Roadmap

This page tracks what Edictum has shipped, what is actively being built, and what is planned -- across the core library and Edictum Console.

This page tracks what Edictum has shipped and what is planned. Items move through two stages: [Shipped] and [Planned].

The roadmap covers both the core library (pip install edictum) and Edictum Console (pip install edictum[server] + self-hosted server).

Core Library

[Shipped] Core Pipeline (v0.5.x)

The foundation: in-process contract enforcement with zero runtime dependencies.

Enforcement pipeline with preconditions, postconditions, and session contracts
6 framework adapters: LangChain, OpenAI Agents SDK, CrewAI, Agno, Semantic Kernel, Claude Agent SDK
YAML contract pipeline with JSON Schema validation and SHA-256 versioning
CLI tools: edictum validate, edictum check, edictum diff, edictum replay, edictum test
OpenTelemetry span emission with OTel Collector support
Observe mode for testing contracts against live traffic before enforcing
Postcondition findings interface with remediation callbacks (on_postcondition_warn)
Automatic secret redaction in audit events via RedactionPolicy
Built-in contract templates: file-agent, research-agent, devops-agent
Dry-run evaluation API (guard.evaluate(), evaluate_batch())

[Shipped] Postcondition Enforcement Effects (v0.6.0)

Postconditions gain redact and deny effects beyond the original warn.

effect: redact -- regex-based pattern redaction in tool output (READ/PURE tools only)
effect: deny -- suppress entire output, replaced with [OUTPUT SUPPRESSED] {message} (READ/PURE tools only)
SideEffect classification (PURE, READ, WRITE, IRREVERSIBLE) controls which effects apply
YAML tools: section for declaring tool side-effect classifications

[Shipped] Environment Selectors & Guard Merging (v0.7.0)

Contracts can now reference environment variables and guards can be merged.

env.* selector -- reference environment variables in contract conditions with automatic type coercion
Edictum.from_multiple() -- merge contracts from multiple guard instances

[Shipped] Bundle Composition & Dual-Mode Evaluation (v0.8.0)

Teams can compose multiple YAML bundles and observe-test contract changes against live traffic.

from_yaml(*paths) -- pass multiple YAML files; bundles are composed left-to-right with deterministic merge semantics
compose_bundles() -- low-level composition primitive with replace-by-ID for contracts, deep merge for tools/metadata, later-wins for defaults/limits/observability
observe_alongside: true -- dual-mode evaluation where a second bundle's contracts run as shadows, producing audit events without affecting real decisions
CompositionReport -- reports overridden and shadow contracts; available via return_report=True on from_yaml()
CLI support -- edictum validate and edictum diff support multi-file composition with override/shadow reports

[Shipped] YAML Extensibility & Adapter Lifecycle (v0.9.0)

The contract pipeline and adapters are now extensible without forking.

Custom operators -- register domain-specific condition operators (e.g., valid_iban, pii_free) via custom_operators parameter
Custom selectors -- register custom value selectors for YAML conditions via custom_selectors parameter
metadata.* selector -- contracts can reference bundle metadata fields in conditions
template_dirs -- load templates from custom directories alongside built-in ones
from_yaml_string() -- load contracts from string/bytes input for dynamic scenarios
on_deny / on_allow callbacks -- lifecycle hooks on every decision for logging, alerting, or approval gates
success_check parameter -- custom tool success detection for postcondition evaluation
set_principal() / principal_resolver -- mutable principal for mid-session role escalation (analyst -> operator)
CompositeSink -- fan-out audit events to multiple sinks simultaneously
CLI --json -- machine-readable output on check, validate, and diff for CI/CD integration
CLI --environment -- pass environment variables to edictum test cases
OTel TLS support -- insecure parameter on configure_otel() for development collectors

[Shipped] HITL Approval Workflows & Server SDK (v0.10.0)

Human-in-the-loop approvals, the Nanobot adapter, and the Server SDK package.

ApprovalBackend protocol with LocalApprovalBackend for CLI-based approval during development
effect: approve in preconditions -- pause the pipeline, request human approval, emit HITL audit actions
Wildcard tool matching -- tool selectors upgraded from exact-match to glob patterns via fnmatch (tool: "mcp_*")
Nanobot adapter (7th adapter) with GovernedToolRegistry, approval workflows, observe mode, sub-agent propagation
nanobot-agent contract template -- approval gates, workspace restrictions, session limits
Server SDK package (edictum[server]) -- 5 async client components: EdictumServerClient, ServerApprovalBackend, ServerAuditSink, ServerBackend, ServerContractSource

[Shipped] Sandbox Contracts (v0.11.0)

Allowlist-based governance: define what agents CAN do, not just what they can't.

type: sandbox -- allowlist boundaries for file paths (within/not_within), commands (allows.commands), and domains (allows.domains/not_allows.domains)
outside field -- controls the effect when a tool call falls outside the sandbox (deny or approve for HITL)
Multi-tool matching -- tools: [read_file, write_file, edit_file] applies one sandbox to multiple tools
Pipeline sandbox stage -- evaluates after preconditions, before session contracts
Sandbox in CLI -- edictum check and edictum test evaluate sandbox contracts
Sandbox composition -- from_multiple() merges sandbox contracts across bundles
Sandbox observe mode -- per-contract mode: observe logs sandbox denials without enforcing

[Shipped] Security Hardening (v0.11.1 -- v0.11.3)

Security-focused releases: path traversal fix, fail-closed hardening, adversarial test suite.

Path traversal bypass fix -- normpath upgraded to realpath for symlink resolution
ServerBackend fail-closed on network errors
BashClassifier expanded to detect additional shell metacharacters
Sandbox symlink resolution and tool_name validation in create_envelope
Adversarial test suite -- 114 @pytest.mark.security tests covering shell metacharacter bypasses, sandbox symlink escapes, input injection, backend failure modes, and session concurrency
bandit static security analysis in CI

[Shipped] Edictum Gate & API Improvements (v0.15.0)

Edictum Gate -- pre-execution governance for coding assistants:

5 assistant formats: Claude Code, Cursor, Copilot CLI, Gemini CLI, OpenCode
edictum gate init -- interactive setup wizard with contract deployment, assistant hook registration, and optional Console connection
Console sync -- auto-flush audit events to Console every 30 seconds via background fork; manual flush with edictum gate sync
Self-protection contracts -- always-enforced contracts preventing the assistant from reading, writing, or disabling Gate configuration
Scope enforcement -- prevents Write/Edit outside the project directory
Secret redaction -- secrets redacted before WAL write; API keys, SSH keys, tokens never hit disk or wire
Cursor auto-detection -- detects cursor_version/workspace_roots in stdin and uses the correct format handler

Google ADK adapter (8th adapter):

before_tool_callback / after_tool_callback integration
Plugin mode (as_plugin()) and per-agent callback mode (as_agent_callbacks())
Full PII interception via pipeline effects (redact/deny)

Core API additions:

CollectingAuditSink -- in-memory audit sink with bounded ring buffer and mark-based windowed queries
Edictum.local_sink property -- always-present CollectingAuditSink on every instance
Edictum.from_server(url, api_key, agent_id) -- one-line wiring of all server SDK components
Edictum.reload(contracts_yaml) -- atomic contract swap (fail-closed on parse errors)
Edictum.close() -- graceful shutdown of SSE watcher, contract source, HTTP client, and audit sink
SSE watcher -- background asyncio task that auto-reloads contracts on contract_update events

Breaking change:

StdoutAuditSink no longer added by default. Use audit_sink=StdoutAuditSink() or YAML observability.stdout: true.

Tool outputs often contain personally identifiable information that should not propagate back to the LLM or appear in logs. Today, postcondition contracts can match PII patterns via YAML matches: operators and use effect: redact to strip them, and classify_finding() classifies matches as pii_detected based on heuristics.

What's planned:

Built-in PII patterns -- ship common regex patterns (SSN, email, phone, credit card) as a contract template or YAML shorthand, so teams don't have to write their own
ML-based detection -- optional dependency for NER-based PII detection (e.g., Presidio) as a postcondition evaluator, catching patterns that regexes miss
YAML pii_detection shorthand -- declare PII checks directly in contract bundles without writing individual postcondition contracts

[Planned] Production Observability

Stdout and File (.jsonl) sinks ship today in core for development and local audit. Production deployments need audit data flowing to existing infrastructure.

Network audit sinks -- Webhook, Splunk HEC, Datadog as core sink implementations or via server-managed ingestion for compliance-grade audit trails
Finding notifications -- notifications on abnormal patterns (denial spikes, PII detections, session exhaustion)
Deployment recipes -- end-to-end guides for OTel to Grafana, Datadog, and Splunk

[Planned] Advanced Contracts

Single-call contracts cover most enforcement scenarios. Some problems require looking across multiple calls or letting non-engineers author contracts.

Sequence-aware contracts -- detect suspicious patterns across multiple tool calls, not just single calls (e.g., read credentials then call external API)
NL -> YAML authoring -- compliance officers describe a contract in English, system generates the YAML contract

[Planned] Performance & Operational Maturity

Performance characterization -- latency benchmarks for contract evaluation by type (precondition, postcondition, sandbox, session), memory overhead, and throughput at scale
Audit trail integrity -- signing or append-only guarantees on audit events for compliance-grade evidence

Edictum Console

[Shipped] Console v0.1.0

The first public release. Self-hostable operations console for governed AI agents.

Authentication and Security:

Local auth provider (email/password, bcrypt, HttpOnly cookies, Redis sessions with sliding TTL)
AuthProvider protocol for future OIDC integration
API key management (environment-scoped, bcrypt hashed, revocable, prefix-indexed)
CSRF protection (X-Requested-With header on cookie-auth mutating requests)
Rate limiting on login (per-IP sliding window) and approval creation (per tenant+agent)
User enumeration prevention (constant-time response for wrong email/password)
Adversarial test suite (43+ tests across 8 security boundaries)

Contract Management:

Contract library with versioning (each update creates a new version, old versions preserved)
Import existing YAML bundles to decompose into individual library contracts
Composable contracts: three-level model (Contract -> Composition -> Bundle)
Compositions with per-contract mode overrides (enforce/observe), position ordering, enable/disable
Bundle upload from raw YAML or assembly from compositions
Bundle versioning with SHA-256 revision hash for drift detection
Ed25519 bundle signing with private keys encrypted at rest (NaCl SecretBox)
YAML diff viewer between any two bundle versions
Evaluation playground (test contracts against tool calls without deploying)
AI contract assistant (streaming chat, knows full contract schema)
- Providers: Anthropic (Claude), OpenAI (GPT), OpenRouter (any model), Ollama (local)
- Per-tenant config with encrypted API keys and usage tracking

Live Hot-Reload:

SSE push to agents on bundle deployment (contract_update event with signed YAML)
Bundle-filtered streams (agents only receive updates for their assigned bundle)
Ed25519 signature + public key included in SSE event payload
Signing key rotation (re-signs all active deployments)
Agent auto-reconnect with exponential backoff (1s initial, 60s max)

Human-in-the-Loop Approvals:

Dashboard approval queue with auto-switching card/table view
Timer badges (green -> amber -> red) showing urgency
Bulk approve/deny with checkbox selection, deny-with-reason dialog
Configurable timeout per approval + timeout effect (deny or allow)
Background worker (10s interval) expires overdue approvals
Decision tracking (who, when, via which channel, reason)
Rate limited (10 approval requests per 60 seconds per agent)

Notification Channels:

6 channel types: Telegram, Slack App, Slack Webhook, Discord, Webhook, Email
Interactive approve/deny buttons in Telegram (inline keyboard), Slack (Block Kit), Discord (component buttons)
Routing filters per channel (environments, agent patterns, contract names -- AND logic)
Secrets encrypted at rest with NaCl SecretBox, masked in API responses
Test button per channel
No env vars required -- all channel config from dashboard

Audit Event Feed:

Batch ingestion from agents (50 events / 5s flush, 10K buffer, dedup by call_id)
Three-panel dashboard (faceted filters + event list with histogram + detail panel)
URL-driven filters (shareable links)
PostgreSQL partitioned by month, background partition worker
Event purge (30/60/90 days) from settings danger zone

Fleet Monitoring:

Live connected agents with environment, bundle, contract version, timestamp
Drift detection (per-agent comparison against deployed bundle)
Coverage analysis (per-agent and fleet-level: enforced/observed/ungoverned tools)
Agent auto-registration on first SSE connection
Agent detail page (coverage tab, analytics tab, history tab)
Ungoverned tools sidebar on fleet page

Agent Assignment System:

Three-level bundle resolution (explicit assignment -> rule match -> agent-provided)
Assignment rules: priority-ordered, glob patterns on agent_id, optional tag match
Bulk assignment (one bundle to multiple agents, pushes SSE events)
Dry-run resolution endpoint (preview which bundle an agent would receive)

Dashboard:

React SPA served by FastAPI at /dashboard
Dark and light mode with theme toggle
Real-time updates via SSE on every page
7 main pages: Home, Events, Approvals, Contracts, Agents, API Keys, Settings
Getting-started wizard for first-time users

Deployment:

Single Docker image (multi-stage: pnpm build -> python build -> slim runtime)
Docker Compose (Postgres 16 + Redis 7 + server)
Railway deployment config (railway.toml)
Kustomize manifests (deploy/k8s/)

[Planned] OIDC Auth Provider

The AuthProvider protocol is already defined. A second implementation for OIDC/SSO will enable:

Okta, Azure AD, Google Workspace, and other OIDC-compliant identity providers
JWT verification instead of session cookies for API access
Automatic user provisioning from identity provider claims
Single sign-on across organization tools

[Planned] Multi-Tenant Management UI

The backend is fully multi-tenant -- every table has tenant_id, every query filters by it. The frontend currently assumes single-tenant (one admin, one team). Adding multi-tenant UI includes:

Team/organization management
Tenant selector/switcher in the dashboard
Invitation flow for new team members
Per-tenant settings and billing
Role-based access control within tenants

[Planned] Role-Based Access Control

Currently all dashboard users are admins within their tenant. RBAC would add:

Predefined roles (admin, operator, viewer)
Per-role permissions (who can deploy, who can approve, who can view only)
Role assignment in the dashboard
Audit trail for permission changes

[Planned] Per-User Notification Subscriptions

Currently notification channels are team-wide -- an admin configures channels for the entire tenant. Per-user subscriptions would allow:

Individual users subscribing to specific environments, agents, or contract types
Personal notification preferences (email digest vs. real-time)
Mute/snooze per channel

[Planned] Bundle Signature Verification in SDK

Ed25519 signatures are included in every contract_update SSE event. The SDK currently stores but does not verify them. A future edictum[verified] extra would:

Verify bundle signatures before applying contract updates
Deny tampered bundles at the agent level
Pin public keys for additional security
Provide signature verification CLI command

[Planned] Centralized Observability

The core library already ships OpenTelemetry instrumentation (pip install edictum[otel]) with spans and metrics. Each agent configures OTel independently today -- endpoint, protocol, credentials. In production fleets, this becomes unmanageable: 50 agents means 50 places to rotate a Splunk HEC token.

Centralized config via Console:

Tenant-level observability settings in the console dashboard (collector endpoint, protocol, resource attributes, auth credentials)
Pushed to agents alongside bundle updates via SSE -- agents call configure_otel() with server-provided config
Secrets (HEC tokens, OTLP auth headers) encrypted in transit, never stored in bundle YAML
Single pane to update observability config for the entire fleet

Console-side telemetry:

Server-side events (approval decisions, bundle deployments, admin actions) emitted as OTel spans/logs
OTLP/Prometheus metrics export (denial rates, latency, contract coverage)
Grafana dashboard templates

Deployment recipes:

End-to-end guides for OTel Collector to Grafana, Datadog, and Splunk
Splunk HEC integration via splunk-otel-collector
Webhook/Splunk HEC/Datadog as direct audit sink options

[Planned] Multi-Instance & High Availability

The console currently runs as a single instance. For production fleets requiring HA:

Redis pub/sub bridge for SSE event fan-out across multiple server instances
Horizontal scaling behind a load balancer without sticky sessions
Health check endpoints for orchestrator liveness/readiness probes

Documentation

[Planned] Operational & Platform Guides

Docs for platform teams, SREs, and multi-team organizations adopting Edictum at scale.

CI/CD Integration Guide -- sample GitHub Actions workflow, contract validation in PRs, publishing via API on merge, replay integration for change impact analysis
Operations Runbook -- backup/restore (WAL-based PITR), upgrade/rollback procedures, secret rotation, incident response playbook, admin password reset, reverse proxy configuration for SSE
Troubleshooting Guide -- common issues: "contract not firing" (tool name mismatch, observe mode, missing field), "redact not working" (tool not classified as read/pure), "events not appearing" (rate limit, buffer full)
Migration Guide -- migrating from prompt-based governance to contract-based enforcement, before/after code examples, incremental adoption with observe mode