas Destruction and Beneficial Use Projects

Creating Schema design for this methodology.
Development of the schema and policy.
Testing the policy development through Guardian UI and configurator.

Referral Link: https://github.com/hashgraph/guardian/issues/3710

Documentation Link: https://docs.hedera.com/guardian-dev-1/guardian/demo-guide/carbon-emissions/landfill-gas-destruction-and-beneficial-use-projects-version-2.0

GHGP Version 3

Some items that could help take this policy to the next level would be to build out scope 3 and PCF referencing capabilities, build out SEC compliance aspects, and pursue a “Built on GHGP Mark” of approval. I believe this will help drive the policy to be attractive to real world users and ready for adoption.

Referral Link: https://github.com/hashgraph/guardian/issues/3728

Enhancements and Bugs of Indexer

We need to enhance Indexer feature by implementing following:

Progress Bar to show the data loading to DB.
Token and search data should be sortable by time

Referral Link: https://github.com/hashgraph/guardian/issues/3929

Documentation Link: https://docs.hedera.com/guardian/guardian/global-indexer/indexer-user-guide

Formula Linked Definitions & Schema Tree Enhancement

Introduce a UI component, or 2 separate but compatible components, into the Guardian which can display mathematical formulas in a format familiar to the user (like formulas in a LaTex documents of PDFs). These formulas should be interactive, i.e.:
- at the viewing time individual elements of the formulas should be clickable so users can drill into the variables and see corresponding schemas/documents.
- users should be able to input formulas (in a formula editor) of sufficient complexity to cover all VCM cases
- users should be able to copy/paste entire formulas or parts thereof
Enable policy authors to map schema tree structures to formulas, linking the fields and variables so Guardian UI can display them as per point above
Enhance Guardian schema, policy and VC/VPs views to display the formulas whenever they are available.
Introduce the ability to attach a PDF file to the schemas/formulas at the policy/schema creation time, and specify the (external) 'origin' link so the original source of the math can be traced to the original paper.
Enhance schema tree view to display the formulas alongside schemas.

Referral Link: https://github.com/hashgraph/guardian/issues/3408

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/policies/formula-linked-definitions

Dry-run policy execution 'savepoints' - restart policy dry-run from the list of 'saved' places

Introduce a new functionality for users to 'save' dry-run execution status at arbitrary points by clicking 'save state' button.
The system should support the creation of multiple save points for the same execution workflow
Next time the (draft) policy is executed in the dry-run mode users should be given a choice whether to restart from the beginning or continue execution from any of the 'save points'.
Starting execution from a 'save point' invalidates and removes all the other save points that logically followed it
It should be possible to delete some or all save points manually

Referral Link: https://github.com/hashgraph/guardian/issues/2838

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/policies/dry-run/demo-guide-on-dry-run-operations#id-4.9-savepoint

Standardize UI on Angular Material, remove/replace PrimeNG

Standardize Guardian UI to be Material-based
Remove/Replace all PrimeNG with Material without changing the look feel

Referral Link: https://github.com/hashgraph/guardian/issues/3141

Enhancing Research on Indexer and Analytics Use Cases

Identify and map out potential uses cases for the indexer and what type of analytics if could be used for.

Referral Link: https://github.com/hashgraph/guardian/issues/3730

Development of AMS-I.C.: Thermal Energy Production with or Without Electricity

Designing the Schema for the methodology
Development of the policy
Development of all the tools involved in this policy
- Tool 03- Tool to calculate project or leakage CO2 emissions from fossil fuel combustion
- Tool 05- Baseline, project and/or leakage emissions from electricity consumption and monitoring of electricity generation
- Tool 06- Project emissions from flaring
- Tool 07- Tool to calculate the emission factor for an electricity system
- Tool 09- Determining the baseline efficiency of thermal or electric energy generation systems
- Tool 12- Project and leakage emissions from transportation of freight
- Tool 16- Project and leakage emissions from biomas
- Tool 19- Demonstration of additionality of microscale project activities
- Tool 21- Demonstration of additionality of small-scale project activities 
- Tool 22- Leakage in biomass small-scale project activities

Referral Link : https://github.com/hashgraph/guardian/issues/2873

Documentation Link : https://docs.hedera.com/guardian/guardian/demo-guide/carbon-offsets/cdm-ams-i.c.-thermal-energy-production-with-or-without-electricity

---- February 2025----

Add policy support for more than one external data block

Allow more than one external data block per policy. Each external data block should be able to handle a different schema, enabling multiple types of data to be sent from external sources as needed.

Referral Link: https://github.com/hashgraph/guardian/issues/3992

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/external-events/send-data-using-the-external-data-apis/sends-data-from-an-external-source

Firing external event when minting process is finished

Add another external event when the minting process is completed (i.e. external-events.token_minting_process_completed)
Include in the event payload, among other details like tokenID, minted tokens, etc, the consensus timestamp of the last mint transaction

Referral Link: https://github.com/hashgraph/guardian/issues/4090

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/external-events#external-events-list

Establish deprecation policy for architectural APIs

Identify and enumerate all architectural APIs significant to end users
Extend API deprecation policy coverage to include the above APIs

Referral Link: https://github.com/hashgraph/guardian/issues/1794

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/policies/versioning-and-deprecation-policy/internal-apis-versioning-and-deprecation-policy

Cross-context (API+UI) refresh token invalidation (regression from v2.18.0)

Looking into the code, it seems that the refresh token should last for a year, this is fine as it is configurable, but losing login context (or a user potentially feeling they lost all their data) isn't great UX.

In terms of code behaviour, I would presume that this change would fix the issue:

const user = await new DataBaseHelper(User).findOne({refreshToken: decryptedToken.id, username: decryptedToken.name});

const user = await new DataBaseHelper(User).findOne({username: decryptedToken.name});

The reason why this might be okay, is that the expire at decoding happens on the line above, so a refresh token, would last for the period of time by default.

As this is authentication related, it requires review from more people.

Referral Link: https://github.com/hashgraph/guardian/issues/3525

Business UseCase for Emissions Reduction/Removals (ERRs)Calculation Pre-Calculator in Guardian

We are in the process of creating a few approaches to this ticket from the business use case perspective. One is essentially an “estimator” with a simplified workflow that can be used to estimate emission reductions, token issuance, etc. upfront to help the user better anticipate issuances and the impacts of various project activities and methodological choices. The other is more of a “summary preview” of the actual calculation results, that can be implemented just before validation (or anytime thereafter) to see summary KPIs based on the actual inputs and methodological choices made by the user, and they can then interact with the data like the Nerd Wallet retirement calculator to see how changes to the project activities could impact issuances. To be discussed further with the team.

Referral Link: https://github.com/hashgraph/guardian/issues/4562

Add capabilities to display complex geoJSON shapes superimposed on maps

Introduce capability for geometric shapes display for geoJSON in Guardian UI (both Indexer and Guardian itself).
Shapes display must be correctly superimposed on maps wherever possible

Referral Link: https://github.com/hashgraph/guardian/issues/4375

Documentation Link: https://docs.hedera.com/guardian/guardian/global-indexer/indexer-user-guide

---- March 2025----

Weak Default configuration

Change the password to a strong, random value, or create additional setup steps were the deployer is required to set this secrets. Additionally, set the most secure configuration as the default in the repository. This ensures that any user deploying the repository will benefit from enhanced security by default. In addition, as highlighted on the issue finding "Lack of Security Hardening Guides", a security guideline is recommended so that users can configure securely their environment before deploying it.

Referral Link: https://github.com/hashgraph/guardian/issues/4109

System Logs Accessible by All Registries

It is recommended to separate the system functionality from the registry functionality specifically for log management. Additionally, it would be appropriate to restrict access to system logs to a different admin role, who would only review the system logs. For registry logs, it is recommended to ensure that one registry can only view its logs, without seeing the logs of other registry users.

Referral Link: https://github.com/hashgraph/guardian/issues/4058

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/roles-and-permissions/roles-and-permissions-user-guide

Development of VM0042 v2.1: Improved Agricultural Land Management

Flexible Quantification Approaches:
Support for three primary quantification approaches: - Measure and Model - Measure and Remeasure - Default Factors
Document and Template Integration:
Capture key documents/templates: - Project Description Template, v4.4 - Monitoring Report Template, v4.4 - Validation Report Template, v4.4 - Verification Report Template, v4.4 - User Registration Forms - Emission Calculation Form
CDM Tools and Modules Integration:
AR-TOOL14: Tool for Testing Significance of GHG Emissions in A/R CDM Project Activities
A/R Methodological Tool for the Identification of Degraded or Degrading Lands in CDM A/R Project Activities
VMD0053 Module: This module will be treated as a tool within Guardian.

Referral Link: https://github.com/hashgraph/guardian/issues/4559

Documentation Link: https://docs.hedera.com/guardian/guardian/demo-guide/carbon-offsets/vm0042-improved-agricultural-land-management-v2.1

Manual trigger of re-indexing for specific policy, SR, token

Introduce a new capability into the indexer to trigger manual re-indexing for a specific 'vertical', starting at a specific topic and navigating (only) down the hierarchy for immediate availability of data.
Develop a UI for users to provide a Topic ID for one of the specific items below as an entry point into the 'vertical':
- Policy
- Standard registry
- Token
When manual re-indexing is scheduled it must take priority, or the rest should gets postponed until the manually-triggered update is finished.
The user who triggered the update must be notified when the update is finished.

Referral Link: https://github.com/hashgraph/guardian/issues/4373

Documentation Link: https://docs.hedera.com/guardian/guardian/global-indexer/indexer-user-guide#id-1.2-priority-loading-data-queue

Article 6.4 Forms Research

o Identify the additional requirements of Article 6 in comparison to one (or more) of the main voluntary standards.

o Determine functionality requirements to implement a “label-type” feature discussed above

Referral Link: https://github.com/hashgraph/guardian/issues/4560

---- April 2025----

Session Token in URL

The application should use an alternative mechanism for transmitting session tokens, for example, the Authorization header, as it is done by the rest of the web application.22

Referral Link: https://github.com/hashgraph/guardian/issues/4059

Accessing a Guardian policy from a Guardian instance other than the publishing instance

A Guardian user should be able to access a policy published by another Guardian instance from their own Guardian instance. This access should be based on a request-grant model.

Referral Link: https://github.com/hashgraph/guardian/issues/3951

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/decentralized-guardian/remote-policy-ui

---- May 2025----

Server-Side Request Forgery (SSRF) in Request Data module

If the functionality is important enough to keep despite the risk, then all URLs should be requested through a secure proxy server. This is a significant effort, and to be secure the proxy must ensure that:

The URL does not resolve to a private or local IP address 2. Redirects are not followed
Only HTTP(S) protocol schemes are supported Additionally, the application server should define and enforce rate limits to discourage abuse of the functionality as a web scanner. If the application is hosted on AWS servers, enforce usage of AWS “Instance Metadata Service Version 2” with token usage required. This is a new AWS metadata API which severely curtails the ability of attackers to abuse SSRF to access the AWS metadata API. However, this will not prevent attacks against other internal services.

Referral Link: https://github.com/hashgraph/guardian/issues/4110

Exporting Project Data in CSV format

We should be able to export the complete project data of any policy in CSV format through Guardian.
We should also be able to apply filters to the project data, which should be included in the export file.
When we export the data in csv format, it should follow proper naming convention such as saving the exported file by its respective policy name_version.csv

Referral Link: https://github.com/hashgraph/guardian/issues/3680

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/policies/exporting-project-data-in-csv/export-documents-in-csv-using-ui

Missing Authentication between Services

It is recommended to implement mutual authentication for all internal microservice communications to ensure that each service can verify the identity of the other. It is recommended to ensure that each service is properly authenticated, using authorization roles and permissions to ensure that each service can only publish or consume messages in the queues relevant to its designated function. Moreover, messages could be digitally signed, ensuring they originate from the correct service. At each step in the process, the signatures can be verified to ensure that the message has not been tampered with. Where applicable, integrate these recommendations into the security hardening guide to ensure organizations deploying the application can implement these best practices effectively.

Referral Link: https://github.com/hashgraph/guardian/issues/4107

Documentation Link: https://docs.hedera.com/guardian/guardian/readme/getting-started/installation/building-from-source-and-run-using-docker#id-3.2-setting-up-jwt-keys-in-.env-file

No Password Policy

It is recommended to create a password policy, that can be configured by the organizations using the application. It should also be noted that recent guidance from NCSC promotes password policies which are designed to decrease the burden on the user. This can include relaxing controls requiring users to change their passwords at regular intervals in favor of the use of suitably complex passwords. The NCSC password guidance21 should be reviewed to determine if this new guidance can be applied to the environment reviewed.

Referral Link: https://github.com/hashgraph/guardian/issues/4057

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/password-management/password-policy

---- June 2025----

Development of VM0033

Creating Schema Design.
Review the design
Development of the methodology
Testing the methodology
Documenting the methodology user guide.

Referral Link: https://github.com/hashgraph/guardian/issues/4877

Documentation Link:https://docs.hedera.com/guardian/guardian/demo-guide/carbon-offsets/vm0033-methodology-for-tidal-wetland-and-seagrass-restoration

Detailed Research on Indexer Enhancements

Identify and implement indexer enhancements based on example use cases and community feedback.

Referral Link: https://github.com/hashgraph/guardian/issues/4561

Guardian policy embedded code testing/debugging facility for Custom Logic, Calculate, etc blocks

Introduce the 'Test' button to all places where source or math code can be inputted in Guardian policy which would trigger the 'in place' execution of the code based on the execution context and defined inputs/outputs of the block. This tool could prompt the user for input data when required.
Add ability to 'print' (i.e. log) data and variable values somewhere when test-running policy (e.g. in Dry-run mode). This way policy authors would be able to examine the data structures passed into the functions and identify unexpected behaviour in this area.
Add recommendations to the documentation wrt running this code in an separate developer environment, i.e. all the needed execution context such as imported libraries etc so those developers who prefer to use their code editors can replicate the execution of the code there.

Referral Link: https://github.com/hashgraph/guardian/issues/4304

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/policies/testing-debugging-code/testing-debugging-code-for-calculate-and-custom-logic-block-using-ui

Outdated Software/Libraries

Ensure the Guardian code is covered by an effective patching policy that allows the latest server software upgrades, updates, or patches to be tested and applied within a short time frame following their release by the vendor.

Referral Link: https://github.com/hashgraph/guardian/issues/4056

Substitute Google maps API in Guardian UI with an OSS alternative

Substitute currently used Google Maps for the same open maps as used in the Indexer.

Referral Link: https://github.com/hashgraph/guardian/issues/3959

Documentation Link: https://docs.hedera.com/guardian/guardian/global-indexer/indexer-user-guide

---- July 2025----

Identifying, Implementing and Integrating 3rd Party data resources

Identify and shortlist 2-3 key Environmental-related data sources to be used as reference data and/or
Implement integration with these 3rd party data providers (may be similar to IPFS/Hedera integration), such as:
policy can easily add such 'integration' to their policy - potentially using the new policy modules functionality Linkable policy modules for constructing end-to-end Policy workflows #1657
the data can be defined as mandatory or optional (by the policy author)
data imported into Policy artifacts is stored and displayed in its native format, preserving 'mime type' and/or any other indication of the nature of the data as well as the identity/credentials of the source, time/date and other identifying information as appropriate

Referral Link: https://github.com/hashgraph/guardian/issues/1690

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/policies/integrating-3rd-party-data-resources

Authorization Headers Potentially Leaked through IPFS in Request Data Module

Implement a secure method to handle secrets in the Request Data module that ensures sensitive information, such as authorization headers, is not published with the policy. A possibility may be to include encrypted headers with the public key that only the private key of the policy owner can decrypt. Other possibility may be to store the secrets headers in the vault and fetch them at runtime using appropriate access controls. Update the documentation to explicitly warn policy creators about the risks of including sensitive information in the policies and recommend using the module only for public HTTP methods. Provide guidelines on securely configuring policies to avoid the leakage of sensitive data.

Referral Link: https://github.com/hashgraph/guardian/issues/4049

Facilities to use specialist math tooling (such as R language) for calculations in Guardian Policies

Introduce support for Python language in Policies such that Python code can be embedded into Policies and enable them to perform complex calculations in the course their execution by users
Bundle Python interpreter and a standard (curated) set of libraries into Guardian distros
Add 'Guardian version' parameter to the documents so any complex calculations can be replicated by knowing versions of libraries and interpreters used by the Policy at the document production time.

Referral Link: https://github.com/hashgraph/guardian/issues/3573

Documentation Link: https://docs.hedera.com/guardian/guardian/standard-registry/policies/python-implementation-in-guardian

Last updated 8 hours ago