Zion Boggan · Updated May 2026 · Oversight Protocol v0.4.11

This page mirrors the public roadmap in docs/ROADMAP.md and supersedes any earlier timeline. The source of truth is the repository; this page is kept in sync so visitors can read the current plan without leaving the site.

April 20, 2026 correction

The launch plan is now gated on product usability and threat-model honesty, not on a calendar date. The headline changes:

1. L3 safety fixes and collusion documentation shipped in v0.4.5. L3 defaults off for wording-sensitive document classes, requires explicit disclosure when enabled, records canonical_content_hash in the manifest, and supports a boilerplate-only mode for contracts and filings.
2. Web viewer and drag-drop share UI is the next website and product milestone. No broad HN or Reddit launch while the only supported interface is a CLI. Non-technical recipients have to be able to open and inspect Oversight files before a public launch is honest. Inspector shipped Classic + hybrid decrypt shipped Hardware sample shipped in v0.4.11 The browser inspector parses .sealed files, verifies issuer signatures via WebCrypto, decrypts supported sample suites locally, and optionally resolves provenance against the registry declared in the manifest.
3. Outlook add-in first for the first ecosystem integration. Drive, Box, SharePoint, and Teams plugins are deferred until there is a maintainer or design partner paying for them. Scaffold landed 2026-05-07 Office 1.1 MailApp manifest, task-pane HTML/JS, and icons are hosted under integrations/outlook/; the task pane imports the public viewer's parse / verify / decrypt directly so there is no second crypto stack. Tenant pilot and visual design pass remain pending.
4. SIEM integration before SOC 2. Splunk HEC, Microsoft Sentinel, and Elastic Common Schema exports are prioritized because they are fast to ship and high-ROI for enterprise evaluators. Shipped in v0.4.6 Formatters, the oversight siem export CLI, and the operator guide live at docs/SIEM.md.
5. SOC 2 Type 1 scoping becomes realistic after a design partner engagement. ISO 27001 follows SOC 2. FedRAMP is dropped from near-term planning; it is a multi-year commercial program requiring sponsor-agency backing, and Oversight has not earned that yet.
6. Registry federation. Publish and harden docs/spec/registry-v1.md during the Rust Axum and SQLx registry work so a second operator can run a compatible registry. Hardened in v0.4.7 Spec aligned with the reference server, and a conformance harness at tests/test_registry_conformance.py exercises every endpoint. An operator runs it with OVERSIGHT_REGISTRY_URL=https://registry.example.org python3 tests/test_registry_conformance.py to claim v1 compatibility. The Rust Axum port now has operator-token parity and Python-to-Rust migration tooling; deployment burn-in remains the v1.0 prerequisite.

Public launch sequence

1. L3 safety and collusion documentation. Shipped in v0.4.5
2. Browser inspector and drag-drop share workflow. Inspector + classic decrypt shipped Hybrid (post-quantum) decrypt shipped 2026-05-03
3. Outlook add-in. Scaffold landed 2026-05-07 Tenant pilot pending
4. One regulated-industry design-partner deployment.
5. SOC 2 Type 1 scoping, in parallel with the design partner.
6. Public launch. Not before steps 3 and 4.

Already shipped

• v0.3: RFC 3161 qualified timestamps with FreeTSA primary and DigiCert fallback.
• v0.4: Rust canonical port of the hot path with cross-language conformance.
• v0.4.4: Nine security findings resolved under fail-closed discipline, including DNS event shared-secret auth.
• v0.4.5: L3 semantic watermark safety, canonical_content_hash and l3_policy in the manifest, and the Tkinter GUI starter.
• v0.5: Sigstore Rekor v2 transparency log integration with DSSE envelopes and hashed recipient keys.
• v0.4.6: SIEM export for Splunk HEC, Microsoft Sentinel, and Elastic Common Schema, with the oversight siem export CLI and docs/SIEM.md operator guide.
• v0.4.7: Registry v1 interop spec hardened against the reference server and a 33-check federation conformance harness (tests/test_registry_conformance.py). CORS middleware deployed so the browser inspector can read public endpoints.
• Browser inspector: static viewer/ page with drag-drop .sealed parsing, WebCrypto Ed25519 verification, canonical-JSON matching Python byte-for-byte, and optional registry lookup.
• Classic-suite in-browser decrypt: WebCrypto X25519 + HKDF-SHA256 with a vendored pinned copy of @noble/ciphers for XChaCha20-Poly1305. Post-decrypt SHA-256 check against manifest.content_hash; wrong key, recipient mismatch, and tampered ciphertext all fail loudly.
• Hybrid and hardware viewer paths: the browser inspector decrypts hybrid ML-KEM/X25519 samples and loads the v0.4.11 hardware P-256 tutorial identity without leaving the device.
• v0.4.11: hardware-suite completion across Rust, Python, and browser reference implementations, with the OSGT-HW-P256-v1 sample fixture and manifest/container parity.
• Rust registry migration: oversight-registry --migrate-from and --migrate-dry-run copy Python registry SQLite manifests, beacons, watermarks, events, and corpus rows into the Axum/SQLx schema.
• Opsec hygiene: scripts/opsec-scan.sh, .github/workflows/opsec.yml, pre-commit hook, and .gitignore rules that block the handoff-note filename patterns from landing in public history. Retroactive history rewrite cleared earlier leaks.

Near-term

• Hybrid (post-quantum) decrypt in the browser. Shipped 2026-05-03 Vendored @noble/post-quantum ML-KEM-768 alongside the existing WebCrypto X25519 + HKDF-SHA256 path. KEK bound X-wing-style over both shared secrets and both ephemeral inputs.
• Outlook add-in. Scaffold shipped 2026-05-07 Tenant pilot pending Office 1.1 MailApp manifest, task pane HTML/JS, and icons live at integrations/outlook/ on the site. Task pane imports the public viewer's parseSealed / verifyManifestSignature / decryptSealed.
• Hardware KeyProvider integration in Rust (YubiKey, Nitrokey, OnlyKey) with docs/HARDWARE_KEYS.md as the vendor-neutral setup guide. Trait + OSGT-HW-P256-v1 shipped 2026-05-07 PivKeyProvider next
• Rust Axum registry: deployment burn-in and migration validation; the conformance harness remains the acceptance gate. v1 conformance 33/33 shipped 2026-05-03 operator-token parity shipped 2026-05-14 migration tooling shipped 2026-05-17
• arXiv preprint (~15 pages, cs.CR).
• Threat model document in the repository (companion to docs/security.md).

Mid-term

• IETF Internet-Draft submission and informal BoF presentation at CFRG or a relevant security working group.
• USENIX Security Cycle 2 paper submission.
• Black Hat Europe 2026 CFP.
• ACSAC 2026.

2027

• Independent security audit (Trail of Bits, NCC Group, Cure53, or Zellic are candidates).
• v1.0 release, spec freeze, and RFC shepherding.
• Black Hat USA 2027 Briefings submission.

Explicitly dropped or deferred

• FedRAMP: dropped from near-term planning. Multi-year program requiring sponsor-agency backing.
• Cloud-TEE key custody: dropped in favor of hardware security keys. Ties Oversight to a single cloud vendor and contradicts the open-source goal.
• Drive, Box, SharePoint, Teams plugins: deferred until there is a maintainer or design partner funding them.
• Broad public launch: not before the Outlook pilot and design-partner deployment prove the non-technical path.

For the authoritative, always-current version of this plan, see docs/ROADMAP.md in the repository.