Home | Getting Started | CLI Reference | Architecture | Roadmap | Contributing

Roadmap

Planned evolution of custos from first release through platform maturity.

Principles

Ship test first. A single command that works reliably is worth more than five commands that don’t.
Offline is the differentiator. The ability to test policies without touching Vault is what makes custos unique.
CI is the growth engine. Adoption happens when someone drops custos into a pipeline and it catches a bad policy on a PR.
Match Vault’s behavior exactly. If custos says “allow” and Vault says “deny,” trust is gone.

v0.1.0: “It works offline” — Released

The credibility release. One command, one promise: you can test Vault policies without touching Vault.

Project scaffolding and CI/CD setup
HCL policy parser with full field support
YAML test spec loader and validator
Offline policy evaluation engine
custos test command with terminal reporter
Comprehensive evaluation engine tests
Version command with --json flag
Build and release infrastructure (GoReleaser, Docker, install script, Homebrew)

v0.2.0: “It fits in CI” — Planned

Once the core works, the next unlock is CI/CD integration.

JUnit XML reporter (--format junit)
JSON reporter (--format json)
Proper exit codes (--fail-on-warn)
custos validate command
custos init --from policy.hcl
Verbose mode (-v) improvements

v0.3.0 to v0.5.0: “It’s the platform” — Planned

v0.3.0 — Online mode and security scanning

Online mode (--vault-addr, --vault-token)
custos scan command
Severity filtering (--severity)

v0.4.0 — Deep analysis

Overprivilege detection
Policy conflict detection
Path coverage reporting

v0.5.0 — Enterprise

Namespace-aware evaluation
Sentinel policy integration
Timeout and retry configuration

Version history

Version	Status	Theme
v0.1.0	Released	Offline policy testing
v0.2.0	Planned	CI/CD integration
v0.3.0	Planned	Online mode and scanning
v0.4.0	Planned	Deep analysis
v0.5.0	Planned	Enterprise features