From db94ca7c7bccfc472b0231a6532339a22513b5f7 Mon Sep 17 00:00:00 2001 From: shenxianpeng Date: Sat, 30 May 2026 07:35:01 +0300 Subject: [PATCH] docs: update ROADMAP with enterprise adoption milestones - Mark M1 and M2 as completed (May 2026) - Add Enterprise Policy & Compliance Tooling status table listing completed capabilities: .ods.yaml profiles, compliance report, fix suggestions, AI review records - Add M3: Enterprise Adoption Surface (Q3 2026) - ods init scaffolding command - adoption mode (observe/warn/enforce) - multi-platform CI examples (GitLab CI, Bitbucket, Jenkins) - AI agent instructions (AGENTS.md) - L1 modules to Stable - Add M4: Supply Chain & Compliance Bridge (Q3-Q4 2026) - SLSA evidence bridge / JSON mapping - NIST AI RMF / EU AI Act control mapping - ods-ai-review.json artifact - Add M5: Community & Governance (Q4 2026) - Compress timeline: all milestones target 2026 - Clarify ODS complements SLSA in non-goals --- ROADMAP.md | 47 +++++++++++++++++++++++++++++++++++++---------- 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/ROADMAP.md b/ROADMAP.md index e37bcb7..625f288 100644 --- a/ROADMAP.md +++ b/ROADMAP.md @@ -14,7 +14,7 @@ This document outlines the planned evolution of Open Delivery Spec. Priorities s --- -## Current Status (May 2026) +## Current Status (June 2026) > **Strategy**: Narrow focus on ODS L1 + AI Disclosure as the primary adoption path. Modules 04-09 are direction-setting experiments. The wedge is: make AI-generated PRs easier to review, not to prove a full governance framework. @@ -30,37 +30,63 @@ This document outlines the planned evolution of Open Delivery Spec. Priorities s | 08 โ€” Rollback Plan | ๐Ÿงช Experimental | โฌœ validate schema only | | 09 โ€” Production Evidence | ๐Ÿงช Experimental | โฌœ validate schema only | +### Enterprise Policy & Compliance Tooling + +These capabilities are now production-ready and run through the CLI and GitHub Action: + +| Capability | Status | +|--------|--------| +| `.ods.yaml` enterprise policy with profiles (`oss` / `enterprise` / `regulated`) | โœ… Production | +| HTML/JSON/SVG/Markdown compliance report with scores and fix suggestions | โœ… Production | +| PR bot comment with copy-paste fix templates on failure | โœ… Production | +| AI review record generation (L1/L2/L3) with reviewer attestation | โœ… Production | +| `ods review validate` against AI Change Review schema | โœ… Production | + --- ## Milestones -### M1 โ€” First Trusted Checkpoint (Q3 2026) +### M1 โ€” First Trusted Checkpoint โœ… -**Goal:** Prove the loop works end-to-end for the simplest modules. +**Status: Complete (May 2026)** - [x] CLI: `ods validate branch|commit|pr` passes against real projects - [x] GitHub Action runs reliably with Go-based CLI (validate-action@v1 published) - [x] End-to-end example with workflow files (see `examples/end-to-end/`) - [x] `.ods/` artifact directory convention documented -### M2 โ€” AI-Native Tooling (Q4 2026) +### M2 โ€” AI-Native Tooling โœ… -**Goal:** Build the CLI tools for AI review and CI failure analysis. Keep modules experimental pending adoption signal. +**Status: Complete (May 2026)** - [x] CLI: `ods ci parse` with hallucination detection - [x] CLI: `ods review generate` producing L1/L2/L3 records - [x] JSON Schemas for modules 04-09 published +- [x] Enterprise policy system: `.ods.yaml` with profiles, severity maps, configurable rules +- [x] Compliance report: `ods report` outputting HTML, JSON, SVG badge, Markdown with fix suggestions +- [x] PR bot comments with copy-paste fix templates on validation failure - [ ] Adoption signal: 2+ teams using ODS L1 with positive feedback -### M3 โ€” L1 Stable + Early Evidence (Q1 2027) +### M3 โ€” Enterprise Adoption Surface (Q3 2026) -**Goal:** Promote ODS L1 to Stable. Begin evidence module maturation based on real-world feedback. +**Goal:** Reduce friction for enterprise teams adopting ODS. Make the onboarding experience self-service. +- [ ] `ods init` command: one-command scaffolding of `.github/pull_request_template.md`, `.github/workflows/ods.yml`, `.ods.yaml` +- [ ] Adoption mode in policy: `mode: observe | warn | enforce` for progressive roll-out +- [ ] Multi-platform CI examples: GitLab CI, Bitbucket Pipelines, Jenkins (copy-paste templates) +- [ ] Agent instructions: `AGENTS.md` / `.claude.md` / Copilot instructions for ODS-compliant branch, commit, and PR creation - [ ] Modules 01-03 promoted to Stable (1.0.0) + +### M4 โ€” Supply Chain & Compliance Bridge (Q3โ€“Q4 2026) + +**Goal:** Position ODS as the delivery-governance layer that complements SLSA and maps to AI regulations. + +- [ ] SLSA evidence bridge: JSON mapping from ODS PR evidence โ†’ SLSA provenance link and guidance doc +- [ ] Control mapping doc: ODS fields โ†’ NIST AI RMF / EU AI Act / internal audit controls (traceability, human oversight, AI disclosure) - [ ] At least one evidence module (04-06) promoted to Candidate based on adopter needs -- [ ] Multi-platform CI examples (GitLab CI, Bitbucket Pipelines) +- [ ] `ods-ai-review.json` artifact with AI tool, AI scope, human reviewer, review checklist, risk level -### M4 โ€” Governance Model (Q2 2027) +### M5 โ€” Community & Governance (Q4 2026) **Goal:** Formal governance and community adoption. @@ -73,8 +99,9 @@ This document outlines the planned evolution of Open Delivery Spec. Priorities s ## Non-Goals (for now) - A hosted dashboard / SaaS offering โ€” focus is on the spec + CLI + CI integration -- Deep integrations with every CI platform โ€” start with GitHub Actions, expand later +- Deep integrations with every CI platform โ€” start with GitHub Actions, expand with copy-paste examples - Runtime monitoring / observability standards โ€” out of scope; ODS covers pre-deployment and deployment artifacts +- Replacing SLSA โ€” ODS complements SLSA (delivery governance layer before build provenance layer) ## How to Influence